Unverified Commit cbfa078a authored by Aki Braun

Resolve Palo Alto validation-related comments



    Closes #68
    Closes #69

    Co-authored-by: Galina Pildush <gpildush@paloaltonetworks.com>
parent 342b923e
+4 −4
@@ -858,7 +858,7 @@ The product shall ensure that when the connection to the VPN server is lost at t

#### 5.7.4.1 Requirement

1. **REQ-CON-04 (MI-ROUT-3)-1** The VPN client shall by default be configured to route all network traffic from the endpoint through the VPN connection, and
1. **REQ-CON-04 (MI-ROUT-3)-1** The VPN client shall by default be configured to route all validated network traffic from the endpoint through the VPN connection, and
2. **REQ-CON-04 (MI-ROUT-3)-2** the VPN client shall not offer a configuration that only tunnels traffic from specific applications (e.g., "split tunnelling" or "browser-only mode") as a default setting, and
3. **REQ-CON-04 (MI-ROUT-3)-3** the administrating user shall be clearly informed of tunnel policy before enabling it.

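Review bot: Inserting "validated" into REQ-CON-04 (MI-ROUT-3)-1 leaves the fate of non-validated traffic undefined in this hunk: the requirement now only says that validated traffic is routed through the tunnel, so a reader could conclude that traffic failing validation may be sent outside it, which is the opposite of the full-tunnel intent stated in -2 and -3. Either keep the original "route all network traffic from the endpoint through the VPN connection" and leave validation to REQ-INT-05 / REQ-EMM-02, or add an explicit clause that traffic which does not pass validation is dropped, never routed outside the VPN connection. "Validated" should also be defined or cross-referenced, since this hunk does not say which validation is meant.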
@@ -1160,7 +1160,7 @@ The VPN client shall not reduce system security after the end of the VPN connect
* UC-6: required
* UC-7: required

### 5.8.5 REQ-INT-05 (MI-NUTI-2) Protocol validity checks
### 5.8.5 REQ-INT-05 (MI-NUTI-2) Application protocol validity checks

#### 5.8.5.1 Requirement

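Review bot: Renaming the heading to "Application protocol validity checks" narrows the stated scope from protocol validity in general to application-layer protocols, but the identifier REQ-INT-05 (MI-NUTI-2) and the requirement text under 5.8.5.1 are unchanged in this hunk, so it is not clear whether lower-layer (IP/transport) header validity checks are now out of scope for this requirement or covered elsewhere. Please confirm the intent and, if the scope really is application-layer only, adjust the requirement wording and any cross-references to the old title (for example in the corresponding test section 6.8.5) in the same change.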
@@ -1457,8 +1457,8 @@ In addition to protecting data transiting the VPN from typical attacks, it is im

#### 5.13.2.1 Requirement

1. **REQ-EMM-02 (MI-NUTI-1)-1** The VPN client and server shall be configurable to enforce granular packet filtering by application and destination address & port, and
2. **REQ-EMM-02 (MI-NUTI-1)-2** the VPN client and server shall only permit traffic explicitly authorized to transit the VPN connection.
1. **REQ-EMM-02 (MI-NUTI-1)-1** The VPN client and server shall be configurable to enforce granular packet filtering by application client or server identity, and destination address, and
2. **REQ-EMM-02 (MI-NUTI-1)-2** the VPN client and server shall only permit traffic that is validated and explicitly authorized to transit the VPN connection.

#### 5.13.2.2 Applicability

+1 −1
@@ -1562,7 +1562,7 @@ Prevent unauthorized and/or malicious traffic in the VPN connection.

#### 6.8.5.2 Preparation

Create packets for each protocol supported by the traffic policy engine that have invalid or malformed headers designed to bypass the traffic policy.
Create packets for each protocol supported by the traffic policy engine that have invalid or malformed packets designed to bypass the traffic policy.

#### 6.8.5.3 Activities
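Review bot: The replacement sentence in 6.8.5.2 is circular ("Create packets ... that have invalid or malformed packets"), and it also removes the one concrete instruction the original gave (malformed headers). Suggest "Create packets for each protocol supported by the traffic policy engine that are invalid or malformed (e.g., malformed headers or payloads) and designed to bypass the traffic policy." so that the preparation step still tells the tester what to construct.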