
Web browsers unable to check for certificate revocation

We have a 5200 running R80.20.

We were experiencing some problems with HTTPS Inspection so we have turned that blade off.

The enabled blades are Firewall, Application Control, URL Filtering, Content Awareness, IPS, Threat Emulation, Anti-Bot, Anti-Virus.

We have started to receive reports from users of browser pop-ups complaining about being unable to check certificate revocation.


I have not been able to find any errors in the logs that relate to this, and it is not every site.

In both the examples I have witnessed, the CA is DigiCert.

Searching the KB doesn't bring up anything regarding needing to configure specific rules for CRL downloads, but I also haven't been able to find out if the firewall caches or periodically downloads CRL info if the HTTPS Inspection blade is off.

Any help appreciated.

Thanks

Pedro

0 Kudos
2 Replies
Admin

Re: Web browsers unable to check for certificate revocation

Since you're not doing HTTPS Inspection, the browser is doing the CRL checking and, unless your outbound Internet policy is restrictive, the firewall shouldn't impede this.
Do you see any drops originating from the client in the logs?
0 Kudos

Re: Web browsers unable to check for certificate revocation

Not seeing any drops, which is strange. The outbound policy allows normal browsing, so it doesn't make much sense.
0 Kudos