#TRUSTED 7f9e418a8d1ad4ef54c86c84a07b1b46ad2fac1641f6e7b502480284822d2fb5a6a1d62131e94d947ebde51946285c7effb68341e72243254ce8a4ba0950089d293c23d19077854bf96c21b0c4461a55d2b7f1c1a347e1f1eb720316df36d386a4e0af7669c4d38b35df99bb512d4ee8eec99c11d538fbe011d74927595974a9d49aff47571fe0bc39cd5046d85b1b73bdd760e95724101453b7d940934d3f34eac31691897c94ea2684ab1dab20de9e386de866bb27749b6683db4b6d43e6ceae2b0c8575deaa122daa65f3035c2d84e6fb616d678d34f92e9856911077c846161f096c7fa7c236142ac6758dde2aa12db1717f5b4107b45d3177bf782277d6b19fafb994367a8be5fb9051c141a98570fe8627e69fd7c4d98001b84ebdacb74c0c29e586ca496284567063227172226fcef02df76e45c03e37bfd71ca809dffd001eca3b4db6509edb42d6146a42d214dc92da8dd4f7b4d6278f4df38f683c80b4cef06e0f472289b89aeba00e85739796b8a90400836fa628caed71806a0b1ba52d85b74185e85c80eac04a16b6322c4d0d51f39311af9126614b02ac0138ca96ab7cb9f5d625a86b02ba10d8a21dd35b147bd49fe76e3d827d1d2bccabaa33095eabcbcb8c1010fe0438546b3326c75684f0709b18983e10756d083cb47253a3dba6bb72a620e4bc7a880eeea53b259afe2cc8a169c9717808f892122f42
#TRUST-RSA-SHA256 7c5649ad4550fbfb93fa59d3611d0e23df353a8f90dafa21bc45739f866298740b5efcbcce7bfedad6a29d8fa178e9ecfe459082943f6e821522d2143dd88656322d39bae916d80a47835d67a2a326628b9db8826565bfabd4a7e6782b36d00f7619dc9d86b3ac4c2abedd8c9dbf697c7b4a5b992fe568f2f23ce81e407698fea3b0d4bd8253f59bd55941c182ed13419d626b2a262604aa30a2b8204df53be54b970c8e922f40e5f80b9b2da04da7c2f57b043a0a4e13f628e5eb4a3ae5d0be890c8c8b3472d1ca37f3a78e3178a6952abc3629699110135c2f4e21abc4ca6860d896ff908940a0c5f1bb42a3d746ad5a993390a2cc03aa393fbdb7de6f9a9597a3b208f87ce91ec3a979b31447d4b1e741e14ba9d2c698cae57547f907a884c1d9c975c86a19ca780d3928304d51bbd3bdfcd72d7821522af45cde7e335a89a247d8857601469b0b3f6398459de03b68f8d08bf224f529fb4521fd44a0b0f009c79056b855797ce7651bc39f468260f7f9ac94f248fb49e138505ce8d1662b5df0ec21537dd7a597fcfdd40e698a9437d3ead4eea9ebcc763c8b98b278af99bb7b630b8c3a820c30ed5f9980138ea411b589bb8b3b27b646485b08230257f533a4ec061773266b30695c9a41b8c6b07c09e11fd2e7be407ddf62917a6713c5d877239fee69dd6a60505e51d4673b4b51e606b542a2c54760126f21d42cb29f
#
# This script is Copyright (C) 2004-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision: 1.0 $
# $Date: 2024/10/02 $
#
# Description : This .audit is based on the CIS Palo Alto Firewall 10 Benchmark v1.2.0
#
#
# CIS Palo Alto Firewall 10 L1 - v1.2.0
#
# CIS
# Palo Alto Firewall 10
# L1
# 1.2.0
# https://workbench.cisecurity.org/benchmarks/17915
#
#palo_alto
#CCE,CSCv6,CSCv7,CSCv8,LEVEL
#
#
# PLATFORM_VERSION
# 10
# The platform version for Palo Alto Firewall
# The platform version for Palo Alto Firewall - Default value is 10
# STRING
#
#
# SYSLOG_SERVER
# 10.0.0.2
# Log Server
# Host address of the system log server that the target is expected to send logs to.
# HOSTNAME_IP_ADDRESS
#
#
# SYN_ALERT_RATE
# 20000
# TCP SYN Cookies Alert Rate
# When the flow exceeds the Alert rate threshold, an alarm is generated.
# INTEGER
#
#
# SYN_ACTIVATE_RATE
# 25000
# TCP SYN Cookies Activate Rate
# When the flow exceeds the Activate rate threshold, individual SYN packets are dropped randomly to restrict the flow.
# INTEGER
#
#
# SYN_MAXIMAL_RATE
# 1000000
# TCP SYN Cookies Maximal Rate
# When the flow exceeds the Maximal rate threshold, all packets are dropped.
# INTEGER
#
#
# PRIMARY_NTP_SERVER
# 10.0.0.2
# Primary Network Time Server
# Host address of the Primary NTP server (benchmark item 1.6.2).
# HOSTNAME_IP_ADDRESS
#
#
# SECONDARY_NTP_SERVER
# 10.0.0.3
# Secondary Network Time Server
# Host address of the Secondary NTP server (benchmark item 1.6.2).
# HOSTNAME_IP_ADDRESS
#
#
#
type : AUDIT_XML
description : "Check for Palo Alto version 10"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "^[\s]*@PLATFORM_VERSION@\..*"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
description : "CIS Palo Alto Firewall 10 L1 - v1.2.0"
info : "This audit checks the testable Level 1 guidance in the CIS Palo Alto Firewall 10 benchmark document."
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "host"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - syslog server found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - syslog server not found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "system"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "configuration"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "user-id"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "hip match"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "ip-tag"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "1.1.1.1 Syslog logging should be configured"
info : "Syslog logging is a standard logging protocol that is widely supported. It is recommended for a level 1 deployment only, as syslog does not support encryption.
Rationale:
Sending all system logs to a remote host is recommended to provide protected, long term storage and archiving. This also places a copy of the logs in a second location, in case the primary (on the firewall) logs are compromised. Storing logs on a remote host also allows for more flexible log searches and log processing, as well as many methods of triggering events or scripts based on specific log events or combinations of events. Finally, remote logging provides many organizations with the opportunity to combine logs from disparate infrastructure in a SIEM (Security Information and Event Management) system.
Logging to an external system is also usually required by most regulatory frameworks.
Impact:
Failure to properly store and archive logs for critical infrastructure leaves an organization without the tools required to establish trends in events or activity, or to retrospectively analyze security or operational events beyond the log timespan stored on the firewall. Not having remote logs also puts many organizations outside of compliance with many regulatory frameworks. Finally, not logging to a remote host leaves organizations without recourse in the event of a compromise of logs on the primary device. It is imperative that organizations log critical infrastructure appropriately, store and archive these logs in a central location, and have a robust set of tools to analyze logs both in real time and after the fact.
NOTE: This audit passes when a syslog server profile exists and when each of the System, Configuration, User-ID, HIP Match and IP-Tag log settings has at least one entry whose Filter is 'All Logs'. It does not confirm which destination receives the logs or the transport in use; verify both separately, since these logs are a primary source of evidence after a compromise of the device."
solution : "Navigate to Device > Server Profiles > Syslog
Choose Add
Assign a Name to the Profile. Choose Add, and assign a server name in the Name field, add an IP address or FQDN in the Syslog Server field. Edit other fields as appropriate for your server.
Repeat if multiple Syslog destinations are required.
Navigate to Device > Log Settings
Under System, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the System entries has its Filter setting at All Logs
Under Configuration, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the Configuration entries has its Filter setting at All Logs
Under User-ID, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the User-ID entries has its Filter setting at All Logs
Under HIP Match (Host Information Profile), add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the HIP Match entries has its Filter setting at All Logs
Under IP-Tag, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the IP-Tag entries has its Filter setting at All Logs
Default Value:
By default no external logging is defined"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-1,800-53|AU-2,800-53r5|AU-1,800-53r5|AU-2,CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv8|8.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.PT-1,CSF2.0|GV.OC-03,CSF2.0|GV.OV-01,CSF2.0|GV.PO-01,CSF2.0|GV.PO-02,CSF2.0|GV.SC-03,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.PS-04,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "host"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - syslog server found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - syslog server not found"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "system"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "configuration"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "user-id"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "hip match"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "ip-tag"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - syslog entry with filter setting set to 'All Logs' found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - syslog entry with filter setting set to 'All Logs' not found"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
description : "1.1.1.1 Syslog logging should be configured"
info : "Syslog logging is a standard logging protocol that is widely supported. It is recommended for a level 1 deployment only, as syslog does not support encryption.
Rationale:
Sending all system logs to a remote host is recommended to provide protected, long term storage and archiving. This also places a copy of the logs in a second location, in case the primary (on the firewall) logs are compromised. Storing logs on a remote host also allows for more flexible log searches and log processing, as well as many methods of triggering events or scripts based on specific log events or combinations of events. Finally, remote logging provides many organizations with the opportunity to combine logs from disparate infrastructure in a SIEM (Security Information and Event Management) system.
Logging to an external system is also usually required by most regulatory frameworks.
Impact:
Failure to properly store and archive logs for critical infrastructure leaves an organization without the tools required to establish trends in events or activity, or to retrospectively analyze security or operational events beyond the log timespan stored on the firewall. Not having remote logs also puts many organizations outside of compliance with many regulatory frameworks. Finally, not logging to a remote host leaves organizations without recourse in the event of a compromise of logs on the primary device. It is imperative that organizations log critical infrastructure appropriately, store and archive these logs in a central location, and have a robust set of tools to analyze logs both in real time and after the fact.
NOTE: This audit passes when a syslog server profile exists and when each of the System, Configuration, User-ID, HIP Match and IP-Tag log settings has at least one entry whose Filter is 'All Logs'. It does not confirm which destination receives the logs or the transport in use; verify both separately, since these logs are a primary source of evidence after a compromise of the device."
solution : "Navigate to Device > Server Profiles > Syslog
Choose Add
Assign a Name to the Profile. Choose Add, and assign a server name in the Name field, add an IP address or FQDN in the Syslog Server field. Edit other fields as appropriate for your server.
Repeat if multiple Syslog destinations are required.
Navigate to Device > Log Settings
Under System, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the System entries has its Filter setting at All Logs
Under Configuration, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the Configuration entries has its Filter setting at All Logs
Under User-ID, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the User-ID entries has its Filter setting at All Logs
Under HIP Match (Host Information Profile), add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the HIP Match entries has its Filter setting at All Logs
Under IP-Tag, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a Syslog Profile in the Syslog section. Ensure that at least one of the IP-Tag entries has its Filter setting at All Logs
Default Value:
By default no external logging is defined"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-1,800-53|AU-2,800-53r5|AU-1,800-53r5|AU-2,CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv8|8.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.PT-1,CSF2.0|GV.OC-03,CSF2.0|GV.OV-01,CSF2.0|GV.PO-01,CSF2.0|GV.PO-02,CSF2.0|GV.SC-03,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.PS-04,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.1.2 Ensure 'Login Banner' is set"
info : "Configure a login banner, ideally approved by the organization's legal team. This banner should, at minimum, prohibit unauthorized access, provide notice of logging or monitoring, and avoid using the word 'welcome' or similar words of invitation.
Rationale:
Through a properly stated login banner, the risk of unintentional access to the device by unauthorized users is reduced. Should legal action take place against a person accessing the device without authorization, the login banner greatly diminishes a defendant's claim of ignorance."
solution : "Navigate to Device > Setup > Management > General Settings.
Set Login Banner as appropriate for your organization.
Default Value:
Not configured"
reference : "800-171|3.2.1,800-171|3.2.2,800-53|AT-1,800-53|AT-2,800-53|PM-13,800-53r5|AT-1,800-53r5|AT-2,800-53r5|PM-13,CSCv7|17.3,CSCv8|14.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AT-1,CSF|PR.AT-2,CSF|PR.AT-4,CSF|PR.AT-5,CSF2.0|GV.OC-03,CSF2.0|GV.OV-01,CSF2.0|GV.PO-01,CSF2.0|GV.PO-02,CSF2.0|GV.RR-02,CSF2.0|GV.RR-04,CSF2.0|GV.SC-03,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.AT-01,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ITSG-33|AT-1,ITSG-33|AT-2,LEVEL|1A,NESA|M1.2.2,NESA|M1.3.6,NESA|M3.4.1,NESA|T3.4.1,NIAv2|AM13,QCSC-v1|11.2,SWIFT-CSCv1|7.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Login Banner not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Login Banner set to ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.1.2 Ensure 'Login Banner' is set"
info : "Configure a login banner, ideally approved by the organization's legal team. This banner should, at minimum, prohibit unauthorized access, provide notice of logging or monitoring, and avoid using the word 'welcome' or similar words of invitation.
Rationale:
Through a properly stated login banner, the risk of unintentional access to the device by unauthorized users is reduced. Should legal action take place against a person accessing the device without authorization, the login banner greatly diminishes a defendant's claim of ignorance."
solution : "Navigate to Device > Setup > Management > General Settings.
Set Login Banner as appropriate for your organization.
Default Value:
Not configured"
reference : "800-171|3.2.1,800-171|3.2.2,800-53|AT-1,800-53|AT-2,800-53|PM-13,800-53r5|AT-1,800-53r5|AT-2,800-53r5|PM-13,CSCv7|17.3,CSCv8|14.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.AT-1,CSF|PR.AT-2,CSF|PR.AT-4,CSF|PR.AT-5,CSF2.0|GV.OC-03,CSF2.0|GV.OV-01,CSF2.0|GV.PO-01,CSF2.0|GV.PO-02,CSF2.0|GV.RR-02,CSF2.0|GV.RR-04,CSF2.0|GV.SC-03,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.AT-01,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ITSG-33|AT-1,ITSG-33|AT-2,LEVEL|1A,NESA|M1.2.2,NESA|M1.3.6,NESA|M3.4.1,NESA|T3.4.1,NIAv2|AM13,QCSC-v1|11.2,SWIFT-CSCv1|7.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Login Banner not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Login Banner set to ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.1.3 Ensure 'Enable Log on High DP Load' is enabled"
info : "Enable the 'Enable Log on High DP Load' option. When this option is selected, a system log entry is created when the device's packet processing load reaches 100% utilization.
Rationale:
When the device's packet processing load reaches 100%, a degradation in the availability of services accessed through the device can occur. Logging this event can help with troubleshooting system performance.
Impact:
Sustained attacks, especially volumetric DoS and DDoS attacks, will often drive up CPU utilization. This setting generates an event that is easy to monitor for and alert on. While setting CPU utilization watermarks in a Network Management System (NMS) is standard practice, this setting does not depend on having an NMS; it requires nothing beyond standard logging to implement."
solution : "Navigate to Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting.
Set the Enable Log on High DP Load box to checked.
Default Value:
Not enabled"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-1,800-53|AU-2,800-53r5|AU-1,800-53r5|AU-2,CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv8|8.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.PT-1,CSF2.0|GV.OC-03,CSF2.0|GV.OV-01,CSF2.0|GV.PO-01,CSF2.0|GV.PO-02,CSF2.0|GV.SC-03,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.PS-04,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Enable Log on High DP Load is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Enable Log on High DP Load is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.1.3 Ensure 'Enable Log on High DP Load' is enabled"
info : "Enable the 'Enable Log on High DP Load' option. When this option is selected, a system log entry is created when the device's packet processing load reaches 100% utilization.
Rationale:
When the device's packet processing load reaches 100%, a degradation in the availability of services accessed through the device can occur. Logging this event can help with troubleshooting system performance.
Impact:
Sustained attacks, especially volumetric DoS and DDoS attacks, will often drive up CPU utilization. This setting generates an event that is easy to monitor for and alert on. While setting CPU utilization watermarks in a Network Management System (NMS) is standard practice, this setting does not depend on having an NMS; it requires nothing beyond standard logging to implement."
solution : "Navigate to Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting.
Set the Enable Log on High DP Load box to checked.
Default Value:
Not enabled"
reference : "800-171|3.3.1,800-171|3.3.2,800-53|AU-1,800-53|AU-2,800-53r5|AU-1,800-53r5|AU-2,CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv8|8.1,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.PT-1,CSF2.0|GV.OC-03,CSF2.0|GV.OV-01,CSF2.0|GV.PO-01,CSF2.0|GV.PO-02,CSF2.0|GV.SC-03,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.PS-04,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.8,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Enable Log on High DP Load is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Enable Log on High DP Load is enabled."
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management"
info : "Permit only the necessary IP addresses to be used to manage the device.
Rationale:
Management access to the device should be restricted to the IP addresses or subnets used by firewall administrators. Permitting management access from other IP addresses increases the risk of unauthorized access through password guessing, stolen credentials, or other means.
NOTE: This check does not pass or fail automatically; Nessus reports the configured Permitted IP entries for manual review. Confirm that the list is not empty and that each entry is a specific administrator host or subnet rather than a broad range, since a broad entry leaves the management interface reachable from unintended networks."
solution : "Navigate to Device > Setup > Interfaces > Management.
Set Permitted IP Addresses to only those necessary for device management for the SSH and HTTPS protocols. If no profile exists, create one that has these addresses set.
Default Value:
Not enabled (all addresses that can reach the interface are permitted)"
reference : "800-171|3.1.1,800-53|AC-2(1),800-53|AC-3,800-53r5|AC-2(1),800-53r5|AC-3,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|11.6,CSCv7|11.7,CSCv8|6.7,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-2(1),ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Permitted IPs not found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Permitted IP - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "^Manual Review Required$"
severity : MEDIUM
type : AUDIT_XML
description : "1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management"
info : "Permit only the necessary IP addresses to be used to manage the device.
Rationale:
Management access to the device should be restricted to the IP addresses or subnets used by firewall administrators. Permitting management access from other IP addresses increases the risk of unauthorized access through password guessing, stolen credentials, or other means.
