STIGQter: STIG Summary: Palo Alto Networks NDM Security Technical Implementation Guide, Version 1, Release 4, Benchmark Date: 24 Jan 2020

The Palo Alto Networks security platform must accept and verify Personal Identity Verification (PIV) credentials.

DISA Rule

SV-77251r1_rule

Vulnerability Number

V-62761

Group Title

SRG-APP-000391-NDM-000308

Rule Version

PANW-NM-000110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Import the DOD CA certificates and subordinate certificates for all of the certificate authorities.
Go to Device >> Certificate Management >> Certificates.
Select the Import icon at the bottom of the pane.
In the Import Certificate window, complete the required information.
Select "OK".

Create a certificate profile.
Go to Device >> Setup >> Management.
In the Authentication Settings pane, select the "Edit" icon (the gear symbol in the upper-right corner).
In the Authentication Settings window, complete the required information.
In the Authentication Profile field, select "None".
In the Certificate Profile field, select "New Certificate Profile". This will change the Authentication Settings window to the Certificate Profile window.
Leave the username field blank.
Leave the domain field blank.

In the Certificate Profile window, complete the required fields.
In the CA Certificates section, select "Add" and choose the DOD certificate authorities imported in the previous step.
Select the Use OCSP checkbox.
When importing the top level DOD CA Certificate, for the Default OCSP URL field, add the DOD/DISA OCSP URL.
Select "OK".
Select "OK" again.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.

Check Contents

Go to Device >> Certificate Management >> Certificates.
If no DOD CA certificates and subordinate certificates are imported, this is a finding.

Go to Device >> Setup >> Management.
In the Authentication Settings pane, if the Certificate Profile field is blank, this is a finding.

View the Certificate Profile; if it does not list the DOD CA certificates and subordinate certificates, this is a finding.

If the Use OCSP checkbox is not selected, this is a finding.
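The fix and check steps above are web-interface procedures. As an added example (not from the STIG, STIGQter, or Palo Alto Networks), the following Python script applies the four check conditions to an exported PAN-OS XML configuration, so the finding can be evaluated from a saved configuration export rather than by clicking through the interface. The XML paths, the "DoD" name prefix used to recognise DoD CA certificates, and both sample configurations are assumptions constructed for this example; confirm the paths against your own export before relying on the result.

```python
"""Evaluate PANW-NM-000110 against a PAN-OS XML configuration export.

Added example, not part of the STIG or of any vendor tooling.
ASSUMED XML layout (verify against your own export):
  /config/shared/certificate/entry                      imported certs (<ca>yes</ca>)
  /config/shared/certificate-profile/entry              certificate profiles
      ./CA/entry                                        CA members of a profile
      ./use-ocsp                                        the "Use OCSP" checkbox
  /config/devices/entry/deviceconfig/system/certificate-profile
                                                        profile selected in
                                                        Device > Setup > Management
"""
import sys
import xml.etree.ElementTree as ET

DOD_MARKER = "DoD"  # assumption: DoD CA certificates are named with this prefix

# Constructed sample: compliant configuration.
COMPLIANT = """<config>
 <shared>
  <certificate>
   <entry name="DoD Root CA 3"><ca>yes</ca></entry>
   <entry name="DoD ID CA-59"><ca>yes</ca></entry>
  </certificate>
  <certificate-profile>
   <entry name="DoD-PIV-Admin">
    <CA>
     <entry name="DoD Root CA 3"><default-ocsp-url>http://ocsp.disa.mil</default-ocsp-url></entry>
     <entry name="DoD ID CA-59"/>
    </CA>
    <use-ocsp>yes</use-ocsp>
   </entry>
  </certificate-profile>
 </shared>
 <devices><entry name="localhost.localdomain"><deviceconfig><system>
  <certificate-profile>DoD-PIV-Admin</certificate-profile>
 </system></deviceconfig></entry></devices>
</config>"""

# Constructed sample: DoD CAs imported, but the selected profile trusts only a
# local CA and has "Use OCSP" cleared.
NONCOMPLIANT = """<config>
 <shared>
  <certificate>
   <entry name="DoD Root CA 3"><ca>yes</ca></entry>
   <entry name="DoD ID CA-59"><ca>yes</ca></entry>
   <entry name="Internal-CA"><ca>yes</ca></entry>
  </certificate>
  <certificate-profile>
   <entry name="Local-Admin">
    <CA><entry name="Internal-CA"/></CA>
    <use-ocsp>no</use-ocsp>
   </entry>
  </certificate-profile>
 </shared>
 <devices><entry name="localhost.localdomain"><deviceconfig><system>
  <certificate-profile>Local-Admin</certificate-profile>
 </system></deviceconfig></entry></devices>
</config>"""


def audit(config_xml: str) -> list:
    """Return the list of findings; an empty list means the check passes."""
    root = ET.fromstring(config_xml)
    findings = []

    # Check 1: DoD CA and subordinate certificates are imported.
    imported = {e.get("name") for e in root.findall("./shared/certificate/entry")
                if e.findtext("ca", "").strip().lower() == "yes"}
    dod_cas = {n for n in imported if DOD_MARKER in n}
    if not dod_cas:
        findings.append("no DOD CA certificates and subordinate certificates are imported")

    # Check 2: a Certificate Profile is selected in Authentication Settings.
    ref = (root.findtext("./devices/entry/deviceconfig/system/certificate-profile") or "").strip()
    if not ref:
        findings.append("Authentication Settings: Certificate Profile field is blank")
        return findings
    prof = root.find(f"./shared/certificate-profile/entry[@name='{ref}']")
    if prof is None:
        findings.append(f"Certificate Profile '{ref}' is selected but not defined")
        return findings

    # Check 3: the profile lists the imported DoD CAs.
    listed = {e.get("name") for e in prof.findall("./CA/entry")}
    if not (listed & dod_cas):
        findings.append(f"Certificate Profile '{ref}' lists no DOD CA certificates")
    elif dod_cas - listed:
        findings.append(f"Certificate Profile '{ref}' omits imported DOD CAs: "
                        + ", ".join(sorted(dod_cas - listed)))

    # Check 4: "Use OCSP" is selected.
    if (prof.findtext("use-ocsp") or "").strip().lower() != "yes":
        findings.append(f"Certificate Profile '{ref}': Use OCSP checkbox is not selected")
    return findings


if __name__ == "__main__":
    # Pass a saved PAN-OS configuration export as the only argument, or run
    # without arguments to audit the two constructed samples.
    sources = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [COMPLIANT, NONCOMPLIANT]
    for cfg in sources:
        print("\n".join(audit(cfg)) or "no findings for PANW-NM-000110")
```

Because Check 2 and the profile lookup gate the later checks, a blank Certificate Profile field is reported on its own rather than followed by spurious "lists no DOD CA" findings; that mirrors how an assessor would stop at the first failed step of the check.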

Documentable

False

Check Content Reference

M

Target Key

2811

Comments