1.2.4 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles

Information

In most cases, a browser HTTPS interface is used to administer the Palo Alto appliance. The certificate used to secure this session should satisfy the following criteria:
1. A valid certificate from a trusted source should be used. While a certificate from a trusted Public Certificate Authority is certainly valid, one from a trusted Private Certificate Authority is absolutely acceptable for this purpose.
2. The certificate should have a valid date. It should not have a "to" date in the past (it should not be expired), and should not have a "from" date in the future.
3. The certificate should use an acceptable cipher and encryption level.
Rationale:
If a certificate that is self-signed, expired, or otherwise invalid is used for the browser HTTPS interface, administrators in most cases will not be able to tell whether their session is being eavesdropped on or injected into by a man-in-the-middle attack, because the browser warning they must click through for the invalid certificate looks the same in both cases.
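To make the three criteria concrete, here is an added audit helper written for this page; it is not code from CIS, Tenable or Palo Alto Networks. It evaluates a certificate in the dictionary layout Python's standard-library ssl.SSLSocket.getpeercert() returns, plus the negotiated cipher tuple from ssl.SSLSocket.cipher(), and reports which criteria fail. The thresholds (TLS 1.2 or newer, at least 128-bit symmetric strength) are this example's assumptions for "acceptable cipher and encryption level"; the benchmark text itself names no numbers. The two sample certificates and the audit time are constructed, not captured from a real appliance.

```python
import socket
import ssl
import time

# Assumed thresholds (not stated in the benchmark): anything below TLS 1.2 or a
# 128-bit symmetric key is treated as failing criterion 3.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_CIPHER_BITS = 128


def _name_dict(rdn_sequence):
    """Flatten the subject/issuer structure used by getpeercert(): a tuple of
    RDNs, each RDN a tuple of (attribute, value) pairs."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def check_admin_cert(cert, cipher=None, now=None):
    """Evaluate a getpeercert()-style dict against the three criteria.
    Returns a list of finding strings; an empty list means compliant.

    cert   -- dict in the shape ssl.SSLSocket.getpeercert() returns
    cipher -- optional (name, protocol, bits) tuple from ssl.SSLSocket.cipher()
    now    -- POSIX timestamp to evaluate validity against (default: current time)
    """
    findings = []
    now = time.time() if now is None else now

    # Criterion 2: the validity window. cert_time_to_seconds() parses the
    # "Mon DD HH:MM:SS YYYY GMT" strings that getpeercert() produces.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("expired: notAfter is %s" % cert["notAfter"])
    if not_before > now:
        findings.append("not-yet-valid: notBefore is %s" % cert["notBefore"])

    # Criterion 1 (the part checkable offline): issuer equal to subject means
    # self-signed, i.e. the factory default the benchmark wants replaced.
    subject = _name_dict(cert["subject"])
    issuer = _name_dict(cert["issuer"])
    if subject == issuer:
        findings.append("self-signed: issuer equals subject (%s)"
                        % subject.get("commonName", "?"))

    # Criterion 3: negotiated protocol version and symmetric key length.
    if cipher is not None:
        name, protocol, bits = cipher
        if protocol not in ACCEPTED_PROTOCOLS:
            findings.append("weak-protocol: %s negotiated with %s" % (protocol, name))
        if bits < MIN_CIPHER_BITS:
            findings.append("weak-cipher: %s provides only %d bits" % (name, bits))
    return findings


def fetch_admin_cert(host, port=443, ca_file=None, timeout=5.0):
    """Connect to the management interface and return (cert, cipher) for
    check_admin_cert(). Chain validation stays enabled: a failure here
    (ssl.SSLCertVerificationError) is itself a criterion-1 finding. Pass the
    PEM bundle of a trusted private Certificate Authority as ca_file to
    accept certificates it issued."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.cipher()


# Constructed samples (not captured from any real appliance), in the
# dictionary layout getpeercert() produces.
SAMPLE_DEFAULT_SELF_SIGNED = {
    "subject": ((("commonName", "192.0.2.1"),),),
    "issuer": ((("commonName", "192.0.2.1"),),),
    "notBefore": "Jan 01 00:00:00 2015 GMT",
    "notAfter": "Jan 01 00:00:00 2020 GMT",
}
SAMPLE_PRIVATE_CA_CERT = {
    "subject": ((("commonName", "fw-mgmt.corp.example"),),
                (("organizationName", "Example Corp"),)),
    "issuer": ((("commonName", "Example Corp Internal CA"),),
               (("organizationName", "Example Corp"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2026 GMT",
}
# Fixed audit time so the sample results are reproducible.
AUDIT_TIME = ssl.cert_time_to_seconds("Jan 15 12:00:00 2024 GMT")

if __name__ == "__main__":
    cases = (
        ("factory self-signed", SAMPLE_DEFAULT_SELF_SIGNED, ("AES128-SHA", "TLSv1", 128)),
        ("private CA issued", SAMPLE_PRIVATE_CA_CERT, ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256)),
    )
    for label, cert, cipher in cases:
        print(label, "->", check_admin_cert(cert, cipher, now=AUDIT_TIME) or ["compliant"])
```

Against the fixed audit time the factory-style sample fails three ways (expired, self-signed, TLS 1.0), while the private-CA sample passes, which matches the benchmark's point that a private CA is acceptable as long as the chain is trusted and the dates are current. For a live check, fetch_admin_cert() with the private CA bundle as ca_file supplies the cert and cipher tuple; if the appliance still presents the default self-signed certificate, the handshake itself raises a verification error rather than returning data.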

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If a new administrative certificate is needed, acquire a certificate that meets the stated criteria and set it:

Navigate to Device > Setup > Certificate Management > Certificates

Set an appropriately named Certificate Profile for Management Interface Access:

Navigate to Device > Setup > Certificate Management > Certificate Profile

Set the Authentication Profile field so it contains the Certificate Profile created for Management Interface Access:

Navigate to Device > Setup > Management (tab) > Authentication Settings > Authentication Profile (field)
Default Value:
A self-signed certificate is installed by default for the administrative interface.

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-17, CSCv6|3.4, CSCv6|14.2, CSCv6|16.13

Plugin: Palo_Alto

Control ID: 2d8e12eb85f0c10e660fb16aa73cb2a54a919fcb760785fe4e2bf0218b4c37d5