Pedro_Silva
Contributor

Web browsers unable to check for certificate revocation

We have a 5200 running R80.20.

We were experiencing some problems with HTTPS Inspection so we have turned that blade off.

The enabled blades are Firewall, Application Control, URL Filtering, Content Awareness, IPS, Threat Emulation, Anti-Bot, Anti-Virus.

We have started to receive reports from users of browser pop-ups complaining about being unable to check certificate revocation.

cert_issue.JPG

I have not been able to find any errors in the logs that relate to this, and it is not every site.

In both the examples I have witnessed the CA is Digicert.

Searching the KB doesn't bring up anything regarding needing to configure specific rules for CRL downloads, but I also haven't been able to find out if the firewall caches or periodically downloads CRL info if the HTTPS Inspection blade is off.

Any help appreciated.

Thanks

Pedro

 

0 Kudos
2 Replies
PhoneBoy
Admin

Since you're not doing HTTPS Inspection, the browser is doing the CRL checking and, unless your outbound Internet policy is restrictive, the firewall shouldn't impede this.
Do you see any drops originating from the client in the logs?
0 Kudos
Pedro_Silva
Contributor

Not seeing any drops which is strange. The outbound policy allows normal browsing so it doesn't make much sense.
0 Kudos
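
To know which destinations to look for in the logs, the script below (an added example, not part of the thread) lists the CRL and OCSP URLs embedded in a certificate, which are what the browser contacts for revocation checks when HTTPS Inspection is off. The function names and the `example.test` endpoints are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list the revocation endpoints named in a
# certificate, i.e. the URLs a browser fetches to check revocation.
# Needs OpenSSL 1.1.1 or later (-ext, -addext).

# Print "CRL <url>" / "OCSP <url>" for the PEM certificate in file $1.
revocation_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints,authorityInfoAccess |
        sed -n -e 's/^ *OCSP - URI:/OCSP /p' -e 's/^ *URI:/CRL /p'
}

# Build a throwaway self-signed certificate with constructed endpoints
# (example.test names are placeholders, not a real CA's URLs).
make_sample_cert() {
    local dir
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test" \
        2>/dev/null || return 1
    echo "$dir/cert.pem"
}

# Fetch one endpoint from the affected client and report the HTTP status
# ("000" means no response: timeout, reset or DNS failure).
probe() {
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$1"
}

if [ -n "${1:-}" ]; then
    # Real certificate given: list its endpoints and test each one.
    revocation_urls "$1" | while read -r kind url; do
        echo "$kind $url -> HTTP $(probe "$url")"
    done
else
    # No argument: offline demo on the constructed certificate.
    revocation_urls "$(make_sample_cert)"
fi
```

Run it on an affected client with the path to a PEM copy of an affected site's certificate, then search the firewall logs for the listed destinations; these fetches are usually plain HTTP rather than HTTPS.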