Detections
Analytics

4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The CA Certificate used for in-line HTTP Man in the Middle should be trusted by target users. For SSL Forward Proxy configurations, there are classes of users that need to be considered.

1: Users that are members of the organization, users of machines under control of the organization. For these people and machines, ensure that the CA Certificate is in one of the Trusted CA certificate stores. This is easily done in Active Directory, using Group Policies for instance. A MDM (Mobile Device Manager) can be used to accomplish the same task for mobile devices such as telephones or tablets. Other central management or orchestration tools can be used for Linux or 'IoT' (Internet of Things) devices.

2: Users that are not member of the organization - often these are classed as 'Visitors' in the policies of the organization. If a public CA Certificate is a possibility for your organization, then that is one approach. A second approach is to not decrypt affected traffic - this is easily done, but leaves the majority of 'visitor' traffic uninspected and potentially carrying malicious content. The final approach, and the one most commonly seen, is to use the same certificate as is used for the hosting organization. In this last case, visitors will see a certificate warning, but the issuing CA will be the organization that they are visiting.

Rationale:

Using a self-signed certificate, or any certificate that generates a warning in the browser, means that members of the organization have no method of determining if they are being presented with a legitimate certificate, or an attacker's 'man in the middle' certificate. It also very rapidly teaches members of the organization to bypass all security warnings of this type.

Solution

Set the CA Certificate(s):
Navigate to Device > Certificate Management > Certificates. Import the appropriate CA Certificates from any internal Certificate Authorities.
Alternatively, generate a self-signed certificate for an internal CA on the firewall, and then import the root certificate for that CA into the trusted CA list of target clients. In an Active Directory environment this can be facilitated using a Group Policy.
Set the Certificate Profile needed for the SSL Forward Proxy:

Navigate to Device > Certificate Management > Certificate Profile.

Set the decryption profile to include the settings described in the SSL Forward Proxy guidance in this document

Default Value:

Decryption is not enabled by default.

References:

'How to Implement and Test SSL Decryption' - https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719

'PAN-OS Administrator's Guide 9.0 (English) - Decryption (English)' - https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption.html#

'SSL Certificates Resource List on Configuring and Troubleshooting' - https://live.paloaltonetworks.com/t5/Management-Articles/SSL-certificates-resource-list/ta-p/53068

'Certificates' - http://palo-alto.wikia.com/wiki/Certificates

See Also

https://workbench.cisecurity.org/files/2692

Item Details

References: CSCv6|12, CSCv6|12.5, CSCv7|12, CSCv7|12.9, CSCv7|12.10

Plugin: Palo_Alto

Control ID: f5edfb78828b2412752200d5279d65adf4ab22b3fc1c92ef984c300d33f5624d