It appears possible to configure the firewall to be an OCSP responder to itself/clients from the posts below? Is that correct? (Specifically referring to self-signed certificates generated on the firewall.) If so, is there any risk to having this service run on an external interface, in order to control/revoke machine certificates?

If the need arises for a certificate revocation, is the firewall responding to itself and not letting the client connect to the portal/gateway, or is the client ultimately making that decision? I'm finding the GP agent will still connect to the Gateway even if I have revoked a generic machine certificate used in the profile for the Gateway. The CA certificate is still good, but if I revoke the machine certificate, and it shows revoked in the firewall, the client can still connect.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIzCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClteCAC
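The question above comes down to whether the responder's verdict or the client's own policy decides the outcome. As an added example (not from the original post and not Palo Alto Networks code), the script below separates the two: it builds a throwaway CA and a machine certificate with openssl, marks the certificate as valid or revoked in an OpenSSL CA index, lets openssl answer an OCSP request from that index and signs the response with the CA key (the equivalent of a firewall acting as its own responder), then verifies the response the way a client would and reports the status word. Everything runs offline. The names `Demo Lab CA` and `demo-laptop`, the file names, the `superseded` reason and the far-future index expiry date are constructed for the demo; it assumes `openssl` and a POSIX `sh`.

```shell
#!/bin/sh
# Added example (not part of the original post): offline OCSP request/response
# cycle with openssl, so a responder's verdict for a certificate can be checked
# independently of any client that may or may not honour it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed lab CA and a machine certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Lab CA" -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout machine.key -out machine.csr \
    -subj "/CN=demo-laptop" 2>/dev/null
openssl x509 -req -in machine.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out machine.crt -days 30 2>/dev/null

# Serial number as the CA index expects it (uppercase hex).
SERIAL="$(openssl x509 -in machine.crt -noout -serial | cut -d= -f2)"

# ocsp_status V|R
#   Writes a one-line OpenSSL CA index marking the machine certificate as
#   valid (V) or revoked (R), has openssl answer an OCSP request from that
#   index, verifies the signed response as a client would, and prints the
#   status word the response carries ("good" or "revoked").
ocsp_status() {
    now="$(date -u +%y%m%d%H%M%SZ)"
    if [ "$1" = "R" ]; then
        revoked="${now},superseded"   # revocation time and reason
    else
        revoked=""
    fi
    # Index columns: status, expiry (constructed far-future date, not
    # consulted for the OCSP status), revocation time, serial, file, subject.
    printf '%s\t491231235959Z\t%s\t%s\tunknown\t/CN=demo-laptop\n' \
        "$1" "$revoked" "$SERIAL" > index.txt

    # 1. Client side: build the OCSP request for the machine certificate.
    openssl ocsp -issuer ca.crt -cert machine.crt -no_nonce \
        -reqout req.der >/dev/null

    # 2. Responder side: answer from the index, signing with the CA key.
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1

    # 3. Client side: verify the signature against the CA and read the status.
    openssl ocsp -issuer ca.crt -cert machine.crt -no_nonce -CAfile ca.crt \
        -respin resp.der 2>/dev/null | sed -n 's/^machine\.crt: //p'
}

echo "before revocation: $(ocsp_status V)"
echo "after revocation:  $(ocsp_status R)"
```

If the responder reports `revoked` for a certificate and a client still connects with it, the decision is being made on the client side: it is not consulting the responder at all, or it treats a failed or cached lookup as acceptable. That is the place to look (the client's revocation-checking settings and what it does when the responder cannot be reached) rather than the CA or the index, which this check has already shown to be correct.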