03-19-2020 05:06 PM - edited 03-20-2020 06:59 AM
It appears possible to configure the firewall to be an OCSP responder to itself/clients from the posts below? Is that correct? (Specifically referring to self-signed certificates generated on the firewall) If so, is there any risk to having this service run on an external interface, in order to control/revoke machine certificates? If the need arises for a certificate revocation, is the firewall responding to itself and not letting the client connect to the portal/gateway, or is the client ultimately making that decision?
I'm finding the GP agent will still connect to the Gateway even if I have revoked a generic machine certificate used in the profile for the Gateway. The CA certificate is still good, but if I revoke the machine certificate, and it shows as revoked in the firewall, the client can still connect.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClteCAC