1.6.1 Ensure 'Verify Update Server Identity' is enabled

Information

This setting determines whether or not the identity of the update server must be verified before performing an update session. Note that if an SSL Forward Proxy is configured to intercept the update session, this option may need to be disabled (because the SSL Certificate will not match).

Rationale:

Verifying the update server identity before package download ensures the packages originate from a trusted source. Without this, it is possible to receive and install an update from a malicious source.

Impact:

This setting protects the device from an 'evilgrade' attack, where a successful DNS attack can redirect the firewall to an attacker-controlled update server, which can then serve a modified update.

Solution

Navigate to Device > Setup > Services > Services.
Set the Verify Update Server Identity box to checked.
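
To confirm the setting offline, the following added example (not part of the benchmark or of any vendor tooling) audits an exported configuration XML. The element path `devices/entry/deviceconfig/system/server-verification` and the value `yes` are assumptions about the export format; the sample configurations are constructed. A missing element is reported as failing, since the default is "Not configured".

```python
import xml.etree.ElementTree as ET

# Assumed location of the setting in an exported configuration (not stated on this page).
DEVICE_PATH = "./devices/entry"
SETTING_PATH = "deviceconfig/system/server-verification"


def audit_update_server_verification(config_xml):
    """Return one finding per device entry found in the exported configuration."""
    root = ET.fromstring(config_xml)
    findings = []
    for entry in root.findall(DEVICE_PATH):
        node = entry.find(SETTING_PATH)
        if node is None:
            # Element absent: the default state, treated as non-compliant.
            state, ok = "not configured", False
        else:
            value = (node.text or "").strip().lower()
            state, ok = (value or "empty"), value == "yes"
        findings.append({"device": entry.get("name", "?"), "state": state, "compliant": ok})
    return findings


def is_compliant(config_xml):
    """True only if at least one device entry exists and every entry passes."""
    findings = audit_update_server_verification(config_xml)
    return bool(findings) and all(f["compliant"] for f in findings)


def _sample(system_body):
    # Constructed sample export; real exports contain many more elements.
    return (
        '<config><devices><entry name="localhost.localdomain">'
        "<deviceconfig><system>" + system_body + "</system></deviceconfig>"
        "</entry></devices></config>"
    )


SAMPLE_ENABLED = _sample("<server-verification>yes</server-verification>")
SAMPLE_DISABLED = _sample("<server-verification>no</server-verification>")
SAMPLE_DEFAULT = _sample("<hostname>fw-lab-01</hostname>")  # setting never touched

if __name__ == "__main__":
    for label, xml in [("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED),
                       ("default", SAMPLE_DEFAULT)]:
        print(label, audit_update_server_verification(xml))
```

A device that sits behind an SSL Forward Proxy and has the option deliberately disabled will show as failing here and should be tracked as a documented exception.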

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: Palo_Alto

Control ID: 27cd5f8ad7b567302f5786e4be800c390130c4dcb5f2b9dd0a80b3e58a2950db