05-29-2013 04:47 AM
Question: What service route does the PA take for his OCSP requests?
Since we can not choose anything under the service routes, I suppose it will use the management as default...
Is there any way to change this to some other interface?
Linus
05-29-2013 05:31 AM
Hi Linus,
The CRL-status service route may be worth a try if you have not done so already?
Regards,
Dave
05-29-2013 05:31 AM
Hi Linus,
The CRL-status service route may be worth a try if you have not done so already?
Regards,
Dave
05-31-2013 02:24 AM
I have asked Palo Alto directly to confirm this, since I was not able to really pin point the ocsp traffic in my packet captures.
I am still waiting for a definitive answer on this.
In the mean time, I have another related question/observation:
Is there any way of checking if OCSP stapling was used? Is there a way of testing if a certain website is using this?
Linus
05-31-2013 02:49 AM
To answer part of my own question.
Apparently you can use openssl to test this:
"openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status"
Linus
06-04-2013 07:51 AM
Still waiting for an official Palo Alto reply, but I think I found my answer in the admin guide
Service Route Configuration (Continued)
For example, if you want to route Kerberos authentication requests on an interface other than the MGT port, you need to configure the Destination and Source Address in the right section of the Service Route Configuration window since Kerberos is not listed in the default Service column.
For all services that are not selectable on the left side, you have to configure a route on the right. So i guess this will be the same for OCSP...
Ex.
Destination: IP of your internal kerberos server
Source Address: IP of your internal interface
But this setup has some limitations:
Since you can not choose a service or application, this route is for all traffic! And it will overrule all settings set on the left.
Ex.
Service: DNS
Source Address: MGT
+ primary DNS is set to same IP as you kerberos server
=> DNS traffic wil NOT use the MGT interface, but hit on the right side route rules and use you internal interface as source...
06-06-2013 12:21 AM
Hey Dyoung,
Seems you were right after all:
Official reply from PA:
The service route in question is the CRL one. That will apply for both.
Since we are having some issues with OCSP I am not able to confirm this from our lab setup, but I guess it is correct.
06-07-2013 09:32 AM
Testing the PAN OCSP responder with "openssl s_client -connect ocsp.company.com:443 -tls1 -tlsextdebug -status" (PA-200 5.0.4)
root@backup:~# openssl s_client -connect ocsp.company.com:443 -tls1 -tlsextdebug -status
CONNECTED(00000003)
OCSP response: no response sent
I was expecting to see something like
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
06-18-2013 05:11 AM
dear gafrol,
the openssl command given is to test ocsp stapling. apparently PA does not support OCSP stapling. Find here their official anszer to this question:
Regarding you oscp stapling question, per the PM: We do not support ocsp stapling which just takes an oscp response and folds it into the tls handshake.
that is why you got that result...
linus
06-18-2013 09:54 AM
Ahh OK thanks, good to know !
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
