Hi!
I wish to implement OCSP Stapling for some (not all) firewall policies referencing a "firewall ssl-ssh-profile" with "inspect-all" set to "deep-inspection".
KB 198293 comments on "vpn certificate setting" and "vpn certificate ocsp-server" and notes "client traffic which requires OCSP validation is expected to have SSL deep inspection enabled on the firewall policy."; however, it does not document how to enable OCSP Stapling on a granular basis (in other words, not universally).
In "config firewall ssl-ssh-profile" I can see the "revoked-server-cert" field, but this implies being subsequent to the result from the OCSP responder - it does not enable/disable support for OCSP Stapling (requiring on-demand sending of an 'OCSP request' to the certificate's CA).
So, how can the OCSP Stapling feature be explicitly enabled for some firewall policies but not others?
Thank you.
Hello,
"config vpn certificate setting" is configured per VDOM. Technically it is possible to enable OCSP on one VDOM and disable it on another VDOM; however, such a design is very questionable.
Is there a particular reason why OCSP should be configured per firewall policy?
Created on 08-22-2024 01:46 PM Edited on 08-23-2024 06:55 AM
Hi @abarushka
My requirement is either on a per-firewall-policy or per-ssl-ssh-profile basis. However, your response seems to indicate neither is possible - it's either the whole VDOM or nothing - correct?
R’s, Feren
Hi Feren,
It is not possible to configure the required OCSP behavior under a firewall policy / DPI profile.
I cannot think of a more elegant solution than VDOM.
You may consider contacting your local Fortinet sales representative to request a new feature.
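To illustrate the per-VDOM scoping described in this reply, here is an added, constructed FortiOS CLI fragment (not from the thread, the KB article or Fortinet documentation). The VDOM name, OCSP responder entry, URL and CA certificate name are placeholders, and the command keys are given as this editor recalls them from FortiOS, so check them against the CLI reference for your firmware.

```fortios
# Constructed example: OCSP checking for deep-inspected TLS is scoped to a VDOM,
# not to an individual firewall policy or ssl-ssh-profile.
# Placeholders: VDOM "inspect-vdom", responder entry "corp-ocsp",
# responder URL and the CA certificate that signs its responses.
config vdom
    edit inspect-vdom
        # Define the responder this VDOM queries for revocation status
        config vpn certificate ocsp-server
            edit "corp-ocsp"
                set url "http://ocsp.example.com/"   # placeholder responder URL
                set cert "Corp-Root-CA"              # placeholder CA cert (assumed key name)
            next
        end
        # Enable OCSP for this VDOM only; policies in other VDOMs keep their own setting
        config vpn certificate setting
            set ocsp-status enable
            set ocsp-default-server "corp-ocsp"
        end
    next
end
```

Policies that must not perform OCSP checks would therefore live in a separate VDOM whose "vpn certificate setting" leaves ocsp-status disabled.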
Copyright 2024 Fortinet, Inc. All Rights Reserved.