Ensure valid certificate is set for browser-based administrator interface – Certificate Profiles

Details

In most cases, a browser HTTPS interface is used to administer the Palo Alto appliance. The certificate used to secure this session should satisfy the following criteria:

1. A valid certificate from a trusted source should be used. While a certificate from a trusted Public Certificate Authority is certainly valid, one from a trusted Private Certificate Authority is absolutely acceptable for this purpose.

2. The certificate should have a valid date. It should not have a “to” date in the past (it should not be expired), and should not have a “from” date in the future.

3. The certificate should use an acceptable cipher and encryption level.

Rationale:

If a certificate that is self-signed, expired, or otherwise invalid is used for the browser HTTPS interface, administrators in most cases will not be able to tell if their session is being eavesdropped on or injected into by a “Man in the Middle” attack.
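The three criteria above can be checked mechanically once the certificate has been exported from the appliance. The following Go sketch is an added example, not part of the CIS benchmark or any Palo Alto tooling. The names `AuditCert` and `SampleSelfSigned`, the host name, and the thresholds (RSA of at least 2048 bits, no MD5 or SHA-1 signatures) are assumptions, since the benchmark text does not define what counts as acceptable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCert returns one finding per failed criterion. Assumed thresholds: RSA >= 2048 bits, no MD5/SHA-1.
func AuditCert(c *x509.Certificate, trusted *x509.CertPool, now time.Time) (f []string) {
	// 1. Trusted issuer (public or private CA); checked at NotBefore so dates are reported separately.
	if _, err := c.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: c.NotBefore}); err != nil {
		f = append(f, "untrusted")
	}
	// 2. "From" date not in the future, "to" date not in the past.
	if now.Before(c.NotBefore) {
		f = append(f, "not-yet-valid")
	}
	if now.After(c.NotAfter) {
		f = append(f, "expired")
	}
	switch c.SignatureAlgorithm { // 3. Signature hash and key size.
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f = append(f, "weak-signature")
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		f = append(f, "weak-key")
	}
	return f
}

// SampleSelfSigned builds a constructed self-signed certificate (errors ignored for brevity).
func SampleSelfSigned(from, to time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "fw-mgmt.example.test"}, NotBefore: from, NotAfter: to}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	c := SampleSelfSigned(time.Now().Add(-48*time.Hour), time.Now().Add(-time.Hour))
	fmt.Println(AuditCert(c, x509.NewCertPool(), time.Now()))
}
```

Pass a pool that holds only the organization's public or private CA certificates as `trusted`; a nil pool makes Go fall back to the system trust store.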

Solution

If a new administrative certificate is needed, acquire a certificate that meets the stated criteria and set it:
Navigate to Device > Certificate Management > Certificates

Set an appropriately named Certificate Profile for Management Interface Access:
Navigate to Device > Certificate Management > Certificate Profile

Set the Authentication Profile field so it contains the Certificate Profile created for Management Interface Access:
Navigate to Device > Setup > Management (tab) > Authentication Settings > Authentication Profile (field)

Default Value:

A self-signed certificate is installed by default for the administrative interface.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Palo_Alto.

Updated on July 16, 2022