Next-Generation Firewall
Configure an OCSP Responder
To verify the revocation status of certificates with the Online Certificate Status
Protocol (OCSP), define an external OCSP responder or configure an NGFW itself as an OCSP
responder.
To use Online Certificate Status Protocol (OCSP) for verifying the revocation
status of certificates, you must configure the firewall to access an OCSP responder
(server). The entity that manages the OCSP responder can be a third-party
certificate authority (CA). If your enterprise has its own public key infrastructure
(PKI), you can use external OCSP responders or you can configure the firewall itself
as an OCSP responder. For details on OCSP, see Certificate Revocation.
Configure an OCSP responder for a Certificate Profile only when you
generate a new certificate (Device > Certificate Management > Certificates). Specify the OCSP Responder when you
generate a new certificate so that the firewall populates the Authority
Information Access (AIA) field with the appropriate URL, and then specify the new
certificate in the Certificate Profile. Configuring a Certificate Profile does
not override the Certificate Profile for existing certificates or Root
CAs.
You can enable OCSP validation or override the AIA field of a
certificate in the Certificate Profile. The Certificate
Profile configuration determines which certificate validation mechanisms are
used on certificates that authenticate to services hosted on the firewall, such
as GlobalProtect.
1. Define an external OCSP responder or configure the firewall itself as an OCSP responder.
   - Select Device > Certificate Management > OCSP Responder and click Add.
   - Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
   - If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
   - In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. You can enter an IPv4 or IPv6 address. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified.
   - If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services.
   - Click OK.
2. If you want the firewall to use the management interface for the OCSP responder interface, enable OCSP communication on the firewall. Otherwise, continue to the next step to configure an alternate interface.
   - Select Device > Setup > Interfaces > Management.
   - In the Network Services section, select the HTTP OCSP check box, then click OK.
3. To use an alternate interface as the OCSP responder interface, add an Interface Management Profile to the interface used for OCSP services.
   - Select Network > Network Profiles > Interface Mgmt.
   - Click Add to create a new profile or click the name of an existing profile.
   - Select the HTTP OCSP check box and click OK.
   - Select Network > Interfaces and click the name of the interface that the firewall will use for OCSP services. The OCSP Host Name specified in Step 1 must resolve to an IP address in this interface.
   - Select Advanced > Other Info and select the Interface Management Profile you configured.
   - Click OK and Commit.
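A check to run after the procedure, added here and not part of the PAN-OS documentation: the script below confirms that a certificate's AIA extension carries an OCSP URI whose host is the responder Host Name configured in Step 1, which is what the firewall populates only for certificates generated after the responder is selected. It assumes the openssl command-line tool is available; the CA, the two leaf certificates and the responder name ocsp.example.com are constructed locally as stand-ins for material exported from the firewall.

```shell
# Added example, not from the PAN-OS documentation: check that a certificate's
# Authority Information Access (AIA) extension names the OCSP responder that was
# configured on the firewall. The CA, leaf certificates and responder name are
# constructed locally with openssl as stand-ins for exported firewall material;
# "ocsp.example.com" is a placeholder for the configured OCSP Host Name.
set -eu

# OCSP URI from the certificate's AIA extension (empty if the field is absent).
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Host part of a URL: drop scheme, path and port; unwrap a bracketed IPv6 literal.
url_host() {
    h=${1#*://}
    case $h in
        "["*"]"*) h=${h#\[}; h=${h%%\]*} ;;
        *)        h=${h%%/*}; h=${h%%:*} ;;
    esac
    printf '%s\n' "$h"
}

# Succeeds only if cert $1 carries an AIA OCSP URI whose host is responder $2.
aia_matches_responder() {
    uri=$(ocsp_uri "$1") || return 1
    [ -n "$uri" ] || return 1
    [ "$(url_host "$uri")" = "$2" ]
}

# Constructed material: a throwaway CA, one leaf issued with the AIA that PAN-OS
# populates when the OCSP Responder is selected, and one leaf issued without it.
WORK=$(mktemp -d)
RESPONDER=ocsp.example.com
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=gp.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'authorityInfoAccess = OCSP;URI:http://%s/ocsp\n' "$RESPONDER" >"$WORK/ext.cnf"
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/noaia.pem" 2>/dev/null
for c in leaf noaia; do
    if aia_matches_responder "$WORK/$c.pem" "$RESPONDER"; then
        echo "$c.pem: AIA OCSP URI $(ocsp_uri "$WORK/$c.pem") points at $RESPONDER"
    else
        echo "$c.pem: no AIA OCSP URI for $RESPONDER; OCSP checks will not reach it"
    fi
done
```

To run the same check against a real certificate, export it from the firewall in PEM form and pass it to aia_matches_responder together with the configured Host Name; the noaia.pem case mirrors a certificate issued before the responder was selected.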