1.6.1 Ensure 'Verify Update Server Identity' is enabled

Information

This setting determines whether or not the identity of the update server must be verified before performing an update session.

Note that if an SSL Forward Proxy is configured to intercept the update session, this option may need to be disabled.
Rationale:
Verifying the update server identity before package download ensures the packages originate from a trusted source. Without this, it is possible to receive and install an update from a malicious source.

Solution

Navigate to Device > Setup > Services > Services.
Set the Verify Update Server Identity box to checked.
or
To remediate this setting, execute the following CLI command:
username@hostname#set deviceconfig system server-verification yes
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2(5), CSCv6|11

Plugin: Palo_Alto

Control ID: d42452be6ccf9dd30747dbc52ee4956212f9b4044b18c72b609ea2d25aca1d1b