1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals

Information

The Certificate used to secure Remote Access VPNs should satisfy the following criteria:
* It should be a valid certificate from a trusted source. In almost cases this means a trusted Public Certificate Authority, as in most cases remote access VPN users will not have access to any Private Certificate Authorities for Certificate validation.
* The certificate should have a valid date. It should not have a "to" date in the past (it should not be expired), and should not have a "from" date in the future.
* The key length used to encrypt the certificate should be 2048 bits or more.
* The hash used to sign the certificate should be SHA-2 or better.
Rationale:
If presented with a certificate error, the end user in most cases will not be able to tell if their session is using a self-signed or expired certificate, or if their session is being eavesdropped on or injected into by a "Man in the Middle" attack.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Create a CSR and install a certificate from a public CA here:
Navigate to Device > Management > Certificate Management > Certificates

Apply a valid certificate to the HTTPS portal:
Navigate to Network > GlobalProtect > Portals > Portal Configuration > Server Certificate

Apply a valid certificate to the GlobalProtect Gateway:
Navigate to Network > GlobalProtect > Gateways > General > Server Certificate
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-17, CSCv6|14.2

Plugin: Palo_Alto

Control ID: c0c7cabf5f8734330e225db04d7251df779a284450eed0865d7f251473d2a6b7