InformationThe Certificate used to secure Remote Access VPNs should satisfy the following criteria:
* It should be a valid certificate from a trusted source. In almost cases this means a trusted Public Certificate Authority, as in most cases remote access VPN users will not have access to any Private Certificate Authorities for Certificate validation.
* The certificate should have a valid date. It should not have a "to" date in the past (it should not be expired), and should not have a "from" date in the future.
* The key length used to encrypt the certificate should be 2048 bits or more.
* The hash used to sign the certificate should be SHA-2 or better.
If presented with a certificate error, the end user in most cases will not be able to tell if their session is using a self-signed or expired certificate, or if their session is being eavesdropped on or injected into by a "Man in the Middle" attack.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
SolutionCreate a CSR and install a certificate from a public CA here:
Navigate to Device > Certificate Management > Certificates
Apply a valid certificate to the HTTPS portal:
Navigate to Network > GlobalProtect > Portals > Portal Configuration > Authentication > SSL/TLS Profile
Apply a valid certificate to the GlobalProtect Gateway:
Navigate to Network > GlobalProtect > Gateways > Authentication > SSL/TLS Profile