They realeased update 265 to alert on certs with the DigiNotar Root Authority, but its not clear if that removes from the device as well or if a different update is required for the device.
Also other CAs are concerned apparently.
The trusted certificate store on Palo Alto Networks devices is not currently configurable or viewable.
If you wish to see the features of the product modified to allow user configuration of the certificate store please talk to your sales team to submit a feature request on your behalf.
since restarting our firewall (running 3.1.10), we see, for example by surfing on https://balie.culemborg.nl/, a "drop-all-packets" in the threat log. But in fact, the firewall does not drop the traffic nor shows any error or warning in the decrypted certificate. So we have the bizarre situation having error hints in browsers without PA firewall (as all browsers have removed the diginotar CA), but no warnings in browsers which are secured by a PA firewall (because all browsers accepts the PA certificate, which is used to re-encrypt the SSL traffic).
Have you configured the CRL/OCSP options on the Device tab -> Server CRL / OCSP Settings screen?
up to now, we did not have configured anything in the CRL/OCSP tab. Since 5 minutes, we have enabled the checking of revocation lists via CRL and OCSP. Testing on https://22.214.171.124, the firewall blocks the ssl traffic (the browsers shows a timeout). Although it would be nicer not to drop but to bring out a security warning or an invalid certificate, this behaviour is tolerable for us. There are not so much diginotar certificates anymore ...
Thanks for your hint.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!