https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-vpn-and-certificates-to-cut-vpn-access-when-the/m-p/557883#M113163 <P>Hello team,</P> <P>&nbsp;</P> <P>I need to know How to configure VPN and Certificates to cut VPN access when the Certificate is revoked.</P> <P>&nbsp;</P> <P>I have revoked a certificate into the Firewall but I can connect anyway from VPN.... I am using on my GlobalProtect connection and the connections are working fine, I need to cut this connection when the certificate is revoked, can anyone help me?</P> <P>&nbsp;</P> <P>Regards</P> Thu, 14 Sep 2023 08:04:38 GMT Alpalo 2023-09-14T08:04:38Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-vpn-and-certificates-to-cut-vpn-access-when-the/m-p/557883#M113163 <P>Hello team,</P> <P>&nbsp;</P> <P>I need to know How to configure VPN and Certificates to cut VPN access when the Certificate is revoked.</P> <P>&nbsp;</P> <P>I have revoked a certificate into the Firewall but I can connect anyway from VPN.... I am using on my GlobalProtect connection and the connections are working fine, I need to cut this connection when the certificate is revoked, can anyone help me?</P> <P>&nbsp;</P> <P>Regards</P> Thu, 14 Sep 2023 08:04:38 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-vpn-and-certificates-to-cut-vpn-access-when-the/m-p/557883#M113163 Alpalo 2023-09-14T08:04:38Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-vpn-and-certificates-to-cut-vpn-access-when-the/m-p/557892#M113165 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a> ,</P> <P>The certificate are form of authentication. Which means they are used when user is initiating a connection to the firewall.</P> <P>Revoking certificate does not affect currently established connection, the&nbsp; same way&nbsp; as disabling user account would disconnect the user if he has connected with username and password.</P> <P>&nbsp;</P> <P>You need to manually disconnect the GP client from the gateway - if there is currently established session.</P> <P>&nbsp;</P> <P>To prevent the user from connecting again you need to enable CRL or OCSP check in Ceritificate Profile that you assign for your GP Portal/Gateway. Look&nbsp; at section 8.Certificate Profile, step 7 on the following link - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK</A> </P> <P>&nbsp;</P> <LI-CODE lang="markup">7. (optional) Check CRL or OCSP if the portal/gateway needs to verify the client/machine cert's revocation status using CRL or OCSP. Please use this with caution as it can result in clients failing to connect if used in conjunction with 'Block session if certificate status is unknown'.</LI-CODE> <P>&nbsp;</P> <P>Note that above is assuming you are&nbsp; using internal PKI, to which firewall has access from its dedicated mgmt interface.</P> <P>If you are using self-signed&nbsp; CA that is generated by the firewall you will need to enable OCSP reponder as described here - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK</A></P> Thu, 14 Sep 2023 08:39:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-vpn-and-certificates-to-cut-vpn-access-when-the/m-p/557892#M113165 A_Astardzhiev 2023-09-14T08:39:32Z