>
    Strata Copilot
    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Certificate Revocation
    5. Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
    Download PDF
    Next-Generation Firewall

    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

    Table of Contents

    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

    Verify the revocation status of a certificate used for SSL/TLS decryption.
    Where Can I Use This?What Do I Need?
    • NGFW
    • Prisma Access
    Depending on the products you're using, you need at least one of...
    Next-Generation Firewalls (NGFWs) decrypt inbound and outbound SSL/TLS traffic to inspect the traffic for threats. After you create a Security policy rule that allows traffic and apply Security profiles to the rule, create an analogous decryption policy rule to decrypt that traffic. Decryption provides visibility into the traffic, which enables NGFWs to inspect and enforce the Security profiles on the traffic. The NGFW re-encrypts the traffic before forwarding it to its destination. (For details on how this works, see SSL Inbound Inspection and SSL Forward Proxy.)
    You can verify certificate revocation status using the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) methods. If you configure both methods, the NGFW or Panorama first tries the OCSP method. If the OCSP server is unavailable, it uses the CRL method.
    Enabling revocation status verification for SSL/TLS decryption certificates adds time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.

    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption (Strata Cloud Manager)

    1. Define the service-specific timeout intervals for revocation status checks.
      1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesDecryption, and edit the Decryption Settings (
        ). A Decryption Settings window appears.
      2. Under the Certificate Settings for proxying an untrusted site, click Advanced. An Advanced Decryption Settings overlay appears.
      3. Perform one or both of the following steps, depending on whether the firewall will use the Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) method to verify the revocation status of certificates.
        If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
        • In the OCSP section, select Use OCSP to check certificate status, and specify a Receive Timeout (sec) value. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
        • In the CRL section, select Use CRL to check certificate status, and specify a Receive Timeout (sec) value. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
        Depending on the Certificate Status Timeout value you specify in the next step, the firewall might register a timeout before either or both of the Receive Timeout (sec) intervals pass.
      4. Save the Advanced Decryption settings.
    2. Define the total timeout interval for revocation status requests.
      This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session-blocking logic you optionally define in step 3.
      1. For Certificate Status Timeout (sec), specify a value between 1-60.
        The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout (sec) as follows:
        • If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout (sec) value or the aggregate of the two Receive Timeout (sec) values.
        • If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout (sec) value or the OCSP Receive Timeout (sec) value.
        • If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout (sec) value or the CRL Receive Timeout (sec) value.
      2. Save the Advanced Decryption Settings.
      3. Save the Decryption Settings.
    3. Define the blocking behavior for a certificate status of “unknown” or a revocation status request timeout.
      1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesDecryption, and select an existing Decryption Profile or create a new one.
      2. Edit the Server Certificate Verification settings for SSL/TLS Decryption.
        Select Advanced under the Bypass Checks option. An Advanced SSL Forward Proxy Settings overlay shows the block settings of interest.
        • To block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of “unknown,” select Block sessions with unknown certificate status. Otherwise, the firewall proceeds with the session.
        • To block SSL/TLS sessions after the firewall registers a request timeout, select Block sessions on certificate status check timeout. Otherwise, the firewall proceeds with the session.
      3. Save the Advanced SSL Forward Proxy settings.
      4. Save the Decryption Profile.
    4. To commit your changes, click Push Config Push.

    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption (PAN-OS & Panorama)

    1. Define the service-specific timeout intervals for revocation status requests.
      1. Select DeviceSetupSession and, in the Session Features section, select Decryption Certificate Revocation Settings.
      2. Perform one or both of the following steps, depending on whether the firewall will use Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
        • In the CRL section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
        • In the OCSP section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
        Depending on the Certificate Status Timeout value you specify in step 2, the firewall might register a timeout before either or both of the Receive Timeout intervals pass.
    2. Define the total timeout interval for revocation status requests.
      1. Enter the Certificate Status Timeout.
        This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session-blocking logic you optionally define in step 3. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
        • If you enable both OCSP and CRL—The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
        • If you enable only OCSP—The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
        • If you enable only CRL—The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
      2. Click OK.
    3. (Optional) Define the blocking behavior for a certificate status of “unknown” or a revocation status request timeout.
      1. Select Objects Decryption Decryption Profile, and select an existing profile or create a new one.
      2. Edit the SSL Forward Proxy Server Certificate Verification settings.
        • To block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of “unknown,” select Block sessions with unknown certificate status. Otherwise, the firewall proceeds with the session.
        • To block SSL/TLS sessions after the firewall registers a request timeout, select Block sessions on certificate status check timeout. Otherwise, the firewall proceeds with the session.
      3. Click OK.
    4. Commit your changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.