10-18-2022 11:30 AM
I've set up one of our PAs (a 5260 running 10.1.6-h3) to use as a certificate authority and OCSP responder for use with GlobalProtect remote access. I'm able to issue and verify certificates with no problem, but revoking a client certificate has no effect on whether the client is able to connect. I'm able to browse to http://<PA IP>/CA/ocsp, but the browser downloads a 0kb file and the device doesn't appear to be updating this revocation information. Do I need to do something else to have the firewall validate this cert?
Does the firewall generate the OCSP request from its own management interface, or the interface it's doing the GlobalProtect auth on? I have the service listener set up on the Management interface but that wouldn't be accessible from the outside if that's the case.
10-21-2022 08:35 AM
I believe it uses whatever interface you define in the OCSP responder section. Is that where you've defined the management interface?