NOTE: This check does not pass or fail automatically; Nessus reports the configured Permitted IP entries for manual review. Confirm that the list is not empty and that each entry is a specific administrator host or subnet rather than a broad range, since a broad entry leaves the management interface reachable from unintended networks."
solution : "Navigate to Device > Setup > Interfaces > Management.
Set Permitted IP Addresses to only those necessary for device management for the SSH and HTTPS protocols. If no profile exists, create one that has these addresses set.
Default Value:
Not enabled (all addresses that can reach the interface are permitted)"
reference : "800-171|3.1.1,800-53|AC-2(1),800-53|AC-3,800-53r5|AC-2(1),800-53r5|AC-3,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|11.6,CSCv7|11.7,CSCv8|6.7,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-2(1),ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Permitted IP - "
xsl_stmt : ""
regex : ".*"
expect : "^Manual Review Required$"
severity : MEDIUM
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "SSH"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - SSH - Permitted IP found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - SSH - Permitted IP not found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - No SSH config found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "HTTPS"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - HTTPS - Permitted IP found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - HTTPS - Permitted IP not found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - No HTTPS config found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "SNMP"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - SNMP - Permitted IP found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - SNMP - Permitted IP not found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - No SNMP config found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled"
info : "For all management profiles, only the IP addresses required for device management should be specified.
Rationale:
If a Permitted IP Addresses list is either not specified or is too broad, an attacker may gain the ability to attempt management access from unintended locations, such as the Internet. The 'Ensure 'Security Policy' denying any/all traffic exists at the bottom of the security policies ruleset' recommendation in this benchmark can provide additional protection by requiring a security policy specifically allowing device management access.
NOTE: This audit passes a protocol that a profile does not enable, fails a profile that enables SSH, HTTPS or SNMP without a Permitted IP list, and also fails when no Interface Management Profiles exist at all. A device that intentionally exposes no management services on dataplane interfaces will therefore show as failed; confirm that the absence is intentional before creating a profile solely to satisfy the check."
solution : "Navigate to Network > Network Profiles > Interface Management.
In each profile, for each of the target protocols (SNMP, HTTPS, SSH), set Permitted IP Addresses to only include those necessary for device management. If no profile exists, create one that has these options set.
Default Value:
Not enabled"
reference : "800-171|3.1.1,800-53|AC-2(1),800-53|AC-3,800-53r5|AC-2(1),800-53r5|AC-3,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|11.6,CSCv7|11.7,CSCv8|6.7,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-2(1),ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "SSH"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass SSH - Permitted IP found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail SSH - Permitted IP not found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - No SSH config found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Fail"
type : AUDIT_XML
description : "HTTPS"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass HTTPS - Permitted IP found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail HTTPS - Permitted IP not found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - No HTTPS config found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Fail"
type : AUDIT_XML
description : "SNMP"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass SNMP - Permitted IP found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail SNMP - Permitted IP not found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - No SNMP config found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Fail"
description : "1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled"
info : "For all management profiles, only the IP addresses required for device management should be specified.
Rationale:
If a Permitted IP Addresses list is either not specified or is too broad, an attacker may gain the ability to attempt management access from unintended locations, such as the Internet. The 'Ensure 'Security Policy' denying any/all traffic exists at the bottom of the security policies ruleset' recommendation in this benchmark can provide additional protection by requiring a security policy specifically allowing device management access."
solution : "Navigate to Network > Network Profiles > Interface Management.
In each profile, for each of the target protocols (SNMP, HTTPS, SSH), set Permitted IP Addresses to only include those necessary for device management. If no profile exists, create one that has these options set.
Default Value:
Not enabled"
reference : "800-171|3.1.1,800-53|AC-2(1),800-53|AC-3,800-53r5|AC-2(1),800-53r5|AC-3,CN-L3|7.1.3.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|11.6,CSCv7|11.7,CSCv8|6.7,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.PT-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-2(1),ITSG-33|AC-3,LEVEL|1A,NESA|T4.2.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM3,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,NIAv2|SS29,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|31.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.2.3 Ensure HTTP and Telnet options are disabled for the management interface"
info : "HTTP and Telnet options should not be enabled for device management.
Rationale:
Management access over cleartext services such as HTTP or Telnet could result in a compromise of administrator credentials and other sensitive information related to device management. Theft of either administrative credentials or session data is easily accomplished with a 'Man in the Middle' attack."
solution : "Navigate to Device > Setup > Interfaces > Management.
Set the HTTP and Telnet boxes to unchecked.
Default Value:
Not set. (HTTP and Telnet are disabled by default)"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv7|14.4,CSCv7|16.5,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - HTTP and Telnet are both disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Telnet is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - HTTP is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.2.3 Ensure HTTP and Telnet options are disabled for the management interface"
info : "HTTP and Telnet options should not be enabled for device management.
Rationale:
Management access over cleartext services such as HTTP or Telnet could result in a compromise of administrator credentials and other sensitive information related to device management. Theft of either administrative credentials or session data is easily accomplished with a 'Man in the Middle' attack."
solution : "Navigate to Device > Setup > Interfaces > Management.
Set the HTTP and Telnet boxes to unchecked.
Default Value:
Not set. (HTTP and Telnet are disabled by default)"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv7|14.4,CSCv7|16.5,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - HTTP and Telnet are both disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Telnet is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - HTTP is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "HTTP"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - HTTP management option found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - No HTTP management option found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Telnet"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Telnet management option found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - No Telnet management option found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles"
info : "HTTP and Telnet options should not be enabled for device management.
Rationale:
Management access over cleartext services such as HTTP or Telnet could result in a compromise of administrator credentials and other sensitive information related to device management."
solution : "Navigate to Network > Network Profiles > Interface Management.
For each Profile, set the HTTP and Telnet boxes to unchecked."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv7|14.4,CSCv7|16.5,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "HTTP"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - HTTP management option found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - No HTTP management option found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Fail"
type : AUDIT_XML
description : "Telnet"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Telnet management option found, Profile - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - No Telnet management option found in Interface Management Profiles."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Fail"
description : "1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles"
info : "HTTP and Telnet options should not be enabled for device management.
Rationale:
Management access over cleartext services such as HTTP or Telnet could result in a compromise of administrator credentials and other sensitive information related to device management."
solution : "Navigate to Network > Network Profiles > Interface Management.
For each Profile, set the HTTP and Telnet boxes to unchecked."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|9.2,CSCv7|14.4,CSCv7|16.5,CSCv8|4.8,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.3.1 Ensure 'Minimum Password Complexity' is enabled"
info : "This checks all new passwords to ensure that they meet basic requirements for strong passwords.
Rationale:
Password complexity recommendations are derived from the USGCB (United States Government Configuration Baseline), Common Weakness Enumeration, and benchmarks published by the CIS (Center for Internet Security). Password complexity adds entropy to a password, in comparison to a simple password of the same length. A complex password is more difficult to attack, either directly against administrative interfaces or cryptographically, against captured password hashes. However, making a password of greater length will generally have a greater impact in this regard, in comparison to making a shorter password more complex.
Impact:
Simple passwords make an attacker's job very easy. There is a reasonably short list of commonly used admin passwords for network infrastructure; not enforcing password length and complexity can make an attacker's brute force attack successful."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Enabled to be checked
Set the various password settings to values that are appropriate to your organization. It is suggested that at least some special characters be enforced, and that a minimum length be set. Ensure that non-zero values are set for Minimum Uppercase, Lowercase and Special Characters. 'Block Username Inclusion' should be enabled.
Operationally, dictionary words should be avoided for all passwords - passphrases are a much better alternative.
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Minimum Password Complexity is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Password Complexity is disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.2 Ensure 'Minimum Length' is greater than or equal to 14"
info : "This determines the minimum number of characters that make up a password for a user account.
Rationale:
A longer password is much more difficult to attack, either directly against administrative interfaces or cryptographically, against captured password hashes. Making a password of greater length will generally have a greater impact in this regard, in comparison to making a shorter password more complex. Passphrases are a commonly used recommendation, to make longer passwords more palatable to end users. Administrative staff however generally use 'password safe' applications, so a long and complex password is more easily implemented for most infrastructure administrative interfaces.
Impact:
Longer passwords are much more difficult to attack. This is true of attacks against the administrative interfaces themselves, or of decryption attacks against captured hashes. A longer password will almost always have a more positive impact than a shorter but more complex password."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Minimum Length to greater than or equal to 14
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.2,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Password minimum length is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Password minimum length is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Password minimum length is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1"
info : "This checks all new passwords to ensure that they contain at least one English uppercase character (A through Z).
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set Minimum Uppercase Letters to greater than or equal to 1
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Uppercase Letters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Uppercase Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Minimum Uppercase Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1"
info : "This checks all new passwords to ensure that they contain at least one English lowercase character (a through z).
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set Minimum Lowercase Letters to greater than or equal to 1
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Lowercase Letters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Lowercase Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Minimum Lowercase Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1"
info : "This checks all new passwords to ensure that they contain at least one base 10 digit (0 through 9).
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set Minimum Numeric Letters to greater than or equal to 1
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Numeric Letters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Numeric Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Minimum Numeric Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1"
info : "This checks all new passwords to ensure that they contain at least one non-alphabetic character (for example, !, $, #, %).
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set Minimum Special Characters to greater than or equal to 1
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Special Characters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Minimum Special Characters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Minimum Special Characters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days"
info : "This defines how long a user can use a password before it expires.
Rationale:
The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user and guessing the password, or by the user sharing the password.
Impact:
Failure to change administrative passwords can result in a slow 'creep' of people who have access. Especially where staff turnover is high (for instance, in a NOC or SOC), administrative passwords need to be changed frequently.
Administrative credentials should not be shared across multiple devices. In a NOC/SOC situation, it's important not to share administrative credentials between operators (named accounts should be used), and in particular administrative credentials should never be shared across different customer infrastructures."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Required Password Change Period (days) to less than or equal to 90
Default Value:
Not enabled."
reference : "800-171|3.1.1,800-53|AC-2(3),800-53r5|AC-2(3),CN-L3|7.1.3.2(e),CN-L3|8.1.4.2(c),CSCv7|4.4,CSCv8|5.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.6,ITSG-33|AC-2(3),LEVEL|1A,NIAv2|AM26,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Required Password Change Period (days) is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Required Password Change Period (days) is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Required Password Change Period (days) is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3"
info : "This checks all new passwords to ensure that they differ by at least three characters from the previous password.
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks.
Impact:
This prevents the use of passwords that fall into a predictable pattern. Especially in situations that involve staff turnover, having a pattern to password changes should be avoided."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set New Password Differs By Characters to 3 or more
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - New Password Differs by Characters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - New Password Differs by Characters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - New Password Differs by Characters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords"
info : "This determines the number of unique new passwords that must be used for a user account before a previous password can be reused.
Rationale:
The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. While current guidance emphasizes password length above frequent password changes, not enforcing password re-use guidance adds the temptation of using a small pool of passwords, which can make an attacker's job easier across an entire infrastructure."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Prevent Password Reuse Limit to greater than or equal to 24
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Prevent password reuse limit is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Prevent password reuse limit is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Prevent password reuse limit is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.10 Ensure 'Password Profiles' do not exist"
info : "Password profiles that are weaker than the recommended minimum password complexity settings must not exist.
Rationale:
As password profiles override any 'Minimum Password Complexity' settings defined in the device, they generally should not exist. If these password profiles do exist, they should enforce stronger password policies than what is set in the 'Minimum Password Complexity' settings."
solution : "Navigate to Device > Password Profiles.
Ensure Password Profiles weaker than the recommended minimum password complexity settings do not exist.
Default Value:
Not configured"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Password Profiles are configured"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Password Profiles are not configured"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.3.1 Ensure 'Minimum Password Complexity' is enabled"
info : "This checks all new passwords to ensure that they meet basic requirements for strong passwords.
Rationale:
Password complexity recommendations are derived from the USGCB (United States Government Configuration Baseline), Common Weakness Enumeration, and benchmarks published by the CIS (Center for Internet Security). Password complexity adds entropy to a password, in comparison to a simple password of the same length. A complex password is more difficult to attack, either directly against administrative interfaces or cryptographically, against captured password hashes. However, making a password of greater length will generally have a greater impact in this regard, in comparison to making a shorter password more complex.
Impact:
Simple passwords make an attacker's job very easy. There is a reasonably short list of commonly used admin passwords for network infrastructure; not enforcing password length and complexity can make an attacker's brute force attack successful."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Enabled to be checked
Set the various password settings to values that are appropriate to your organization. It is suggested that at least some special characters be enforced, and that a minimum length be set. Ensure that non-zero values are set for Minimum Uppercase, Lowercase and Special Characters. 'Block Username Inclusion' should be enabled.
Operationally, dictionary words should be avoided for all passwords - passphrases are a much better alternative.
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Minimum Password Complexity is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Password Complexity is disabled"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.2 Ensure 'Minimum Length' is greater than or equal to 14"
info : "This determines the least number of characters that make up a password for a user account.
Rationale:
A longer password is much more difficult to attack, either directly against administrative interfaces or cryptographically, against captured password hashes. Making a password of greater length will generally have a greater impact in this regard, in comparison to making a shorter password more complex. Passphrases are a commonly used recommendation, to make longer passwords more palatable to end users. Administrative staff, however, generally use 'password safe' applications, so a long and complex password is more easily implemented for most infrastructure administrative interfaces.
Impact:
Longer passwords are much more difficult to attack. This is true of attacks against the administrative interfaces themselves, or of offline cracking attacks against captured hashes. A longer password will almost always have a more positive impact than a shorter but more complex password."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Minimum Length to greater than or equal to 14
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.2,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Password minimum length is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Password minimum length is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Password minimum length is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1"
info : "This checks all new passwords to ensure that they contain at least one English uppercase character (A through Z).
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set Minimum Uppercase Letters to greater than or equal to 1
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Uppercase Letters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Uppercase Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Minimum Uppercase Letters is 1 ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1"
info : "This checks all new passwords to ensure that they contain at least one English lowercase character (a through z).
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set Minimum Lowercase Letters to greater than or equal to 1
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Lowercase Letters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Lowercase Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Minimum Lowercase Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1"
info : "This checks all new passwords to ensure that they contain at least one base 10 digit (0 through 9).
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set Minimum Numeric Letters to greater than or equal to 1
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Numeric Letters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Numeric Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Minimum Numeric Letters is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1"
info : "This checks all new passwords to ensure that they contain at least one non-alphabetic character (for example, !, $, #, %).
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set Minimum Special Characters to greater than or equal to 1
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Special Characters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Minimum Special Characters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Minimum Special Characters is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days"
info : "This defines how long a user can use a password before it expires.
Rationale:
The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user and guessing the password, or by the user sharing the password.
Impact:
Failure to change administrative passwords can result in a slow 'creep' of people who have access. Especially in a situation with high staff turnover (for instance, in a NOC or SOC situation), administrative passwords need to be changed frequently.
Administrative credentials should not be shared across multiple devices. In a NOC/SOC situation, it's important to not share administrative credentials between operators (named accounts should be used), and in particular administrative credentials should never be shared across different customer infrastructures."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Required Password Change Period (days) to less than or equal to 90
Default Value:
Not enabled."
reference : "800-171|3.1.1,800-53|AC-2(3),800-53r5|AC-2(3),CN-L3|7.1.3.2(e),CN-L3|8.1.4.2(c),CSCv7|4.4,CSCv8|5.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.6,ITSG-33|AC-2(3),LEVEL|1A,NIAv2|AM26,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Required Password Change Period (days) is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Required Password Change Period (days) is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Required Password Change Period (days) is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3"
info : "This checks all new passwords to ensure that they differ by at least three characters from the previous password.
Rationale:
This is one of several settings that, when taken together, ensure that passwords are sufficiently complex as to thwart brute force and dictionary attacks.
Impact:
This prevents the use of passwords that fall into a predictable pattern. Especially in situations that involve staff turnover, having a pattern to password changes should be avoided."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity
Set New Password Differs By Characters to 3 or more
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - New Password Differs by Characters is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - New Password Differs by Characters is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - New Password Differs by Characters is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords"
info : "This determines how many unique passwords must be used for a user account before a previous password can be reused.
Rationale:
The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. While current guidance emphasizes password length above frequent password changes, not enforcing password re-use guidance adds the temptation of using a small pool of passwords, which can make an attacker's job easier across an entire infrastructure."
solution : "Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Prevent Password Reuse Limit to greater than or equal to 24
Default Value:
Not enabled."
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Prevent password reuse limit is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Prevent password reuse limit is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Prevent password reuse limit is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "1.3.10 Ensure 'Password Profiles' do not exist"
info : "Password profiles that are weaker than the recommended minimum password complexity settings must not exist.
Rationale:
As password profiles override any 'Minimum Password Complexity' settings defined in the device, they generally should not exist. If these password profiles do exist, they should enforce stronger password policies than what is set in the 'Minimum Password Complexity' settings."
solution : "Navigate to Device > Password Profiles.
Ensure Password Profiles weaker than the recommended minimum password complexity settings do not exist.
Default Value:
Not configured"
reference : "800-171|3.5.2,800-53|IA-5(1),800-53r5|IA-5(1),CSCv7|4.4,CSCv8|5.2,CSF|PR.AC-1,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),ITSG-33|IA-5(1),LEVEL|1A,NESA|T5.2.3,QCSC-v1|5.2.2,QCSC-v1|13.2,SWIFT-CSCv1|4.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Password Profiles are configured"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Password Profiles are not configured"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management"
info : "Set the Idle Timeout value for device management to 10 minutes or less to automatically close inactive sessions.
Rationale:
An unattended computer with an open administrative session to the device could allow an unauthorized user access to the firewall's management interface."
solution : "Navigate to Device > Setup > Management > Authentication Settings.
Set Idle Timeout to less than or equal to 15.
