7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone

Information

When permitting traffic from an untrusted zone, such as the Internet or guest network, to a more trusted zone, such as a DMZ segment, create security policies specifying which specific applications are allowed. Enhanced Security Recommendation: Require specific application policies when allowing any traffic, regardless of the trust level of a zone. This may require SSL interception, and may also not be possible in all environments.
Rationale:
To avoid unintentionally exposing systems and services, rules allowing traffic from untrusted zones to trusted zones should be as specific as possible. Application-based rules, as opposed to service/port rules, further tighten what traffic is allowed to pass.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Policies > Security.
Set a Security Policy with: Source: Zone set to OUTSIDE Address set to any Destination Destination: Zone set to DMZ Address set to Application set to web-browsing Service set to application-default

Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/1664

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CSCv6|14

Plugin: Palo_Alto

Control ID: d709bfc283b3d551d7ec8af0906cd72a03b96d1e4e403a0a2405b96f0d80c916