About tomdevos-D09

@Sec101    As I had the same question I did some investigation 🙂 You need to: - Enable OCSP checking in Device > Session => Decryption Settings   - Create an HTTP OCSP Service Management Profile under Network Profiles > Interface Management   - Create An OCSP Responder under Device > Certificate Management > OCSP Responder   - Create Client Certificates with this Responder as OCSP Responder - make sure OCSP checking is enabled on the Certificate profile used for GP   Next to that:  Pay attention that if you revoke the certificate in the Certificate store it isn't automatically and immediatly revoked for the GP service as OCSP is cached on the FW:  To immediatly have affect you need to execute the following commands in CLI  debug sslmgr delete ocsp all (or instead of all tab comlete with your OCSP URL debug dataplane reset ssl-decrypt certificate-status Now the certificate will be revoked and if the client tries to (re)connect it will get that message. ... View more

Same question here. How to get GP to check for revoked certs if there is no CRL or OCSP because it's self signed by the PA ... View more