Default Value:
Not configured"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Idle Timeout (min) is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Idle Timeout (min) is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Idle Timeout (min) is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Lockout Time"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Authentication profile: - Lockout Time: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Authentication profile: - Lockout Time: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Authentication Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "^Failed"
type : AUDIT_XML
description : "Failed Attempts"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Authentication profile: - Fail attempts: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Authentication profile: - Fail attempts: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Authentication Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "^Failed"
description : "1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured"
info : "Configure values for Failed Login Attempts and Account Lockout Time set to organization-defined values (for example, 3 failed attempts and a 15 minute lockout time). Do not set Failed Attempts and Lockout Time in the Authentication Settings section; any Failed Attempts or Lockout Time settings within the selected Authentication Profile do not apply in the Authentication Settings section.
Rationale:
Without a lockout limit, an attacker can continuously guess administrators' passwords. Conversely, if lockout settings are configured in the Authentication Settings section it may be possible for an attacker to continuously lock out all administrative accounts from accessing the device. This potential situation indicates the importance of using named administrative accounts, instead of the default, single shared 'admin' account."
solution : "Navigate to Device > Authentication Profile.
Set Failed Attempts to the non-zero organization-defined value.
Set Lockout Time to the non-zero organization-defined value.
Default Value:
Not configured"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "1.4.1 Ensure 'Idle timeout' is less than or equal to 15 minutes for device management"
info : "Set the Idle Timeout value for device management to 15 minutes or less to automatically close inactive sessions.
Rationale:
An unattended computer with an open administrative session to the device could allow an unauthorized user access to the firewall's management interface."
solution : "Navigate to Device > Setup > Management > Authentication Settings.
Set Idle Timeout to less than or equal to 10.
Default Value:
Not configured"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Idle Timeout (min) is not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Idle Timeout (min) is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Idle Timeout (min) is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Lockout Time"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Authentication profile '', Lockout Time ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Authentication profile '', Lockout Time ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Authentication Profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Failed Attempts"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed authentication profile: - Failed attempts: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed authentication profile: - Failed attempts: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Authentication Profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
description : "1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured"
info : "Configure values for Failed Login Attempts and Account Lockout Time set to organization-defined values (for example, 3 failed attempts and a 15 minute lockout time). Do not set Failed Attempts and Lockout Time in the Authentication Settings section; any Failed Attempts or Lockout Time settings within the selected Authentication Profile do not apply in the Authentication Settings section.
Rationale:
Without a lockout limit, an attacker can continuously guess administrators' passwords. Conversely, if lockout settings are configured in the Authentication Settings section it may be possible for an attacker to continuously lock out all administrative accounts from accessing the device. This potential situation indicates the importance of using named administrative accounts, instead of the default, single shared 'admin' account."
solution : "Navigate to Device > Authentication Profile.
Set Failed Attempts to the non-zero organization-defined value.
Set Lockout Time to the non-zero organization-defined value.
Default Value:
Not configured"
reference : "800-171|3.1.1,800-171|3.1.10,800-171|3.1.11,800-53|AC-2(5),800-53|AC-11,800-53|AC-11(1),800-53|AC-12,800-53r5|AC-2(5),800-53r5|AC-11,800-53r5|AC-11(1),800-53r5|AC-12,CN-L3|7.1.2.2(d),CN-L3|7.1.3.2(d),CN-L3|7.1.3.7(b),CN-L3|8.1.4.1(b),CSCv7|16.11,CSCv8|4.3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(iii),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-2(5),ITSG-33|AC-11,ITSG-33|AC-11(1),ITSG-33|AC-12,LEVEL|1A,NIAv2|AM23c,NIAv2|AM23d,NIAv2|AM28,NIAv2|NS5j,NIAv2|NS49,NIAv2|SS14e,PCI-DSSv3.2.1|8.1.8,PCI-DSSv4.0|8.2.8,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,TBA-FIISB|36.2.1,TBA-FIISB|37.1.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.5.1 Ensure 'V3' is selected for SNMP polling"
info : "For SNMP polling, only SNMPv3 should be used.
Rationale:
SNMPv3 utilizes AES-128 encryption, message integrity, user authorization, and device authentication security features. SNMPv2c does not provide these security features. If an SNMPv2c community string is intercepted or otherwise obtained, an attacker could gain read access to the firewall. Note that SNMP write access is not possible.
Impact:
Any clear-text administrative protocol (such as SNMPv2) can expose valuable information to any attacker that is in a position to eavesdrop on that protocol."
solution : "Navigate to Device > Setup > Operations > Miscellaneous > SNMP Setup
Select V3.
In order to be usable, the User and View sections of this dialog should also be completed. These settings need to match the settings in the organization's NMS (Network Management System).
Default Value:
Not configured"
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|9.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - SNMP v3 is not enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - SNMP v3 is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.5.1 Ensure 'V3' is selected for SNMP polling"
info : "For SNMP polling, only SNMPv3 should be used.
Rationale:
SNMPv3 utilizes AES-128 encryption, message integrity, user authorization, and device authentication security features. SNMPv2c does not provide these security features. If an SNMPv2c community string is intercepted or otherwise obtained, an attacker could gain read access to the firewall. Note that SNMP write access is not possible.
Impact:
Any clear-text administrative protocol (such as SNMPv2) can expose valuable information to any attacker that is in a position to eavesdrop on that protocol."
solution : "Navigate to Device > Setup > Operations > Miscellaneous > SNMP Setup
Select V3.
In order to be usable, the User and View sections of this dialog should also be completed. These settings need to match the settings in the organization's NMS (Network Management System).
Default Value:
Not configured"
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|9.2,CSCv7|14.4,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - SNMP v3 is not enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - SNMP v3 is enabled"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.6.1 Ensure 'Verify Update Server Identity' is enabled"
info : "This setting determines whether or not the identity of the update server must be verified before performing an update session. Note that if an SSL Forward Proxy is configured to intercept the update session, this option may need to be disabled (because the SSL Certificate will not match).
Rationale:
Verifying the update server identity before package download ensures the packages originate from a trusted source. Without this, it is possible to receive and install an update from a malicious source.
Impact:
This setting protects the device from an 'evilgrade' attack, where a successful DNS attack can redirect the firewall to an attacker-controlled update server, which can then serve a modified update."
solution : "Navigate to Device > Setup > Services > Services.
Set the Verify Update Server Identity box to checked.
Default Value:
Not configured"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|RA-7,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,CSF2.0|PR.PS-02,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Verify Update Server Identity is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Verify Update Server Identity is not enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "1.6.1 Ensure 'Verify Update Server Identity' is enabled"
info : "This setting determines whether or not the identity of the update server must be verified, using the certificate it presents, before an update session is performed. Note that if an SSL Forward Proxy is configured to decrypt the update session, the firewall sees the proxy's certificate rather than the update server's, so verification will fail. Prefer exempting the update server's traffic from decryption; if this option is disabled to accommodate the proxy, the protection described below is lost.
Rationale:
Verifying the update server identity before package download ensures the packages originate from a trusted source. Without this, it is possible to receive and install an update from a malicious source.
Impact:
This setting protects the device from an 'evilgrade' attack, where DNS spoofing or another traffic-redirection attack points the firewall at an attacker-controlled update server, which can then serve a modified update. With verification enabled, the session to the impostor server fails on the certificate check instead of downloading the package."
solution : "Navigate to Device > Setup > Services > Services.
Set the Verify Update Server Identity box to checked.
Default Value:
Not configured"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|RA-7,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,CSF2.0|PR.PS-02,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Verify Update Server Identity is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Verify Update Server Identity is not enabled"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "1.6.2 Ensure redundant NTP servers are configured appropriately"
info : "These settings enable use of primary and secondary NTP servers to provide redundancy in case of a failure involving the primary NTP server.
Rationale:
NTP enables the device to maintain an accurate time and date when receiving updates from a reliable NTP server. Accurate timestamps are critical when correlating events with other systems, troubleshooting, or performing investigative work. Logs and certain cryptographic functions, such as those utilizing certificates, rely on accurate time and date parameters. In addition, rules referencing a Schedule object will not function as intended if the device's time and date are incorrect.
For additional security, authenticated NTP should be utilized so that a spoofed or rogue NTP source cannot adjust the device clock (and with it log timestamps, certificate validity checks and schedule-based rules). If Symmetric Key authentication is selected, choose SHA1 rather than MD5; MD5 is cryptographically broken and must not be used.
Most organizations will maintain a pair of internal NTP servers for all internal time services. These servers will either be self-contained atomic clocks, or will collect time from a known reliable source (often GPS or a well-known internet server pool will be used)."
solution : "Navigate to Device > Setup > Services > Services.
Set Primary NTP Server Address appropriately.
Set Secondary NTP Server Address appropriately.
Default Value:
Not configured"
reference : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1A,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Primary and Secondary NTP Servers are set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Primary NTP Server not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Secondary NTP Server not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Ensure primary-ntp-server is configured"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Primary NTP Server is set to ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Primary NTP Server not set correctly"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "Ensure secondary-ntp-server is configured"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Secondary NTP Server is set to ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Secondary NTP Server not set correctly"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
description : "1.6.2 Ensure redundant NTP servers are configured appropriately"
info : "These settings enable use of primary and secondary NTP servers to provide redundancy in case of a failure involving the primary NTP server.
Rationale:
NTP enables the device to maintain an accurate time and date when receiving updates from a reliable NTP server. Accurate timestamps are critical when correlating events with other systems, troubleshooting, or performing investigative work. Logs and certain cryptographic functions, such as those utilizing certificates, rely on accurate time and date parameters. In addition, rules referencing a Schedule object will not function as intended if the device's time and date are incorrect.
For additional security, authenticated NTP should be utilized so that a spoofed or rogue NTP source cannot adjust the device clock (and with it log timestamps, certificate validity checks and schedule-based rules). If Symmetric Key authentication is selected, choose SHA1 rather than MD5; MD5 is cryptographically broken and must not be used.
Most organizations will maintain a pair of internal NTP servers for all internal time services. These servers will either be self-contained atomic clocks, or will collect time from a known reliable source (often GPS or a well-known internet server pool will be used)."
solution : "Navigate to Device > Setup > Services > Services.
Set Primary NTP Server Address appropriately.
Set Secondary NTP Server Address appropriately.
Default Value:
Not configured"
reference : "800-171|3.3.6,800-171|3.3.7,800-53|AU-7,800-53|AU-8,800-53r5|AU-7,800-53r5|AU-8,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(b),CSCv7|6.1,CSCv8|8.4,CSF|PR.PT-1,CSF|RS.AN-3,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-7,ITSG-33|AU-8,LEVEL|1A,NESA|T3.6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|37.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "GlobalProtect Gateways"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " GlobalProtect Gateway name: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " No GlobalProtect Gateways found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "Certificates"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Certificate name: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " No certificates found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "GlobalProtect Portals"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " GlobalProtect Portal name: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " No GlobalProtect Portals found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
description : "1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid"
info : "The Certificate used to secure Remote Access VPNs should satisfy the following criteria:
It should be a valid certificate from a trusted source. In almost all cases this means a trusted Public Certificate Authority, because remote access VPN users generally will not have a Private Certificate Authority in their trust store to validate the certificate against.
The certificate should have a valid date. It should not have a 'to' date in the past (it should not be expired), and should not have a 'from' date in the future.
The key length of the certificate's key pair should be 2048 bits or more (for RSA). Note that a certificate is signed, not encrypted, so this refers to the subject's public key.
The hash used to sign the certificate should be SHA-2 or better.
When the Certificate is applied, the TLS version should be 1.1 or higher; 1.2 is recommended. TLS 1.0 and 1.1 are deprecated (RFC 8996), so 1.2 should be the minimum unless a legacy client that cannot be updated requires otherwise.
Rationale:
If presented with a certificate error, the end user in most cases will not be able to tell if their session is using a self-signed or expired certificate, or if their session is being eavesdropped on or injected into by a 'Man in the Middle' attack. This means that self-signed or invalid certificates should never be used for VPN connections.
Impact:
Not using a trusted Certificate, issued by a trusted Public Certificate Authority, means that clients establishing VPN sessions will see an untrusted-certificate error on every connection. This means that they will have no method of validating whether their VPN session is being hijacked by a 'Man in the Middle' (MitM) attack. It also 'trains' them to bypass certificate warnings for other services, making MitM attacks easier for those other services as well.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Create a CSR and install a certificate from a public CA (Certificate Authority) here:
Navigate to Device > Certificate Management > Certificates
Apply a valid certificate to the HTTPS portal:
Navigate to Network > GlobalProtect > Portals > Portal Configuration > Authentication > SSL/TLS Profile
Apply a valid certificate to the GlobalProtect Gateway:
Navigate to Network > GlobalProtect > Gateways > Authentication > SSL/TLS Service Profile
Configure the Service Profile to use the correct certificate
Ensure that the Minimum TLS version is set to 1.2 where possible (TLS 1.0 and 1.1 are deprecated by RFC 8996); allow 1.1 only as a documented exception for legacy clients that cannot be updated.
Default Value:
Not configured"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|14.4,CSCv8|13.9,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,LEVEL|2M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "GlobalProtect Gateways"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "GlobalProtect Gateway name: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "No GlobalProtect Gateways found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "Certificates"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Certificate name: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "No certificates found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "GlobalProtect Portals"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "GlobalProtect Portal name: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "No GlobalProtect Portals found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
description : "1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid"
info : "The Certificate used to secure Remote Access VPNs should satisfy the following criteria:
It should be a valid certificate from a trusted source. In almost all cases this means a trusted Public Certificate Authority, because remote access VPN users generally will not have a Private Certificate Authority in their trust store to validate the certificate against.
The certificate should have a valid date. It should not have a 'to' date in the past (it should not be expired), and should not have a 'from' date in the future.
The key length of the certificate's key pair should be 2048 bits or more (for RSA). Note that a certificate is signed, not encrypted, so this refers to the subject's public key.
The hash used to sign the certificate should be SHA-2 or better.
When the Certificate is applied, the TLS version should be 1.1 or higher; 1.2 is recommended. TLS 1.0 and 1.1 are deprecated (RFC 8996), so 1.2 should be the minimum unless a legacy client that cannot be updated requires otherwise.
Rationale:
If presented with a certificate error, the end user in most cases will not be able to tell if their session is using a self-signed or expired certificate, or if their session is being eavesdropped on or injected into by a 'Man in the Middle' attack. This means that self-signed or invalid certificates should never be used for VPN connections.
Impact:
Not using a trusted Certificate, issued by a trusted Public Certificate Authority, means that clients establishing VPN sessions will see an untrusted-certificate error on every connection. This means that they will have no method of validating whether their VPN session is being hijacked by a 'Man in the Middle' (MitM) attack. It also 'trains' them to bypass certificate warnings for other services, making MitM attacks easier for those other services as well.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Create a CSR and install a certificate from a public CA (Certificate Authority) here:
Navigate to Device > Certificate Management > Certificates
Apply a valid certificate to the HTTPS portal:
Navigate to Network > GlobalProtect > Portals > Portal Configuration > Authentication > SSL/TLS Profile
Apply a valid certificate to the GlobalProtect Gateway:
Navigate to Network > GlobalProtect > Gateways > Authentication > SSL/TLS Service Profile
Configure the Service Profile to use the correct certificate
Ensure that the Minimum TLS version is set to 1.2 where possible (TLS 1.0 and 1.1 are deprecated by RFC 8996); allow 1.1 only as a documented exception for legacy clients that cannot be updated.
Default Value:
Not configured"
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|14.4,CSCv8|13.9,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1M,LEVEL|2M,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "2.3 Ensure that User-ID is only enabled for internal trusted interfaces"
info : "Only enable the User-ID option for interfaces that are both internal and trusted. There is rarely a legitimate need to allow WMI probing (or any user-id identification) on an untrusted interface. The exception to this is identification of remote-access VPN users, who are identified as they connect.
Rationale:
PAN released a customer advisory in October of 2014 warning of WMI probing on untrusted interfaces with User-ID enabled. This can result in theft of the password hash for the account used in WMI probing.
Impact:
If WMI probing is enabled without limiting the scope, internet hosts that are sources or destinations of traffic will be probed, and the password hash of the account configured for probing can be captured by an outside attacker on such a host. The impact is greatest when that account is a Domain Admin; the User-ID service account should in any event be a dedicated, least-privilege account.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Navigate to Network > Network Profiles > Interface Management.
Set User-ID to be checked only for interfaces that are both internal and trusted; uncheck it for all other interfaces.
Default Value:
By default WMI probing and all User-ID functions are disabled."
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-1,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-1,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv7|9.2,CSCv7|16.13,CSCv8|8.1,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.PT-1,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|GV.OC-03,CSF2.0|GV.OV-01,CSF2.0|GV.PO-01,CSF2.0|GV.PO-02,CSF2.0|GV.SC-03,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Profile - has 'User ID' service enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Profile - does not have 'User ID' service enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "2.3 Ensure that User-ID is only enabled for internal trusted interfaces"
info : "Only enable the User-ID option for interfaces that are both internal and trusted. There is rarely a legitimate need to allow WMI probing (or any user-id identification) on an untrusted interface. The exception to this is identification of remote-access VPN users, who are identified as they connect.
Rationale:
PAN released a customer advisory in October of 2014 warning of WMI probing on untrusted interfaces with User-ID enabled. This can result in theft of the password hash for the account used in WMI probing.
Impact:
If WMI probing is enabled without limiting the scope, internet hosts that are sources or destinations of traffic will be probed, and the password hash of the account configured for probing can be captured by an outside attacker on such a host. The impact is greatest when that account is a Domain Admin; the User-ID service account should in any event be a dedicated, least-privilege account.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Navigate to Network > Network Profiles > Interface Management.
Set User-ID to be checked only for interfaces that are both internal and trusted; uncheck it for all other interfaces.
Default Value:
By default WMI probing and all User-ID functions are disabled."
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-1,800-53|AU-2,800-53|AU-7,800-53|AU-12,800-53r5|AU-1,800-53r5|AU-2,800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(c),CN-L3|8.1.4.3(a),CSCv7|6.2,CSCv7|9.2,CSCv7|16.13,CSCv8|8.1,CSCv8|8.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|ID.GV-1,CSF|ID.GV-3,CSF|PR.PT-1,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|GV.OC-03,CSF2.0|GV.OV-01,CSF2.0|GV.PO-01,CSF2.0|GV.PO-02,CSF2.0|GV.SC-03,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-1,ITSG-33|AU-2,ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.8,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Profile - has 'User ID' service enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Profile - does not have 'User ID' service enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "No Interface Management Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "Check that User ID is enabled on any profile"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "enabled"
expect : "enabled"
type : AUDIT_XML
description : "2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled"
info : "If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted networks. There is rarely a legitimate need to allow WMI probing or other User identification on an untrusted network.
