Question: What service route does the PA take for his OCSP requests?
Since we can not choose anything under the service routes, I suppose it will use the management as default...
Is there any way to change this to some other interface?
I have asked Palo Alto directly to confirm this, since I was not able to really pin point the ocsp traffic in my packet captures.
I am still waiting for a definitive answer on this.
In the mean time, I have another related question/observation:
Is there any way of checking if OCSP stapling was used? Is there a way of testing if a certain website is using this?
Still waiting for an official Palo Alto reply, but I think I found my answer in the admin guide
Service Route Configuration (Continued)
For example, if you want to route Kerberos authentication requests on an interface other than the MGT port, you need to configure the Destination and Source Address in the right section of the Service Route Configuration window since Kerberos is not listed in the default Service column.
For all services that are not selectable on the left side, you have to configure a route on the right. So i guess this will be the same for OCSP...
Destination: IP of your internal kerberos server
Source Address: IP of your internal interface
But this setup has some limitations:
Since you can not choose a service or application, this route is for all traffic! And it will overrule all settings set on the left.
Source Address: MGT
+ primary DNS is set to same IP as you kerberos server
=> DNS traffic wil NOT use the MGT interface, but hit on the right side route rules and use you internal interface as source...
Testing the PAN OCSP responder with "openssl s_client -connect ocsp.company.com:443 -tls1 -tlsextdebug -status" (PA-200 5.0.4)
root@backup:~# openssl s_client -connect ocsp.company.com:443 -tls1 -tlsextdebug -status
OCSP response: no response sent
I was expecting to see something like
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
the openssl command given is to test ocsp stapling. apparently PA does not support OCSP stapling. Find here their official anszer to this question:
Regarding you oscp stapling question, per the PM: We do not support ocsp stapling which just takes an oscp response and folds it into the tls handshake.
that is why you got that result...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!