PANW-NM-000110 - The Palo Alto Networks security platform must accept and verify Personal Identity Verification (PIV) credentials - 'DOD CA certificates'

Information

The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.

DOD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12 and as a primary component of layered protection for national security systems.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Import the DOD CA certificates and subordinate certificates for all of the certificate authorities.
Go to Device >> Certificate Management >> Certificates.
Select the Import icon at the bottom of the pane.
In the Import Certificate window, complete the required information.
Select 'OK'.

Create a certificate profile.
Go to Device >> Setup >> Management.
In the Authentication Settings pane, select the 'Edit' icon (the gear symbol in the upper-right corner).
In the Authentication Settings window, complete the required information.
In the Authentication Profile field, select 'None'.
In the Certificate Profile field, select 'New Certificate Profile'. This will change the Authentication Settings window to the Certificate Profile window.
Leave the username field blank.
Leave the domain field blank.

In the Certificate Profile window, complete the required fields.
In the CA Certificates section, select 'Add' to import the DOD certificate authorities.
Select the Use OCSP checkbox.
When importing the top-level DOD CA Certificate, for the Default OCSP URL field, add the DOD/DISA OCSP URL.
Select 'OK'.
Select 'OK' again.
Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-6b., 800-53|IA-2(12), CAT|II, CCI|CCI-000366, CCI|CCI-001953, CCI|CCI-004068, Rule-ID|SV-228667r997687_rule, STIG-ID|PANW-NM-000110, STIG-Legacy|SV-77251, STIG-Legacy|V-62761, Vuln-ID|V-228667

Plugin: Palo_Alto

Control ID: 06305e8ea07b3092c27268889434f6bfd802a2175920fd152e3be374a0fff293