04-04-2022 09:49 AM
04-05-2022 11:22 AM
Please provide additional detail/context. Thank you.
04-05-2022 11:31 AM
Hi Steve,
We would like to block as much outbound traffic as possible. We noted that most Windows servers reach out to the Internet to validate certificates and digital signatures. My question is: at the PAN level, is there any way to identify such traffic and block or allow it?
04-05-2022 12:53 PM
If you are able to take a Wireshark trace and capture the data that is transmitted by the servers, it is possible for customers to create a custom application that will parse your traffic, and if you deny the traffic, then yes, it can be done... It is all up to you, as the end customer, to put the work into determining what that traffic signature would look like.
Share with us what you find out, as you are probably not the only one who would want to do this.
BTW, does the traffic show up in the Traffic Logs as ssl on port 443, or is there some other way to identify it? You seem to know exactly what you are looking for, so I am curious whether you did packet captures in the past. I have not seen anyone get to this level of granularity, as cert validation is very important, since someone could attempt to spoof a trusted root CA.
Have you attempted to contact MS to see if they have any mechanism in place to reduce the amount of "check-in" traffic that their OS is configured to use? That may be another way to do it.
04-05-2022 01:10 PM
Maybe I'm missing something, but all of this should just be straightforward OCSP traffic that happens over tcp/80. The firewall should be identifying all of that traffic properly, so you should be able to just allow OCSP traffic under application-default and that would allow for revocation checks to complete without issue.
04-06-2022 05:50 PM
Hi SteveCantwell and Bpry,
I performed the below test but have no conclusion yet. At the server, I initiated traffic using IE (proxy disabled) to https://www.verizon.com (as an example). I checked the firewall log and I do not see any traffic related to OCSP. In fact I saw the below info in the Verizon cert, but I do not see any traffic to *.digicert.com at the PAN.
My goal is to only allow X.509-related traffic from Trust to Untrust; the problem is that I am unable to identify this traffic in PAN. Can you share your suggestions?
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://crl3.digicert.com/sha2-ev-server-g3.crl
[2]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://crl4.digicert.com/sha2-ev-server-g3.crl
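Both the reply about OCSP under application-default and the CRL Distribution Point listing above come down to the same defender's task: enumerate the revocation endpoints (CRL and OCSP URLs) named in the certificates your servers actually see, so the hosts and ports can be allowed explicitly instead of hunting for them in the traffic log. The script below is an added example, not code from the thread or from Palo Alto Networks. It walks the DER encoding of the two relevant X.509 extensions (CRLDistributionPoints and AuthorityInfoAccess) with a minimal TLV scanner and reduces the URLs to (host, port) pairs. The sample extension values are constructed inline from the two DigiCert CRL URLs quoted above; the OCSP and caIssuers URLs under example.invalid are assumed placeholders, not values from the thread.

```python
"""Extract revocation-checking endpoints (CRL and OCSP URLs) from DER-encoded
X.509 extension values so they can become firewall allow-list entries.
Pure standard library; no network access needed."""
from urllib.parse import urlsplit

# AccessMethod OIDs inside AuthorityInfoAccess (RFC 5280 section 4.2.2.1)
OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers
TAG_URI = 0x86  # GeneralName [6] uniformResourceIdentifier, IMPLICIT IA5String


def der_tlv(tag, content):
    """Encode one definite-length DER TLV (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def iter_tlv(data):
    """Yield (tag, content) for each top-level TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            hdr = 2 + nbytes
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def crl_urls(ext_value):
    """Every URI GeneralName in a CRLDistributionPoints extension value.
    Structure: SEQUENCE OF DistributionPoint { [0] distributionPoint { [0] fullName { [6] uri } } }."""
    urls = []

    def walk(data):
        for tag, content in iter_tlv(data):
            if tag == TAG_URI:
                urls.append(content.decode("ascii"))
            elif tag & 0x20:  # constructed node: descend into SEQUENCE / [0] wrappers
                walk(content)

    walk(ext_value)
    return urls


def ocsp_urls(ext_value):
    """OCSP responder URIs from an AuthorityInfoAccess value; caIssuers entries are skipped.
    Structure: SEQUENCE OF AccessDescription { OID accessMethod, GeneralName accessLocation }."""
    urls = []
    for tag, seq in iter_tlv(ext_value):
        if tag != 0x30:
            continue
        for _, access_desc in iter_tlv(seq):
            items = list(iter_tlv(access_desc))
            if len(items) == 2 and items[0] == (0x06, OID_OCSP) and items[1][0] == TAG_URI:
                urls.append(items[1][1].decode("ascii"))
    return urls


def allow_list(crl_ext, aia_ext):
    """Collapse CRL and OCSP URLs into sorted (host, port) pairs for a firewall rule.
    Revocation URLs are almost always plain http, so the default port is 80."""
    entries = set()
    for url in crl_urls(crl_ext) + ocsp_urls(aia_ext):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        entries.add((parts.hostname, port))
    return sorted(entries)


# --- constructed sample data (the DigiCert CRL URLs are the ones quoted in the thread;
# --- the example.invalid OCSP/caIssuers URLs are assumed placeholders) ---
def _uri(u):
    return der_tlv(TAG_URI, u.encode("ascii"))


def _dist_point(u):
    return der_tlv(0x30, der_tlv(0xA0, der_tlv(0xA0, _uri(u))))


SAMPLE_CRL_EXT = der_tlv(0x30, _dist_point("http://crl3.digicert.com/sha2-ev-server-g3.crl")
                         + _dist_point("http://crl4.digicert.com/sha2-ev-server-g3.crl"))
SAMPLE_AIA_EXT = der_tlv(0x30,
                         der_tlv(0x30, der_tlv(0x06, OID_OCSP) + _uri("http://ocsp.example.invalid"))
                         + der_tlv(0x30, der_tlv(0x06, OID_CA_ISSUERS)
                                   + _uri("http://cacerts.example.invalid/ca.crt")))

if __name__ == "__main__":
    for host, port in allow_list(SAMPLE_CRL_EXT, SAMPLE_AIA_EXT):
        print(f"{host}:{port}")
```

The two parsing functions take the raw extnValue bytes; with a real certificate you would obtain those from whatever X.509 library you already use and feed them in unchanged. Note that the hosts in the result are exactly the names the earlier reply expected to see as OCSP or web-browsing on tcp/80, which is why an application-default rule for those hosts is the usual way to permit revocation checks without opening general outbound access.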