OCSP service route?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

OCSP service route?

L4 Transporter

Question: What service route does the PA take for his OCSP requests?

Since we can not choose anything under the service routes, I suppose it will use the management as default...

Is there any way to change this to some other interface?

Linus

1 accepted solution

Accepted Solutions

L4 Transporter

Hi Linus,

The CRL-status service route may be worth a try if you have not done so already?

Regards,

Dave

View solution in original post

8 REPLIES 8

L4 Transporter

Hi Linus,

The CRL-status service route may be worth a try if you have not done so already?

Regards,

Dave

I have asked Palo Alto directly to confirm this, since I was not able to really pin point the ocsp traffic in my packet captures.

I am still waiting for a definitive answer on this.

In the mean time, I have another related question/observation:

Is there any way of checking if OCSP stapling was used? Is there a way of testing if a certain website is using this?

Linus

To answer part of my own question.

Apparently you can use openssl to test this:

"openssl s_client -connect login.live.com:443 -tls1  -tlsextdebug  -status"

Linus

Still waiting for an official Palo Alto reply, but I think I found my answer in the admin guide

Service Route Configuration (Continued)

For example, if you want to route Kerberos authentication requests on an interface other than the MGT port, you need to configure the Destination and Source Address in the right section of the Service Route Configuration window since Kerberos is not listed in the default Service column.

For all services that are not selectable on the left side, you have to configure a route on the right. So i guess this will be the same for OCSP...

Ex.

Destination: IP of your internal kerberos server

Source Address: IP of your internal interface

But this setup has some limitations:

Since you can not choose a service or application, this route is for all traffic! And it will overrule all settings set on the left.

Ex.

Service: DNS

Source Address: MGT

+ primary DNS is set to same IP as you kerberos server

=> DNS traffic wil NOT use the MGT interface, but hit on the right side route rules and use you internal interface as source...

Hey Dyoung,

Seems you were right after all:

Official reply from PA:

The service route in question is the CRL one. That will apply for both.

Since we are having some issues with OCSP I am not able to confirm this from our lab setup, but I guess it is correct.

Testing the PAN OCSP responder with "openssl s_client -connect ocsp.company.com:443 -tls1  -tlsextdebug  -status"  (PA-200 5.0.4)

root@backup:~# openssl s_client -connect ocsp.company.com:443 -tls1  -tlsextdebug  -status

CONNECTED(00000003)

OCSP response: no response sent

I was expecting to see something like

OCSP response:

======================================

OCSP Response Data:

    OCSP Response Status: successful (0x0)

    Response Type: Basic OCSP Response

    Version: 1 (0x0)

dear gafrol,

the openssl command given is to test ocsp stapling. apparently PA does not support OCSP stapling. Find here their official anszer to this question:

Regarding you oscp stapling question, per the PM: We do not support ocsp stapling which just takes an oscp response and folds it into the tls handshake.

that is why you got that result...

linus

Ahh OK thanks, good to know !

  • 1 accepted solution
  • 5361 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!