topic Re: Default Action for Revoked Certificates via OCSP and CRL in General Topics

Default Action for Revoked Certificates via OCSP and CRL

dan731028 — Thu, 13 Jun 2019 16:35:02 GMT

Hi All,

When you enable OCSP and CRL revocation checking on the firewall, if a certificate is revoked the default behavior is to block the connection. Is there any way to change that behavior so that maybe the revoked log is written in the system log, but still allow the browser to connect through. I was hoping it would be as simple as allowing connections with timeout or status unknown, but doesn't appear to be the case. We're trying to get an idea of impact on our environment before we just outright block these connections.

Thanks in advance!

Re: Default Action for Revoked Certificates via OCSP and CRL

Remo — Sat, 15 Jun 2019 21:08:57 GMT

Hi @dan731028

Unfortunately this is not possible to enable this in log-mode. But enabling this option does in all cases have a really low impact. Much more commonthan revoked certs are self signed certificates. This applies to the CRL option.

Enabling the OCSP option will almost for sure have a medium to high impact. This impact ist not because of blocked websites because of revoked certs, this impact will be about the performance when accessing normal websites. Thisnis because the firewall pretty often has to check the ocsp servers if the cert is still valid. This could dramatically increase page load times. Probably this depends on the hardware you are using. On a PA-3200 or 5200 series firewall it may be worth a try but do not enable the option an the 5000 and 3000 or lower series - this is my personal recommendation based on my experience and nothing official from PaloAlto.

Regards,

Remo

Re: Default Action for Revoked Certificates via OCSP and CRL

dan731028 — Tue, 18 Jun 2019 16:15:55 GMT

Thanks Remo. This is what I thought. Thanks for the verification.