Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
Verify the revocation status of a certificate used for SSL/TLS decryption.
Where Can I Use This?
  • NGFW
  • Prisma Access

What Do I Need?
Depending on the products you're using, you need at least one of...
The firewall decrypts inbound and outbound SSL/TLS traffic to inspect the traffic for threats. When you create a Security policy rule that allows traffic and apply Security profiles to the rule, create an analogous Decryption policy rule to decrypt that traffic. If you don’t decrypt the traffic, the firewall can’t use the Security profiles to inspect the traffic (you can’t inspect what you can’t see). The firewall re-encrypts the traffic before forwarding it. (See SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.
Enabling revocation status verification for SSL/TLS decryption certificates adds time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.
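As an added illustration (example code, not Palo Alto Networks code and not a description of how PAN-OS implements the check), the following Python model shows why a revocation lookup that outlasts the session timeout makes the first attempt fail while a retry after the lookup completes succeeds, and why nothing is checked when verification is left disabled. The responder, its delay, the session timeout and the serial numbers are all constructed values.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

# Constructed stand-in for a CRL or OCSP responder: which serials it reports as revoked.
REVOKED_SERIALS = {0x2002}


def slow_responder(serial, delay_s):
    """Simulated revocation lookup that needs delay_s seconds to answer."""
    time.sleep(delay_s)
    return "revoked" if serial in REVOKED_SERIALS else "good"


class DecryptionChecker:
    """Model of a decryptor that verifies revocation status within a session budget.

    A lookup that does not finish before the session times out makes that session
    fail (the client's failed first attempt); the lookup keeps running in the
    background and its answer is cached, so a retry after it completes succeeds.
    Verification is off by default, matching the page.
    """

    def __init__(self, session_timeout_s, responder_delay_s, verify_revocation=False):
        self.session_timeout_s = session_timeout_s
        self.responder_delay_s = responder_delay_s
        self.verify_revocation = verify_revocation
        self.cache = {}    # serial -> "good" | "revoked"
        self.pending = {}  # serial -> Future for a lookup still in flight
        self.pool = ThreadPoolExecutor(max_workers=4)

    def handle_session(self, serial):
        """Return ("decrypt" | "block" | "fail", reason) for one TLS handshake."""
        if not self.verify_revocation:
            return ("decrypt", "revocation verification disabled (default)")
        status = self.cache.get(serial)
        if status is None:
            fut = self.pending.get(serial)
            if fut is None:  # first session for this serial starts the lookup
                fut = self.pool.submit(slow_responder, serial, self.responder_delay_s)
                self.pending[serial] = fut
            try:
                status = fut.result(timeout=self.session_timeout_s)
            except LookupTimeout:
                return ("fail", "revocation check did not finish before the session timed out")
            self.cache[serial] = status
            self.pending.pop(serial, None)
        if status == "revoked":
            return ("block", "certificate is revoked")
        return ("decrypt", "certificate status is good")

    def wait_for_pending(self):
        """Let in-flight lookups finish (stands in for time passing before a retry)."""
        for fut in list(self.pending.values()):
            fut.result()
```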