8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured

Information

Configure SSL Forward Proxy for all traffic destined to the Internet. For most organizations, the recommended policy includes all URL categories except financial-services, government and health-and-medicine.

Rationale:

Without SSL inspection, the firewall cannot apply many of its protection features to encrypted traffic. The amount of encrypted malware traffic continues to rise, and legitimate websites using SSL encryption are frequently compromised or tricked into delivering malware. As encryption on the Internet continues to grow at a rapid rate, SSL inspection is no longer optional as a practical security measure. If proper decryption is not configured, it follows that the majority of traffic is not being fully inspected for malicious content or policy violations. This is a major exposure, allowing delivery of exploits and payloads directly to user desktops.

Impact:

Failure to decrypt outbound traffic allows attackers to mask attacks, data exfiltration and/or command and control (C2) traffic by simply using standard TLS encryption. Privacy concerns for your organization's users will dictate that some common categories should be exempted from inspection and decryption. Personal banking or healthcare information is almost always exempted, as are interactions with government entities. Exemptions and inclusions to decryption policies should be negotiated internally and governed by published Corporate Policies.

Solution

Navigate to Policies > Decryption.
Create a Policy for all traffic destined to the Internet. This Policy should include:

Source tab: The Source Zone and/or Source Address should include all target internal networks. Source User should include all target internal users.

Destination tab: The Destination Zone should include the untrusted target zone (usually the internet). Destination Address is typically Any for an internet destination.

Service/URL Category tab: all URL Category entries should be included except financial-services, government and health-and-medicine (this list may vary depending on your organization and its policies).

Options tab: Type set to SSL Forward Proxy.
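The following Python check, added here as an example and not part of the benchmark or of any Palo Alto tooling, audits an exported PAN-OS configuration for the rule described above. It assumes the element names of the PAN-OS configuration XML as shown in the constructed sample, an Internet-facing zone named "untrust", and the benchmark's three exempt URL categories.

```python
"""Audit a PAN-OS configuration export for the decryption rule CIS 8.1 asks for.
The XML is a constructed sample; element names follow the PAN-OS config schema as assumed here."""
import xml.etree.ElementTree as ET

EXEMPT = {"financial-services", "government", "health-and-medicine"}
UNTRUST_ZONE = "untrust"  # assumed name of the Internet-facing zone
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><decryption><rules>
 <entry name="No-Decrypt-Sensitive">
  <from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>any</member></destination>
  <category><member>financial-services</member><member>government</member><member>health-and-medicine</member></category>
  <action>no-decrypt</action><type><ssl-forward-proxy/></type>
 </entry>
 <entry name="Decrypt-Outbound">
  <from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>10.0.0.0/8</member></source><destination><member>any</member></destination>
  <category><member>any</member></category>
  <action>decrypt</action><type><ssl-forward-proxy/></type>
 </entry>
</rules></decryption></rulebase></entry></vsys></entry></devices></config>"""

def members(rule, tag):  # set of <member> values under e.g. <to> or <category>
    return {m.text for m in rule.findall(f"{tag}/member")}

def audit_decryption(config_xml, untrust_zone=UNTRUST_ZONE, exempt=EXEMPT):
    """Return (compliant, findings). Compliant when an SSL Forward Proxy decrypt rule
    reaches the untrust zone and the exempt categories are either absent from its
    category list or carved out by an earlier no-decrypt rule (top-down, first match)."""
    findings, exempted_earlier = [], set()
    for rule in ET.fromstring(config_xml).findall(".//rulebase/decryption/rules/entry"):
        name, cats = rule.get("name"), members(rule, "category")
        if rule.findtext("action") == "no-decrypt":
            exempted_earlier |= cats  # these categories never reach later decrypt rules
            continue
        if rule.find("type/ssl-forward-proxy") is None:
            findings.append(f"{name}: decrypt rule is not SSL Forward Proxy")
            continue
        to_zones = members(rule, "to")
        if untrust_zone not in to_zones and "any" not in to_zones:
            findings.append(f"{name}: does not cover zone {untrust_zone}")
            continue
        # "any" decrypts every category; otherwise only the listed ones are decrypted.
        leaked = (exempt if "any" in cats else exempt & cats) - exempted_earlier
        if leaked:
            findings.append(f"{name}: decrypts exempt categories {sorted(leaked)}")
            continue
        return True, findings
    findings.append("no compliant SSL Forward Proxy rule for Internet-bound traffic")
    return False, findings
```

Run against a real export with `audit_decryption(open("running-config.xml").read())`; a non-empty findings list explains which rule fails and why.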

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/13160

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|12.9, CSCv7|12.10

Plugin: Palo_Alto

Control ID: 428fea9dc6185bf19b822daea94170cc2dc138090ec108f2e4e4fca3e3a48421