Skip to content
Catalogs
XCCDF
Palo Alto Networks ALG Security Technical Implementation Guide
SRG-NET-000061-ALG-000009
The Palo Alto Networks security platform, if used to provide intermediary services for remote access communications traffic (TLS or SSL decryption), must ensure inbound and outbound traffic is monitored for compliance with remote access security policies.
The Palo Alto Networks security platform, if used to provide intermediary services for remote access communications traffic (TLS or SSL decryption), must ensure inbound and outbound traffic is monitored for compliance with remote access security policies. An XCCDF Rule
The Palo Alto Networks security platform, if used to provide intermediary services for remote access communications traffic (TLS or SSL decryption), must ensure inbound and outbound traffic is monitored for compliance with remote access security policies.
Medium Severity
<VulnDiscussion>Automated monitoring of remote access traffic allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by inspecting connection activities of remote access capabilities.
Remote access methods include both unencrypted and encrypted traffic (e.g., web portals, web content filter, TLS, and webmail). With inbound TLS inspection, the traffic must be inspected prior to being allowed on the enclave's web servers hosting TLS or HTTPS applications. With outbound traffic inspection, traffic must be inspected prior to being forwarded to destinations outside of the enclave, such as external email traffic. This requirement does not mandate the decryption and inspection of SSL/TLS; it requires that if this is performed in the device, the decrypted traffic be inspected and conform to security policies.
If SSL/TLS traffic is decrypted in the device, it must be inspected. The Palo Alto Networks security platform can be configured to decrypt and inspect SSL/TLS connections going through the device. With SSL Decryption, SSL-encrypted traffic is decrypted and App-ID and the Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking Profiles can be applied to decrypted traffic before being re-encrypted and being forwarded. This is not limited to SSL encrypted HTTP traffic (HTTPS); other protocols "wrapped" in SSL/TLS can be decrypted and inspected.
Decryption is policy-based and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies allow the administrator to specify traffic for decryption according to destination, source, or URL category and in order to block or restrict the specified traffic according to security settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>