Rationale:
The Include/Exclude Networks feature allows administrators to configure boundaries for the User-ID service. By using it to limit User-ID probing to trusted internal networks only, the risk of privileged credential disclosure through sent probes is reduced. Note that as soon as any entry exists in the Include/Exclude Networks section, an implicit exclude-all policy takes effect for every network not explicitly included.
Impact:
Not restricting the networks subject to User Identification means that the administrative credentials (userid and password hash) used for this task will transit untrusted networks, or be sent to untrusted hosts. Capturing these credentials exposes them to offline cracking attacks.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Navigate to Device > User Identification > User Mapping > Include/Exclude Networks.
Set all trusted internal networks to have a Discovery value of Include.
Set all untrusted external networks to have a Discovery value of Exclude. Note that any entry in the Include list implies that all other networks are excluded, so verify that every trusted internal subnet is explicitly included; User-ID will not map users on omitted subnets.
Default Value:
Not configured"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.DS-11,CSF2.0|PR.IR-01,CSF2.0|PR.IR-03,CSF2.0|PR.IR-04,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Review - Name: , Discovery: , Network: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Review - No Include/Exclude Network config found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "^Manual Review Required$"
severity : MEDIUM
description : "2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled"
info : "If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted networks. There is rarely a legitimate need to allow WMI probing or other User identification on an untrusted network.
Rationale:
The Include/Exclude Networks feature allows administrators to configure boundaries for the User-ID service. By using it to limit User-ID probing to trusted internal networks only, the risk of privileged credential disclosure through sent probes is reduced. Note that as soon as any entry exists in the Include/Exclude Networks section, an implicit exclude-all policy takes effect for every network not explicitly included.
Impact:
Not restricting the networks subject to User Identification means that the administrative credentials (userid and password hash) used for this task will transit untrusted networks, or be sent to untrusted hosts. Capturing these credentials exposes them to offline cracking attacks."
solution : "Navigate to Device > User Identification > User Mapping > Include/Exclude Networks.
Set all trusted internal networks to have a Discovery value of Include.
Set all untrusted external networks to have a Discovery value of Exclude. Note that any entry in the Include list implies that all other networks are excluded, so verify that every trusted internal subnet is explicitly included; User-ID will not map users on omitted subnets.
Default Value:
Not configured"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.DS-11,CSF2.0|PR.IR-01,CSF2.0|PR.IR-03,CSF2.0|PR.IR-04,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
type : AUDIT_XML
description : "Check that User ID is enabled on any profile"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "enabled"
expect : "enabled"
type : AUDIT_XML
description : "2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled"
info : "If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted networks. There is rarely a legitimate need to allow WMI probing or other User identification on an untrusted network.
Rationale:
The Include/Exclude Networks feature allows administrators to configure boundaries for the User-ID service. By using the feature to limit User-ID probing to only trusted internal networks, the risk of privileged information disclosure through sent probes can be reduced. Note that if an entry appears in the Include/Exclude Networks section, an implicit exclude-all-networks policy will take effect for all other networks.
Impact:
Not restricting the networks subject to User Identification means that the User-ID service account credentials (username and password hash) used for this task will transit untrusted networks, or be sent to untrusted hosts. Capturing these credentials exposes them to offline cracking attacks.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Navigate to Device > User Identification > User Mapping > Include/Exclude Networks.
Set all trusted internal networks to have a Discovery value of Include.
Set all untrusted external networks to have a Discovery value of Exclude. Note that any value in the trusted networks list implies that all other networks are untrusted.
Default Value:
Not configured"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.DS-11,CSF2.0|PR.IR-01,CSF2.0|PR.IR-03,CSF2.0|PR.IR-04,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Review - Name: , Discovery: , Network: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Review - No Include/Exclude Network config found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "^Manual Review Required$"
severity : MEDIUM
description : "2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled"
info : "If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted networks. There is rarely a legitimate need to allow WMI probing or other User identification on an untrusted network.
Rationale:
The Include/Exclude Networks feature allows administrators to configure boundaries for the User-ID service. By using the feature to limit User-ID probing to only trusted internal networks, the risk of privileged information disclosure through sent probes can be reduced. Note that if an entry appears in the Include/Exclude Networks section, an implicit exclude-all-networks policy will take effect for all other networks.
Impact:
Not restricting the networks subject to User Identification means that the User-ID service account credentials (username and password hash) used for this task will transit untrusted networks, or be sent to untrusted hosts. Capturing these credentials exposes them to offline cracking attacks."
solution : "Navigate to Device > User Identification > User Mapping > Include/Exclude Networks.
Set all trusted internal networks to have a Discovery value of Include.
Set all untrusted external networks to have a Discovery value of Exclude. Note that any value in the trusted networks list implies that all other networks are untrusted.
Default Value:
Not configured"
reference : "800-171|3.4.6,800-171|3.4.7,800-171|3.13.1,800-171|3.13.2,800-171|3.13.5,800-53|CM-7,800-53|CP-6,800-53|CP-7,800-53|PL-8,800-53|PM-7,800-53|SA-8,800-53|SC-7,800-53r5|CM-7,800-53r5|CP-6,800-53r5|CP-7,800-53r5|PL-8,800-53r5|PM-7,800-53r5|SA-8,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|9.2,CSCv8|12.2,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.IP-1,CSF|PR.IP-2,CSF|PR.IP-4,CSF|PR.PT-3,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|ID.AM-08,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.DS-11,CSF2.0|PR.IR-01,CSF2.0|PR.IR-03,CSF2.0|PR.IR-04,CSF2.0|PR.PS-01,CSF2.0|PR.PS-06,GDPR|32.1.b,GDPR|32.1.c,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|CM-7,ITSG-33|CP-6,ITSG-33|CP-7,ITSG-33|SA-8,ITSG-33|SA-8a.,ITSG-33|SC-7,LEVEL|1A,NESA|T2.2.4,NESA|T3.4.1,NESA|T4.5.3,NESA|T4.5.4,NESA|T7.6.5,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,NIAv2|SS3,NIAv2|SS15a,NIAv2|VL2,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|2.2.2,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,SWIFT-CSCv1|2.3,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
description : "2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled"
info : "If the integrated (on-device) User-ID Agent is utilized, the Active Directory account for the agent should only be a member of the Event Log Readers group, Distributed COM Users group, and Domain Users group. If the Windows User-ID agent is utilized, the Active Directory account for the agent should only be a member of the Event Log Readers group, Server Operators group, and Domain Users group.
Rationale:
As a principle of least privilege, user accounts should have only minimum necessary permissions. If an attacker compromises a User-ID service account with domain admin rights, the organization is at far greater risk than if the service account were only granted minimum rights.
Impact:
Using accounts with full administrative privileges when those rights are not required is always a bad idea. This is particularly true for service accounts of this type, which in many organizations do not see strong passwords or frequent password changes. In addition, service passwords are stored in the Windows Registry, and are recoverable with the use of appropriate malicious tools. The principle of least privilege means that any compromised accounts of this type have less value to an attacker, and expose fewer assets based on their rights.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Navigate to Active Directory Users and Computers.
Set the service account for the User-ID agent so that it is only a member of the Event Log Readers, Distributed COM Users, and Domain Users (for the integrated, on-device User-ID agent) or the Event Log Readers, Server Operators, and Domain Users groups (for the Windows User-ID agent.)
Default Value:
Not configured"
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|4.3,CSCv8|5.4,CSF|PR.AC-4,CSF2.0|PR.AA-05,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1M,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
description : "2.6 Ensure that the User-ID service account does not have interactive logon rights"
info : "Restrict the User-ID service account from interactively logging on to systems in the Active Directory domain.
Rationale:
In the event of a compromised User-ID service account, restricting interactive logins prevents the attacker from using services such as RDP against computers in the organization's Active Directory domain. This reduces the impact of a User-ID service account compromise.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Navigate to Active Directory Group Policies.
Set Group Policies to restrict the interactive logon privilege for the User-ID service account.
or
Navigate to Active Directory Managed Service Accounts.
Set Managed Service Accounts to restrict the interactive logon privilege for the User-ID service account.
Default Value:
Not configured"
reference : "800-171|3.1.1,800-53|AC-2,800-53r5|AC-2,CN-L3|7.1.3.2(d),CSCv7|4,CSCv8|5.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.1,ITSG-33|AC-2,LEVEL|1A,NIAv2|AM28,NIAv2|NS5j,NIAv2|SS14e,QCSC-v1|5.2.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
description : "2.7 Ensure remote access capabilities for the User-ID service account are forbidden."
info : "Restrict the User-ID service account's ability to gain remote access into the organization. This capability could be made available through a variety of technologies, such as VPN, Citrix GoToMyPC, or TeamViewer. Remote services that integrate authentication with the organization's Active Directory may unintentionally allow the User-ID service account to gain remote access.
Rationale:
In the event of a compromised User-ID service account, restricting the account's ability to remotely access resources within the organization's internal network reduces the impact of a service account compromise.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance."
solution : "Remove this account from all groups that might grant remote access to the network, or to any network services or hosts. Remediation is operating-system dependent. For instance, in Windows Active Directory, this account should be removed from any group that grants the account access to VPN or Wireless access. In addition, domain administrative accounts by default have remote desktop (RDP) access to all domain member workstations - this should be explicitly denied for this account.
Default Value:
Not configured"
reference : "800-171|3.1.1,800-171|3.1.5,800-171|3.3.8,800-171|3.3.9,800-53|AC-2,800-53|AC-3,800-53|AC-6,800-53|AC-6(1),800-53|AC-6(7),800-53|AU-9(4),800-53r5|AC-2,800-53r5|AC-5,800-53r5|AC-6,800-53r5|AC-6(1),800-53r5|AC-6(7),800-53r5|AU-9(4),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(d),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.3(d),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|4,CSCv8|6.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.5,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.4,ISO/IEC-27001|A.9.4.5,ISO/IEC-27001|A.12.4.2,ITSG-33|AC-2,ITSG-33|AC-3,ITSG-33|AC-6,ITSG-33|AC-6(1),ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),LEVEL|1M,NESA|M1.1.3,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|AM28,NIAv2|AM31,NIAv2|GS3,NIAv2|GS4,NIAv2|GS8c,NIAv2|NS5j,NIAv2|SM5,NIAv2|SM6,NIAv2|SS13c,NIAv2|SS14e,NIAv2|SS15c,NIAv2|SS29,NIAv2|VL3b,PCI-DSSv3.2.1|7.1.2,PCI-DSSv3.2.1|10.5,PCI-DSSv3.2.1|10.5.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,PCI-DSSv4.0|10.3.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones"
info : "Create security policies to deny Palo Alto User-ID traffic originating from the interface configured for the UID Agent service that are destined to any untrusted zone.
Rationale:
If User-ID and WMI probes are sent to untrusted zones, the risk of privileged information disclosure exists. The information disclosed can include the User-ID Agent service account name, domain name, and encrypted password hashes sent in User-ID and WMI probes. To prevent this exposure, msrpc traffic originating from the firewall to untrusted networks should be explicitly denied. This security policy should be in effect even for environments not currently using WMI probing to help guard against possible probe misconfigurations in the future.
This setting is a 'fail safe' to prevent exposure of this information if any of the other WMI User control settings are misconfigured."
solution : "Navigate to Device > Setup > Services > Services Features > Service Route Configuration > Customize.
Click on the protocol in use (IPv4 and/or IPv6).
Click UID Agent.
Note the address object for the UID Agent's IP address (the source of the User-ID/WMI probes).
Navigate to Policies > Security and add a new rule:
Set SOURCE/NAME to 'Deny msrpc to untrusted'.
Set SOURCE/ZONE to 'INSIDE'.
Set SOURCE/Address to the Address object for the UID Agent.
Set DESTINATION/ZONE to 'GUEST' and 'OUTSIDE'.
Set DESTINATION/Address to 'any'.
Set DESTINATION/Application to 'msrpc'.
Set DESTINATION/Service to 'application-default'.
Set DESTINATION/Action to 'Block' (red circle with diagonal line).
Place this deny rule above any rule that would otherwise permit this traffic, since security policy is evaluated top-down and the first match wins."
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|9.2,CSCv8|5.4,CSF|PR.AC-4,CSF2.0|PR.AA-05,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Security profile '' uses action '' for 'MSRPC'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Security profile '' uses action '' for 'MSRPC'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Security Profiles have an MSRPC application type selected."
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones"
info : "Create security policies to deny Palo Alto User-ID traffic originating from the interface configured for the UID Agent service that are destined to any untrusted zone.
Rationale:
If User-ID and WMI probes are sent to untrusted zones, the risk of privileged information disclosure exists. The information disclosed can include the User-ID Agent service account name, domain name, and encrypted password hashes sent in User-ID and WMI probes. To prevent this exposure, msrpc traffic originating from the firewall to untrusted networks should be explicitly denied. This security policy should be in effect even for environments not currently using WMI probing to help guard against possible probe misconfigurations in the future.
This setting is a 'fail safe' to prevent exposure of this information if any of the other WMI User control settings are misconfigured."
solution : "Navigate to Device > Setup > Services > Services Features > Service Route Configuration > Customize.
Click on the protocol in use (IPv4 and/or IPv6).
Click UID Agent.
Note the address object for the UID Agent's IP address (the source of the User-ID/WMI probes).
Navigate to Policies > Security and add a new rule:
Set SOURCE/NAME to 'Deny msrpc to untrusted'.
Set SOURCE/ZONE to 'INSIDE'.
Set SOURCE/Address to the Address object for the UID Agent.
Set DESTINATION/ZONE to 'GUEST' and 'OUTSIDE'.
Set DESTINATION/Address to 'any'.
Set DESTINATION/Application to 'msrpc'.
Set DESTINATION/Service to 'application-default'.
Set DESTINATION/Action to 'Block' (red circle with diagonal line).
Place this deny rule above any rule that would otherwise permit this traffic, since security policy is evaluated top-down and the first match wins."
reference : "800-171|3.1.5,800-171|3.1.6,800-53|AC-6(2),800-53|AC-6(5),800-53r5|AC-6(2),800-53r5|AC-6(5),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.10.6(a),CSCv7|9.2,CSCv8|5.4,CSF|PR.AC-4,CSF2.0|PR.AA-05,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.9.2.3,ITSG-33|AC-6(2),ITSG-33|AC-6(5),LEVEL|1A,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.6.1,NIAv2|AM1,NIAv2|AM23f,NIAv2|AM32,NIAv2|AM33,NIAv2|SS13c,NIAv2|SS15c,NIAv2|VL3a,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|5.2.2,QCSC-v1|6.2,SWIFT-CSCv1|1.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security profile '' uses action '' for 'MSRPC'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security profile '' uses action '' for 'MSRPC'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Security Profiles have an MSRPC application type selected."
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "3.1 Ensure a fully-synchronized High Availability peer is configured"
info : "Ensure a High Availability peer is fully synchronized and in a passive or active state.
Rationale:
To ensure availability of both the firewall and the resources it protects, a High Availability peer is required. In the event a single firewall fails, or when maintenance such as a software update is required, the HA peer can be used to automatically fail over session states and maintain overall availability
Impact:
Not configuring High Availability (HA) correctly directly impacts the Availability of the system. With HA in place, standard maintenance such as OS updates, network and power cabling can be accomplished with no outage or a minimum impact."
solution : "Navigate to Device > High Availability > HA Communications.
Click HA Communications. Click Data Link (HA2). Select the correct interface. Select the desired protocol (IPv4 or IPv6). Select the correct Transport. Set the Enable Session Synchronization box to be checked.
Choose Save Configuration.
Default Value:
Not Configured"
reference : "800-53|SI-13(5),800-53r5|SI-13(5),CSF2.0|PR.IR-03,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-13(5),LEVEL|1A,TBA-FIISB|39.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - High Availability 'Enable Session Synchronization' is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - High Availability 'Enable Session Synchronization' is disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Path Monitoring Failure Condition"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - High Availability 'Path Monitoring Failure Condition' is ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - High Availability 'Path Monitoring Failure Condition' is default or 'any'."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - High Availability Path Monitoring is not used."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Link Monitoring Failure Condition"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - High Availability 'Link Monitoring Failure Condition' is ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - High Availability 'Link Monitoring Failure Condition' is default or 'any'."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - High Availability Link Monitoring is not used."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring"
info : "Configure Link Monitoring and/or Path Monitoring under High Availability options. If Link Monitoring is utilized, all links critical to traffic flow should be monitored.
Rationale:
If Link or Path Monitoring is not enabled, the standby firewall will not automatically take over as active if a critical link or path fails on the active firewall. Services through the firewall could become unavailable as a result.
Impact:
Not configuring High Availability (HA) correctly directly impacts the Availability of the system. With HA in place, standard maintenance such as OS updates, network and power cabling can be accomplished with no outage or a minimum impact.
Without Link and Path monitoring in particular, failover will only occur when the primary device fails completely. Link and path monitoring permits failover if a critical interface loses link (either due to cabling or an upstream switch failover), or if a route or path fails (indicating an upstream issue that affects local Layer 3)."
solution : "To set Link Monitoring from GUI:
Navigate to Device > High Availability > Link and Path Monitoring.
Click Link Monitoring.
Set the correct interfaces to the Link Group and Group Failure Conditions.
Click Link Monitoring.
Set Failure Condition to Any.
Check Enabled button.
To set Path Monitoring from GUI:
Navigate to Device > High Availability > Link and Path Monitoring.
Click Path Monitoring.
Set Option correctly.
Set Failure Condition to Any.
Set Name, IP Address, Failure Condition correctly.
Set Default setting to Any.
Check Enabled button.
