https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24704#M17998 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P></P><P>Hopeing you can answer a couple of questions I have regarding SSL certificates.</P><P></P><P>1) How does the Palo Alto device itself handle SSL when it is doing interception? Can you set that it would block traffic when for example, an online banking sites certificate has expired, force OCSP, etc.</P><P><BR />2) How does the Palo Alto maintain its own list of CAs, can we remove CAs from the list</P><P></P><P>Hope this make sence</P><P></P><P>Marc</P></BODY></HTML> Wed, 08 Jun 2011 11:50:01 GMT migration 2011-06-08T11:50:01Z https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24704#M17998 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P></P><P>Hopeing you can answer a couple of questions I have regarding SSL certificates.</P><P></P><P>1) How does the Palo Alto device itself handle SSL when it is doing interception? Can you set that it would block traffic when for example, an online banking sites certificate has expired, force OCSP, etc.</P><P><BR />2) How does the Palo Alto maintain its own list of CAs, can we remove CAs from the list</P><P></P><P>Hope this make sence</P><P></P><P>Marc</P></BODY></HTML> Wed, 08 Jun 2011 11:50:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24704#M17998 migration 2011-06-08T11:50:01Z https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24705#M17999 <HTML><HEAD></HEAD><BODY><P>Pan handles encrypted&nbsp; traffic as the man in the middle, however we do not give you the option of blocking based on certificate expiration.</P><P>List of CA's&nbsp; is normally maintained by software release, CA,s cannot be removed from this list as far as I know.</P></BODY></HTML> Thu, 09 Jun 2011 01:54:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24705#M17999 gsamuels 2011-06-09T01:54:58Z https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24706#M18000 <HTML><HEAD></HEAD><BODY><P>PAN provides you with the option to set OCSP, in the admin guide (Page 34, PANOS v4) it says you have the option to "Block Unknown Certificates" </P><P>What does this option actually do?</P><P>Would it not block traffic if the certificate had expired or was unknown ?</P><P></P><P>Marc</P></BODY></HTML> Thu, 09 Jun 2011 05:31:59 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24706#M18000 migration 2011-06-09T05:31:59Z https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24707#M18001 <HTML><HEAD></HEAD><BODY><P>No this option does not take the expiration of the certificate as part of he decision making process, this would normally be caught by the client browser.</P></BODY></HTML> Fri, 10 Jun 2011 00:57:49 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-certificates/m-p/24707#M18001 gsamuels 2011-06-10T00:57:49Z