https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/105269#M10962 <P>Out of interest is OCSP traffic allowed by your policy?</P> Sun, 13 Dec 2020 10:35:34 GMT Chris_Atkinson 2020-12-13T10:35:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/89918#M10955 <P>Hi All,</P><P>We are facing weird issue, few of the users are able to access a particular URL and few are not. In Tracker i see the below Detect Message.</P><P>Failed to fetch CRL. Make sure the security gateway has an outgoing http access, and that the proxy and DNS servers are well configured.&nbsp;</P><P>Certificate Validation: CRL Timeout&nbsp;</P><P>We upgraded the firewalls to R80.30 Take 196 2 days back, is that causing the issue? Or what is the solution for this please help.</P><P>Regards,</P><P>Sanjay S</P> Fri, 26 Jun 2020 14:29:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/89918#M10955 Sanjay_S 2020-06-26T14:29:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/90442#M10956 Are the sites HTTPS by chance?<BR />Is HTTPS Inspection enabled?<BR />I could see this happening if both are true since SNI is validated out of band and that does involve checking the cert and CRL. Thu, 02 Jul 2020 21:41:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/90442#M10956 PhoneBoy 2020-07-02T21:41:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/90636#M10957 <P>Is there an open SR for this issue?</P> Mon, 06 Jul 2020 08:09:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/90636#M10957 Nasrat 2020-07-06T08:09:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/91449#M10958 <P>Yes those are https sites and https Inspection blade was enabled.</P><P>The issue was resolved after rebooting the server which was hosting the site. Thank you for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 14 Jul 2020 11:57:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/91449#M10958 Sanjay_S 2020-07-14T11:57:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/104500#M10959 <P>I'm seeing this in our logs,&nbsp; we are not running https inspection but I see lots of entries related to "Failed to fetch CRL from the following URL"</P><P>I know the gateway can access the internet.</P> Mon, 07 Dec 2020 12:49:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/104500#M10959 genisis__ 2020-12-07T12:49:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/104583#M10960 <P>Even without HTTPS Inspection, SNI verification is done on HTTPS sites from R80.30+.</P> Mon, 07 Dec 2020 20:42:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/104583#M10960 PhoneBoy 2020-12-07T20:42:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/105267#M10961 <P>Is there something I need to ensure the GW can retrieve these? or is the correct behaviour as a result of SNI verification?</P> Sun, 13 Dec 2020 10:04:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/105267#M10961 genisis__ 2020-12-13T10:04:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/105269#M10962 <P>Out of interest is OCSP traffic allowed by your policy?</P> Sun, 13 Dec 2020 10:35:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CRL-Timeout/m-p/105269#M10962 Chris_Atkinson 2020-12-13T10:35:34Z