https://live.paloaltonetworks.com/t5/general-topics/revoked-machine-certificate-still-able-to-connect-global-protect/m-p/394150#M91082 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59122">@Sec101</a>&nbsp;</P><P>&nbsp;</P><P>As I had the same question I did some investigation <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>You need to:</P><P>- Enable OCSP checking in Device &gt; Session =&gt; Decryption Settings</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_1-1616744655859.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30582i693759DCD4355DA9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_1-1616744655859.png" alt="tomdevos-D09_1-1616744655859.png" /></span></P><P>&nbsp;</P><P>- Create an HTTP OCSP Service Management Profile under Network Profiles &gt; Interface Management</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_0-1616744614718.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30581iAFCD5BC201B989C1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_0-1616744614718.png" alt="tomdevos-D09_0-1616744614718.png" /></span></P><P>- Create An OCSP Responder under Device &gt; Certificate Management &gt; OCSP Responder</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_2-1616744790792.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30583i1A972D3D2EAF5D33/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_2-1616744790792.png" alt="tomdevos-D09_2-1616744790792.png" /></span></P><P>&nbsp;</P><P>- Create Client Certificates with this Responder as OCSP Responder</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_3-1616744923074.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30584i26C5DE776C68F239/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_3-1616744923074.png" alt="tomdevos-D09_3-1616744923074.png" /></span></P><P>- make sure OCSP checking is enabled on the Certificate profile used for GP</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_4-1616745066050.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30585iA4BDD08CE9C74F43/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_4-1616745066050.png" alt="tomdevos-D09_4-1616745066050.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_5-1616745129080.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30586i5BF813487F65A1C1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_5-1616745129080.png" alt="tomdevos-D09_5-1616745129080.png" /></span></P><P>&nbsp;</P><P>Next to that:&nbsp;</P><P>Pay attention that if you revoke the certificate in the Certificate store it isn't automatically and immediatly revoked for the GP service as OCSP is cached on the FW:&nbsp;</P><P>To immediatly have affect you need to execute the following commands in CLI&nbsp;</P><UL><LI><SPAN>debug sslmgr delete ocsp all (or instead of all tab comlete with your OCSP URL</SPAN></LI><LI><P><SPAN>debug dataplane reset ssl-decrypt certificate-status</SPAN></P></LI></UL><P>Now the certificate will be revoked and if the client tries to (re)connect it will get that message.</P> Fri, 26 Mar 2021 07:58:43 GMT tomdevos-D09 2021-03-26T07:58:43Z https://live.paloaltonetworks.com/t5/general-topics/revoked-machine-certificate-still-able-to-connect-global-protect/m-p/317573#M81632 <P>It appears possible to configure the firewall to be an OCSP responder to itself/clients from the posts below? Is that correct? (Specifically referring to self-signed certificates generated on the firewall)&nbsp; &nbsp;If so, is there any risk to having this service run on an external interface, in order to control/revoke machine certificates?&nbsp; If the need arises for a certificate revocation, is the firewall responding to itself and not letting the client connect to the portal/gateway, or is the client ultimately making that decision?</P><P>&nbsp;</P><P>I'm finding the GP agent will still connect to the Gateway even if I have revoked a generic machine certificate used in the profile for the Gateway.&nbsp; The CA certificate is still good, but If I revoke the machine certificate, and it shows revoked in the firewall, the client can still connect.&nbsp; &nbsp;</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK</A></P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClteCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClteCAC</A></P> Fri, 20 Mar 2020 13:59:13 GMT https://live.paloaltonetworks.com/t5/general-topics/revoked-machine-certificate-still-able-to-connect-global-protect/m-p/317573#M81632 Sec101 2020-03-20T13:59:13Z https://live.paloaltonetworks.com/t5/general-topics/revoked-machine-certificate-still-able-to-connect-global-protect/m-p/393843#M91052 <P>Same question here. How to get GP to check for revoked certs if there is no CRL or OCSP because it's self signed by the PA</P> Thu, 25 Mar 2021 13:27:39 GMT https://live.paloaltonetworks.com/t5/general-topics/revoked-machine-certificate-still-able-to-connect-global-protect/m-p/393843#M91052 tomdevos-D09 2021-03-25T13:27:39Z https://live.paloaltonetworks.com/t5/general-topics/revoked-machine-certificate-still-able-to-connect-global-protect/m-p/394150#M91082 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59122">@Sec101</a>&nbsp;</P><P>&nbsp;</P><P>As I had the same question I did some investigation <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>You need to:</P><P>- Enable OCSP checking in Device &gt; Session =&gt; Decryption Settings</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_1-1616744655859.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30582i693759DCD4355DA9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_1-1616744655859.png" alt="tomdevos-D09_1-1616744655859.png" /></span></P><P>&nbsp;</P><P>- Create an HTTP OCSP Service Management Profile under Network Profiles &gt; Interface Management</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_0-1616744614718.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30581iAFCD5BC201B989C1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_0-1616744614718.png" alt="tomdevos-D09_0-1616744614718.png" /></span></P><P>- Create An OCSP Responder under Device &gt; Certificate Management &gt; OCSP Responder</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_2-1616744790792.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30583i1A972D3D2EAF5D33/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_2-1616744790792.png" alt="tomdevos-D09_2-1616744790792.png" /></span></P><P>&nbsp;</P><P>- Create Client Certificates with this Responder as OCSP Responder</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_3-1616744923074.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30584i26C5DE776C68F239/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_3-1616744923074.png" alt="tomdevos-D09_3-1616744923074.png" /></span></P><P>- make sure OCSP checking is enabled on the Certificate profile used for GP</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_4-1616745066050.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30585iA4BDD08CE9C74F43/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_4-1616745066050.png" alt="tomdevos-D09_4-1616745066050.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tomdevos-D09_5-1616745129080.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30586i5BF813487F65A1C1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="tomdevos-D09_5-1616745129080.png" alt="tomdevos-D09_5-1616745129080.png" /></span></P><P>&nbsp;</P><P>Next to that:&nbsp;</P><P>Pay attention that if you revoke the certificate in the Certificate store it isn't automatically and immediatly revoked for the GP service as OCSP is cached on the FW:&nbsp;</P><P>To immediatly have affect you need to execute the following commands in CLI&nbsp;</P><UL><LI><SPAN>debug sslmgr delete ocsp all (or instead of all tab comlete with your OCSP URL</SPAN></LI><LI><P><SPAN>debug dataplane reset ssl-decrypt certificate-status</SPAN></P></LI></UL><P>Now the certificate will be revoked and if the client tries to (re)connect it will get that message.</P> Fri, 26 Mar 2021 07:58:43 GMT https://live.paloaltonetworks.com/t5/general-topics/revoked-machine-certificate-still-able-to-connect-global-protect/m-p/394150#M91082 tomdevos-D09 2021-03-26T07:58:43Z