<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Does Globalprotect application use certificate revocation list (CRL) to check the gateway certificates? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/does-globalprotect-application-use-certificate-revocation-list/m-p/408162#M92313</link>
    <description>&lt;P&gt;Hello to All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have intermittent issues with the HIP report not being sent every hour, but I also see that there are some intermittent errors about the gateway certificate not being verified. I also see that there are messages in the PanGPS log "Check server certificate revocation returns", and the portal and gateway certificates are publicly signed by the DigiCert CA. What I think is that we have other security systems and maybe something is blocking the CRL from time to time, and because of this the SSL cert of the gateway is not trusted and the HIP report fails; if 3 HIP reports fail to be sent by the GlobalProtect app (as the timeout is 3 hours and every hour a HIP report is sent), we sometimes hit the Inactivity Logout (&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClxFCAS" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClxFCAS&lt;/A&gt;).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Does this mean that the GlobalProtect agent uses the CRL before trying to send the HIP report to the gateway if the gateway certificate is from a public CA and the certificate has a &lt;EM&gt;CRL distribution point&lt;/EM&gt; SSL extension?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also some of the gateways share a certificate with the same CA, but if this was the issue then maybe the issue would not be intermittent, so for now I focus on the CRL as the certificate has a SAN with each gateway FQDN, but we may also check if it is a bug with the GlobalProtect app not liking the SSL SAN names from time to time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 21 May 2021 07:39:58 GMT</pubDate>
    <dc:creator>nikoolayy1</dc:creator>
    <dc:date>2021-05-21T07:39:58Z</dc:date>
    <item>
      <title>Does Globalprotect application use certificate revocation list (CRL) to check the gateway certificates?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-globalprotect-application-use-certificate-revocation-list/m-p/408162#M92313</link>
      <description>&lt;P&gt;Hello to All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have intermittent issues with the HIP report not being sent every hour, but I also see that there are some intermittent errors about the gateway certificate not being verified. I also see that there are messages in the PanGPS log "Check server certificate revocation returns", and the portal and gateway certificates are publicly signed by the DigiCert CA. What I think is that we have other security systems and maybe something is blocking the CRL from time to time, and because of this the SSL cert of the gateway is not trusted and the HIP report fails; if 3 HIP reports fail to be sent by the GlobalProtect app (as the timeout is 3 hours and every hour a HIP report is sent), we sometimes hit the Inactivity Logout (&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClxFCAS" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClxFCAS&lt;/A&gt;).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Does this mean that the GlobalProtect agent uses the CRL before trying to send the HIP report to the gateway if the gateway certificate is from a public CA and the certificate has a &lt;EM&gt;CRL distribution point&lt;/EM&gt; SSL extension?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also some of the gateways share a certificate with the same CA, but if this was the issue then maybe the issue would not be intermittent, so for now I focus on the CRL as the certificate has a SAN with each gateway FQDN, but we may also check if it is a bug with the GlobalProtect app not liking the SSL SAN names from time to time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 21 May 2021 07:39:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-globalprotect-application-use-certificate-revocation-list/m-p/408162#M92313</guid>
      <dc:creator>nikoolayy1</dc:creator>
      <dc:date>2021-05-21T07:39:58Z</dc:date>
    </item>
    <item>
      <title>Re: Does Globalprotect application use certificate revocation list (CRL) to check the gateway certificates?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-globalprotect-application-use-certificate-revocation-list/m-p/412040#M92792</link>
      <description>&lt;P&gt;After doing a tcpdump and not seeing any CRL requests to the distribution points, I don't think this is the issue, and after upgrading the portals, gateways and the app the issue seems to have gone.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now with 9.1 we can monitor the latency if this is causing the timeout:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-released-in-gp-app/globalprotect-gateway-latency-reporting.html" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-released-in-gp-app/globalprotect-gateway-latency-reporting.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Or with the GlobalProtect agent app 5.2 we can set the MTU from the portal ("Configurable Maximum Transmission Unit for GlobalProtect Connections"):&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-release-notes/gp-app-release-information/features-introduced-in-gp-app.html#id1787E80K0UF" target="_blank" rel="noopener"&gt;https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-release-notes/gp-app-release-information/features-introduced-in-gp-app.html#id1787E80K0UF&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also, because of a certificate change we seemed to have issues on some gateways, but maybe because we were on an older version the GlobalProtect app did not drop the VPN to those gateways with a missing root CA (I have read of such a bug with older versions); the option "Install in Local Root Certificate store" helped, as suggested by a colleague of mine.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMyG" target="_blank" rel="noopener"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMyG&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 09 Jun 2021 12:55:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-globalprotect-application-use-certificate-revocation-list/m-p/412040#M92792</guid>
      <dc:creator>nikoolayy1</dc:creator>
      <dc:date>2021-06-09T12:55:15Z</dc:date>
    </item>
  </channel>
</rss>

