https://live.paloaltonetworks.com/t5/general-topics/ocsp-app-id-fail/m-p/189831#M57412 <P>Hello,</P><P>is anyone using ocsp as single app in a rule ? It's sometimes failing to match, seen as "web-browsing" although on very easy to recognize URLs such as ocsp.comodoca.com. Quite annoying when you debug a third-party software failing to setup because of this but only mentionning "cert chain failed".</P><P>App version 752-4343 on v8.0.5.</P><P>thanks !</P><P>&nbsp;</P> Mon, 04 Dec 2017 16:27:01 GMT prospectfr 2017-12-04T16:27:01Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-app-id-fail/m-p/189831#M57412 <P>Hello,</P><P>is anyone using ocsp as single app in a rule ? It's sometimes failing to match, seen as "web-browsing" although on very easy to recognize URLs such as ocsp.comodoca.com. Quite annoying when you debug a third-party software failing to setup because of this but only mentionning "cert chain failed".</P><P>App version 752-4343 on v8.0.5.</P><P>thanks !</P><P>&nbsp;</P> Mon, 04 Dec 2017 16:27:01 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-app-id-fail/m-p/189831#M57412 prospectfr 2017-12-04T16:27:01Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-app-id-fail/m-p/189899#M57415 <P>The domain name itself is not used for App-ID, as the domain doesn't necessarily dictate what is there. There could easily be non-OCSP content there despite the hostname.</P><P>&nbsp;</P><P>That said, if you have (or can get) a packet capture of the issue happening, open up a support ticket so it can be given to the appropriate folks who handle the App-ID information. I've never seen that issue, but admittadly I am not blocking web-browsing so either way it would work in my environment.</P> Mon, 04 Dec 2017 19:05:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-app-id-fail/m-p/189899#M57415 gwesson 2017-12-04T19:05:27Z