Decryption Profile is not following best practices-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert if the decryption profile is not following best practices.
Remediation Steps:
Ensure Min Version is set to “TLSv1.2”, Max Version is set to “Max”, and only secure options are enabled. Make sure MD5 and SHA1 are not enabled under “Authentication Algorithms”, and that 3DES and RC4 are not enabled under “Encryption Algorithms”. For more details, see: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-concepts/ssl-protocol-settings-decryption-profile
How does this work?
This alert uses the Palo Alto Networks API to parse the configured local decryption profiles and verify that each profile has the minimum recommended settings. The alert should report the name of the decryption profile and what needs to be fixed.
Why is this important?
Because of known SSL/TLS vulnerabilities, the minimum version should be set to at least TLS 1.2 and the maximum to the highest version available. Make sure the Key Exchange, Encryption and Authentication Algorithms are set to strict standards so that the SSL communication cannot be compromised by a man-in-the-middle or other attacker. Under Encryption Algorithms, do not enable 3DES or RC4, as they are the weakest in the list. Similarly, under Authentication Algorithms, disable MD5 and SHA1 and enable only the stronger authentication algorithms.
Without Indeni how would you find this?
Log in to the device’s web interface, click on “Objects” -> “Decryption” -> “Decryption Profile”, and check each profile manually.
panos-decryption-tls-settings
https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/panos-decryption-profile/panos-decryption-profile.ind.yaml
PanosDecryptionTlsSettingsRule
https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosDecryptionTlsSettingsRule.scala