06-13-2019 09:35 AM
Hi All,
When you enable OCSP and CRL revocation checking on the firewall, if a certificate is revoked the default behavior is to block the connection. Is there any way to change that behavior so that maybe the revoked log is written in the system log, but still allow the browser to connect through. I was hoping it would be as simple as allowing connections with timeout or status unknown, but doesn't appear to be the case. We're trying to get an idea of impact on our environment before we just outright block these connections.
Thanks in advance!
06-15-2019 02:08 PM
Hi @dan731028
Unfortunately this is not possible to enable this in log-mode. But enabling this option does in all cases have a really low impact. Much more commonthan revoked certs are self signed certificates. This applies to the CRL option.
Enabling the OCSP option will almost for sure have a medium to high impact. This impact ist not because of blocked websites because of revoked certs, this impact will be about the performance when accessing normal websites. Thisnis because the firewall pretty often has to check the ocsp servers if the cert is still valid. This could dramatically increase page load times. Probably this depends on the hardware you are using. On a PA-3200 or 5200 series firewall it may be worth a try but do not enable the option an the 5000 and 3000 or lower series - this is my personal recommendation based on my experience and nothing official from PaloAlto.
Regards,
Remo
06-15-2019 02:08 PM
Hi @dan731028
Unfortunately this is not possible to enable this in log-mode. But enabling this option does in all cases have a really low impact. Much more commonthan revoked certs are self signed certificates. This applies to the CRL option.
Enabling the OCSP option will almost for sure have a medium to high impact. This impact ist not because of blocked websites because of revoked certs, this impact will be about the performance when accessing normal websites. Thisnis because the firewall pretty often has to check the ocsp servers if the cert is still valid. This could dramatically increase page load times. Probably this depends on the hardware you are using. On a PA-3200 or 5200 series firewall it may be worth a try but do not enable the option an the 5000 and 3000 or lower series - this is my personal recommendation based on my experience and nothing official from PaloAlto.
Regards,
Remo
06-18-2019 09:15 AM
Thanks Remo. This is what I thought. Thanks for the verification.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
