06-29-2026 07:56 AM
Hi everyone,
At present, I have a GlobalProtect VPN with two-factor authentication using a certificate and RADIUS, via the management interface.
The current setup is as follows:
Because certificate validation relies on the management IP, a failover to the HA peer causes certificate validation to fail. In addition, having only a single management link creates a potential single point of failure.
To improve resiliency, I would like to use either a data-plane IP address or a loopback IP address as the OCSP responder, and configure the OCSP Override URL to point to that loopback or data-plane IP instead.
However, I’ve tried several configurations without success.
Could you please help me understand how to achieve this?
With 1000 users, I don't want to create them all again.
06-29-2026 06:18 PM
Hi @HAINVH ,
What have you tried so far?
You should be able to host OCSP on an alternate interface instead of tying it to the management IP.
A few things I would be mindful of:
06-29-2026 08:51 PM
I have already created an Interface Management Profile with HTTP and OCSP enabled and applied it to the loopback interface, but it still doesn't work.
I have another question. When the Palo Alto device acts as both the gateway and the OCSP responder, do I need to configure any additional routing or security policies for this to work?
Or are you referring to configuring a Service Route instead?
06-30-2026 06:41 AM
Hi @HAINVH ,
Gotcha, thanks for the info.
You’ll want to make sure DNS, routing, and security policy are in place so your GlobalProtect clients can resolve and reach the OCSP URL on the loopback address to check certificate status.
The flow should look something like this:
GP client resolves the OCSP hostname to the loopback IP → traffic comes from the GP zone → traffic is allowed to the OCSP/Loopback zone
For example:
GP Users → GP Zone → OCSP/Loopback Zone