https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23151#M16881 <HTML><HEAD></HEAD><BODY><P>Hello Choff,</P><P></P><P>Please make sure service route for CRL updates to an ip address where it can communicate to internet.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Sat, 14 Dec 2013 12:30:13 GMT hyadavalli 2013-12-14T12:30:13Z https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23149#M16879 <HTML><HEAD></HEAD><BODY><P>Im getting tons of failed to get CRL errors in my logs all of the sudden. Im not sure what I did (if anything) to cause this.</P><P>Ive tried to fix it,</P><UL><LI>I tried to enable&nbsp; "Server CRL"</LI><LI>I did a nslookup on crl.verisign.com and I cant see any connections outbound being denied.</LI></UL><P>I cannot fix this.</P><P><STRONG>Any sugestions on how to fix this?</STRONG></P><P><STRONG>What is this even for? </STRONG>I was not aware that the firewall was downloading any&nbsp; CRLs, could it be part of SSL Decrypt? THe admin prior to me tries to get SSL Decrypt working but eh 4xxx serise do not support it (its broken/buggy)</P><P></P><P>Any help appreciated, thanks.</P><P></P><P><IMG alt="crl errors.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8769_crl errors.JPG.jpg" style="width: 620px; height: 267px;" /></P></BODY></HTML> Wed, 02 Oct 2013 15:47:41 GMT https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23149#M16879 choff123 2013-10-02T15:47:41Z https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23150#M16880 <HTML><HEAD></HEAD><BODY><P>Need to ensure the Palo Alto can resolve these addresses as well as ensure that outbound connections from the device via the service route (management interface default) are allowed.&nbsp; If this does not resolve your issue please open a support ticket.</P></BODY></HTML> Sat, 14 Dec 2013 00:51:38 GMT https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23150#M16880 JimS2 2013-12-14T00:51:38Z https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23151#M16881 <HTML><HEAD></HEAD><BODY><P>Hello Choff,</P><P></P><P>Please make sure service route for CRL updates to an ip address where it can communicate to internet.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Sat, 14 Dec 2013 12:30:13 GMT https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23151#M16881 hyadavalli 2013-12-14T12:30:13Z https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23152#M16882 <HTML><HEAD></HEAD><BODY><P>Here's another approach. If it began to happen after you made some config changes and if you're not sure what was changed, maybe you can look at config log (Monitor =&gt; Logs =&gt; Configuration) to see if there's any corresponding change.</P><P>- Yasu</P></BODY></HTML> Mon, 16 Dec 2013 07:41:51 GMT https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23152#M16882 ymiyashita 2013-12-16T07:41:51Z https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23153#M16883 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>we had the same issue. You have to create a new firewall policy allowing the MGT interface of the PA to download the CRLs.</P><P>Take a look how we solved it:</P><P><IMG alt="2.JPG.jpg" class="jive-image" height="81" src="https://live.paloaltonetworks.com/legacyfs/online/10382_2.JPG.jpg" width="851" /></P><P>With a custom URL category we allowing the crl sites:</P><P><IMG alt="1.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/10383_1.jpg" style="width: 620px; height: 656px;" /></P><P></P><P>So you have check the system logs and enter each URL in the custom URL category.</P><P></P><P><BR /> </P></BODY></HTML> Wed, 18 Dec 2013 14:24:59 GMT https://live.paloaltonetworks.com/t5/general-topics/failed-to-get-crl-http/m-p/23153#M16883 Hithead 2013-12-18T14:24:59Z