8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS

Information

Configure SSL Inbound Inspection for all untrusted traffic destined for servers using SSL or TLS.

Rationale:

Without SSL Inbound Inspection, the firewall only sees the encrypted TLS record layer of connections to SSL or TLS-enabled webservers. It cannot apply its threat, vulnerability, URL, or file inspection to the request and response payloads, so it is unable to protect those servers against many threats.

Impact:

Not decrypting inbound traffic to TLS-encrypted services means that the firewall cannot inspect that traffic for many common attacks. All defenses against those attacks are then left to the host itself.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Policies > Decryption. For each service published to the internet (or to any other untrusted zone), create a Decryption Policy rule and set the following options:

General tab: Name set to a descriptive name

Source tab: Source Zone set to the untrusted zone the clients connect from (Internet in many cases). Source Address set to the client address space (Any for internet traffic)

Destination tab: Destination Zone set to the zone the server lives in, or Any. Destination Address set to the address (or address object) of the published server

Options tab: Action set to Decrypt, Type set to SSL Inbound Inspection, and Certificate set to the server's own certificate. SSL Inbound Inspection requires that certificate, including its private key, to be imported on the firewall (Device > Certificate Management > Certificates) beforehand; without the private key the firewall cannot decrypt the session.

Decryption rules are evaluated top-down and the first match wins, so confirm that no broader No Decrypt rule above the new rule matches the same source zone and destination, or the inbound traffic will never be decrypted.
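The following script is an added example and is not part of the CIS benchmark, the Nessus plugin, or Palo Alto Networks' own tooling. It audits a PAN-OS running configuration export (for example from `show config running` or the XML API) for the condition this control describes: for each published server, the first decryption rule that matches traffic from the untrusted zone must have Action Decrypt and Type SSL Inbound Inspection. The XML layout in the constructed sample (rulebase/decryption/rules with from, destination, action, and type/ssl-inbound-inspection children) reflects the PAN-OS config schema as I understand it but should be checked against your own export; the zone name "untrust", the IP addresses, and the rule names are assumptions. Matching is deliberately simplified to source zone plus destination member, and address objects or groups are compared by name only, so a real audit should resolve those names first.

```python
"""Audit a PAN-OS config export for SSL Inbound Inspection coverage.

Added example, not part of the benchmark or the Nessus plugin. Assumes the
decryption rule XML layout shown in the constructed sample below; zone and
rule names and addresses are illustrative.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: one server covered correctly (10.1.1.10), one
# shadowed by an earlier No Decrypt rule (10.1.1.20), and 10.1.1.30 has no rule.
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><decryption><rules>
   <entry name="no-decrypt-partner">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <source><member>any</member></source>
    <destination><member>10.1.1.20</member></destination>
    <service><member>any</member></service>
    <action>no-decrypt</action>
   </entry>
   <entry name="inbound-www">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <source><member>any</member></source>
    <destination><member>10.1.1.10</member></destination>
    <service><member>service-https</member></service>
    <action>decrypt</action>
    <type><ssl-inbound-inspection>
      <certificates><member>www-cert</member></certificates>
    </ssl-inbound-inspection></type>
   </entry>
   <entry name="inbound-api">
    <from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <source><member>any</member></source>
    <destination><member>10.1.1.20</member></destination>
    <service><member>any</member></service>
    <action>decrypt</action>
    <type><ssl-inbound-inspection>
      <certificates><member>api-cert</member></certificates>
    </ssl-inbound-inspection></type>
   </entry>
  </rules></decryption></rulebase>
 </entry></vsys></entry></devices>
</config>"""


def members(entry, tag):
    """Return the <member> values under a child element such as <from>."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]


def load_rules(config_xml):
    """Extract decryption rules in rulebase order (order matters: first match wins)."""
    root = ET.fromstring(config_xml)
    rules = []
    for e in root.iterfind(".//rulebase/decryption/rules/entry"):
        rules.append({
            "name": e.get("name"),
            "from": members(e, "from"),
            "destination": members(e, "destination"),
            "action": (e.findtext("action") or "").strip(),
            # Type is expressed as a child element under <type>.
            "inbound": e.find("type/ssl-inbound-inspection") is not None,
            "disabled": (e.findtext("disabled") or "no").strip() == "yes",
        })
    return rules


def first_match(rules, src_zone, dst_addr):
    """Simplified rule lookup: first enabled rule matching source zone and destination."""
    for r in rules:
        if r["disabled"]:
            continue
        zone_ok = "any" in r["from"] or src_zone in r["from"]
        dest_ok = "any" in r["destination"] or dst_addr in r["destination"]
        if zone_ok and dest_ok:
            return r
    return None


def audit(config_xml, untrusted_zone, published_servers):
    """Map each published server to (status, matching rule name or None)."""
    rules = load_rules(config_xml)
    findings = {}
    for srv in published_servers:
        r = first_match(rules, untrusted_zone, srv)
        if r is None:
            findings[srv] = ("NO_RULE", None)       # nothing decrypts this server
        elif r["action"] != "decrypt":
            findings[srv] = ("SHADOWED", r["name"])  # earlier No Decrypt rule wins
        elif not r["inbound"]:
            findings[srv] = ("WRONG_TYPE", r["name"])  # e.g. forward proxy, not inbound
        else:
            findings[srv] = ("PASS", r["name"])
    return findings


if __name__ == "__main__":
    for server, (status, rule) in audit(
            SAMPLE_CONFIG, "untrust", ["10.1.1.10", "10.1.1.20", "10.1.1.30"]).items():
        print(f"{server}: {status} ({rule})")
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents and listing every address or address object that is published to the untrusted zone; a SHADOWED result is the ordering problem a manual review most often misses, because the inbound inspection rule exists and looks correct on its own.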

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/8826

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|12.9, CSCv7|12.10

Plugin: Palo_Alto

Control ID: 158016acb2a26c1a77950962809afe9ebb601c838a731293a86fc7027c0df06b