Default Action for Revoked Certificates via OCSP and CRL

L3 Networker

Hi All,

When you enable OCSP and CRL revocation checking on the firewall, if a certificate is revoked the default behavior is to block the connection. Is there any way to change that behavior so that maybe the revoked log is written in the system log, but the browser is still allowed to connect through? I was hoping it would be as simple as allowing connections with timeout or status unknown, but that doesn't appear to be the case. We're trying to get an idea of the impact on our environment before we just outright block these connections.

 

Thanks in advance!

Accepted Solutions

L7 Applicator

Hi @dan731028 

 

Unfortunately, it is not possible to enable this in log mode. But enabling this option does in all cases have a really low impact. Much more common than revoked certs are self-signed certificates. This applies to the CRL option.

Enabling the OCSP option will almost for sure have a medium to high impact. This impact is not because of blocked websites because of revoked certs; this impact will be about the performance when accessing normal websites. This is because the firewall pretty often has to check the OCSP servers to see if the cert is still valid. This could dramatically increase page load times. Probably this depends on the hardware you are using. On a PA-3200 or 5200 series firewall it may be worth a try, but do not enable the option on the 5000 and 3000 or lower series - this is my personal recommendation based on my experience and nothing official from Palo Alto.

 

Regards,

Remo

 

Thanks Remo.  This is what I thought.  Thanks for the verification.
