04-12-2021 09:03 AM
We are trying to authenticate users connecting to GP via client certs, idea is to revoke client certs and thus prevent users from connecting to GP. Test user is still able to connect after certification has been revoked. Due to some reasons, OCSP has been disabled on the gateway, CRL does not contain revocation status, only delta CRL does, which is not supported by PAN-OS ref (tac case 01728222).
In PANGPS following logs are seen:
(T532)Info (5289): 02/05/21 15:23:47:711 cert 000001E403ACF4B0 verification result is 0x4
(T532)Info (5292): 02/05/21 15:23:47:711 cert 000001E403ACF4B0 failed revocation verificaiton
(T532)Debug(5309): 02/05/21 15:23:47:711 Check certificate revocation returns FALSE
Questions here are:
1> Does the above logs indicate that the GP agent has detected that the cert is expired or that the revocation check has failed.
2> Will the GP agent do a client cert validation prior to allowing the user to connect. or not.
Thanks in advance!
04-12-2021 11:09 AM - edited 04-12-2021 11:10 AM
Are you utilizing cookies as well and if so what are they set too? It could it be possible that you are using a 24 hour cookie and its using this to authenticate the client (but I'm not 100% sure of this). If you do a manual "Refresh Connections" does it fail to connect after?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!