How to configure VPN and Certificates to cut VPN access when the Certificate is revoked.



Hello team,

I need to know how to configure VPN and certificates to cut VPN access when the certificate is revoked.

I have revoked a certificate in the firewall, but I can connect anyway from the VPN. I am using it on my GlobalProtect connection and the connections are working fine. I need to cut this connection when the certificate is revoked; can anyone help me?

Regards


Hi @Alpalo ,

Certificates are a form of authentication, which means they are used when a user is initiating a connection to the firewall.

Revoking a certificate does not affect a currently established connection, the same way as disabling a user account would disconnect the user if he has connected with username and password.

You need to manually disconnect the GP client from the gateway if there is a currently established session.

To prevent the user from connecting again you need to enable the CRL or OCSP check in the Certificate Profile that you assign to your GP Portal/Gateway. Look at section 8, Certificate Profile, step 7 at the following link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK

7. (optional) Check CRL or OCSP if the portal/gateway needs to verify the client/machine cert's revocation status using CRL or OCSP. Please use this with caution as it can result in clients failing to connect if used in conjunction with 'Block session if certificate status is unknown'.

Note that the above assumes you are using an internal PKI to which the firewall has access from its dedicated mgmt interface.

If you are using a self-signed CA that is generated by the firewall, you will need to enable the OCSP responder as described here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK
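To see what the CRL check in a certificate profile actually decides, here is an added openssl demo (not code from the thread, the KB article or PAN-OS): it builds a throwaway CA, issues and then revokes a client certificate, and mirrors the allow/deny decision for a good cert, a revoked cert, and the "status unknown" case where the CRL cannot be fetched. The CA config layout, file names and common names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, one client cert, a CRL before and after revoking it,
# then a function that mirrors the certificate-profile decision, including the
# "status unknown" case where the CRL cannot be retrieved. Names are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_dn
[ any_dn ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Internal CA" -days 365 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=gp-user" -config ca.cnf 2>/dev/null
ca() { openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key "$@" >/dev/null 2>&1; }
ca -batch -notext -in client.csr -out client.pem
# CRL while the cert is still good, then revoke it and publish a new CRL
ca -gencrl -out crl_before.pem
ca -revoke client.pem
ca -gencrl -out crl_after.pem

# profile_decision CERT CRL BLOCK_UNKNOWN(yes|no) -> prints allow or deny.
# An empty CRL argument stands for a CRL the gateway could not retrieve.
profile_decision() {
  if [ -n "$2" ]; then
    if openssl verify -CAfile ca.pem -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1
    then echo allow; else echo deny; fi
  elif [ "$3" = yes ]; then echo deny   # "Block session if certificate status is unknown"
  else echo allow                       # unknown status tolerated, as the KB step warns
  fi
}
```

Run it and compare `profile_decision client.pem crl_after.pem yes` (deny) with `profile_decision client.pem "" no` (allow): the second is exactly the gap the KB step warns about when the unknown-status block is left off.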
