Decryption Profile is not following best practices-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if the decryption profile is not following best practices.

Remediation Steps:
Ensure Min Version is set to “TLSv1.2” AND Max Version is set to “Max” AND only secure options are enabled. Make sure MD5 and SHA1 are not enabled under “Authentication Algorithms”, and that 3DES and RC4 are not enabled under “Encryption Algorithms”. For more details, please check this link: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-concepts/ssl-protocol-settings-decryption-profile

How does this work?
This alert uses the Palo Alto Networks API interface to parse through the configured local decryption profiles and verify that each profile has the minimum recommended settings. The alert should report the name of the decryption profile and what needs to be fixed.
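
The check described above, sketched as an added example (this is not Indeni's rule or parser code). The XML response is a constructed sample, and the element names (`ssl-protocol-settings`, `min-version`, `max-version`, `enc-algo-*`, `auth-algo-*`) and values such as `tls1-2` are assumptions about how PAN-OS stores a decryption profile; verify them against the output of the API call on your own firewall.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an API config response (not captured from a device).
# Element names are assumed to follow the PAN-OS ssl-protocol-settings layout.
SAMPLE = """<response status="success"><result>
<entry name="legacy-profile"><ssl-protocol-settings>
  <min-version>tls1-0</min-version><max-version>tls1-2</max-version>
  <enc-algo-3des>yes</enc-algo-3des><enc-algo-rc4>no</enc-algo-rc4>
  <auth-algo-md5>no</auth-algo-md5><auth-algo-sha1>yes</auth-algo-sha1>
</ssl-protocol-settings></entry>
<entry name="strict-profile"><ssl-protocol-settings>
  <min-version>tls1-2</min-version><max-version>max</max-version>
  <enc-algo-3des>no</enc-algo-3des><enc-algo-rc4>no</enc-algo-rc4>
  <auth-algo-md5>no</auth-algo-md5><auth-algo-sha1>no</auth-algo-sha1>
</ssl-protocol-settings></entry>
</result></response>"""

# Algorithms the page says must stay disabled, keyed by assumed element name.
WEAK = {"enc-algo-3des": "3DES", "enc-algo-rc4": "RC4",
        "auth-algo-md5": "MD5", "auth-algo-sha1": "SHA1"}

def audit_profiles(xml_text):
    """Return {profile name: [findings]} for profiles that miss the baseline."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    report = {}
    for entry in root.iterfind("./result/entry"):
        ssl = entry.find("ssl-protocol-settings")
        get = lambda tag: ssl.findtext(tag) if ssl is not None else None
        findings = []
        # Baseline from the remediation steps: Min = TLSv1.2, Max = Max.
        if get("min-version") != "tls1-2":
            findings.append(f"Min Version is {get('min-version')}, expected tls1-2")
        if get("max-version") != "max":
            findings.append(f"Max Version is {get('max-version')}, expected max")
        # Only an explicit "yes" is flagged; device defaults for absent
        # elements are not modelled in this sketch.
        findings += [f"{label} is enabled" for tag, label in WEAK.items()
                     if get(tag) == "yes"]
        if findings:
            report[entry.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_profiles(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```
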

Why is this important?
Because of SSL/TLS vulnerabilities, the minimum version should be set to at least TLS 1.2 and the maximum to the highest version available. Make sure the Key Exchange, Encryption and Authentication Algorithms are set to strict standards so that the SSL communication cannot be compromised by a man-in-the-middle or other attacker. Under Encryption Algorithms, do not enable 3DES or RC4, as they are the weakest in the list. Similarly, under Authentication Algorithms, disable MD5 and SHA1 and enable only the stronger authentication standards.

Without Indeni how would you find this?
Log in to the device’s web interface, click “Objects” -> “Decryption” -> “Decryption Profile”, and check each profile manually.

panos-decryption-tls-settings

name: panos-decryption-tls-settings
description: Ensure Min Version is set to "TLSv1.2" AND Max Version is set to "Max"
    AND only secure options are enabled.
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    ssl-decryption-protocol-settings:
        why: "Due to SSL/TLS vulnerabilities, at the least we should have the minimum\
            \ version set at TLS versions 1.2 and maximun set to the version available.\
            \  \nMake sure the Key Exchange, Encryption and Authentication Algorithms\
            \ are set to strict standards so that the SSL communication is not compromised\
            \ by middle man or an attacker.  \nIn Encryption Algorithms, make sure\
            \ not to enable 3DES and RC4 as they are weakest in the list. \nSimilarly,\
            \ in Authentication Algorithms disable MD5 and SHA1 and enable only that\
            \ is stronger authentication standards.\n"
        how: |
            This alert uses the Palo Alto Networks API interface to parse through the configured local decryption profiles and verify the profile has the minimum recommended settings. The alarm should dump the name of the decryption profile and what need to be fixed.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/profiles/decryption/entry&key=${api-key}
    parse:
        type: XML
        file: panos-decryption-profile.parser.1.xml.yaml

PanosDecryptionTlsSettingsRule
