1.2.5 Ensure valid certificate is set for browser-based administrator interface

Information

In most cases, a browser HTTPS interface is used to administer the Palo Alto appliance. The certificate used to secure this session should satisfy the following criteria:

A valid certificate from a trusted source should be used. While a certificate from a trusted Public Certificate Authority is certainly valid, one from a trusted Private Certificate Authority is absolutely acceptable for this purpose.

The certificate should be within its validity period: its 'to' (notAfter) date should not be in the past (the certificate should not be expired), and its 'from' (notBefore) date should not be in the future.

The certificate should use an acceptable cipher and encryption level.

Rationale:

If a self-signed, expired, or otherwise invalid certificate is used for the browser HTTPS interface, administrators will in most cases be unable to tell whether their session is being eavesdropped on or tampered with by a 'Man in the Middle' attack, because the browser warning they must click through looks the same in both cases.

Impact:

If the default self-signed certificate is used, an administrator will not be able to clearly tell if their HTTPS session is being hijacked or not. Using a trusted certificate ensures that the session is both encrypted and trusted.

Solution

Create or acquire a certificate that meets the stated criteria and set it:

1. Navigate to Device > Certificate Management > Certificates.
2. Import an appropriate certificate for your administrative session, issued by a trusted Certificate Authority.
3. Navigate to Device > Certificate Management > SSL/TLS Service Profile.
4. Choose or import the certificate you want to use for the web-based administrative session.
5. Navigate to Device > Setup > Management > General Settings > SSL/TLS Service Profile.
6. Choose the Service Profile that you have configured.
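After applying the profile, the criteria above can be verified from an administrator's workstation. The following script is an added example (not part of the benchmark or of any Palo Alto tooling): evaluate_cert() checks a certificate offline in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and check_admin_interface() connects to a management address and feeds the live certificate and negotiated cipher into it. The 128-bit cipher threshold, the TLS 1.2 minimum, and the sample certificate values are assumptions constructed for the example.

```python
import socket
import ssl
import time

MIN_CIPHER_BITS = 128                  # assumed "acceptable encryption level"
OK_TLS_VERSIONS = ("TLSv1.2", "TLSv1.3")  # assumed acceptable protocol versions

# Constructed sample in getpeercert() format: a leaf issued by a private CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "fw-mgmt.example.test"),),),
    "issuer": ((("commonName", "Example Private CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def _names(rdns) -> dict:
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    return {attr: value for rdn in rdns for (attr, value) in rdn}


def evaluate_cert(cert: dict, now: float, tls_version: str = "TLSv1.2",
                  cipher_bits: int = 256) -> list:
    """Return a list of findings against the benchmark criteria; empty means pass."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate 'from' date is in the future")
    if now > not_after:
        findings.append("certificate is expired")
    # A leaf whose issuer equals its subject is the default self-signed case.
    if _names(cert["subject"]) == _names(cert["issuer"]):
        findings.append("certificate is self-signed (subject equals issuer)")
    if tls_version not in OK_TLS_VERSIONS:
        findings.append(f"weak protocol version {tls_version}")
    if cipher_bits < MIN_CIPHER_BITS:
        findings.append(f"weak cipher strength ({cipher_bits} bits)")
    return findings


def check_admin_interface(host: str, port: int = 443) -> list:
    """Connect to the management interface and evaluate what it presents.
    The default context verifies the chain against the workstation's trust
    store and the hostname, so an untrusted (e.g. self-signed) certificate
    surfaces as a verification error rather than a silent pass."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                _name, _proto, bits = tls.cipher()
                return evaluate_cert(tls.getpeercert(), time.time(),
                                     tls.version(), bits)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain not trusted by this workstation: {exc.reason}"]
```

A private CA is acceptable per the criteria, so make sure that CA's root is installed in the workstation's trust store before treating a verification error as a finding.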

Default Value:

A self-signed certificate is installed by default for the administrative interface.

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4, CSCv7|16.5

Plugin: Palo_Alto

Control ID: 802ef779a886e8801962646fed6bc816c1f76a28f9d59abda39178f640f655d9