
The Palo Alto Networks security platform must not enable the DNS proxy unless authorized.


Overview

Finding ID: V-62561
Version: PANW-AG-000037
Rule ID: SV-77051r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Unrelated or unneeded proxy services increase the attack surface and add excessive complexity to securing the ALG. Multiple application proxies can be installed on many ALGs; however, proxy types must be limited to related functions. At a minimum, the web and email gateways represent different security domains/trust levels. Organizations should also consider separating the gateways that service the DMZ from those that service the trusted network. The Palo Alto Networks security platform can act as a DNS proxy, sending DNS queries on behalf of clients. However, the use of this, or any other optional service or capability, must be authorized by the Authorizing Official.
STIG: Palo Alto Networks ALG Security Technical Implementation Guide
Date: 2015-11-17

Details

Check Text ( C-63365r1_chk )
View the system documentation; if the DNS Proxy capability is authorized, this is not a finding.

To check if DNS Proxy is configured:
Go to Network >> DNS Proxy
If there are entries in the pane, and DNS Proxy has not been authorized, this is a finding.
Fix Text (F-68481r1_fix)
Go to Network >> DNS Proxy.
If there are no entries in the pane, the capability has not been enabled and no change is required.
If entries are present and the DNS Proxy capability has not been authorized by the Authorizing Official, either obtain that authorization and record it in the system documentation, or remove the DNS Proxy entries so that the pane is empty and commit the configuration.
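The check above is performed in the web interface, but the same decision can be automated against an exported running configuration so it can be run across many firewalls. The following is an added example and is not part of the STIG or of any Palo Alto Networks tooling. It assumes the PAN-OS configuration export places DNS Proxy objects under devices/entry/network/dns-proxy/entry (confirm this against your own export); the sample XML documents and the `authorized` flag are constructed for illustration.

```python
"""Evaluate PANW-AG-000037 (DNS Proxy enabled without authorization) against
an exported PAN-OS configuration.

Added example, not part of the STIG.  The element path used below
(devices/entry/network/dns-proxy/entry) is an assumption about the PAN-OS
running-config export layout and should be verified against a real export.
"""
import xml.etree.ElementTree as ET

# Assumed location of DNS Proxy objects in a PAN-OS configuration export.
DNS_PROXY_PATH = "./devices/entry/network/dns-proxy/entry"


def dns_proxy_entries(config_xml: str) -> list[str]:
    """Return the names of configured DNS Proxy objects.

    An empty list corresponds to an empty Network >> DNS Proxy pane.
    """
    root = ET.fromstring(config_xml)
    return [entry.get("name", "") for entry in root.findall(DNS_PROXY_PATH)]


def evaluate(config_xml: str, authorized: bool) -> dict:
    """Apply the check text.

    - no entries                    -> not a finding (capability not enabled)
    - entries and authorized        -> not a finding
    - entries and not authorized    -> finding
    `authorized` represents what the system documentation says about the
    Authorizing Official's decision; it cannot be derived from the config.
    """
    entries = dns_proxy_entries(config_xml)
    if not entries:
        status, reason = "not a finding", "DNS Proxy is not configured"
    elif authorized:
        status, reason = "not a finding", "DNS Proxy is configured and authorized"
    else:
        status, reason = "finding", "DNS Proxy is configured but not authorized"
    return {
        "rule": "PANW-AG-000037",
        "entries": entries,
        "status": status,
        "reason": reason,
    }


# Constructed sample: one DNS Proxy object bound to an interface (not a real export).
SAMPLE_WITH_PROXY = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <dns-proxy>
          <entry name="dns-proxy-trust">
            <interface><member>ethernet1/2</member></interface>
            <default><primary>10.0.0.53</primary></default>
          </entry>
        </dns-proxy>
      </network>
    </entry>
  </devices>
</config>
"""

# Constructed sample: DNS Proxy pane empty.
SAMPLE_WITHOUT_PROXY = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <dns-proxy/>
      </network>
    </entry>
  </devices>
</config>
"""

if __name__ == "__main__":
    for name, xml, auth in (
        ("proxy, unauthorized", SAMPLE_WITH_PROXY, False),
        ("proxy, authorized", SAMPLE_WITH_PROXY, True),
        ("no proxy", SAMPLE_WITHOUT_PROXY, False),
    ):
        result = evaluate(xml, auth)
        print(f"{name}: {result['status']} ({result['reason']}; entries={result['entries']})")
```

The authorization state is deliberately an input rather than something inferred from the device: the STIG makes the Authorizing Official's documented decision, not the configuration, the deciding factor, so an automated run should pull that flag from the system documentation or an asset inventory and keep the configuration parsing separate from it.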