Default Value:
Not Configured"
reference : "800-53|SI-13(5),800-53r5|SI-13(5),CSF2.0|PR.IR-03,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-13(5),LEVEL|1A,TBA-FIISB|39.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Passive Link State"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - High Availability 'Passive Link State' is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - High Availability 'Passive Link State' is not set."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - High Availability 'Passive Link State' is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Election Settings"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - High Availability 'Election Settings: Preemptive' is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - High Availability 'Election Settings: Preemptive' is disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately"
info : "Set the Passive Link State to auto, and uncheck the Preemptive option to disable it.
Rationale:
Simultaneously enabling the 'Preemptive' option and setting the 'Passive Link State' option to 'Shutdown' could cause a 'preemptive loop' if Link and Path Monitoring are both configured. This will negatively impact the availability of the firewall and network services, should a monitored failure occur.
Impact:
Incorrectly configuring this setting will adversely affect availability, rather than positively affect it."
solution : "To set Active/Passive Settings correctly:
Navigate to Device > High Availability > General > Active/Passive Settings.
Set Passive Link State to auto.
To set Election Settings correctly:
Navigate to Device > High Availability > Election Settings.
Set Preemptive to be disabled.
Default Value:
Not Configured"
reference : "800-53|SI-13(5),800-53r5|SI-13(5),CSF2.0|PR.IR-03,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-13(5),LEVEL|1A,TBA-FIISB|39.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "3.1 Ensure a fully-synchronized High Availability peer is configured"
info : "Ensure a High Availability peer is fully synchronized and in a passive or active state.
Rationale:
To ensure availability of both the firewall and the resources it protects, a High Availability peer is required. In the event a single firewall fails, or when maintenance such as a software update is required, the HA peer can be used to automatically fail over session states and maintain overall availability
Impact:
Not configuring High Availability (HA) correctly directly impacts the Availability of the system. With HA in place, standard maintenance such as OS updates, network and power cabling can be accomplished with no outage or a minimum impact."
solution : "Navigate to Device > High Availability > HA Communications.
Click HA Communications. Click Data Link (HA2). Select the correct interface. Select the desired protocol (IPv4 or IPv6). Select the correct Transport. Set the Enable Session Synchronization box to be checked.
Choose Save Configuration.
Default Value:
Not Configured"
reference : "800-53|SI-13(5),800-53r5|SI-13(5),CSF2.0|PR.IR-03,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-13(5),LEVEL|1A,TBA-FIISB|39.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - High Availability 'Enable Session Synchronization' is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - High Availability 'Enable Session Synchronization' is disabled."
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Path Monitoring Failure Condition"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - High Availability 'Path Monitoring Failure Condition' is ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - High Availability 'Path Monitoring Failure Condition' is ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - High Availability Path Monitoring is not used."
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Link Monitoring Failure Condition"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - High Availability 'Link Monitoring Failure Condition' is ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - High Availability 'Link Monitoring Failure Condition' is ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - High Availability Link Monitoring is not used."
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
description : "3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring"
info : "Configure Link Monitoring and/or Path Monitoring under High Availability options. If Link Monitoring is utilized, all links critical to traffic flow should be monitored.
Rationale:
If Link or Path Monitoring is not enabled, the standby firewall will not automatically take over as active if a critical link or path fails on the active firewall. Services through the firewall could become unavailable as a result.
Impact:
Not configuring High Availability (HA) correctly directly impacts the Availability of the system. With HA in place, standard maintenance such as OS updates, network and power cabling can be accomplished with no outage or a minimum impact.
Without Link and Path monitoring in particular, failover will only occur when the primary device fails completely. Link and path monitoring permits failover if a critical interface loses link (either due to cabling or an upstream switch failover), or if a route or path fails (indicating an upstream issue that affects local Layer 3)."
solution : "To set Link Monitoring from GUI:
Navigate to Device > High Availability > Link and Path Monitoring.
Click Link Monitoring.
Set the correct interfaces to the Link Group and Group Failure Conditions.
Click Link Monitoring.
Set Failure Condition to Any.
Check Enabled button.
To set Path Monitoring from GUI:
Navigate to Device > High Availability > Link and Path Monitoring.
Click Path Monitoring.
Set Option correctly.
Set Failure Condition to Any.
Set Name, IP Address, Failure Condition correctly.
Set Default setting to Any.
Check Enabled button.
Default Value:
Not Configured"
reference : "800-53|SI-13(5),800-53r5|SI-13(5),CSF2.0|PR.IR-03,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-13(5),LEVEL|1A,TBA-FIISB|39.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Passive Link State"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - High Availability 'Passive Link State' is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - High Availability 'Passive Link State' is not set."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - High Availability 'Passive Link State' is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Election Settings"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - High Availability 'Election Settings: Preemptive' is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - High Availability 'Election Settings: Preemptive' is disabled."
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
description : "3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately"
info : "Set the Passive Link State to auto, and uncheck the Preemptive option to disable it.
Rationale:
Simultaneously enabling the 'Preemptive' option and setting the 'Passive Link State' option to 'Shutdown' could cause a 'preemptive loop' if Link and Path Monitoring are both configured. This will negatively impact the availability of the firewall and network services, should a monitored failure occur.
Impact:
Incorrectly configuring this setting will adversely affect availability, rather than positively affect it."
solution : "To set Active/Passive Settings correctly:
Navigate to Device > High Availability > General > Active/Passive Settings.
Set Passive Link State to auto.
To set Election Settings correctly:
Navigate to Device > High Availability > Election Settings.
Set Preemptive to be disabled.
Default Value:
Not Configured"
reference : "800-53|SI-13(5),800-53r5|SI-13(5),CSF2.0|PR.IR-03,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-13(5),LEVEL|1A,TBA-FIISB|39.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly"
info : "Set Antivirus Update Schedule to download and install updates hourly.
Rationale:
New antivirus definitions may be released at any time. With an hourly update schedule, the firewall can ensure threats with new definitions are quickly mitigated. A daily update schedule could leave an organization vulnerable to a known virus for nearly 24 hours, in a worst-case scenario. Setting an appropriate threshold value reduces the risk of a bad definition file negatively affecting traffic."
solution : "Navigate to Device > Dynamic Updates > Antivirus Update Schedule.
Set Action to Download and Install.
Set Recurrence to Hourly.
Default Value:
Not Configured"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|RA-7,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,CSF2.0|PR.PS-02,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Anti-Virus schedule is set to 'hourly' and 'download and install'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Anti-Virus schedule is not set to 'hourly' and 'download and install'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals"
info : "Set the Applications and Threats Update Schedule to download and install updates at daily or shorter intervals.
Rationale:
New Applications and Threats file versions may be released at any time. With a frequent update schedule, the firewall can ensure threats with new signatures are quickly mitigated, and the latest application signatures are applied."
solution : "Navigate to Device > Dynamic Updates > Application and Threats Update Schedule.
Set Action to Download and Install.
Set Recurrence to Daily, Hourly, or Every 30 Minutes.
Default Value:
This setting is by default set to Weekly."
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|RA-7,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,CSF2.0|PR.PS-02,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Applications and Threats schedule is set to 'daily', 'hourly', or 'Every 30 minutes', and 'download and install'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Applications and Threats schedule is not set to 'daily', 'hourly', or 'Every 30 minutes', and 'download and install'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly"
info : "Set Antivirus Update Schedule to download and install updates hourly.
Rationale:
New antivirus definitions may be released at any time. With an hourly update schedule, the firewall can ensure threats with new definitions are quickly mitigated. A daily update schedule could leave an organization vulnerable to a known virus for nearly 24 hours, in a worst-case scenario. Setting an appropriate threshold value reduces the risk of a bad definition file negatively affecting traffic."
solution : "Navigate to Device > Dynamic Updates > Antivirus Update Schedule.
Set Action to Download and Install.
Set Recurrence to Hourly.
Default Value:
Not Configured"
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|RA-7,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,CSF2.0|PR.PS-02,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Anti-Virus schedule is set to 'hourly' and 'download and install'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Anti-Virus schedule is not set to 'hourly' and/or 'download and install'"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals"
info : "Set the Applications and Threats Update Schedule to download and install updates at daily or shorter intervals.
Rationale:
New Applications and Threats file versions may be released at any time. With a frequent update schedule, the firewall can ensure threats with new signatures are quickly mitigated, and the latest application signatures are applied."
solution : "Navigate to Device > Dynamic Updates > Application and Threats Update Schedule.
Set Action to Download and Install.
Set Recurrence to Daily, Hourly, or Every 30 Minutes.
Default Value:
This setting is by default set to Weekly."
reference : "800-171|3.11.2,800-171|3.11.3,800-171|3.14.1,800-53|RA-5,800-53|SI-2,800-53|SI-2(2),800-53r5|RA-5,800-53r5|RA-7,800-53r5|SI-2,800-53r5|SI-2(2),CN-L3|8.1.4.4(e),CN-L3|8.1.10.5(a),CN-L3|8.1.10.5(b),CN-L3|8.5.4.1(b),CN-L3|8.5.4.1(d),CN-L3|8.5.4.1(e),CSCv7|3.4,CSCv7|3.5,CSCv8|7.3,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,CSF2.0|PR.PS-02,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,ITSG-33|SI-2,ITSG-33|SI-2(2),LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.6.2,NESA|T7.7.1,NIAv2|PR9,PCI-DSSv3.2.1|6.1,PCI-DSSv3.2.1|6.2,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,PCI-DSSv4.0|6.3.3,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Applications and Threats schedule is set to 'daily', 'hourly', or 'Every 30 minutes', and 'download and install'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Applications and Threats schedule is not set to 'daily', 'hourly', or 'Every 30 minutes', and 'download and install'"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "5.1 Ensure that WildFire file size upload limits are maximized"
info : "The default file size limits on the firewall are designed to include the majority of malware in the wild (which is smaller than the default size limits) and to exclude large files that are very unlikely to be malicious and that can impact WildFire file-forwarding capacity.
Rationale:
Because the firewall has a specific capacity reserved to forward files for WildFire analysis, forwarding high numbers of large files can cause the firewall to skip forwarding of some files. This condition occurs when the maximum file size limits are configured for a file type that is traversing the firewall at a high rate. In this case, a potentially malicious file might not get forwarded for WildFire analysis. Consider this possible condition if you would like to increase the size limit for files other than PEs beyond their default size limit.
Impact:
Using larger file filtering can cause the system to skip files in the event multiple larger files are sent."
solution : "Navigate to Device > Setup > WildFire.
Click the General Settings edit icon.
Set the maximum size for each file type to a value larger than the default: large enough to account for 'large' files, but not so large that it affects the performance of the hardware.
In PAN-OS 9.x and higher, the default file sizes for WildFire are:
pe (Portable Executable) - 16MB
apk (Android Application)- 10MB
pdf (Portable Document Format) - 3072KB
ms-office (Microsoft Office) - 16384KB
jar (Packaged Java class file) - 5MB
flash (Adobe Flash) - 5MB
MacOSX (DMG/MAC-APP/MACH-O PKG files) - 10MB
archive (RAR and 7z files) - 50MB
linux (ELF files) - 50MB
script (JScript, VBScript, PowerShell, and Shell Script)- 20KB
In PAN-OS 9.x and higher, the maximum file sizes for Wildfire are:
pe (Portable Executable) - 50MB
apk (Android Application)- 50MB
pdf (Portable Document Format) - 51200KB
ms-office (Microsoft Office) - 51200KB
jar (Packaged Java class file) - 20MB
flash (Adobe Flash) - 10MB
MacOSX (DMG/MAC-APP/MACH-O PKG files) - 50MB
archive (RAR and 7z files) - 50MB
linux (ELF files) - 50MB
script (JScript, VBScript, PowerShell, and Shell Script)- 4096KB
Default Value:
In PAN-OS 9.x, the default file sizes for WildFire are:
pe (Portable Executable) - 16MB
apk (Android Application)- 10MB
pdf (Portable Document Format) - 3072KB
ms-office (Microsoft Office) - 16384KB
jar (Packaged Java class file) - 5MB
flash (Adobe Flash) - 5MB
MacOSX (DMG/MAC-APP/MACH-O PKG files) - 10MB
archive (RAR and 7z files) - 50MB
linux (ELF files) - 50MB
script (JScript, VBScript, PowerShell, and Shell Script)- 20KB"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - pe is greater than or equal to 16: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - pe is less than 16: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - apk is greater than or equal to 10: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - apk is less than 10: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - pdf is greater than or equal to 3072: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - pdf is less than 3072: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - ms-office is greater than or equal to 16384: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - ms-office is less than 16384: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - jar is greater than or equal to 5: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - jar is less than 5: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - flash is greater than or equal to 5: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - flash is less than 5: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - MacOSX is greater than or equal to 10: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - MacOSX is less than 10: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - archive is greater than or equal to 50: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - archive is less than 50: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - linux is greater than or equal to 50: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - linux is less than 50: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - script is greater than or equal to 20: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - script is less than 20: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Wildfire file limit sizes set to default"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : " Failed"
type : AUDIT_XML
description : "5.2 Ensure a WildFire Analysis profile is enabled for all security policies"
info : "Ensure that all files traversing the firewall are inspected by WildFire by setting a Wildfire file blocking profile on all security policies.
Rationale:
Traffic matching security policies that do not include a WildFire file blocking profile will not utilize WildFire for file analysis. Wildfire analysis is one of the key security measures available on this platform. Without Wildfire analysis enabled, inbound malware can only be analyzed by signature - which industry wide is roughly 40-60% effective. In a targeted attack, the success of signature-based-only analysis drops even further."
solution : "To Set File Blocking Profile:
Navigate to Objects > Security Profiles > WildFire Analysis Profile.
Create a WildFire profile that has 'Application Any', 'File Types Any', and 'Direction Both'.
To Set WildFire Analysis Rules:
Navigate to Policies > Security.
For each Security Policy Rule where the action is 'Allow', Navigate to Actions > Profile Setting > WildFire Analysis and set a WildFire Analysis profile.
Group Profiles can also be used. To take this approach:
Navigate to Objects > Security Profile Groups. Create a Security Profile Group, and ensure that (among other settings) the Wildfire Analysis Profile is set to the created profile.
Navigate to Policies > Security. For each Security Policy Rule where the action is 'Allow', Navigate to Actions > Profile Setting. Modify the Profile Type to Group, and set the Group Profile to the created Security Profile Group.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Security policy with action 'allow': "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - WildFire Profile set: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0\">"
xsl_stmt : " Passed - Group with WildFire set: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Group does not have WildFire set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - WildFire Profile not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Security Policies found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "5.3 Ensure forwarding of decrypted content to WildFire is enabled"
info : "Allow the firewall to forward decrypted content to WildFire. Note that SSL Forward-Proxy must also be enabled and configured for this setting to take effect on inside-to-outside traffic flows.
Rationale:
As encrypted Internet traffic continues to proliferate, WildFire becomes less effective unless it is allowed to act on decrypted content. For example, if a user downloads a malicious pdf over SSL, WildFire can only provide analysis if 1) the session is decrypted by the firewall and 2) forwarding of decrypted content is enabled. In today's internet, roughly 70-80% of all user traffic is encrypted. If Wildfire is not configured to analyze encrypted content, the effectiveness of Wildfire is drastically reduced."
solution : "Navigate to Device > Setup > Content-ID > Content-ID Settings.
Set Allow forwarding of decrypted content to be checked.
Note that SSL Forward Proxy must be configured for this setting to be effective.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53|SI-16,800-53r5|SI-3,800-53r5|SI-16,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv7|12.9,CSCv7|12.10,CSCv8|10.1,CSCv8|10.5,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,ITSG-33|SI-16,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - 'Allow forwarding of decrypted content' is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - 'Allow forwarding of decrypted content' is not enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "5.4 Ensure all WildFire session information settings are enabled"
info : "Enable all options under Session Information Settings for WildFire.
Rationale:
Permitting the firewall to send all of this information to WildFire creates more detailed reports, thereby making the process of tracking down potentially infected devices more efficient. This could prevent an infected system from further infecting the environment. Environments with security policies restricting sending this data to the WildFire cloud can instead utilize an on-premises WildFire appliance. In addition, risk can be analyzed in the context of the destination host and user account, either during analysis or during incident response."
solution : "Navigate to Device > Setup > WildFire > Session Information Settings.
Set every option to be enabled.
Default Value:
All Session Information Settings are enabled by default. These include:
Source IP
Source port
Destination IP
Destination port
Virtual System
Application
User
URL
File name
Email sender
Email recipient
Email subject"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|6.2,CSCv7|8.6,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Source IP"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Source IP"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Email Subject"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Email Subject"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Email Recipient"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Email Recipient"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Email Sender"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Email Sender"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - File name"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - File name"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - URL"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - URL"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Application"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Application"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - User"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - User"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Virtual System"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Virtual System"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Destination Port"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Destination Port"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Destination IP"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Destination IP"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Source Port"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Source Port"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - All 'WildFire Session Information Settings' appear to be enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Wildfire enabled by default"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "5.5 Ensure alerts are enabled for malicious files detected by WildFire"
info : "Configure WildFire to send an alert when a malicious or greyware file is detected. This alert could be sent by whichever means is preferable, including email, SNMP trap, or syslog message.
Alternatively, configure the WildFire cloud to generate alerts for malicious files. The cloud can generate alerts in addition to or instead of the local WildFire implementation. Note that the destination email address of alerts configured in the WildFire cloud portal is tied to the logged in account, and cannot be modified. Also, new systems added to the WildFire cloud portal will not be automatically set to email alerts.
Rationale:
WildFire analyzes files that have already been downloaded and possibly executed. A WildFire verdict of malicious indicates that a computer could already be infected. In addition, because WildFire only analyzes files it has not already seen that were not flagged by the firewall's antivirus filter, files deemed malicious by WildFire are more likely to evade detection by desktop antivirus products."
solution : "From GUI, configure some combination of the following Server Profiles:
Configure the Email Server:
Select Device > Server Profiles > Email
Click Add
Enter a name for the Profile.
