Palo Alto Networks firewalls can use the Online Certificate Status Protocol (OCSP) to check the revocation status of X.509 digital certificates (SSL/TLS certificates). The advantages of using OCSP instead of or in addition to certificate revocation lists (CRLs) are real-time certificate status responses and usage of fewer network and client resources. Certificate status can be good, revoked, or unknown.

After you enable certificate verification using OCSP, the firewall verifies the status of a certificate when establishing an SSL/TLS session. First, an authenticating client (firewall) sends an status request to an OCSP responder (server). The request includes the serial number of the target certificate. Certificates are not accepted until the responder provides a status response. Next, the OCSP responder uses the serial number to search the database of the CA that issued the certificate for its revocation status. Then, the OCSP responder returns the certificate status to the client. The firewall drops sessions with revoked certificates.

Palo Alto Networks firewalls download and cache OCSP responses for every CA in the trusted CA list of the firewall. The cache includes OCSP responses for an issuing CA only if the firewall has already validated a certificate. Caching OCSP responses speeds up the response time and minimizes OCSP traffic to the responder.

The following applications use certificates to authenticate users and devices: Authentication Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP to verify the revocation status of certificates that authenticate users and devices, perform the following steps: