Override url ocsp and responder ocsp global protect VPN


L1 Bithead

Hi everyone,

At present, I have a GlobalProtect VPN with two-factor authentication (certificate and RADIUS) via the management interface.

The current setup is as follows:

  • The Palo Alto firewall acts as both the gateway and the OCSP responder.
  • The OCSP responder is configured to use the management IP address, and the OCSP Override URL also points to the management IP.

Because certificate validation relies on the management IP, a failover to the HA peer causes certificate validation to fail. In addition, having only a single management link creates a potential single point of failure.

To improve resiliency, I would like to use either a data-plane IP address or a loopback IP address as the OCSP responder, and configure the OCSP Override URL to point to that loopback or data-plane IP instead.

However, I’ve tried several configurations without success.

Could you please help me understand how to achieve this?

With 1000 users, I don't want to create everything anew.


Community Team Member

Hi @HAINVH ,

What have you tried so far?

You should be able to host OCSP on an alternate interface instead of tying it to the management IP.

A few things I would be mindful of:

  • The interface should have an Interface Management Profile applied with HTTP OCSP enabled.
  • The OCSP responder hostname/IP should resolve to the data-plane or loopback interface.
  • Routing and security policy need to allow the OCSP traffic.

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.


I have already created an Interface Management Profile with HTTP and OCSP enabled and applied it to the loopback interface, but it still doesn't work.

I have another question. When the Palo Alto device acts as both the gateway and the OCSP responder, do I need to configure any additional routing or security policies for this to work?

Or are you referring to configuring a Service Route instead?

Community Team Member

Hi @HAINVH ,

Gotcha, thanks for the info.

You’ll want to make sure DNS, routing, and security policy are in place so your GlobalProtect clients can resolve and reach the OCSP URL on the loopback address to check certificate status.

The flow should look something like this:

GP client resolves the OCSP hostname to the loopback IP → traffic comes from the GP zone → traffic is allowed to the OCSP/Loopback zone

For example:

GP Users → GP Zone → OCSP/Loopback Zone

LIVEcommunity team member
Stay Secure,
Jay
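A defender-side sanity check for the flow Jay describes, added here as an example; it is not part of the thread and not Palo Alto tooling. It builds an RFC 6960 OCSP request for one certificate, forms the HTTP GET URL that a GlobalProtect client would hit at the override URL, and confirms that the URL's hostname resolves to the loopback or data-plane responder IP rather than the management IP. The hostname ocsp.example.test, the loopback address 10.255.0.1 and the issuer bytes used in the demonstration are constructed values; the live query function is the only part that needs a network.

```python
"""Sanity checks for a GlobalProtect OCSP override URL that should point at
a loopback or data-plane responder instead of the management IP.

Added example for this thread; not Palo Alto code. The hostname
ocsp.example.test and the loopback address 10.255.0.1 are constructed values.
The request format follows RFC 6960 (CertID, and the HTTP GET encoding in
Appendix A); SHA-1 is the CertID hash most responders expect (RFC 5019).
"""
import base64
import hashlib
import socket
import urllib.parse
import urllib.request
from ipaddress import ip_address


# ---- minimal DER encoder: only what an unsigned OCSPRequest needs ----
def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """Non-negative INTEGER; prepend 0x00 if the high bit would read as a sign."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


OID_SHA1 = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26


def build_ocsp_request(issuer_name_der: bytes, issuer_pubkey: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest SEQUENCE { requestList SEQUENCE OF Request } }.
    issuer_name_der is the DER of the issuer Name; issuer_pubkey is the raw
    subjectPublicKey bits (no BIT STRING header), as RFC 6960 4.1.1 hashes them."""
    hash_alg = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))
    cert_id = der(0x30, hash_alg
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_pubkey).digest())
                  + der_int(serial))
    request = der(0x30, cert_id)           # Request { reqCert CertID }
    request_list = der(0x30, request)      # SEQUENCE OF Request
    tbs_request = der(0x30, request_list)  # version defaults to v1 and is omitted
    return der(0x30, tbs_request)


def ocsp_get_url(override_url: str, request_der: bytes) -> str:
    """RFC 6960 A.1: GET {url}/{url-encoded base64 of the DER OCSPRequest}."""
    token = urllib.parse.quote(base64.b64encode(request_der).decode("ascii"), safe="")
    return override_url.rstrip("/") + "/" + token


def check_override_url(override_url, expected_ip, resolver=socket.gethostbyname):
    """Confirm the override URL's hostname resolves to the loopback/data-plane
    responder IP (the one Jay's flow expects), not the management IP.
    Returns (ok, detail); the resolver is injectable so this runs offline."""
    parts = urllib.parse.urlsplit(override_url)
    if parts.scheme != "http" or not parts.hostname:
        return False, f"expected an http:// URL with a host, got {override_url!r}"
    try:
        resolved = resolver(parts.hostname)
    except OSError as exc:
        return False, f"DNS lookup for {parts.hostname} failed: {exc}"
    if ip_address(resolved) != ip_address(expected_ip):
        return False, f"{parts.hostname} resolves to {resolved}, expected {expected_ip}"
    return True, f"{parts.hostname} -> {resolved}"


def query_responder(override_url, request_der, timeout=5):
    """Live check (needs network): send the GET from the client side and report
    the HTTP status plus whether the body starts like a DER OCSPResponse (0x30)."""
    req = urllib.request.Request(ocsp_get_url(override_url, request_der),
                                 headers={"Accept": "application/ocsp-response"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        return resp.status, body[:1] == b"\x30"


if __name__ == "__main__":
    # Offline demonstration with constructed inputs; swap in the real issuer
    # name/key bytes and a user certificate's serial for a live test.
    url = "http://ocsp.example.test/"
    req = build_ocsp_request(b"constructed-issuer-name", b"constructed-issuer-key", 0x1234)
    print(ocsp_get_url(url, req))
    print(check_override_url(url, "10.255.0.1", resolver=lambda host: "10.255.0.1"))
```

Run the DNS check from a machine in the GP zone (or with the resolver the clients use); a hostname that still resolves to the management IP explains a failover that breaks validation even when the loopback profile is correct. Only after that resolves as expected does `query_responder` tell you whether routing and the GP-to-loopback security policy actually let the request through.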