Select the virtual system from the Location drop down menu (if applicable)
Click Add
Configure the Syslog Server:
Select Device > Server Profiles > Syslog > Add
Enter Name, Display Name, Syslog Server, Transport, Port, Format, Facility
Click OK
Click Commit to save the configuration
Configure the SMTP Server:
Select Device > Server Profiles > Email
Select Add, Name, Display Name, From, To, Additional Recipients, Gateway IP or Hostname
Click OK
Click Commit to save the configuration
Navigate to Objects, Log Forwarding
Choose Add, set the log type to 'wildfire', add the filter '(verdict neq benign)', then add log destinations for SNMP, Syslog, Email or HTTP as required.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|6.2,CSCv7|6.5,CSCv7|8.3,CSCv7|8.6,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " Log Forwarding Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0) or
(count(send-syslog/member) > 0) or
(count(send-email/member) > 0))\">"
xsl_stmt : " Passed - matches all criteria"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Profile Match List '' does not match all criteria"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Log Forwarding profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Passed"
type : AUDIT_XML
description : "5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time"
info : "Set the WildFire update schedule to download and install updates in real-time.
Rationale:
WildFire definitions may contain signatures to block immediate, active threats to the environment. With updates in real-time, the firewall can ensure threats with new definitions are quickly mitigated."
solution : "Navigate to Device > Dynamic Updates > WildFire Update Schedule.
Set Recurrence to Real-time.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|3.4,CSCv7|3.5,CSCv8|10.2,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - WildFire Update Schedule is set for realtime."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - WildFire Update schedule not set appropriately."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "5.1 Ensure that WildFire file size upload limits are maximized"
info : "The default file size limits on the firewall are designed to include the majority of malware in the wild (which is smaller than the default size limits) and to exclude large files that are very unlikely to be malicious and that can impact WildFire file-forwarding capacity.
Rationale:
Because the firewall has a specific capacity reserved to forward files for WildFire analysis, forwarding high numbers of large files can cause the firewall to skip forwarding of some files. This condition occurs when the maximum file size limits are configured for a file type that is traversing the firewall at a high rate. In this case, a potentially malicious file might not get forwarded for WildFire analysis. Consider this possible condition if you would like to increase the size limit for files other than PEs beyond their default size limit.
Impact:
Using larger file filtering can cause the system to skip files in the event multiple larger files are sent."
solution : "Navigate to Device > Setup > WildFire.
Click the General Settings edit icon.
Set the maximum size for each file type to a value larger than the default: large enough to account for 'large' files, but not so large that it affects the performance of the hardware.
In PAN-OS 9.x and higher, the default file sizes for WildFire are:
pe (Portable Executable) - 16MB
apk (Android Application)- 10MB
pdf (Portable Document Format) - 3072KB
ms-office (Microsoft Office) - 16384KB
jar (Packaged Java class file) - 5MB
flash (Adobe Flash) - 5MB
MacOSX (DMG/MAC-APP/MACH-O PKG files) - 10MB
archive (RAR and 7z files) - 50MB
linux (ELF files) - 50MB
script (JScript, VBScript, PowerShell, and Shell Script)- 20KB
In PAN-OS 9.x and higher, the maximum file sizes for Wildfire are:
pe (Portable Executable) - 50MB
apk (Android Application)- 50MB
pdf (Portable Document Format) - 51200KB
ms-office (Microsoft Office) - 51200KB
jar (Packaged Java class file) - 20MB
flash (Adobe Flash) - 10MB
MacOSX (DMG/MAC-APP/MACH-O PKG files) - 50MB
archive (RAR and 7z files) - 50MB
linux (ELF files) - 50MB
script (JScript, VBScript, PowerShell, and Shell Script)- 4096KB
Default Value:
In PAN-OS 9.x, the default file sizes for WildFire are:
pe (Portable Executable) - 16MB
apk (Android Application)- 10MB
pdf (Portable Document Format) - 3072KB
ms-office (Microsoft Office) - 16384KB
jar (Packaged Java class file) - 5MB
flash (Adobe Flash) - 5MB
MacOSX (DMG/MAC-APP/MACH-O PKG files) - 10MB
archive (RAR and 7z files) - 50MB
linux (ELF files) - 50MB
script (JScript, VBScript, PowerShell, and Shell Script)- 20KB"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - pe is greater than or equal to 16: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - pe is less than 16: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - apk is greater than or equal to 10: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - apk is less than 10: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - pdf is greater than or equal to 3072: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - pdf is less than 3072: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - ms-office is greater than or equal to 16384: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - ms-office is less than 16384: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - jar is greater than or equal to 5: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - jar is less than 5: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - flash is greater than or equal to 5: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - flash is less than 5: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - MacOSX is greater than or equal to 10: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - MacOSX is less than 10: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - archive is greater than or equal to 50: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - archive is less than 50: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - linux is greater than or equal to 50: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - linux is less than 50: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - script is greater than or equal to 20: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - script is less than 20: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Wildfire file limit sizes set to default"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "5.2 Ensure a WildFire Analysis profile is enabled for all security policies"
info : "Ensure that all files traversing the firewall are inspected by WildFire by setting a Wildfire file blocking profile on all security policies.
Rationale:
Traffic matching security policies that do not include a WildFire file blocking profile will not utilize WildFire for file analysis. Wildfire analysis is one of the key security measures available on this platform. Without Wildfire analysis enabled, inbound malware can only be analyzed by signature - which industry wide is roughly 40-60% effective. In a targeted attack, the success of signature-based-only analysis drops even further."
solution : "To Set File Blocking Profile:
Navigate to Objects > Security Profiles > WildFire Analysis Profile.
Create a WildFire profile that has 'Application Any', 'File Types Any', and 'Direction Both'.
To Set WildFire Analysis Rules:
Navigate to Policies > Security.
For each Security Policy Rule where the action is 'Allow', Navigate to Actions > Profile Setting > WildFire Analysis and set a WildFire Analysis profile.
Group Profiles can also be used. To take this approach:
Navigate to Objects > Security Profile Groups. Create a Security Profile Group, and ensure that (among other settings) the Wildfire Analysis Profile is set to the created profile.
Navigate to Policies > Security. For each Security Policy Rule where the action is 'Allow', Navigate to Actions > Profile Setting. Modify the Profile Type to Group, and set the Group Profile to the created Security Profile Group.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Security policy with action 'allow': "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - WildFire Profile set: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0\">"
xsl_stmt : " Passed - Group with WildFire set: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Group does not have WildFire set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - WildFire Profile not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Security Policies found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "5.3 Ensure forwarding of decrypted content to WildFire is enabled"
info : "Allow the firewall to forward decrypted content to WildFire. Note that SSL Forward-Proxy must also be enabled and configured for this setting to take effect on inside-to-outside traffic flows.
Rationale:
As encrypted Internet traffic continues to proliferate, WildFire becomes less effective unless it is allowed to act on decrypted content. For example, if a user downloads a malicious pdf over SSL, WildFire can only provide analysis if 1) the session is decrypted by the firewall and 2) forwarding of decrypted content is enabled. In today's internet, roughly 70-80% of all user traffic is encrypted. If Wildfire is not configured to analyze encrypted content, the effectiveness of Wildfire is drastically reduced."
solution : "Navigate to Device > Setup > Content-ID > Content-ID Settings.
Set Allow forwarding of decrypted content to be checked.
Note that SSL Forward Proxy must be configured for this setting to be effective.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53|SI-16,800-53r5|SI-3,800-53r5|SI-16,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv7|12.9,CSCv7|12.10,CSCv8|10.1,CSCv8|10.5,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,ITSG-33|SI-16,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - 'Allow forwarding of decrypted content' is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - 'Allow forwarding of decrypted content' is not enabled"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "5.4 Ensure all WildFire session information settings are enabled"
info : "Enable all options under Session Information Settings for WildFire.
Rationale:
Permitting the firewall to send all of this information to WildFire creates more detailed reports, thereby making the process of tracking down potentially infected devices more efficient. This could prevent an infected system from further infecting the environment. Environments with security policies restricting sending this data to the WildFire cloud can instead utilize an on-premises WildFire appliance. In addition, risk can be analyzed in the context of the destination host and user account, either during analysis or during incident response."
solution : "Navigate to Device > Setup > WildFire > Session Information Settings.
Set every option to be enabled.
Default Value:
All Session Information Settings are enabled by default. These include:
Source IP
Source port
Destination IP
Destination port
Virtual System
Application
User
URL
File name
Email sender
Email recipient
Email subject"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|6.2,CSCv7|8.6,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Source IP"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Source IP"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Email Subject"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Email Subject"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Email Recipient"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Email Recipient"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Email Sender"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Email Sender"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - File name"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - File name"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - URL"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - URL"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Application"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Application"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - User"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - User"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Virtual System"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Virtual System"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Destination Port"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Destination Port"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Destination IP"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Destination IP"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Source Port"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Source Port"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - All 'WildFire Session Information Settings' appear to be enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Wildfire enabled by default"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "5.5 Ensure alerts are enabled for malicious files detected by WildFire"
info : "Configure WildFire to send an alert when a malicious or greyware file is detected. This alert could be sent by whichever means is preferable, including email, SNMP trap, or syslog message.
Alternatively, configure the WildFire cloud to generate alerts for malicious files. The cloud can generate alerts in addition to or instead of the local WildFire implementation. Note that the destination email address of alerts configured in the WildFire cloud portal is tied to the logged in account, and cannot be modified. Also, new systems added to the WildFire cloud portal will not be automatically set to email alerts.
Rationale:
WildFire analyzes files that have already been downloaded and possibly executed. A WildFire verdict of malicious indicates that a computer could already be infected. In addition, because WildFire only analyzes files it has not already seen that were not flagged by the firewall's antivirus filter, files deemed malicious by WildFire are more likely to evade detection by desktop antivirus products."
solution : "From GUI, configure some combination of the following Server Profiles:
Configure the Email Server:
Select Device > Server Profiles > Email
Click Add
Enter a name for the Profile.
Select the virtual system from the Location drop down menu (if applicable)
Click Add
Configure the Syslog Server:
Select Device > Server Profiles > Syslog > Add
Enter Name, Display Name, Syslog Server, Transport, Port, Format, Facility
Click OK
Click Commit to save the configuration
Configure the SMTP Server:
Select Device > Server Profiles > Email
Select Add, Name, Display Name, From, To, Additional Recipients, Gateway IP or Hostname
Click OK
Click Commit to save the configuration
Navigate to Objects, Log Forwarding
Choose Add, set the log type to 'wildfire', add the filter '(verdict neq benign)', then add log destinations for SNMP, Syslog, Email or HTTP as required.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|6.2,CSCv7|6.5,CSCv7|8.3,CSCv7|8.6,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Log Forwarding Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0) or
(count(send-syslog/member) > 0) or
(count(send-email/member) > 0))\">"
xsl_stmt : " Passed - matches all criteria"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Profile Match List '' does not match all criteria"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Log Forwarding profiles found"
xsl_stmt : ""
regex : ".*"
expect : "Passed"
type : AUDIT_XML
description : "5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time"
info : "Set the WildFire update schedule to download and install updates in real-time.
Rationale:
WildFire definitions may contain signatures to block immediate, active threats to the environment. With updates in real-time, the firewall can ensure threats with new definitions are quickly mitigated."
solution : "Navigate to Device > Dynamic Updates > WildFire Update Schedule.
Set Recurrence to Real-time.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|3.4,CSCv7|3.5,CSCv8|10.2,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - WildFire Update Schedule is set for realtime."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - WildFire Update schedule not set appropriately."
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled"
info : "Enable 'Advanced WildFire Inline Cloud Analysis' on Wildfire profiles and forward PE files for analysis. Palo Alto Networks Advanced WildFire operates a series of cloud-based ML detection engines that provide inline analysis of PE (portable executable) files traversing your network to detect and prevent advanced malware in real-time.
Rationale:
Advanced WildFire Inline Cloud Analysis uses a lightweight forwarding mechanism on the firewall to minimize performance impact. The cloud-based ML models are updated seamlessly, to address the ever-changing threat landscape without requiring content updates or feature release support.
Advanced WildFire Inline Cloud Analysis is enabled and configured through the WildFire Analysis profile and requires PAN-OS 11.1 or later with an active Advanced WildFire license.
As of PAN-OS 11.1, only PE file type is supported."
solution : "Navigate to Objects > Security Profiles > Wildfire
On the relevant Wildfire profile, check the Enable cloud inline analysis box.
On the Inline cloud analysis tab, configure a rule to forward files with the following settings:
Application set to Any
File Type set to PE
Direction set to Both
Action set to Block
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1M,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - Inline Cloud Analysis on - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Inline Cloud Analysis on - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - Application - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Application - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - File Type - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - File Type - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - Direction - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Direction - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - Action - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Action - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Not Configured"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Fail"
type : AUDIT_XML
description : "5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled"
info : "Enable 'Advanced WildFire Inline Cloud Analysis' on Wildfire profiles and forward PE files for analysis. Palo Alto Networks Advanced WildFire operates a series of cloud-based ML detection engines that provide inline analysis of PE (portable executable) files traversing your network to detect and prevent advanced malware in real-time.
Rationale:
Advanced WildFire Inline Cloud Analysis uses a lightweight forwarding mechanism on the firewall to minimize performance impact. The cloud-based ML models are updated seamlessly, to address the ever-changing threat landscape without requiring content updates or feature release support.
Advanced WildFire Inline Cloud Analysis is enabled and configured through the WildFire Analysis profile and requires PAN-OS 11.1 or later with an active Advanced WildFire license.
As of PAN-OS 11.1, only PE file type is supported."
solution : "Navigate to Objects > Security Profiles > Wildfire
On the relevant Wildfire profile, check the Enable cloud inline analysis box.
On the Inline cloud analysis tab, configure a rule to forward files with the following settings:
Application set to Any
File Type set to PE
Direction set to Both
Action set to Block
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1M,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - Inline Cloud Analysis on - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Inline Cloud Analysis on - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - Application - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Application - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - File Type - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - File Type - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - Direction - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Direction - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Pass - Action - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Action - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Fail - Not Configured"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Fail"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'"
info : "Configure antivirus profiles to a value of 'reset-both' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.
Rationale:
Antivirus signatures produce low false positives. By blocking any detected malware through the specified decoders, the threat of malware propagation through the firewall is greatly reduced. It is recommended to mitigate malware found in pop3 and imap through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall is not able to block only a single email message containing malware. Instead, the entire session would be terminated, potentially affecting benign email messages."
solution : "Navigate to Objects > Security Profiles > Antivirus.
Set antivirus profiles to have all decoders set to reset-both for both Action and Wildfire Action. If imap and pop3 are required in the organization, set the imap and pop3 decoders to alert for both Action and Wildfire Action.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Security Profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Security Profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Security Policies with Antivirus profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "6.2 Ensure a secure antivirus profile is applied to all relevant security policies"
info : "Create a secure antivirus profile and apply it to all security policies that could pass HTTP, SMTP, IMAP, POP3, FTP, or SMB traffic. The antivirus profile may be applied to the security policies directly or through a profile group.
Rationale:
By applying a secure antivirus profile to all applicable traffic, the threat of malware propagation through the firewall is greatly reduced. Without an antivirus profile assigned to any potential hostile zone, the first protection in the path against malware is removed, leaving in most cases only the desktop endpoint protection application to detect and remediate any potential malware.
Impact:
Not having an AV Profile on a Security Policy allows signature-based malware to transit the security boundary without blocks or alerts. In most cases this leaves only the Endpoint Security application to block or alert malware."
solution : "Navigate to Policies > Security.
For each policy, navigate to [Policy Name] > Actions
Set an Antivirus profile or a Profile Group containing an AV profile for each security policy passing traffic - regardless of protocol.
Default Value:
No Antivirus Profiles are enabled on any default or new Security Policy"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1M,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: Shared"
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a virus profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/virus/member) = 0))\">"
xsl_stmt : "Failed - Security Policy '' does not have a virus profile assigned to the group."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)\">"
xsl_stmt : "Passed - Security Policy '' using antivirus profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/virus/member) > 0))\">"
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a virus profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/virus/member) = 0))\">"
xsl_stmt : "Failed - Security Policy '' does not have a virus profile assigned to the group."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)\">"
xsl_stmt : "Passed - Security Policy '' using antivirus profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/virus/member) > 0))\">"
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats"
info : "If a single rule exists within the anti-spyware profile, configure it to block on any spyware severity level, any category, and any threat. If multiple rules exist within the anti-spyware profile, ensure all spyware categories, threats, and severity levels are set to be blocked. Additional rules may exist for packet capture or exclusion purposes.
Rationale:
Requiring a blocking policy for all spyware threats, categories, and severities reduces the risk of spyware traffic from successfully exiting the organization. Without an anti-spyware profile assigned to any potential hostile zone, the first protection in the path against malware is removed, leaving in most cases only the desktop endpoint protection application to detect and remediate any potential spyware."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware.
Set a rule within the anti-spyware profile that is configured to perform the reset-both on any Severity level, any Category, and any Threat Name.
Default Value:
Two Anti-Spyware Security Profiles are configured by default 'strict' and 'default'."
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Anti-Spyware Profile '', using rule '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Anti-Spyware Profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Signature Source Sinkhole"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Anti-Spyware Profile '', using DNS Signature Source Sinkhole for 'default-paloalto-dns'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Anti-Spyware Profile '' does not have DNS Signature Source Sinkhole set for 'default-paloalto-dns'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Security Policies"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Sinkhole"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Anti-Spyware Profile '', using DNS Sinkhole 'IPv4 - ', 'IPv6 - '."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Anti-Spyware Profile '' does not have DNS Sinkholing set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use"
info : "Configure DNS sinkholing for all anti-spyware profiles in use. All internal requests to the selected sinkhole IP address must traverse the firewall. Any device attempting to communicate with the DNS sinkhole IP address should be considered infected.
