1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals

Information

The Certificate used to secure Remote Access VPNs should satisfy the following criteria:
It should be a valid certificate from a trusted source. In almost cases this means a trusted Public Certificate Authority, as in most cases remote access VPN users will not have access to any Private Certificate Authorities for Certificate validation.
The certificate should have a valid date. It should not have a "to" date in the past (it should not be expired), and should not have a "from" date in the future.
The key length used to encrypt the certificate should be 2048 bits or more.
The hash used to sign the certificate should be SHA-2 or better.
Rationale:
If presented with a certificate error, the end user in most cases will not be able to tell if their session is using a self-signed or expired certificate, or if their session is being eavesdropped on or injected into by a "Man in the Middle" attack.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Create a CSR and install a certificate from a public CA here:
Navigate to Device > Certificate Management > Certificates
Apply a valid certificate to the HTTPS portal:
Navigate to Network > GlobalProtect > Portals > Portal Configuration > Authentication > SSL/TLS Profile
Apply a valid certificate to the GlobalProtect Gateway:
Navigate to Network > GlobalProtect > Gateways > Authentication > SSL/TLS Profile
Impact:
Not using a trusted Certificate, issued by a trusted Public Certificate Authority means that clients establishing VPN sessions will always see an error indicating an untrusted Certificate. This means that they will have no method of validating if their VPN session is being hijacked by a "Monkey in the Middle" (MitM) attack. It also "trains" them to bypass certificate warnings for other services, making MitM attacks easier for those other services as well.
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Palo_Alto

Control ID: ed678eeaa930a57d96e5272b514ab0bb0a87d32805e62f4d829b45adc1ac4395