FortiGate
ssavin
Staff
Article Id 414497
Description This article describes how to enforce the OCSP certificate revocation check when a CRL certificate check is already configured.
Scope FortiOS v7.4.2 and later.
Solution

When certificate revocation status checking is configured for both CRL and OCSP, the firewall by default checks only against the CRL, regardless of whether the CRL result is 'GOOD' or 'REVOKED'.


The CRL is usually not updated very frequently, which can lead to an incorrect certificate status, contrary to what the user expects: the CRL can return a revocation status of 'GOOD' for a certificate that has already been revoked, simply because the CRL has not been updated yet.


An OCSP revocation check uses the Online Certificate Status Protocol (OCSP) to query a server for the real-time revocation status of a digital certificate, providing a faster alternative to downloading and checking large Certificate Revocation Lists (CRLs).


To enforce the OCSP revocation check alongside the CRL revocation check, set the OCSP status to mandatory under the certificate settings.


config vpn certificate setting
    set ocsp-status mandatory
end


After the OCSP status is set to mandatory, the certificate revocation status will be checked as follows:

  • If the CRL revocation check returns status 'GOOD', the OCSP server will be polled to check the certificate revocation status.
  • If the CRL revocation check returns status 'REVOKED', no further query is made towards the OCSP server.
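The CRL-then-OCSP order described above, as an added Python model written for this article; it is not FortiOS code. The names CRL, OCSPResponder and check_revocation, and the serial numbers and timestamps, are constructed for illustration. The model shows the failure mode the article warns about (a stale CRL reporting 'GOOD' for a freshly revoked certificate) and how setting the OCSP status to mandatory changes the outcome, while a CRL result of 'REVOKED' is final and produces no OCSP query.

```python
"""Model of the CRL-then-OCSP revocation order described in the article (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GOOD, REVOKED = "GOOD", "REVOKED"


@dataclass
class CRL:
    """A downloaded CRL: a snapshot of revoked serial numbers taken at this_update."""
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

    def status(self, serial: int) -> str:
        return REVOKED if serial in self.revoked_serials else GOOD


@dataclass
class OCSPResponder:
    """Stand-in for the CA's OCSP responder: answers from its current revocation records."""
    revoked: dict          # serial -> revocation time
    queries: int = 0       # counts how often the firewall asked the responder

    def query(self, serial: int) -> str:
        self.queries += 1
        return REVOKED if serial in self.revoked else GOOD


def check_revocation(serial, crl, responder, ocsp_status="disable"):
    """The CRL is consulted first. With ocsp_status == "mandatory", a CRL result of
    GOOD triggers an OCSP query; a CRL result of REVOKED is final and OCSP is not asked.
    Returns the final status and the trail of checks that produced it."""
    trail = []
    crl_result = crl.status(serial)
    trail.append(f"CRL:{crl_result}")
    if crl_result == REVOKED or ocsp_status != "mandatory":
        return crl_result, trail
    ocsp_result = responder.query(serial)
    trail.append(f"OCSP:{ocsp_result}")
    return ocsp_result, trail


def build_scenario():
    """Constructed data: the CRL published at t0 lists only serial 0x2002; serial 0x1001
    is revoked an hour later, so the responder knows about it but the CRL does not."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    crl = CRL(this_update=t0, next_update=t0 + timedelta(days=7),
              revoked_serials=frozenset({0x2002}))
    responder = OCSPResponder(revoked={0x2002: t0 - timedelta(days=1),
                                       0x1001: t0 + timedelta(hours=1)})
    return crl, responder


def demo():
    crl, responder = build_scenario()
    results = {}
    # CRL only: the freshly revoked certificate still looks GOOD (the stale-CRL problem).
    results["crl_only"] = check_revocation(0x1001, crl, responder, "disable")
    # ocsp-status mandatory: CRL says GOOD, so the responder is polled and reports REVOKED.
    results["mandatory_fresh_revocation"] = check_revocation(0x1001, crl, responder, "mandatory")
    queries_before = responder.queries
    # Serial already on the CRL: REVOKED is final and no OCSP query is made.
    results["mandatory_listed_in_crl"] = check_revocation(0x2002, crl, responder, "mandatory")
    results["ocsp_queries_for_listed"] = responder.queries - queries_before
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the trail for each case; the query counter makes the second bullet observable rather than just stated, since a certificate already listed in the CRL produces zero OCSP queries.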