Disable Server Response Inspection (DSRI) enabled in security policies for Palo Alto Networks devices
Description
This policy detects whether Disable Server Response Inspection (DSRI) is enabled in security policies for Palo Alto Networks devices. Enabling DSRI disables the inspection of server responses, potentially allowing malicious content to pass through the network unchecked, thereby reducing security.
Code Example
```yaml
- name: Verify tests
  hosts: all
  connection: local
  tasks:
    - name: Security_rule
      paloaltonetworks.panos.panos_security_rule:
        rule_name: 'Test rule'
        ...
        disable_server_response_inspection: true
```
Remediation
Palo Alto Networks
- Resource: panos_security_rule
- Attribute: disable_server_response_inspection
To mitigate this issue, ensure that the disable_server_response_inspection attribute is either set to 'false' or omitted in your panos_security_rule definitions. Disabling DSRI ensures that server responses are inspected, maintaining the efficacy of security policies.
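The detection this policy describes, written as an added Python example (not Checkov's own implementation): it walks the parsed form of an Ansible playbook, finds `panos_security_rule` tasks (short or fully-qualified module name, descending into `block`/`rescue`/`always` containers) and flags any whose `disable_server_response_inspection` is truthy; the sample playbook is constructed here and mirrors the page's failing rule alongside a compliant one.

```python
"""Flag PAN-OS security rules that enable DSRI in a parsed Ansible playbook."""
from typing import Any, Dict, Iterator, List, Tuple

# Both spellings of the module create a PAN-OS security rule (assumption: match either).
SECURITY_RULE_MODULES = {
    "panos_security_rule",
    "paloaltonetworks.panos.panos_security_rule",
}
ATTRIBUTE = "disable_server_response_inspection"
TASK_LISTS = ("pre_tasks", "tasks", "post_tasks")  # places a play keeps tasks
BLOCK_KEYS = ("block", "rescue", "always")           # nested task containers


def _is_true(value: Any) -> bool:
    """Ansible treats YAML booleans and strings like 'yes'/'true' as True."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def iter_tasks(tasks: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield leaf tasks, recursing into block/rescue/always lists."""
    for task in tasks:
        nested = [k for k in BLOCK_KEYS if isinstance(task.get(k), list)]
        for key in nested:
            yield from iter_tasks(task[key])
        if not nested:
            yield task


def check_playbook(playbook: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (play name, rule_name) for every security rule with DSRI enabled."""
    findings: List[Tuple[str, str]] = []
    for play in playbook:
        for section in TASK_LISTS:
            for task in iter_tasks(play.get(section, [])):
                for module in SECURITY_RULE_MODULES:
                    params = task.get(module)
                    # Omitted attribute defaults to false and is compliant.
                    if isinstance(params, dict) and _is_true(params.get(ATTRIBUTE, False)):
                        findings.append((play.get("name", "<unnamed>"),
                                         params.get("rule_name", "<unnamed>")))
    return findings


# Constructed sample: the page's failing rule, a compliant rule, and a nested one.
SAMPLE_PLAYBOOK = [{"name": "Verify tests", "hosts": "all", "connection": "local", "tasks": [
    {"name": "Security_rule", "paloaltonetworks.panos.panos_security_rule": {
        "rule_name": "Test rule", "disable_server_response_inspection": True}},
    {"name": "Compliant", "paloaltonetworks.panos.panos_security_rule": {
        "rule_name": "Inspected rule", "disable_server_response_inspection": False}},
    {"block": [{"name": "Nested", "panos_security_rule": {
        "rule_name": "Nested rule", "disable_server_response_inspection": "yes"}}]},
]}]

if __name__ == "__main__":
    print(check_playbook(SAMPLE_PLAYBOOK))
```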
Secure Code Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1286 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_4 |