1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates


The Certificate used to secure Remote Access VPNs should satisfy the following criteria:
* It should be a valid certificate from a trusted source. In almost cases this means a trusted Public Certificate Authority, as in most cases remote access VPN users will not have access to any Private Certificate Authorities for Certificate validation.
* The certificate should have a valid date. It should not have a "to" date in the past (it should not be expired), and should not have a "from" date in the future.
* The key length used to encrypt the certificate should be 2048 bits or more.
* The hash used to sign the certificate should be SHA-2 or better.
If presented with a certificate error, the end user in most cases will not be able to tell if their session is using a self-signed or expired certificate, or if their session is being eavesdropped on or injected into by a "Man in the Middle" attack.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Create a CSR and install a certificate from a public CA here:
Navigate to Device > Management > Certificate Management > Certificates

Apply a valid certificate to the HTTPS portal:
Navigate to Network > GlobalProtect > Portals > Portal Configuration > Server Certificate

Apply a valid certificate to the GlobalProtect Gateway:
Navigate to Network > GlobalProtect > Gateways > General > Server Certificate
Default Value:
Not configured

See Also


Item Details


References: 800-53|SC-17, CSCv6|14.2

Plugin: Palo_Alto

Control ID: 7658e18f3b766783a97c3e606b6bef08d354035e5cdc0234d322022ea4d5cf80