When establishing an SSL/TLS session, clients can use
Online Certificate Status Protocol (OCSP) to check the revocation status
of the authentication certificate. The authenticating client sends
a request containing the serial number of the certificate to the
OCSP responder (server). The responder searches the database of
the certificate authority (CA) that issued the certificate and returns
a response containing the status (good, revoked or unknown) to the
client. The advantage of the OCSP method is that it can verify status
in real time, instead of depending on the issue frequency (hourly,
daily, or weekly) of certificate revocation lists (CRLs).
The Palo Alto Networks firewall downloads and caches OCSP status
information for every CA listed in the trusted CA list of the firewall. Caching
only applies to validated certificates; if a firewall never validated
a certificate, the firewall cache does not store the OCSP information
for the issuing CA. If your enterprise has its own public key infrastructure
(PKI), you can configure the firewall as an OCSP responder (see Configure
an OCSP Responder).
The following applications use certificates to authenticate users
and/or devices: Captive Portal, GlobalProtect (remote user-to-site
or large scale), site-to-site IPSec VPN, and web interface access
to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying
the revocation status of the certificates:
1. Configure an OCSP responder (if you are configuring the firewall as an OCSP responder).
2. Enable the HTTP OCSP service on the firewall (if you are configuring the firewall as an OCSP responder).
3. Create or obtain a certificate for each application.
4. Configure a certificate profile for each application.
5. Assign the certificate profile to the relevant application.