8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Policies

Information

Configure SSL Forward Proxy for all traffic destined to the Internet. Include all categories except financial-services and health-and-medicine.
Rationale:
Without SSL inspection, the firewall cannot apply many of its protection features against encrypted traffic. The amount of encrypted malware traffic continues to rise, and legitimate websites using SSL encryption are hacked or tricked into delivering malware on a frequent basis. As encryption on the Internet continues to grow at a rapid rate, SSL inspection is no longer optional as a practical security measure. If proper decryption is not configured, it follows that the majority of traffic is not being fully inspected for malicious content or policy violations. This is a major exposure, allowing delivery of exploits and payloads direct to user desktops.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Navigate to Policies > Decryption.
Set SSL Forward Proxy for all traffic destined to the Internet. Include all categories except financial-services and health-and-medicine.
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SC-7, 800-53|SI-4, CSCv6|12, CSCv6|12.5, CSCv7|12, CSCv7|12.9, CSCv7|12.10

Plugin: Palo_Alto

Control ID: 95bf3b4d037aa4802988a9862f4a69936adff69349d621a872667cabd79335c5