When establishing an SSL/TLS session, clients can use the
Online Certificate Status Protocol (OCSP) to check the revocation
status of the authentication certificate. The authenticating client
sends a request identifying the certificate by its serial number
(together with a hash of the issuing CA's name and public key) to the
OCSP responder (server). The responder searches the database of the
certificate authority (CA) that issued the certificate and returns a
signed response containing the status (good, revoked, or unknown) to
the client, which verifies the signature before trusting the status.
The advantage of the OCSP method is that it reports the status the CA
holds at the time of the query, instead of depending on the issue
frequency (hourly, daily, or weekly) of certificate revocation lists
(CRLs).
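The exchange described above, as an added example that is not part of the PAN-OS documentation or of any Palo Alto Networks code: an offline OCSP round trip with the openssl command line. It builds a throwaway CA and one end-entity certificate, plays the responder from an index file that stands in for the CA's revocation database, and then verifies the signed response the way a client would, for each of the three statuses (good, revoked, unknown). The CA name, the user CN, the serial 0x1001 and the dates written into the index file are all constructed for the example; signing the response directly with the CA key stands in for the dedicated responder certificate a real deployment would use.

```shell
#!/bin/sh
# Added example, not from the PAN-OS documentation: an offline OCSP round trip
# with the openssl CLI. All names, serials and dates below are made up.
set -eu

make_pki() {
  # $1 = working directory. A self-signed CA plus one end-entity certificate
  # with a fixed serial (0x1001) so the responder's database entry is readable.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=Demo Root CA" -days 30 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" -subj "/CN=user1" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial 0x1001 -days 30 -out "$1/leaf.pem" 2>/dev/null
}

write_index() {
  # $1 = working directory, $2 = good|revoked|unknown. Writes the CA database
  # the responder answers from, in openssl's index.txt layout:
  # status, expiry, revocation date, serial (hex), file, subject (tab-separated).
  case "${2:-}" in
    good)    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=user1\n' > "$1/index.txt" ;;
    revoked) printf 'R\t300101000000Z\t240101000000Z\t1001\tunknown\t/CN=user1\n' > "$1/index.txt" ;;
    # A database that has never heard of serial 1001 yields "unknown".
    unknown) printf 'V\t300101000000Z\t\t2002\tunknown\t/CN=someone-else\n' > "$1/index.txt" ;;
    *) echo "write_index: expected good|revoked|unknown" >&2; return 1 ;;
  esac
}

ocsp_round_trip() {
  # $1 = working directory, $2 = good|revoked|unknown.
  # Prints the status the verifying client extracts from the response.
  write_index "$1" "$2"
  (
    cd "$1" || exit 1
    # Client side: build a request that names the certificate by issuer
    # name hash, issuer key hash and serial number.
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der
    # Responder side: look the serial up in index.txt and return a signed
    # response. Signing with the CA key itself stands in for a responder cert.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
      -reqin req.der -respout resp.der
    # Client side again: verify the response signature against the trusted CA
    # before reading the status. Without "Response verify OK" the status is
    # untrusted data and the function fails instead of returning it.
    out=$(openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce \
      -respin resp.der -CAfile ca.pem 2>&1)
    printf '%s\n' "$out" | grep -q 'Response verify OK' \
      || { echo "response signature did not verify" >&2; exit 1; }
    printf '%s\n' "$out" | awk -F': ' '$1 == "leaf.pem" { print $2 }'
  )
}

demo() {
  dir=$(mktemp -d)
  make_pki "$dir"
  for s in good revoked unknown; do
    printf 'CA database says %-8s -> client sees: %s\n' "$s" "$(ocsp_round_trip "$dir" "$s")"
  done
  rm -rf "$dir"
}

demo
```

Against a live responder the two file-based steps collapse into one client command, `openssl ocsp -issuer ca.pem -cert leaf.pem -url http://<responder>/ -CAfile ca.pem`, which is the quickest way to check what a firewall's certificate profile will see for a given certificate. The check for "Response verify OK" is the part that matters: a status read from an unverified response is worthless, since anyone on the path could have written it.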
The Palo Alto Networks firewall downloads and caches OCSP status
information for every CA listed in the trusted CA list of the firewall.
Caching only applies to validated certificates: if the firewall has
never validated a certificate issued by a given CA, its cache holds no
OCSP information for that CA. If your enterprise has its own public
key infrastructure (PKI), you can configure the firewall as an OCSP
responder (see Configure an OCSP Responder).
The following applications use certificates to authenticate users
and/or devices: Authentication Portal, GlobalProtect (remote user-to-site
or large scale), site-to-site IPSec VPN, and web interface access
to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying
the revocation status of the certificates:
1. Configure an OCSP responder (only if you are configuring the
   firewall itself as the OCSP responder).
2. Enable the HTTP OCSP service on the firewall (only if you are
   configuring the firewall itself as the OCSP responder).
3. Create or obtain a certificate for each application.
4. Configure a certificate profile for each application; the
   certificate profile is where OCSP checking is enabled for the CAs
   it lists.
5. Assign the certificate profile to the relevant application.