Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

The firewall decrypts inbound and outbound SSL/TLS traffic to apply security rules and rules, then re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.
Enabling revocation status verification for SSL/TLS decryption certificates will add time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.
  1. Define the service-specific timeout intervals for revocation status requests.
    1. Select
      Device
      Setup
      Session
      and, in the Session Features section, select
      Decryption Certificate Revocation Settings
      .
    2. Perform one or both of the following steps, depending on whether the firewall will use Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
      • In the CRL section, select the
        Enable
        check box and enter the
        Receive Timeout
        . This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
      • In the OCSP section, select the
        Enable
        check box and enter the
        Receive Timeout
        . This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
      Depending on the
      Certificate Status Timeout
      value you specify in Step 2, the firewall might register a timeout before either or both of the
      Receive Timeout
      intervals pass.
  2. Define the total timeout interval for revocation status requests.
    Enter the
    Certificate Status Timeout
    . This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session-blocking logic you optionally define in Step 3. The
    Certificate Status Timeout
    relates to the OCSP/CRL
    Receive Timeout
    as follows:
    • If you enable both OCSP and CRL—The firewall registers a request timeout after the lesser of two intervals passes: the
      Certificate Status Timeout
      value or the aggregate of the two
      Receive Timeout
      values.
    • If you enable only OCSP—The firewall registers a request timeout after the lesser of two intervals passes: the
      Certificate Status Timeout
      value or the OCSP
      Receive Timeout
      value.
    • If you enable only CRL—The firewall registers a request timeout after the lesser of two intervals passes: the
      Certificate Status Timeout
      value or the CRL
      Receive Timeout
      value.
  3. Define the blocking behavior for unknown certificate status or a revocation status request timeout.
    If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the
    Block Session With Unknown Certificate Status
    check box. Otherwise, the firewall proceeds with the session.
    If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the
    Block Session On Certificate Status Check Timeout
    check box. Otherwise, the firewall proceeds with the session.
  4. Click
    OK
    and
    Commit
    .

Related Documentation