UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Palo Alto Networks security platform must not enable the DNS proxy unless authorized.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62561 PANW-AG-000037 SV-77051r1_rule Medium
Description
Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies can be installed on many ALGs. However, proxy types must be limited to related functions. At a minimum, the web and email gateway represent different security domains/trust levels. Organizations should also consider separation of gateways that service the DMZ and the trusted network. The Palo Alto Networks security platform can act as a DNS proxy and send the DNS queries on behalf of the clients. However, the use of this, or any other optional service or capability, must be authorized by the Authorizing Official.
STIG Date
Palo Alto Networks ALG Security Technical Implementation Guide 2015-11-17

Details

Check Text ( C-63365r1_chk )
View the system documentation; if the DNS Proxy capability is authorized, this is not a finding.

To check if DNS Proxy is configured:
Go to Network >> DNS Proxy
If there are entries in the pane, and DNS Proxy has not been authorized, this is a finding.
Fix Text (F-68481r1_fix)
To check if DNS Proxy is configured:
Go to Network >> DNS Proxy
If there are no entries in the pane, then this capability has not been enabled.