Set Up Verification for Certificate Revocation Status
To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you configure both methods, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall to function as the OCSP responder.
The following topics describe how to configure the firewall to verify certificate revocation status:
Configure an OCSP Responder
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI), the firewall itself. For details on OCSP, see Certificate Revocation.
Configure an OCSP Responder
Step 1. Define an OCSP responder.
  Select Device > Certificate Management > OCSP Responder and click Add.
  Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
  In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified. If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services.
  Click OK.
Step 2. Enable OCSP communication on the firewall.
  Select Device > Setup > Management. In the Management Interface Settings section, edit to select the HTTP OCSP check box, then click OK.
Step 3. (Optional) To configure the firewall itself as an OCSP responder, add an Interface Management Profile to the interface used for OCSP services.
  Select Network > Network Profiles > Interface Mgmt. Click Add to create a new profile or click the name of an existing profile.
  Select the HTTP OCSP check box and click OK.
  Select Network > Interfaces and click the name of the interface that the firewall will use for OCSP services. The OCSP Host Name specified in Step 1 must resolve to an IP address in this interface.
  Select Advanced > Other info and select the Interface Management Profile you configured.
  Click OK and Commit.
Configure Revocation Status Verification of Certificates
The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of certificates that it uses for device/user authentication.
Configure Revocation Status Verification of Certificates
Step 1. Configure a Certificate Profile for each application. Assign one or more root CA certificates to the profile and select how the firewall verifies certificate revocation status. The common name (FQDN or IP address) of a certificate must match an interface to which you apply the profile in Step 2. For details on the certificates that various applications use, see Keys and Certificates.
Step 2. Assign the certificate profiles to the relevant applications. The steps to assign a certificate profile depend on the application that requires it.
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
The firewall decrypts inbound and outbound SSL/TLS traffic to apply security rules, then re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.
Enabling revocation status verification for SSL/TLS decryption certificates will add time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
Step 1. Define the service-specific timeout intervals for revocation status requests.
  Select Device > Setup > Session and, in the Session Features section, select Decryption Certificate Revocation Settings.
  Perform one or both of the following steps, depending on whether the firewall will use Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
  In the CRL section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
  In the OCSP section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
  Depending on the Certificate Status Timeout value you specify in Step 2, the firewall might register a timeout before either or both of the Receive Timeout intervals pass.
Step 2. Define the total timeout interval for revocation status requests.
  Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session-blocking logic you optionally define in Step 3. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
  If you enable both OCSP and CRL: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
  If you enable only OCSP: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the OCSP Receive Timeout value.
  If you enable only CRL: the firewall registers a request timeout after the lesser of two intervals passes, the Certificate Status Timeout value or the CRL Receive Timeout value.
Step 3. Define the blocking behavior for an unknown certificate status or a revocation status request timeout.
  If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block Session With Unknown Certificate Status check box. Otherwise, the firewall proceeds with the session.
  If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the Block Session On Certificate Status Check Timeout check box. Otherwise, the firewall proceeds with the session.
Step 4. Save and apply your entries. Click OK and Commit.
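The timeout arithmetic in Step 2 and the blocking logic in Step 3 are easy to misjudge when tuning these settings, so the following added example (not PAN-OS code; the class and function names are my own) models them: it computes the effective timeout as the lesser of the Certificate Status Timeout and the enabled Receive Timeouts, tries OCSP before falling back to CRL, and returns the session outcome the two Block Session check boxes would produce.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Decryption Certificate Revocation Settings
# described above; field names are mine, not PAN-OS identifiers.
@dataclass
class RevocationSettings:
    crl_enabled: bool
    crl_receive_timeout: int    # CRL Receive Timeout, 1-60 seconds
    ocsp_enabled: bool
    ocsp_receive_timeout: int   # OCSP Receive Timeout, 1-60 seconds
    cert_status_timeout: int    # Certificate Status Timeout, 1-60 seconds
    block_on_unknown: bool      # Block Session With Unknown Certificate Status
    block_on_timeout: bool      # Block Session On Certificate Status Check Timeout

    def __post_init__(self) -> None:
        for v in (self.crl_receive_timeout, self.ocsp_receive_timeout,
                  self.cert_status_timeout):
            if not 1 <= v <= 60:
                raise ValueError("timeouts must be 1-60 seconds")
        if not (self.crl_enabled or self.ocsp_enabled):
            raise ValueError("enable OCSP, CRL, or both")


def effective_timeout(s: RevocationSettings) -> int:
    """Seconds after which a request timeout is registered: the lesser of the
    Certificate Status Timeout and the sum of the enabled Receive Timeouts."""
    receive_total = 0
    if s.ocsp_enabled:
        receive_total += s.ocsp_receive_timeout
    if s.crl_enabled:
        receive_total += s.crl_receive_timeout
    return min(s.cert_status_timeout, receive_total)


def session_decision(s: RevocationSettings, ocsp_result: Optional[str],
                     crl_result: Optional[str], elapsed: int) -> str:
    """Return 'allow' or 'block'. Results are 'good', 'revoked', 'unknown',
    or None when that service did not answer. OCSP is consulted first and
    CRL only if the OCSP responder is unavailable; elapsed is lookup time."""
    if elapsed >= effective_timeout(s):      # request timeout registered
        return "block" if s.block_on_timeout else "allow"
    status = None
    if s.ocsp_enabled and ocsp_result is not None:
        status = ocsp_result
    elif s.crl_enabled and crl_result is not None:
        status = crl_result
    if status == "revoked":
        return "block"
    if status == "good":
        return "allow"
    # Assumption: no answer from any enabled service is treated as unknown.
    return "block" if s.block_on_unknown else "allow"
```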