Im getting tons of failed to get CRL errors in my logs all of the sudden. Im not sure what I did (if anything) to cause this.
Ive tried to fix it,
I cannot fix this.
Any sugestions on how to fix this?
What is this even for? I was not aware that the firewall was downloading any CRLs, could it be part of SSL Decrypt? THe admin prior to me tries to get SSL Decrypt working but eh 4xxx serise do not support it (its broken/buggy)
Any help appreciated, thanks.
Need to ensure the Palo Alto can resolve these addresses as well as ensure that outbound connections from the device via the service route (management interface default) are allowed. If this does not resolve your issue please open a support ticket.
Here's another approach. If it began to happen after you made some config changes and if you're not sure what was changed, maybe you can look at config log (Monitor => Logs => Configuration) to see if there's any corresponding change.
we had the same issue. You have to create a new firewall policy allowing the MGT interface of the PA to download the CRLs.
Take a look how we solved it:
With a custom URL category we allowing the crl sites:
So you have check the system logs and enter each URL in the custom URL category.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!