GP client still allowed access to the firewall after revoking their client certificate when Firewall is configured as OCSP responder.
10628
Created On 12/18/19 04:50 AM - Last Modified 04/21/21 01:16 AM
Symptom
After revoking a client certificate on a firewall configured as the OCSP responder, GlobalProtect (GP) clients presenting that certificate are still allowed access for up to one hour after the revocation.
Environment
- Any PAN-OS.
- GP client version 4.1 and above.
- Palo Alto Firewall configured as OCSP responder.
Cause
When the firewall is configured as an OCSP responder, it maintains a list of certificates which the Certificate Authority (CA) has validated and/or revoked. These lists are cached on both the Management Plane (MP) and the Data Plane (DP) of the firewall. By design, the cached lists are not updated in real time; by default they are refreshed only once every hour. Therefore, the firewall may still allow a GP client presenting a revoked user certificate to access the firewall for up to one hour after the certificate is revoked. This behavior is expected.
For the revocation to take effect immediately, the OCSP cache on the firewall needs to be flushed using the CLI command below.
Resolution
Clear the cached certificates on the firewall OCSP responder so that the client certificate is treated as revoked immediately and the clients' new connections are denied:
> debug sslmgr delete ocsp all
Additional Information
Here are some additional commands that may be useful.
- To view the OCSP update timer (default = 60 minutes):
> debug sslmgr show ocsp-next-update-time
- To change the OCSP update timer, use the command below. Note that changing the OCSP update timer is possible only from the CLI and the change is not retained after rebooting the firewall.
> debug sslmgr set ocsp-next-update-time <1-10080> => (configured value is in minutes)
- To view the configured OCSP responder:
> debug sslmgr view ocsp all
- To check OCSP statistics:
> debug sslmgr statistics
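To confirm from a client host that the flush in the Resolution above actually took effect, the responder can be queried with `openssl ocsp` and the reported status checked; this is an added example, not part of the KB article or of PAN-OS, and the responder URL and certificate file names are placeholders the operator must replace.

```python
"""Check what a firewall's OCSP responder reports for a client certificate.

Added example (not from the KB article). Assumes the `openssl` binary is on
the path; the URL and file names below are placeholders, not real values.
"""
import re
import subprocess

CA_CERT = "ca.pem"           # placeholder: issuing CA certificate
CLIENT_CERT = "client.pem"   # placeholder: the certificate that was revoked
OCSP_URL = "http://FIREWALL_OCSP_RESPONDER_PLACEHOLDER/"

# openssl prints one line per queried certificate ("client.pem: revoked"),
# followed by tab-indented detail lines such as "Next Update: ...".
_STATUS_RE = re.compile(r"^(?P<name>\S+): (?P<status>good|revoked|unknown)\s*$", re.M)
_NEXT_UPDATE_RE = re.compile(r"^\s*Next Update: (?P<when>.+)$", re.M)


def parse_ocsp_output(text: str) -> dict:
    """Return the certificate status and the responder's Next Update time.

    A status of None means no certificate status line was found, which usually
    indicates the responder returned an error instead of a signed response.
    """
    status = _STATUS_RE.search(text)
    nxt = _NEXT_UPDATE_RE.search(text)
    return {
        "status": status.group("status") if status else None,
        "next_update": nxt.group("when").strip() if nxt else None,
    }


def query_ocsp(cert=CLIENT_CERT, issuer=CA_CERT, url=OCSP_URL) -> dict:
    """Run `openssl ocsp` against the responder and parse its output (needs network)."""
    cmd = ["openssl", "ocsp", "-issuer", issuer, "-cert", cert, "-url", url,
           "-CAfile", issuer, "-resp_text"]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    return parse_ocsp_output(proc.stdout + proc.stderr)


# Constructed sample outputs: a stale cache still answering "good" for an
# already-revoked certificate, and the answer once the cache has been flushed.
SAMPLE_STALE = ("Response verify OK\nclient.pem: good\n"
                "\tThis Update: Dec 18 04:00:00 2019 GMT\n"
                "\tNext Update: Dec 18 05:00:00 2019 GMT\n")
SAMPLE_FLUSHED = ("Response verify OK\nclient.pem: revoked\n"
                  "\tThis Update: Dec 18 04:50:00 2019 GMT\n"
                  "\tReason: unspecified\n\tRevocation Time: Dec 18 04:45:00 2019 GMT\n")

if __name__ == "__main__":
    print(parse_ocsp_output(SAMPLE_STALE))    # still 'good' until refresh or flush
    print(parse_ocsp_output(SAMPLE_FLUSHED))  # 'revoked' once the cache is cleared
```

If the status is still `good` after the flush, compare the `Next Update` value with the timer shown by `debug sslmgr show ocsp-next-update-time` to see when the cache would have refreshed on its own.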