Rationale:
DNS sinkholing helps to identify infected clients by spoofing DNS responses for malware domain queries. Without sinkholing, the internal DNS resolver that forwards the query is the source the firewall sees and may itself appear to be infected, while the truly infected device remains unidentified. In addition, sinkholing also ensures that DNS queries that might be indicators of compromise do not transit the internet, where they could be potentially used to negatively impact the 'IP reputation' of the organization's internet network subnets."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware.
Within each anti-spyware profile, under its DNS Policies tab, set the Signature Source List:
default-paloalto-dns should have as its Policy Action set to sinkhole
If licensed, the DNS Security should have as its Policy Action set to sinkhole
Verify the 'Sinkhole IPv4' address is correct. This should be set to sinkhole.paloaltonetworks.com (the Palo Alto Networks default), or if an internal sinkhole host is used then that host's IP or FQDN should be in that field. Whichever address is used, it must be one whose traffic traverses the firewall so that the infected client's connection attempts are logged.
Verify the 'Sinkhole IPv6' IP address is correct. This should be set to IPv6 Loopback IP (::1), or if an internal DNS Sinkhole host is set then that host IP or FQDN should be in that field
Navigate to Policies > Security Policies
For each outbound security Policy, in the Actions tab, set the Anti-Spyware setting to include the Spyware Profile created, either explicitly or as a Group Profile
Default Value:
Not Configured"
reference : "800-171|3.14.6,800-171|3.14.7,800-53|SI-4,800-53r5|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CSCv7|8.3,CSCv7|8.7,CSCv8|10.7,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.DS-5,CSF|PR.IP-8,CSF|RS.AN-1,CSF|RS.CO-3,CSF2.0|DE.AE-02,CSF2.0|DE.AE-03,CSF2.0|DE.CM-01,CSF2.0|DE.CM-06,CSF2.0|DE.CM-09,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|SI-4,LEVEL|1A,NESA|M1.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'"
info : "Configure antivirus profiles to a value of 'reset-both' for all decoders except imap and pop3 under both Action and WildFire Action. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.
Rationale:
Antivirus signatures produce few false positives. By blocking any detected malware through the specified decoders, the threat of malware propagation through the firewall is greatly reduced. It is recommended to mitigate malware found in pop3 and imap through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall is not able to block only a single email message containing malware. Instead, the entire session would be terminated, potentially affecting benign email messages."
solution : "Navigate to Objects > Security Profiles > Antivirus.
Set antivirus profiles to have all decoders set to reset-both for both Action and Wildfire Action. If imap and pop3 are required in the organization, set the imap and pop3 decoders to alert for both Action and Wildfire Action.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Security Policies with Antivirus profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.2 Ensure a secure antivirus profile is applied to all relevant security policies"
info : "Create a secure antivirus profile and apply it to all security policies that could pass HTTP, SMTP, IMAP, POP3, FTP, or SMB traffic. The antivirus profile may be applied to the security policies directly or through a profile group.
Rationale:
By applying a secure antivirus profile to all applicable traffic, the threat of malware propagation through the firewall is greatly reduced. Without an antivirus profile assigned to any potential hostile zone, the first protection in the path against malware is removed, leaving in most cases only the desktop endpoint protection application to detect and remediate any potential malware.
Impact:
Not having an AV Profile on a Security Policy allows malware that signatures would detect to transit the security boundary without being blocked or alerted on. In most cases this leaves only the Endpoint Security application to block or alert on malware."
solution : "Navigate to Policies > Security.
For each policy, navigate to [Policy Name] > Actions
Set an Antivirus profile or a Profile Group containing an AV profile for each security policy passing traffic - regardless of protocol.
Default Value:
No Antivirus Profiles are enabled on any default or new Security Policy"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1M,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a virus profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' using group '' does not have an antivirus profile."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Policy '' using antivirus profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' using antivirus profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats"
info : "If a single rule exists within the anti-spyware profile, configure it to block on any spyware severity level, any category, and any threat. If multiple rules exist within the anti-spyware profile, ensure all spyware categories, threats, and severity levels are set to be blocked. Additional rules may exist for packet capture or exclusion purposes.
Rationale:
Requiring a blocking policy for all spyware threats, categories, and severities reduces the risk of spyware traffic from successfully exiting the organization. Without an anti-spyware profile assigned to any potential hostile zone, the first protection in the path against malware is removed, leaving in most cases only the desktop endpoint protection application to detect and remediate any potential spyware."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware.
Set a rule within the anti-spyware profile that is configured to perform the reset-both on any Severity level, any Category, and any Threat Name.
Default Value:
Two Anti-Spyware Security Profiles are configured by default 'strict' and 'default'."
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Anti-Spyware Profile '', using rule '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Anti-Spyware Profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Signature Source Sinkhole"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Anti-Spyware Profile '', using DNS Signature Source Sinkhole for 'default-paloalto-dns'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Anti-Spyware Profile '' does not have DNS Signature Source Sinkhole set for 'default-paloalto-dns'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Security Policies"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Sinkhole"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Anti-Spyware Profile '', using DNS Sinkhole 'IPv4 - ', 'IPv6 - '."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Anti-Spyware Profile '' does not have DNS Sinkholing set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
description : "6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use"
info : "Configure DNS sinkholing for all anti-spyware profiles in use. All internal requests to the selected sinkhole IP address must traverse the firewall. Any device attempting to communicate with the DNS sinkhole IP address should be considered infected.
Rationale:
DNS sinkholing helps to identify infected clients by spoofing DNS responses for malware domain queries. Without sinkholing, the internal DNS resolver that forwards the query is the source the firewall sees and may itself appear to be infected, while the truly infected device remains unidentified. In addition, sinkholing also ensures that DNS queries that might be indicators of compromise do not transit the internet, where they could be potentially used to negatively impact the 'IP reputation' of the organization's internet network subnets."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware.
Within each anti-spyware profile, under its DNS Policies tab, set the Signature Source List:
default-paloalto-dns should have as its Policy Action set to sinkhole
If licensed, the DNS Security should have as its Policy Action set to sinkhole
Verify the 'Sinkhole IPv4' address is correct. This should be set to sinkhole.paloaltonetworks.com (the Palo Alto Networks default), or if an internal sinkhole host is used then that host's IP or FQDN should be in that field. Whichever address is used, it must be one whose traffic traverses the firewall so that the infected client's connection attempts are logged.
Verify the 'Sinkhole IPv6' IP address is correct. This should be set to IPv6 Loopback IP (::1), or if an internal DNS Sinkhole host is set then that host IP or FQDN should be in that field
Navigate to Policies > Security Policies
For each outbound security Policy, in the Actions tab, set the Anti-Spyware setting to include the Spyware Profile created, either explicitly or as a Group Profile
Default Value:
Not Configured"
reference : "800-171|3.14.6,800-171|3.14.7,800-53|SI-4,800-53r5|SI-4,CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CSCv7|8.3,CSCv7|8.7,CSCv8|10.7,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.DS-5,CSF|PR.IP-8,CSF|RS.AN-1,CSF|RS.CO-3,CSF2.0|DE.AE-02,CSF2.0|DE.AE-03,CSF2.0|DE.CM-01,CSF2.0|DE.CM-06,CSF2.0|DE.CM-09,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|SI-4,LEVEL|1A,NESA|M1.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet"
info : "Create one or more anti-spyware profiles and collectively apply them to all security policies permitting traffic to the Internet. The anti-spyware profiles may be applied to the security policies directly or through a profile group.
Rationale:
By applying secure anti-spyware profiles to all applicable traffic, the threat of sensitive data exfiltration or command-and-control traffic successfully passing through the firewall is greatly reduced. Anti-spyware profiles are not restricted to particular protocols like antivirus profiles, so anti-spyware profiles should be applied to all security policies permitting traffic to the Internet. Assigning an anti-spyware profile to each trusted zone will quickly and easily identify trusted hosts that have been infected with spyware, by identifying the infection from their outbound network traffic. In addition, that outbound network traffic will be blocked by the profile."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware.
Also navigate to Policies > Security.
Set one or more anti-spyware profiles to collectively apply to all inside to outside traffic from any address to any address and any application and service.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: Shared"
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a spyware profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/spyware/member) = 0))\">"
xsl_stmt : "Failed - Security Policy '' does not have a spyware profile assigned to the group."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)\">"
xsl_stmt : "Passed - Security Policy '' using spyware profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/spyware/member) > 0))\">"
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a spyware profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/spyware/member) = 0))\">"
xsl_stmt : "Failed - Security Policy '' does not have a spyware profile assigned to the group."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)\">"
xsl_stmt : "Passed - Security Policy '' using spyware profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/spyware/member) > 0))\">"
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities"
info : "Configure a Vulnerability Protection Profile set to block attacks against any critical or high vulnerabilities, at minimum, and set to default on any medium, low, or informational vulnerabilities. Configuring an alert action for low and informational, instead of default, will produce additional information at the expense of greater log utilization.
Rationale:
A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking, network attacks. The default action for attacks against many critical and high vulnerabilities is to only alert on the attack - not to block.
Impact:
Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked."
solution : "Navigate to Objects > Security Profiles > Vulnerability Protection.
Set a Vulnerability Protection Profile to block attacks against any critical or high vulnerabilities (minimum), and to default on attacks against any medium, low, or informational vulnerabilities.
Default Value:
Two Vulnerability Protection Profiles are configured by default - 'strict' and 'default'."
reference : "800-171|3.11.2,800-171|3.11.3,800-53|RA-5,800-53r5|RA-5,CSCv7|12.7,CSCv8|7.5,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.7.1,PCI-DSSv3.2.1|6.1,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Vulnerability Profile '' is set to block/reset-both both critical and high severity levels."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Vulnerability Profile '' does not meet the critical and high severity criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Vulnerability Profile '' is set to default on medium, low, and informational severity levels."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Vulnerability Profile '' does not meet the medium, low, and informational severity criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Vulnerability Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic"
info : "For any security rule allowing traffic, apply a securely configured Vulnerability Protection Profile. Careful analysis of the target environment should be performed before implementing this configuration, as outlined by PAN's 'Threat Prevention Deployment Tech Note' in the references section.
Rationale:
A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking network attacks. By applying a secure Vulnerability Protection Profile to all security rules permitting traffic, all network traffic traversing the firewall will be inspected for attacks. This protects both organizational assets from attack and organizational reputation from damage.
Note that encrypted sessions (for example TLS or SSH) that are not decrypted by a Decryption policy cannot be fully inspected; the profile only protects the traffic the firewall can see in cleartext.
Impact:
Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked."
solution : "Navigate to Policies > Security.
For each Policy, under the Actions tab, select Vulnerability Protection.
Set it to use either the 'Strict' or the 'Default' profile, or a custom profile that complies with the organization's policies, legal and regulatory requirements.
Default Value:
Not Configured"
reference : "800-171|3.11.2,800-171|3.11.3,800-53|RA-5,800-53r5|RA-5,CSCv7|3.1,CSCv8|7.5,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.7.1,PCI-DSSv3.2.1|6.1,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: Shared"
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a vulnerability profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/vulnerability/member) = 0))\">"
xsl_stmt : "Failed - Security Policy '' does not have a vulnerability profile assigned to the group."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)\">"
xsl_stmt : "Passed - Security Policy '' using vulnerability profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/vulnerability/member) > 0))\">"
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a vulnerability profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/vulnerability/member) = 0))\">"
xsl_stmt : "Failed - Security Policy '' does not have a vulnerability profile assigned to the group."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " 0)\">"
xsl_stmt : "Passed - Security Policy '' using vulnerability profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : " 0)
and
(count(/response/result/config/shared/profile-group/entry[@name=$policy]/vulnerability/member) > 0))\">"
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.8 Ensure that PAN-DB URL Filtering is used"
info : "Configure the device to use PAN-DB URL Filtering instead of BrightCloud.
Rationale:
Standard URL filtering provides protection against inappropriate and malicious URLs and IP addresses. PAN-DB URL Filtering is slightly less granular than BrightCloud URL filtering. However, the PAN-DB filter offers additional malware protection and PAN threat intelligence by using the WildFire service as an additional input, which is currently not available with the BrightCloud URL Filtering license. This makes the PAN-DB filter more responsive to specific malware 'campaigns'.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "Navigate to Device > Licenses.
Click on PAN-DB URL Filtering.
Set Active to Yes.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv7|7.5,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - URL Filtering is PAN-DB"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - URL Filtering is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories"
info : "Ideally, deciding which URL categories to block, and which to allow, is a joint effort between IT and another entity of authority within an organization, such as the legal department or administration. For most organizations, blocking or requiring an override on the following categories represents a minimum baseline: adult, hacking, command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Some organizations may add 'unknown' and 'dynamic-dns' to this list, at the expense of some support calls on those topics.
Rationale:
Certain URL categories pose a technology-centric threat, such as command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Users visiting websites in these categories, many times unintentionally, are at greater risk of compromising the security of their system. Other categories, such as adult, may pose a legal liability and will be blocked for those reasons.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "Navigate to Objects > Security Profiles > URL Filtering.
Set a URL filter so that all URL categories designated by the organization are listed.
Navigate to the Actions tab.
Set the action to Block.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv7|7.5,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " URL Filtering Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Blocked item: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No items set to block"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet"
info : "Create one or more anti-spyware profiles and collectively apply them to all security policies permitting traffic to the Internet. The anti-spyware profiles may be applied to the security policies directly or through a profile group.
Rationale:
By applying secure anti-spyware profiles to all applicable traffic, the threat of sensitive data exfiltration or command-and-control traffic successfully passing through the firewall is greatly reduced. Anti-spyware profiles are not restricted to particular protocols like antivirus profiles, so anti-spyware profiles should be applied to all security policies permitting traffic to the Internet. Assigning an anti-spyware profile to each trusted zone will quickly and easily identify trusted hosts that have been infected with spyware, by identifying the infection from their outbound network traffic. In addition, that outbound network traffic will be blocked by the profile."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware.
Also navigate to Policies > Security.
Set one or more anti-spyware profiles to collectively apply to all inside to outside traffic from any address to any address and any application and service.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a spyware profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' using group '' does not have a spyware profile."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Policy '' using spyware profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' using spyware profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities"
info : "Configure a Vulnerability Protection Profile set to block attacks against any critical or high vulnerabilities, at minimum, and set to default on any medium, low, or informational vulnerabilities. Configuring an alert action for low and informational, instead of default, will produce additional information at the expense of greater log utilization.
Rationale:
A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking, network attacks. The default action for attacks against many critical and high vulnerabilities is to only alert on the attack - not to block.
Impact:
Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked."
solution : "Navigate to Objects > Security Profiles > Vulnerability Protection.
Set a Vulnerability Protection Profile to block attacks against any critical or high vulnerabilities (minimum), and to default on attacks against any medium, low, or informational vulnerabilities.
Default Value:
Two Vulnerability Protection Profiles are configured by default - 'strict' and 'default'."
reference : "800-171|3.11.2,800-171|3.11.3,800-53|RA-5,800-53r5|RA-5,CSCv7|12.7,CSCv8|7.5,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.7.1,PCI-DSSv3.2.1|6.1,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Vulnerability Profile '' is set to block/reset-both both critical and high severity levels."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Vulnerability Profile '' does not meet the critical and high severity criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Vulnerability Profile '' is set to default on medium, low, and informational severity levels."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Vulnerability Profile '' does not meet the medium, low, and informational severity criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Vulnerability Profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic"
info : "For any security rule allowing traffic, apply a securely configured Vulnerability Protection Profile. Careful analysis of the target environment should be performed before implementing this configuration, as outlined by PAN's 'Threat Prevention Deployment Tech Note' in the references section.
Rationale:
A Vulnerability Protection Profile helps to protect assets by alerting on, or blocking, network attacks. By applying a secure Vulnerability Protection Profile to all security rules permitting traffic, all network traffic traversing the firewall will be inspected for attacks. This protects both organizational assets from attack and organizational reputation from damage.
Note that encrypted sessions do not allow for complete inspection.
Impact:
Not configuring a Vulnerability Protection Profile means that network attacks will not be logged, alerted on or blocked."
solution : "Navigate to Policies > Security.
For each Policy, under the Actions tab, select Vulnerability Protection.
Set it to use either the 'Strict' or the 'Default' profile, or a custom profile that complies with the organization's policies, legal and regulatory requirements.
Default Value:
Not Configured"
reference : "800-171|3.11.2,800-171|3.11.3,800-53|RA-5,800-53r5|RA-5,CSCv7|3.1,CSCv8|7.5,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.7.1,PCI-DSSv3.2.1|6.1,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' does not have a vulnerability profile or group assigned."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Policy '' using group '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' using group '' does not have a vulnerability profile."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Policy '' using vulnerability profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Policy '' using vulnerability profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.8 Ensure that PAN-DB URL Filtering is used"
info : "Configure the device to use PAN-DB URL Filtering instead of BrightCloud.
Rationale:
Standard URL filtering provides protection against inappropriate and malicious URLs and IP addresses. PAN-DB URL Filtering is slightly less granular than the BrightCloud URL filtering. However the PAN-DB Filter offers additional malware protection and PAN threat intelligence by using the Wildfire service as an additional input, which is currently not available in the BrightCloud URL Filtering license. This makes the PAN-DB filter more responsive to specific malware 'campaigns'.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "Navigate to Device > Licenses.
Click on PAN-DB URL Filtering.
Set Active to Yes.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv7|7.5,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - URL Filtering is PAN-DB"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - URL Filtering is ''"
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
expect : "Passed"
type : AUDIT_XML
description : "6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories"
info : "Ideally, deciding which URL categories to block, and which to allow, is a joint effort between IT and another entity of authority within an organization, such as the legal department or administration. For most organizations, blocking or requiring an override on the following categories represents a minimum baseline: adult, hacking, command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Some organizations may add 'unknown' and 'dynamic-dns' to this list, at the expense of some support calls on those topics.
Rationale:
Certain URL categories pose a technology-centric threat, such as command-and-control, copyright-infringement, extremism, malware, phishing, proxy-avoidance-and-anonymizers, and parked. Users visiting websites in these categories, many times unintentionally, are at greater risk of compromising the security of their system. Other categories, such as adult, may pose a legal liability and will be blocked for those reasons.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "Navigate to Objects > Security Profiles > URL Filtering.
