Details
In most cases, a browser HTTPS interface is used to administer the Palo Alto appliance. The certificate used to secure this session should satisfy the following criteria:
A valid certificate from a trusted source should be used. While a certificate from a trusted Public Certificate Authority is certainly valid, one from a trusted Private Certificate Authority is absolutely acceptable for this purpose.
The certificate should be within its validity period. Its ‘to’ (notAfter) date should not be in the past (the certificate should not be expired), and its ‘from’ (notBefore) date should not be in the future.
The certificate should use an acceptable cipher and encryption level.
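As an added example (not from the benchmark or from Palo Alto), the following shell function checks a PEM certificate against the three criteria above; it assumes `openssl` and GNU `date` are on PATH, and the RSA/EC key-size floors are assumptions, since the benchmark gives no numbers.

```shell
# Added example (not from the benchmark or Palo Alto): check a PEM certificate
# against the three criteria above. Assumes `openssl` and GNU `date` are on PATH.
# The file checked is normally the certificate the appliance actually serves:
#   openssl s_client -connect <mgmt-ip>:443 </dev/null 2>/dev/null | openssl x509 -out mgmt.pem
# Usage: check_mgmt_cert mgmt.pem  (returns 0 when every check passes, 1 otherwise)
check_mgmt_cert() {
  cert="$1"
  rc=0

  # 1. Trusted source: a self-signed certificate has an issuer identical to its subject.
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
  if [ "$subject" = "$issuer" ]; then
    echo "FAIL: certificate is self-signed (issuer: $issuer)"; rc=1
  fi

  # 2. Validity window: -checkend 0 fails once notAfter is in the past; a
  #    notBefore in the future is caught by comparing epoch seconds.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has expired ($(openssl x509 -in "$cert" -noout -enddate))"; rc=1
  fi
  not_before=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
  if [ "$(date -u -d "$not_before" +%s)" -gt "$(date -u +%s)" ]; then
    echo "FAIL: certificate is not yet valid (notBefore: $not_before)"; rc=1
  fi

  # 3. Acceptable algorithms: reject MD5/SHA-1 signatures and small keys. The
  #    benchmark states no numbers; RSA >= 2048 and EC >= 256 bits are assumed floors.
  text=$(openssl x509 -in "$cert" -noout -text)
  sig_alg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  key_alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
  key_bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case "$sig_alg" in
    *[Mm][Dd]5*|*[Ss][Hh][Aa]1*) echo "FAIL: weak signature algorithm ($sig_alg)"; rc=1 ;;
  esac
  case "$key_alg" in
    id-ecPublicKey)  min_bits=256 ;;
    ED25519|ED448)   min_bits=0 ;;   # fixed-size keys, no bit count printed
    *)               min_bits=2048 ;;
  esac
  if [ "${key_bits:-0}" -lt "$min_bits" ]; then
    echo "FAIL: key too small ($key_alg, ${key_bits:-?} bits; minimum $min_bits)"; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "PASS: $subject meets all three criteria"
  return "$rc"
}
```

Run it against the certificate served on the management interface after each SSL/TLS Service Profile change, and again on a schedule so an approaching expiry is caught before administrative access is lost.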
Rationale:
If a certificate that is self-signed, expired, or otherwise invalid is used for the browser HTTPS interface, administrators in most cases will not be able to tell whether their session is being eavesdropped on or injected into by a ‘Man in the Middle’ attack.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Create or acquire a certificate that meets the stated criteria and set it:
Navigate to Device > Certificate Management > Certificates
Import an appropriate Certificate for your administrative session from a trusted Certificate Authority.
Navigate to Device > Certificate Management > SSL/TLS Service Profile
Choose or import the certificate you want to use for the web-based administrative session.
Navigate to Device > Setup > Management > General Settings > SSL/TLS Service Profile
Choose the Service Profile that you have configured.
Impact:
If the default self-signed certificate is used, an administrator will not be able to clearly tell if their HTTPS session is being hijacked or not. Using a trusted certificate ensures that the session is both encrypted and trusted.
Default Value:
A self-signed certificate is installed by default for the administrative interface.
References:
‘How to Configure a Certificate for Secure Web GUI Access’ – https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-configure-a-certificate-for-secure-web-gui-access/ta-p/68653
‘PAN-OS Administrator’s Guide 9.0 (English) – Best Practices for Securing Administrative Access’: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html#
Notes:
Verify that the clock is both accurate and reliable on both the Palo Alto and on the administrative workstations before setting the SSL/TLS Service Profile. Inaccurate or mismatched clocks will result in certificate errors and can result in loss of HTTPS administrative access.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication, System and Communications Protection. This control applies to the following type of system: Palo_Alto.