https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272419#M103784 <P>1. A domain based HTTPs bypass has already been implemented prior to any probing based rules.</P><P>2. the OSCP server is reachable but it is returning a 401 unauthorized error code.&nbsp;</P><P>3. they are using private certs, I have added the full chain to the trusted CAs list.&nbsp;</P><P>&nbsp;</P><P>I am going to be getting a TAC case opened for it</P><P>&nbsp;</P> Tue, 03 Mar 2026 19:23:35 GMT Austin35 2026-03-03T19:23:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272252#M103726 <P>Hello everyone,</P><P>We recently enabled HTTPs encryption, with an implied bypass except a few hosts for testing.</P><P>HTTPs inspection is also completely in fail-open mode.&nbsp;</P><P>One of our servers that is using an API out to an internet endpoint has been having issues, first it was related to https inspection probing but adding a domain based exception prior to probing rules has fixed that issue. But recently we have been seeing intermittent errors with it.&nbsp;</P><P>Only thing I see in logs is an app/url Detect for an unreachable OSCP server. Exact Error message below</P><P>OCSP responder returned an 'unauthorized' status reply. Refer to sk159872 for more details.<BR />Certificate DN: '...........' Requested Server Name: ............ See sk159872</P><P>I tried adding the entire cert chain to the trusted CA list to no avail.&nbsp;</P><P>I more than likely will be getting a tac case opened for this but was wondering if anyone knew of any quick options here.&nbsp;</P><P>Thanks,&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 02 Mar 2026 17:48:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272252#M103726 Austin35 2026-03-02T17:48:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272353#M103753 <P>Here are some testing point I can think of,</P> <P>1. Bypass https inspection for this specific API flow and check</P> <P>2. Use ping and curl command from CLI to test connectivity with OCSP server domain name</P> <P>3. Make sure checkpoint's trusted CA list is up to date. Generally, it is automatic update but good to verify</P> Tue, 03 Mar 2026 11:40:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272353#M103753 Gaurav_Pandya 2026-03-03T11:40:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272416#M103778 <P>Assuming this is an R82/R82.10 gateway, the following might also apply:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk184766" target="_blank">https://support.checkpoint.com/results/sk/sk184766</A>&nbsp;</P> Tue, 03 Mar 2026 19:12:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272416#M103778 PhoneBoy 2026-03-03T19:12:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272418#M103783 <P>My bad I always forget to mention that. Yes we are running R82. This has been happening for roughly a month now and the CRL validation impacted or MAB certificates but the work around has already been applied there.&nbsp;</P> Tue, 03 Mar 2026 19:19:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272418#M103783 Austin35 2026-03-03T19:19:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272419#M103784 <P>1. A domain based HTTPs bypass has already been implemented prior to any probing based rules.</P><P>2. the OSCP server is reachable but it is returning a 401 unauthorized error code.&nbsp;</P><P>3. they are using private certs, I have added the full chain to the trusted CAs list.&nbsp;</P><P>&nbsp;</P><P>I am going to be getting a TAC case opened for it</P><P>&nbsp;</P> Tue, 03 Mar 2026 19:23:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/App-amp-URL-Filtering-OSCP-Responder-Failure/m-p/272419#M103784 Austin35 2026-03-03T19:23:35Z