GlobalProtect OCSP validation not working

L1 Bithead

Hi,

 

OCSP verification configured in a Certificate Profile on my Palo Alto 3020 doesn't seem to work.

 

My GlobalProtect configuration with pre-logon is working with a machine certificate, but when I want to see the status of the OCSP cache on the Palo, I have an unavailable status:

 

debug sslmgr view ocsp all

Current time is: Thu Feb 2 10:21:28 2017

Count Serial Number (HEX) Status Next Update Revocation Time Reason
Issuer Name Hash
OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[ 1] 44000001565A923152F9A9E91A000000000156 unavailable Feb 02 08:20:44 2017 GMT

 

Here is the error in the sslmgr.log:

 

2017-02-02 11:42:30.124 +0100 Warning: pan_ocsp_query_responder(pan_crl.c:2039): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_parse_response(pan_crl.c:1460): [OCSP] The result of Certificate status query is unavailable for serial number[440000056D26FE31762285F22F00000000056D] and uri[http://ocsp.dummy.com/ocsp]
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_fetch_ocsp(pan_crl.c:2287): pan_ocsp_parse_response() failed

 

Yes, I've activated the NONCE support on my Microsoft OCSP Responder as mentioned here:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/OCSP-Validation-of-Client-Certificate-No...

 

I've done a capture on the firewall and I see the packets OCSP Request and OCSP Response but Palo Alto

 

ocsp-request.png

 

ocsp-response.png

 

Any ideas, anyone?
