topic Re: Override url ocsp and responder ocsp global protect VPN in General Topics

Override url ocsp and responder ocsp global protect VPN

HAINVH — Mon, 29 Jun 2026 14:56:38 GMT

Hi everyone,

present, i have VPN global protec

Authentication two factor with certificate and radius, by interface management

The current setup is as follows:

The Palo Alto firewall acts as both the gateway and the OCSP responder.
The OCSP responder is configured to use the management IP address, and the OCSP Override URL also points to the management IP.

Because certificate validation relies on the management IP, a failover to the HA peer causes certificate validation to fail. In addition, having only a single management link creates a potential single point of failure.

To improve resiliency, I would like to use either a data-plane IP address or a loopback IP address as the OCSP responder, and configure the OCSP Override URL to point to that loopback or data-plane IP instead.

However, I’ve tried several configurations without success.

Could you please help me understand how to achieve this?

with 1000user i dont want create new all

Re: Override url ocsp and responder ocsp global protect VPN

JayGolf — Tue, 30 Jun 2026 01:18:10 GMT

Hi @HAINVH ,

What have you tried so far?

You should be able to host OCSP on an alternate interface instead of tying it to the management IP.

A few things I would be mindful of:

The interface should have an Interface Management Profile applied with HTTP OCSP enabled.
The OCSP responder hostname/IP should resolve to the data-plane or loopback interface.
Routing and security policy need to allow the OCSP traffic.

Re: Override url ocsp and responder ocsp global protect VPN

HAINVH — Tue, 30 Jun 2026 03:51:09 GMT

I have already created an Interface Management Profile with HTTP and OCSP enabled and applied it to the loopback interface, but it still doesn't work.

I have another question. When the Palo Alto device acts as both the gateway and the OCSP responder, do I need to configure any additional routing or security policies for this to work?

Or are you referring to configuring a Service Route instead?

Re: Override url ocsp and responder ocsp global protect VPN

JayGolf — Tue, 30 Jun 2026 13:41:44 GMT

Hi @HAINVH ,

Gotcha, thanks for the info.

You’ll want to make sure DNS, routing, and security policy are in place so your GlobalProtect clients can resolve and reach the OCSP URL on the loopback address to check certificate status.

The flow should look something like this:

GP client resolves the OCSP hostname to the loopback IP → traffic comes from the GP zone → traffic is allowed to the OCSP/Loopback zone

For example:

GP Users → GP Zone → OCSP/Loopback Zone