GlobalProtect OCSP validation not working


OCSP verification configured in a Certificate Profile on my Palo Alto 3020 doesn't seem to work.


My GlobalProtect configuration with pre-logon is working with a machine certificate, but when I want to see the status of the OCSP cache on the Palo, I have an unavailable status:


debug sslmgr view ocsp all

Current time is: Thu Feb 2 10:21:28 2017

Count Serial Number (HEX) Status Next Update Revocation Time Reason
Issuer Name Hash
OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[ 1] 44000001565A923152F9A9E91A000000000156 unavailable Feb 02 08:20:44 2017 GMT


Here is the error in sslmgr.log:


2017-02-02 11:42:30.124 +0100 Warning: pan_ocsp_query_responder(pan_crl.c:2039): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_parse_response(pan_crl.c:1460): [OCSP] The result of Certificate status query is unavailable for serial number[440000056D26FE31762285F22F00000000056D] and uri[]
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_fetch_ocsp(pan_crl.c:2287): pan_ocsp_parse_response() failed


Yes, I've activated the NONCE support on my Microsoft OCSP Responder as mentioned here:


I've done a capture on the firewall and I see the packets OCSP Request and OCSP Response but Palo Alto

Ideas, anyone?
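The post shows the firewall marking the serial as unavailable, but not whether the responder itself returns a usable, nonce-bearing response, and a packet capture is harder to read than a direct query. The script below is an added example, not code from the poster or from Palo Alto Networks: it builds a throwaway CA and machine certificate, runs openssl's own OCSP responder for a single request, and queries it with a nonce the way a relying party does, so the "Response verify OK" / "good" path can be seen end to end on a lab box before the firewall side is debugged. It assumes the openssl CLI is installed and that loopback TCP port 18888 (an arbitrary choice) is free; the CA, certificate and index file are all constructed by the script.

```shell
#!/bin/sh
# Added example (not from the original post or from Palo Alto Networks):
# stand up a throwaway OCSP responder with openssl and query it with a
# nonce, the way a firewall would, so responder behaviour can be checked
# independently of PAN-OS.
# Assumptions: the openssl CLI is installed and TCP port 18888 on loopback
# is free. Every certificate here is generated on the spot and is throwaway.

ocsp_roundtrip() (
    port=18888
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1

    # Throwaway issuing CA; it also signs its own OCSP responses.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Lab Issuing CA" -days 1 >/dev/null 2>&1 || exit 1

    # A machine certificate issued by that CA (the pre-logon cert role).
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=machine01" >/dev/null 2>&1 || exit 1
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out leaf.pem -days 1 >/dev/null 2>&1 || exit 1

    # openssl's responder reads status from a CA index file with six
    # tab-separated fields: status, expiry, revocation date (empty = not
    # revoked), serial, filename, subject. Serial must match the cert's.
    serial=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=machine01\n' "$serial" > index.txt

    # Responder: answers exactly one request then exits. It echoes the
    # request nonce back by default (unlike a responder with nonces disabled).
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -port "$port" -nrequest 1 >/dev/null 2>&1 &
    responder=$!

    # Client side: -nonce adds the nonce extension to the request, and the
    # client then insists the response carries the same nonce. Retry briefly
    # while the responder is still binding its port.
    ok=1
    for attempt in 1 2 3 4 5 6 7 8 9 10; do
        if openssl ocsp -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
               -url "http://127.0.0.1:$port" -nonce > client.txt 2>&1; then
            ok=0
            break
        fi
        sleep 1
    done
    kill "$responder" 2>/dev/null || true
    wait "$responder" 2>/dev/null || true

    # Output is "Response verify OK" (signature and chain) followed by
    # "leaf.pem: good" with the thisUpdate/nextUpdate times.
    cat client.txt
    cd / && rm -rf "$work"
    exit $ok
)

ocsp_roundtrip
```

Against a real responder only the client half is needed: point `-url` at the responder's address, pass the real issuing CA as `-issuer` and the machine certificate as `-cert`, and keep `-nonce`. A "WARNING: no nonce in response" line means the responder is still answering without the nonce, and "Nonce Verify Error" means it returned a nonce that does not match the request; either would explain a relying party refusing the response.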
