Hi,
For 1: No. Do you have any details about the URLs which are called so I can have a look?
For 2: For the Known CAs in the Web Gateway there are also lists which contain all the CRL and OCSP responder URLs. You can make a rule that allows access if a URL from these lists is queried. There is not an existing rule set, but the rule would be like:
URL is in list <Known CRL URLs> OR
URL is in list <Known OCSP URLs>
Action: Stop Cycle
Best,
Andre