Describes certificate revocation list (CRL)-based quarantine, a security mechanism that quarantines devices whose certificates have been revoked and are listed in a certificate revocation list, moving the devices to a staging mode.
Certificate revocation list (CRL)-based quarantine is a security mechanism that
-
quarantines devices whose certificates have been revoked and are listed in a certificate revocation list received from a certificate authority,
-
moves quarantined devices into a staging mode, and
-
generates notifications for quarantined devices to alert administrators.
How CRL-based quarantine works
When the CRL-based quarantine feature is enabled, SD-WAN Manager quarantines devices whose certificates are included in a periodically updated certificate revocation list (CRL), which it receives from a certificate authority (CA).
The feature is disabled by default.
-
At a defined interval, SD-WAN Manager polls a CRL server for the latest CRL, which contains serial numbers of certificates.
The CRL server connects to SD-WAN Manager through VPN 0 or VPN 512.
-
If any serial numbers match the certificates of devices in the fabric, SD-WAN Manager proceeds to quarantine the devices.
-
SD-WAN Manager moves the devices requiring quarantine to a staging mode. This mode shuts down data traffic on the device, but does not remove the certificate from the device. Keeping the certificate on the device allows it to continue its control connection to SD-WAN Manager.
-
SD-WAN Manager generates notifications for the device being quarantined.