8.3 Ensure that the Certificate used for Decryption is Trusted

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The CA Certificate used for in-line HTTP Man in the Middle should be trusted by target users. For SSL Forward Proxy configurations, there are classes of users that need to be considered.

1: Users who are members of the organization, and users of machines under the control of the organization. For these people and machines, ensure that the CA Certificate is in one of the Trusted CA certificate stores. This is easily done in Active Directory, using Group Policies for instance. An MDM (Mobile Device Manager) can be used to accomplish the same task for mobile devices such as telephones or tablets. Other central management or orchestration tools can be used for Linux or 'IoT' (Internet of Things) devices.

2: Users who are not members of the organization - often these are classed as 'Visitors' in the policies of the organization. If a public CA Certificate is a possibility for your organization, then that is one approach. A second approach is to not decrypt affected traffic - this is easily done, but leaves the majority of 'visitor' traffic uninspected and potentially carrying malicious content. The final approach, and the one most commonly seen, is to use the same certificate as is used for the hosting organization. In this last case, visitors will see a certificate warning, but the issuing CA will be the organization that they are visiting.

Rationale:

Using a self-signed certificate, or any certificate that generates a warning in the browser, means that members of the organization have no method of determining if they are being presented with a legitimate certificate, or an attacker's 'man in the middle' certificate. It also very rapidly teaches members of the organization to bypass all security warnings of this type.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Set the CA Certificate(s):

Navigate to Device > Certificate Management > Certificates. Import the appropriate CA Certificates from any internal Certificate Authorities.

Alternatively, generate a self-signed certificate for an internal CA on the firewall, and then import the root certificate for that CA into the trusted CA list of target clients. In an Active Directory environment this can be facilitated using a Group Policy.

Set the Certificate Profile needed for the SSL Forward Proxy:

Navigate to Device > Certificate Management > Certificate Profile.

Set the decryption profile to include the settings described in the SSL Forward Proxy guidance in this document.
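The following script is an added example, not part of the CIS benchmark or the firewall vendor's tooling. It reproduces the trust check a client performs on a certificate that the SSL Forward Proxy has re-signed: a constructed CA (named "Example Corp Decryption CA", a stand-in for the firewall's decryption CA) issues a constructed leaf certificate, and the leaf is verified once against an empty trust store (a visitor device that never imported the CA, which is what produces the browser warning) and once against a store containing the CA (a managed device after the Group Policy or MDM push). It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: simulate the client-side trust decision for a forward-proxy-issued certificate.
set -eu
WORK=$(mktemp -d)

# Constructed stand-in for the firewall's decryption CA (throwaway key, not a real CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Corp Decryption CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Constructed leaf for a visited site, re-signed by that CA as the proxy does in-line.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

# An empty trust store models a device on which the decryption CA was never installed.
: > "$WORK/empty-store.pem"

# chain_trusted LEAF CAFILE: prints "trusted" or "untrusted", the outcome the user's browser acts on.
chain_trusted() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# issuer_of LEAF: prints the issuer, so an auditor can confirm the cert really came from
# the organization's decryption CA rather than an unknown one.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Stand-alone run: visitor device (untrusted) versus managed device (trusted).
echo "visitor device:  $(chain_trusted "$WORK/leaf.pem" "$WORK/empty-store.pem")"
echo "managed device:  $(chain_trusted "$WORK/leaf.pem" "$WORK/ca.pem")"
echo "presented by:    $(issuer_of "$WORK/leaf.pem")"
```

Against a real deployment, point issuer_of and chain_trusted at the certificate a client actually receives (for example the output of openssl s_client -showcerts from a managed workstation) together with that workstation's exported trust store.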

Default Value:

Decryption is not enabled by default.

See Also

https://workbench.cisecurity.org/files/3750