This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About tomdevos-D09
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About tomdevos-D09
08-08-2022
3Posts
0Likes
0Solutions
Aug 08, 2022Last Visited
User
Activity
User
Profile
Latest posts by tomdevos-D09
| Subject | Views | Posted |
|---|---|---|
| 530 | 10-15-2021 04:25 AM | |
| 1459 | 03-26-2021 12:58 AM | |
| 1488 | 03-25-2021 06:27 AM |
User Badges
Community Statistics
| Member Since | 03-16-2021 12:38 AM |
| Date Last Visited | 08-08-2022 08:22 AM |
| Posts | 3 |
10-15-2021
04:25 AM
Hi, Is there and if so what is the difference on processing speed of a PA rulebase when most hit rules are on top vs when most hit rules are spread throughout the rule base? For example: Imagine a rulebase of 15000 rules. What would be the processing speed difference if a certain rule is hit 10000 times a day if it's on top (say 1th rule in the rulebase) or when it is the last rule in the rulebase.
... View more
03-26-2021
12:58 AM
@Sec101 As I had the same question I did some investigation 🙂 You need to: - Enable OCSP checking in Device > Session => Decryption Settings - Create an HTTP OCSP Service Management Profile under Network Profiles > Interface Management - Create An OCSP Responder under Device > Certificate Management > OCSP Responder - Create Client Certificates with this Responder as OCSP Responder - make sure OCSP checking is enabled on the Certificate profile used for GP Next to that: Pay attention that if you revoke the certificate in the Certificate store it isn't automatically and immediatly revoked for the GP service as OCSP is cached on the FW: To immediatly have affect you need to execute the following commands in CLI debug sslmgr delete ocsp all (or instead of all tab comlete with your OCSP URL debug dataplane reset ssl-decrypt certificate-status Now the certificate will be revoked and if the client tries to (re)connect it will get that message.
... View more
03-25-2021
06:27 AM
Same question here. How to get GP to check for revoked certs if there is no CRL or OCSP because it's self signed by the PA
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-08-2022
08:22 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks