1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates


The Certificate used to secure Remote Access VPNs should satisfy the following criteria:
* It should be a valid certificate from a trusted source. In almost cases this means a trusted Public Certificate Authority, as in most cases remote access VPN users will not have access to any Private Certificate Authorities for Certificate validation.
* The certificate should have a valid date. It should not have a "to" date in the past (it should not be expired), and should not have a "from" date in the future.
* The key length used to encrypt the certificate should be 2048 bits or more.
* The hash used to sign the certificate should be SHA-2 or better.
If presented with a certificate error, the end user in most cases will not be able to tell if their session is using a self-signed or expired certificate, or if their session is being eavesdropped on or injected into by a "Man in the Middle" attack.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Create a CSR and install a certificate from a public CA here:
Navigate to Device > Certificate Management > Certificates
Apply a valid certificate to the HTTPS portal:
Navigate to Network > GlobalProtect > Portals > Portal Configuration > Authentication > SSL/TLS Profile
Apply a valid certificate to the GlobalProtect Gateway:
Navigate to Network > GlobalProtect > Gateways > Authentication > SSL/TLS Profile
Default Value:
Not configured

See Also


Item Details


References: 800-53|SC-17, CSCv6|14.2

Plugin: Palo_Alto

Control ID: f9de9dc0fddc3337d3105e3c8cefa5a3214f0670caeffadd23e2855124e961e4