Configure settings for certificate validation

Certificate validation settings allow you to define the settings that the NGFW Engine uses when it connects to a Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) server.

The NGFW Engine validates certificates and checks the certificate revocation status for features that have certificate validation and certificate revocation checks enabled, such as features that use a TLS Profile in the configuration.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Firewall, IPS, or Layer 2 Firewall element, then select Edit <element type>.
  2. Browse to Advanced Settings > Certificate Validation.
  3. (Optional) If the NGFW Engine cannot access external networks directly, select the HTTP proxy through which OCSP and CRL lookups are sent.
  4. (Optional) Enter the timeout for communication from the NGFW Engine to the CRL or OSCP server.
    The default timeout is 120 seconds.
  5. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > Certificate Validation

Use this branch to specify settings for certificate validation and revocation status checks on the engine. The settings are used for features that have certificate validation and certificate revocation checks enabled.

Option Definition
HTTP Proxy

(Optional)

 When specified, OCSP and CRL lookups are sent through an HTTP proxy instead of the engine accessing the external network directly.
Timeout for OCSP and CRL Lookups The maximum amount of time that the engine tries to connect to the CRL or OCSP server if the connection has failed. The default is 120 seconds.