Hello experts,

We are trying to authenticate users connecting to GP via client certs; the idea is to revoke client certs and thus prevent users from connecting to GP. The test user is still able to connect after the certificate has been revoked.

Due to some reasons, OCSP has been disabled on the gateway. The CRL does not contain the revocation status, only the delta CRL does, which is not supported by PAN-OS (ref. TAC case 01728222).

In PANGPS the following logs are seen:

(T532)Info (5289): 02/05/21 15:23:47:711 cert 000001E403ACF4B0 verification result is 0x4
(T532)Info (5292): 02/05/21 15:23:47:711 cert 000001E403ACF4B0 failed revocation verificaiton
(T532)Debug(5309): 02/05/21 15:23:47:711 Check certificate revocation returns FALSE

Questions here are:

1> Do the above logs indicate that the GP agent has detected that the cert is expired, or that the revocation check has failed?
2> Will the GP agent do a client cert validation prior to allowing the user to connect, or not?

Thanks in advance!