topic Re: How to allow only X.509 related cert validation traffic from trust to Untrust in General Topics

How to allow only X.509 related cert validation traffic from trust to Untrust

Ismail2017 — Mon, 04 Apr 2022 16:49:01 GMT

Re: How to allow only X.509 related cert validation traffic from trust to Untrust

S.Cantwell — Tue, 05 Apr 2022 18:22:59 GMT

Please provide additional detail/context. Thank you.

Re: How to allow only X.509 related cert validation traffic from trust to Untrust

Ismail2017 — Tue, 05 Apr 2022 18:31:36 GMT

Hi Steve,

We like to block as much as outbound traffic. we noted that most of windows servers are reaching to Internet to validate the certificate and digital signature. my question is that At PAN level, is there any way to identify such traffic and block or allow it.

Re: How to allow only X.509 related cert validation traffic from trust to Untrust

S.Cantwell — Tue, 05 Apr 2022 19:53:13 GMT

It you are able to take a wireshark trace and capture the data that is transmitted by the servers, it is possible for customers to create a custom application that will parse your traffic and if you deny the traffic, then yes, it can be done... It is all up to you, as the end customer, to put the work into determining what that traffic signature would look like.
Share with us what you find out, as you are probably not the only one who would want to do this.

BTW, does the traffic show up in the Traffic Logs as ssl on port 443, or some other way to identify it. You seemed to know exactly what you are looking for, so I am curious did you do previous packet captures in the past. I have not seen anyone get to this level of granularity, as cert validation is very important, as someone could attempt to spoof a trusted root CA.

Have you attempted to contact MS to see if they have any mechanism in place to reduce the amount of "check-in" traffic that their OS is configured to use? May be another way to do it.

Re: How to allow only X.509 related cert validation traffic from trust to Untrust

BPry — Tue, 05 Apr 2022 20:10:52 GMT

@Ismail2017,

Maybe I'm missing something, but all of this should just be straightforward OCSP traffic that happens over tcp/80. The firewall should be identifying all of that traffic properly, so you should be able to just allow OCSP traffic under application-default and that would allow for revocation checks to complete without issue.

Re: How to allow only X.509 related cert validation traffic from trust to Untrust

Ismail2017 — Thu, 07 Apr 2022 00:50:31 GMT

Hi SteveCantwell and Bpry,

I performed the below test but no conclusion yet. At server , I initiated traffic using IE ( proxy disabled status) to https://www.verizon.com ( example) , I checked the Firewall log i do not see any traffic related to OCSP. In fact i saw the below info the Verizon cert, But I do not see any traffic to *.digicert.com @ PAN.

My goal is to only allow X.509 related traffic from trust to Untrust, the problem is unable to identify these traffic in PAN. can you share your suggestion

[1]CRL Distribution Point

Distribution Point Name:

Full Name:

URL=http://crl3.digicert.com/sha2-ev-server-g3.crl

[2]CRL Distribution Point

Distribution Point Name:

Full Name:

URL=http://crl4.digicert.com/sha2-ev-server-g3.crl