Focus

Enable an HTTP Proxy for OCSP Status Checks

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Online Certificate Status Protocol (OCSP)

Certificate Deployment

Enable an HTTP Proxy for OCSP Status Checks

Configure your web proxy to send and receive OCSP requests and status responses.

If your network deployment consists of a web proxy, you can configure Online Certificate Status Protocol (OCSP) to validate certificates. All OCSP requests and responses will pass through your proxy server. The benefits of checking certificate status using OCSP instead of or in addition to certificate revocation lists (CRLs) include real-time status responses and reduced usage of network and client resources.

The workflow of OCSP certificate validation through a web proxy is as follows:

An authenticating client (firewall) forwards an OCSP request to the proxy. The request contains the serial number for the certificate the client wants to validate.

The proxy validates the request and identifies the OCSP responder for the certificate authority (CA) that issued the certificate.

The proxy forwards the OCSP request to the responder, and the OCSP responder looks up the revocation status for the certificate in the CA database.

The OCSP responder sends the certificate status (

good

revoked

, or

unknown

) to the proxy.

The proxy forwards the certificate status to the client.

The following procedure assumes you have not set up a web proxy.

Configure a proxy server.

Go to

Device

Setup

Services

, and edit the Services settings.

Edit the Proxy Server settings.

For

Server

, enter the IP address or host name of the proxy server.

Enter a

Port

For

User

, enter a username that an administrator enters to access the proxy server.

Enter and confirm a

Password

that an administrator enters to access the proxy server.

You can also use the following CLI commands to configure your proxy server for OCSP status checks (and CRL downloads).

set deviceconfig system secure-proxy-server <value>

set deviceconfig system secure-proxy-port <1-65535>

set deviceconfig system secure-proxy-user <value>

set deviceconfig system secure-proxy-password <value>

Configure an OCSP responder.

Configure revocation status verification of certificates.

Online Certificate Status Protocol (OCSP)

Certificate Deployment

Next-Generation Firewall Docs

Enable an HTTP Proxy for OCSP Status Checks

Next-Generation Firewall Docs

Enable an HTTP Proxy for OCSP Status Checks

Recommended For You

Activation and Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner