STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-228832r557387_rule
V-228832
SRG-NET-000061-ALG-000009
PANW-AG-000015
CAT II
10
Note: These instructions assume that certificates have already been loaded on the device. Multiple decryption policies can be configured; these instructions explain the steps involved but do not provide specific details since the exact local policies are not known. The Administrator must tailor the configuration to match the site-specific requirements.
Go to Policies >> Decryption
Select "Add".
In the "Decryption Policy Rule" window, complete the required fields.
In the "Name" tab, complete the "Name" and "Description" fields.
In the "Source" tab, complete the "Source Zone" and "Source Address" or "Source User" fields.
In the "Destination" tab, complete the "Destination Zone" and "Destination Address" or "Destination User" fields.
In the "URL Category" tab, select which categories will be decrypted.
Select "Any" to decrypt all traffic. This is used for web traffic.
In the "Option" tab, select "Decrypt" as the Action. Select the decryption profile.
In the Type field, there are three options;
Select "SSL Forward Proxy to decrypt and inspect SSL/TLS traffic from internal users to outside networks".
Select "SSH Proxy to decrypt inbound and outbound SSH connections passing through the device".
Select "SSL Inbound Inspection to decrypt and inspect incoming SSL traffic".
Note: This decryption mode can only work if you have control on the internal server certificate to import the Key Pair on Palo Alto Networks Device.
Decrypted traffic is blocked and restricted according to the policies configured on the firewall. For each Decryption Policy, there must be a Security Policy in order to inspect and filter the decrypted traffic. Multiple security policies can be configured; these instructions explain the steps involved but do not provide specific details since the exact local policies are not known.
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.
In the "Name" tab, complete the "Name" and "Description" fields.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
In the "User" tab, complete the "Source User" and "HIP Profile" fields.
In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields.
In the "Applications" tab, either select the "Any" check box or add the specific applications. Configured filters and groups can be selected.
In the "Actions" tab, select the desired resulting action (allow or deny). If logging of matches on the rule is required, select the "Log forwarding" profile, and select "Log at Session End".
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.
If the Palo Alto Networks security platform does not serve as an intermediary for remote access traffic (e.g., web content filter, TLS, and webmail), this is not applicable.
Go to Policies >> Decryption; note each configured decryption policy.
Go to Policies >> Security
View the configured security policies.
If there is a decryption policy that does not have a corresponding security policy, this is a finding.
The matching policy may not be obvious and it may be necessary for the Administrator to identify the corresponding security policy.
V-228832
False
PANW-AG-000015
If the Palo Alto Networks security platform does not serve as an intermediary for remote access traffic (e.g., web content filter, TLS, and webmail), this is not applicable.
Go to Policies >> Decryption; note each configured decryption policy.
Go to Policies >> Security
View the configured security policies.
If there is a decryption policy that does not have a corresponding security policy, this is a finding.
The matching policy may not be obvious and it may be necessary for the Administrator to identify the corresponding security policy.
M
4233