
Ensure that the certificate securing Remote Access VPNs is valid – GlobalProtect Portals

Details

The certificate used to secure Remote Access VPNs should satisfy the following criteria:

* It should be a valid certificate from a trusted source. In almost all cases this means a trusted public Certificate Authority, because most remote access VPN users will not have access to any private Certificate Authority for certificate validation.

* The certificate should have a valid date. It should not have a “to” date in the past (it should not be expired), and it should not have a “from” date in the future.

* The certificate's key length should be 2048 bits or more.

* The hash used to sign the certificate should be SHA-2 or better.

Rationale:

If presented with a certificate error, the end user in most cases will not be able to tell whether their session is using a self-signed or expired certificate, or whether their session is being eavesdropped on or injected into by a “Man in the Middle” attack.

Solution

* Create a CSR and install a certificate from a public CA: navigate to Device > Certificate Management > Certificates.

* Apply a valid certificate to the HTTPS portal: navigate to Network > GlobalProtect > Portals > Portal Configuration > Authentication > SSL/TLS Profile.

* Apply a valid certificate to the GlobalProtect Gateway: navigate to Network > GlobalProtect > Gateways > Authentication > SSL/TLS Profile.

Default Value:
Not configured
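As an added check that is not part of the CIS benchmark text, the script below audits the certificate a GlobalProtect portal or gateway presents against the four criteria listed under Details, using only the openssl CLI. The function names `fetch_portal_cert`, `check_cert_pem` and `make_test_cert`, the hostname gp.example.invalid and the use of GNU date are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the CIS page): audit a GlobalProtect portal/gateway
# certificate against the four benchmark criteria. Assumes openssl and GNU date.

# Fetch the leaf certificate a portal presents (read-only TLS handshake).
# Usage: fetch_portal_cert gp.example.invalid > portal.pem
fetch_portal_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# check_cert_pem <cert.pem> [ca-bundle.pem]: prints PASS/FAIL per criterion and
# returns the number of failures. Without a bundle, the system CA store is used.
check_cert_pem() {
  local pem=$1 ca=${2:-} fails=0 text bits sigalg notbefore start now
  text=$(openssl x509 -in "$pem" -noout -text) || return 4
  # 1. Trusted issuer: the chain must build to a trusted CA.
  if openssl verify ${ca:+-CAfile "$ca"} "$pem" >/dev/null 2>&1; then
    echo "PASS trusted issuer"
  else
    echo "FAIL issuer not trusted (self-signed or private CA)"; fails=$((fails + 1))
  fi
  # 2. Validity window: not expired (-checkend 0) and notBefore not in the future.
  notbefore=$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)
  start=$(date -u -d "$notbefore" +%s); now=$(date -u +%s)
  if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null && [ "$start" -le "$now" ]; then
    echo "PASS validity dates"
  else
    echo "FAIL expired or not yet valid"; fails=$((fails + 1))
  fi
  # 3. Key size: 2048 bits or more (EC keys report their curve size and get flagged).
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  if [ "${bits:-0}" -ge 2048 ]; then
    echo "PASS key size $bits bits"
  else
    echo "FAIL key size ${bits:-unknown} bits (< 2048)"; fails=$((fails + 1))
  fi
  # 4. Signature hash: SHA-2 family only; MD5 and SHA-1 signatures fail.
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n1)
  case "$(printf '%s' "$sigalg" | tr 'A-Z' 'a-z')" in
    *sha256*|*sha384*|*sha512*) echo "PASS signature hash $sigalg" ;;
    *) echo "FAIL weak signature hash ${sigalg:-unknown}"; fails=$((fails + 1)) ;;
  esac
  return "$fails"
}

# make_test_cert <out.pem> <rsa-bits>: constructed self-signed cert for local tests.
make_test_cert() {
  openssl req -x509 -newkey "rsa:$2" -nodes -keyout /dev/null -out "$1" -days 365 \
    -sha256 -subj "/CN=gp.example.invalid" >/dev/null 2>&1
}
```

After applying the certificate, run `fetch_portal_cert <portal-host> > portal.pem && check_cert_pem portal.pem` against your own portal; a self-signed certificate from `make_test_cert` fails the trusted-issuer check by design, which is exactly the condition this control exists to catch.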

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Palo_Alto.


Updated on July 16, 2022