topic Re: OCSP service route? in General Topics

OCSP service route?

mr.linus — Wed, 29 May 2013 11:47:13 GMT

Question: What service route does the PA take for his OCSP requests?

Since we can not choose anything under the service routes, I suppose it will use the management as default...

Is there any way to change this to some other interface?

Linus

Re: OCSP service route?

DavePalo — Wed, 29 May 2013 12:31:37 GMT

Hi Linus,

The CRL-status service route may be worth a try if you have not done so already?

Regards,

Dave

Re: OCSP service route?

mr.linus — Fri, 31 May 2013 09:24:52 GMT

I have asked Palo Alto directly to confirm this, since I was not able to really pin point the ocsp traffic in my packet captures.

I am still waiting for a definitive answer on this.

In the mean time, I have another related question/observation:

Is there any way of checking if OCSP stapling was used? Is there a way of testing if a certain website is using this?

Linus

Re: OCSP service route?

mr.linus — Fri, 31 May 2013 09:49:04 GMT

To answer part of my own question.

Apparently you can use openssl to test this:

"openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status"

Linus

Re: OCSP service route?

mr.linus — Tue, 04 Jun 2013 14:51:22 GMT

Still waiting for an official Palo Alto reply, but I think I found my answer in the admin guide

Service Route Configuration (Continued)

For example, if you want to route Kerberos authentication requests on an interface other than the MGT port, you need to configure the Destination and Source Address in the right section of the Service Route Configuration window since Kerberos is not listed in the default Service column.

For all services that are not selectable on the left side, you have to configure a route on the right. So i guess this will be the same for OCSP...

Ex.

Destination: IP of your internal kerberos server

Source Address: IP of your internal interface

But this setup has some limitations:

Since you can not choose a service or application, this route is for all traffic! And it will overrule all settings set on the left.

Ex.

Service: DNS

Source Address: MGT

+ primary DNS is set to same IP as you kerberos server

=> DNS traffic wil NOT use the MGT interface, but hit on the right side route rules and use you internal interface as source...

Re: OCSP service route?

mr.linus — Thu, 06 Jun 2013 07:21:06 GMT

Hey Dyoung,

Seems you were right after all:

Official reply from PA:

The service route in question is the CRL one. That will apply for both.

Since we are having some issues with OCSP I am not able to confirm this from our lab setup, but I guess it is correct.

Re: OCSP service route?

gafrol — Fri, 07 Jun 2013 16:32:55 GMT

Testing the PAN OCSP responder with "openssl s_client -connect ocsp.company.com:443 -tls1 -tlsextdebug -status" (PA-200 5.0.4)

root@backup:~# openssl s_client -connect ocsp.company.com:443 -tls1 -tlsextdebug -status

CONNECTED(00000003)

OCSP response: no response sent

I was expecting to see something like

OCSP response:

======================================

OCSP Response Data:

OCSP Response Status: successful (0x0)

Response Type: Basic OCSP Response

Version: 1 (0x0)

Re: OCSP service route?

mr.linus — Tue, 18 Jun 2013 12:11:49 GMT

dear gafrol,

the openssl command given is to test ocsp stapling. apparently PA does not support OCSP stapling. Find here their official anszer to this question:

Regarding you oscp stapling question, per the PM: We do not support ocsp stapling which just takes an oscp response and folds it into the tls handshake.

that is why you got that result...

linus

Re: OCSP service route?

gafrol — Tue, 18 Jun 2013 16:54:14 GMT

Ahh OK thanks, good to know !