How to configure VPN and Certificates to cut VPN access when the Certificate is revoked.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to configure VPN and Certificates to cut VPN access when the Certificate is revoked.

L4 Transporter

Hello team,

 

I need to know How to configure VPN and Certificates to cut VPN access when the Certificate is revoked.

 

I have revoked a certificate into the Firewall but I can connect anyway from VPN.... I am using on my GlobalProtect connection and the connections are working fine, I need to cut this connection when the certificate is revoked, can anyone help me?

 

Regards

1 REPLY 1

Hi @Alpalo ,

The certificate are form of authentication. Which means they are used when user is initiating a connection to the firewall.

Revoking certificate does not affect currently established connection, the  same way  as disabling user account would disconnect the user if he has connected with username and password.

 

You need to manually disconnect the GP client from the gateway - if there is currently established session.

 

To prevent the user from connecting again you need to enable CRL or OCSP check in Ceritificate Profile that you assign for your GP Portal/Gateway. Look  at section 8.Certificate Profile, step 7 on the following link - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK

 

7. (optional) Check CRL or OCSP if the portal/gateway needs to verify the client/machine cert's revocation status using CRL or OCSP. Please use this with caution as it can result in clients failing to connect if used in conjunction with 'Block session if certificate status is unknown'.

 

Note that above is assuming you are  using internal PKI, to which firewall has access from its dedicated mgmt interface.

If you are using self-signed  CA that is generated by the firewall you will need to enable OCSP reponder as described here - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK

  • 642 Views
  • 1 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!