- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-08-2011 04:50 AM
Hi Guys,
Hopeing you can answer a couple of questions I have regarding SSL certificates.
1) How does the Palo Alto device itself handle SSL when it is doing interception? Can you set that it would block traffic when for example, an online banking sites certificate has expired, force OCSP, etc.
2) How does the Palo Alto maintain its own list of CAs, can we remove CAs from the list
Hope this make sence
Marc
06-08-2011 06:54 PM
Pan handles encrypted traffic as the man in the middle, however we do not give you the option of blocking based on certificate expiration.
List of CA's is normally maintained by software release, CA,s cannot be removed from this list as far as I know.
06-08-2011 06:54 PM
Pan handles encrypted traffic as the man in the middle, however we do not give you the option of blocking based on certificate expiration.
List of CA's is normally maintained by software release, CA,s cannot be removed from this list as far as I know.
06-08-2011 10:31 PM
PAN provides you with the option to set OCSP, in the admin guide (Page 34, PANOS v4) it says you have the option to "Block Unknown Certificates"
What does this option actually do?
Would it not block traffic if the certificate had expired or was unknown ?
Marc
06-09-2011 05:57 PM
No this option does not take the expiration of the certificate as part of he decision making process, this would normally be caught by the client browser.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!