Set a URL filter so that all URL categories designated by the organization are listed.
Navigate to the Actions tab.
Set the action to Block.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv7|7.5,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "URL Filtering Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Blocked item: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No items set to block"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No URL Filtering profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "6.10 Ensure that access to every URL is logged"
info : "URL filters should not specify any categories as Allow Categories.
Rationale:
Setting a URL filter to have one or more entries under Allow Categories will cause no log entries to be produced in the URL Filtering logs for access to URLs in those categories. For forensic, legal, and HR purposes, it is advisable to log access to every URL. In many cases failure to log all URL access is a violation of corporate policy, legal requirements or regulatory requirements.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "Navigate to Objects > Security Profiles > URL Filtering.
For each permitted category, set the Site Access action to alert.
Default Value:
A default URL Filtering Security Profile is configured, with the following categories set to 'block': abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons. 3 categories are set to alert in the default policy, and 58 categories are set to allow (which means they are not logged)."
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.13.1,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53|SC-7(3),800-53|SC-7(4),800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CN-L3|8.1.10.6(j),CSCv7|6.2,CSCv7|6.3,CSCv7|7.6,CSCv8|8.5,CSCv8|9.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.AC-5,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T3.6.2,NESA|T4.5.4,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|1.1,SWIFT-CSCv1|6.4,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " URL Filtering Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Alerted item: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No items set to alert"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Log Container Page"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - URL Filtering Policy '', Log Container Page is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - URL Filtering Policy '', Log Container Page is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "User-Agent"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - URL Filtering Policy '', HTTP Header Logging User-Agent is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - URL Filtering Policy '', HTTP Header Logging User-Agent is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Referer"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - URL Filtering Policy '', HTTP Header Logging Referer is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - URL Filtering Policy '', HTTP Header Logging Referer is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "X-Forwarded-For"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - URL Filtering Policy '', HTTP Header Logging X-Forwarded-For is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - URL Filtering Policy '', HTTP Header Logging X-Forwarded-For is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "6.11 Ensure all HTTP Header Logging options are enabled"
info : "Enable all options (User-Agent, Referer, and X-Forwarded-For) for HTTP header logging.
Rationale:
Logging HTTP header information provides additional information in the URL logs, which may be useful during forensic investigations. The User-Agent option logs which browser was used during the web session, which could provide insight to the vector used for malware retrieval. The Referer option logs the source webpage responsible for referring the user to the logged webpage. The X-Forwarded-For option is useful for preserving the user's source IP address, such as if a user traverses a proxy server prior to the firewall. Un-checking the Log container page only box produces substantially more information about web activity, with the expense of producing far more entries in the URL logs. If this option remains checked, a URL filter log entry showing details of a malicious file download may not exist.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "Navigate to Objects > Security Profiles > URL Filtering > URL Filtering Profile > URL Filtering Settings.
Set the following four settings:
a. Log container page only box is un-checked
b. Check the User-Agent box
c. Check the Referer box
d. Check the X-Forwarded-For box
Default Value:
Not Configured"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.13.1,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53|SC-7(3),800-53|SC-7(4),800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CN-L3|8.1.10.6(j),CSCv7|6.2,CSCv7|6.3,CSCv7|7.6,CSCv8|8.5,CSCv8|9.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.AC-5,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T3.6.2,NESA|T4.5.4,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|1.1,SWIFT-CSCv1|6.4,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "6.10 Ensure that access to every URL is logged"
info : "URL filters should not specify any categories as Allow Categories.
Rationale:
Setting a URL filter to have one or more entries under Allow Categories will cause no log entries to be produced in the URL Filtering logs for access to URLs in those categories. For forensic, legal, and HR purposes, it is advisable to log access to every URL. In many cases failure to log all URL access is a violation of corporate policy, legal requirements or regulatory requirements.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "Navigate to Objects > Security Profiles > URL Filtering.
For each permitted category, set the Site Access action to alert.
Default Value:
A default URL Filtering Security Profile is configured, with the following categories set to 'block': abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons. 3 categories are set to alert in the default policy, and 58 categories are set to allow (which means they are not logged)."
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.13.1,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53|SC-7(3),800-53|SC-7(4),800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CN-L3|8.1.10.6(j),CSCv7|6.2,CSCv7|6.3,CSCv7|7.6,CSCv8|8.5,CSCv8|9.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.AC-5,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T3.6.2,NESA|T4.5.4,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|1.1,SWIFT-CSCv1|6.4,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "URL Filtering Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Alerted item: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No items set to alert"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No URL Filtering profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Log Container Page"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - URL Filtering Policy '', Log Container Page is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - URL Filtering Policy '', Log Container Page is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No URL Filtering profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "User-Agent"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - URL Filtering Policy '', HTTP Header Logging User-Agent is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - URL Filtering Policy '', HTTP Header Logging User-Agent is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No URL Filtering profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "Referer"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - URL Filtering Policy '', HTTP Header Logging Referer is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - URL Filtering Policy '', HTTP Header Logging Referer is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No URL Filtering profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "X-Forwarded-For"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - URL Filtering Policy '', HTTP Header Logging X-Forwarded-For is enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - URL Filtering Policy '', HTTP Header Logging X-Forwarded-For is not enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No URL Filtering profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
description : "6.11 Ensure all HTTP Header Logging options are enabled"
info : "Enable all options (User-Agent, Referer, and X-Forwarded-For) for HTTP header logging.
Rationale:
Logging HTTP header information provides additional information in the URL logs, which may be useful during forensic investigations. The User-Agent option logs which browser was used during the web session, which could provide insight to the vector used for malware retrieval. The Referer option logs the source webpage responsible for referring the user to the logged webpage. The X-Forwarded-For option is useful for preserving the user's source IP address, such as if a user traverses a proxy server prior to the firewall. Un-checking the Log container page only box produces substantially more information about web activity, with the expense of producing far more entries in the URL logs. If this option remains checked, a URL filter log entry showing details of a malicious file download may not exist.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "Navigate to Objects > Security Profiles > URL Filtering > URL Filtering Profile > URL Filtering Settings.
Set the following four settings:
a. Log container page only box is un-checked
b. Check the User-Agent box
c. Check the Referer box
d. Check the X-Forwarded-For box
Default Value:
Not Configured"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-171|3.13.1,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53|SC-7(3),800-53|SC-7(4),800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CN-L3|8.1.10.6(j),CSCv7|6.2,CSCv7|6.3,CSCv7|7.6,CSCv8|8.5,CSCv8|9.3,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.AC-5,CSF|PR.PT-1,CSF|PR.PT-4,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.13.1.3,ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T3.6.2,NESA|T4.5.4,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|1.1,SWIFT-CSCv1|6.4,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "6.12 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet"
info : "Apply a secure URL filtering profile to all security policies permitting traffic to the Internet. The URL Filtering profile may be applied to the security policies directly or through a profile group.
Rationale:
URL Filtering policies dramatically reduce the risk of users visiting malicious or inappropriate websites. In addition, a complete URL history log for all devices is invaluable when performing forensic analysis in the event of a security incident. Applying complete and approved URL filtering to outbound traffic is a frequent requirement in corporate policies, legal requirements or regulatory requirements.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "To Set URL Filtering:
For each Security Policy that permits traffic to the Internet, navigate to Policies > Security > [Policy Name] > Actions.
Ensure a URL Filtering profile that complies with the policies of the organization is applied, either directly or through a Profile Group, to every Security Policy that permits traffic to the public Internet.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv7|7.5,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Security policy '' is using URL Filtering profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering profile set on security policy ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Data Object"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - '' meets all criteria: Credit card, Social Security number, Social Security Numbers without dash"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Data Pattern Profile '' does not meet all criteria: Credit card, Social Security number, Social Security Numbers without dash"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Data Pattern Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Data Filtering Profile"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Data Filtering Profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Data Filtering Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "6.13 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled"
info : "This guideline is highly specific to an organization. While blocking of credit card or Social Security numbers will not occur with the recommended settings below, careful tuning is also recommended.
Rationale:
Credit card and Social Security numbers are sensitive, and should never traverse an organization's Internet connection in clear text. Passing sensitive data within an organization should also be avoided whenever possible. Detecting and blocking known sensitive information is a basic protection against a data breach or data loss. Not implementing these defenses can lead to loss of regulatory accreditation (such as PCI, HIPAA etc), or can lead to legal action from injured parties or regulatory bodies."
solution : "Navigate to Objects > Custom Objects > Data Patterns.
Create an appropriate Data Pattern that accounts for sensitive information within your organization. In most cases this will include Credit Card Numbers, and your jurisdiction's equivalent of Social Insurance Numbers. In many cases these can simply be picked from the list of Predefined Patterns.
Navigate to Objects > Security Profiles > Data Filtering.
Create appropriate Data Filtering Profile, using the created Data Patterns. Ensure that an Alert Threshold is set that generates alerts appropriately. A typical starting value for Alert Threshold is 20, but this should be adjusted after appropriate testing.
Default Value:
Not Configured"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.2,CSCv7|6.3,CSCv7|13.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "6.14 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet"
info : "Create a secure Data Filtering profile and apply it to all security policies permitting traffic to or from the Internet. The Data Filtering profile may be applied to security policies directly or through a profile group.
Rationale:
A Data Filtering profile helps prevent certain types of sensitive information from traversing an organization's Internet connection, especially in clear text. Detecting and blocking known sensitive information is a basic protection against a data breach or data loss. Not implementing these defenses can lead to loss of regulatory accreditation (such as PCI, HIPAA etc), or can lead to legal action from injured parties or regulatory bodies.
Before starting, be very aware that Data Filtering will often block data that you didn't anticipate, false positives will definitely occur. Even the prebuilt filters will frequently match on unintended data in files or websites. Work very closely with your user community to ensure that required data is blocked or alerted on, but a minimum of false positive blocks occur. As false positives occur, ensure that your user community has a clear and timely procedure to get the configuration updated."
solution : "Navigate to Objects > Custom Objects > Data Patterns. Add patterns to match the various data that you wish to monitor or make blocking decisions on.
Navigate to Objects > Security Profiles > Data Filtering
Add a Data Filtering Profile that matches the data you wish to monitor, with appropriate values for Alert Threshold (typically 20), Block Threshold (typically 0) and Log Severity.
Finally, apply the Data Filtering Profile to the relevant Security Policies.
Navigate to Policies > Security. Edit all appropriate policies, and for each Policy choose the Actions tab and add the appropriate Data Filtering Profile (either as an individual Profile or as part of a Profile Group).
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,800-53r5|CA-9,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|13.3,CSCv8|13.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Security policy '' is using Data Filtering profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Data Filtering profile set on security policy ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Data Filtering Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "6.15 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones"
info : "Enable the SYN Flood Action of SYN Cookies for all untrusted zones. The Alert, Activate, and Maximum settings for SYN Flood Protection depend highly on the environment and device used. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds. Do not rely on default values to be appropriate for an environment.
Setting these values for all zones, not only untrusted ones, is an approach that should be considered by many organizations, as traffic floods can result from internal testing or malware as well.
As a rough ballpark for most environments, an Activate value of 50% of the firewall's maximum 'New sessions per second'/CPS is a conservative setting. The following is a list of maximum new sessions per second for each platform:
PA-4xx series = 73,000 CPS
PA-8xx series = 13,100 CPS
PA-14xx series = 140,000 CPS
PA-32xx series = 84,000 CPS
PA-34xx series = 268,000 CPS
PA-52xx series = 500,000 CPS
PA-54xx series = 3,600,000 CPS
PA-70xx series = 6,000,000 CPS
Rationale:
Protecting resources and the firewall itself against DoS/DDoS attacks requires a layered approach. Firewalls alone cannot mitigate all DoS attacks, however, many attacks can be successfully mitigated. Utilizing SYN Cookies helps to mitigate SYN flood attacks, where the CPU and/or memory buffers of the victim device become overwhelmed by incomplete TCP sessions. SYN Cookies are preferred over Random Early Drop.
Impact:
Not configuring a Network Zone Protection Profile on untrusted interfaces leaves an organization exposed to common attacks and reconnaissance from those untrusted networks. Not configuring a Zone Protection Profile for internal networks leaves an organization vulnerable to malware, software or hardware causes of traffic flooding from internal sources."
solution : "From GUI:
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection tab.
Check the SYN box. Set the Action dropdown to SYN Cookies. Set Alert to 20000 (or a value appropriate for the organization). Set Activate to 50% of the maximum new sessions per second (CPS) for the firewall model listed above (the example value of 25000 must be adjusted to the platform in use). Set Maximum to 1000000 (or a value appropriate for the organization).
Navigate to Network > Zones. Open the zone facing any untrusted network, if one does not exist create it. Set Zone Protection to the Zone Protection Profile created.
Default Value:
Not Configured"
reference : "800-171|3.1.1,800-171|3.1.5,800-171|3.3.8,800-171|3.3.9,800-53|AC-2,800-53|AC-3,800-53|AC-6,800-53|AC-6(1),800-53|AC-6(7),800-53|AU-9(4),800-53r5|AC-2,800-53r5|AC-5,800-53r5|AC-6,800-53r5|AC-6(1),800-53r5|AC-6(7),800-53r5|AU-9(4),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(d),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.3(d),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|13.3,CSCv8|6.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.5,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.4,ISO/IEC-27001|A.9.4.5,ISO/IEC-27001|A.12.4.2,ITSG-33|AC-2,ITSG-33|AC-3,ITSG-33|AC-6,ITSG-33|AC-6(1),ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),LEVEL|1A,NESA|M1.1.3,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|AM28,NIAv2|AM31,NIAv2|GS3,NIAv2|GS4,NIAv2|GS8c,NIAv2|NS5j,NIAv2|SM5,NIAv2|SM6,NIAv2|SS13c,NIAv2|SS14e,NIAv2|SS15c,NIAv2|SS29,NIAv2|VL3b,PCI-DSSv3.2.1|7.1.2,PCI-DSSv3.2.1|10.5,PCI-DSSv3.2.1|10.5.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,PCI-DSSv4.0|10.3.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has TCP SYN Cookies enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' SYN cookies Alert rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' SYN cookies Alert rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' SYN cookies Activate rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' SYN cookies Activate rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' SYN cookies Maximal rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' SYN cookies Maximal rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' Flood Protection/SYN is not enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "6.12 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet"
info : "Apply a secure URL filtering profile to all security policies permitting traffic to the Internet. The URL Filtering profile may be applied to the security policies directly or through a profile group.
Rationale:
URL Filtering policies dramatically reduce the risk of users visiting malicious or inappropriate websites. In addition, a complete URL history log for all devices is invaluable when performing forensic analysis in the event of a security incident. Applying complete and approved URL filtering to outbound traffic is a frequent requirement in corporate policies, legal requirements or regulatory requirements.
Impact:
Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss."
solution : "To Set URL Filtering:
For each Security Policy that permits traffic to the Internet, navigate to Policies > Security > [Policy Name] > Actions.
Ensure a URL Filtering profile that complies with the policies of the organization is applied, either directly or through a Profile Group, to every Security Policy that permits traffic to the public Internet.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv7|7.5,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security policy '' is using URL Filtering profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No URL Filtering profile set on security policy ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No URL Filtering Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Data Object"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - '' meets all criteria: Credit card, Social Security number, Social Security Numbers without dash"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Data Pattern Profile '' does not meet all criteria: Credit card, Social Security number, Social Security Numbers without dash"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Data Pattern Profiles found"
xsl_stmt : ""
regex : ".*"
expect : "Passed"
type : AUDIT_XML
description : "Data Filtering Profile"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Data Filtering Profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Data Filtering Profiles found"
xsl_stmt : ""
regex : ".*"
expect : "Passed"
description : "6.13 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled"
info : "This guideline is highly specific to an organization. While blocking of credit card or Social Security numbers will not occur with the recommended settings below, careful tuning is also recommended.
Rationale:
Credit card and Social Security numbers are sensitive, and should never traverse an organization's Internet connection in clear text. Passing sensitive data within an organization should also be avoided whenever possible. Detecting and blocking known sensitive information is a basic protection against a data breach or data loss. Not implementing these defenses can lead to loss of regulatory accreditation (such as PCI, HIPAA etc), or can lead to legal action from injured parties or regulatory bodies."
solution : "Navigate to Objects > Custom Objects > Data Patterns.
Create an appropriate Data Pattern that accounts for sensitive information within your organization. In most cases this will include Credit Card Numbers, and your jurisdiction's equivalent of Social Insurance Numbers. In many cases these can simply be picked from the list of Predefined Patterns.
Navigate to Objects > Security Profiles > Data Filtering.
Create appropriate Data Filtering Profile, using the created Data Patterns. Ensure that an Alert Threshold is set that generates alerts appropriately. A typical starting value for Alert Threshold is 20, but this should be adjusted after appropriate testing.
Default Value:
Not Configured"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.3.6,800-53|AU-3,800-53|AU-3(1),800-53|AU-7,800-53|AU-12,800-53r5|AU-3,800-53r5|AU-3(1),800-53r5|AU-7,800-53r5|AU-12,CN-L3|7.1.2.3(a),CN-L3|7.1.2.3(b),CN-L3|7.1.2.3(c),CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|8.1.4.3(b),CSCv7|6.2,CSCv7|6.3,CSCv7|13.3,CSCv8|8.5,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,CSF|RS.AN-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|DE.CM-09,CSF2.0|PR.PS-04,CSF2.0|RS.AN-03,CSF2.0|RS.AN-06,CSF2.0|RS.AN-07,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|AU-3,ITSG-33|AU-3(1),ITSG-33|AU-7,ITSG-33|AU-12,LEVEL|1A,NESA|T3.6.2,NIAv2|AM34a,NIAv2|AM34b,NIAv2|AM34c,NIAv2|AM34d,NIAv2|AM34e,NIAv2|AM34f,NIAv2|AM34g,PCI-DSSv3.2.1|10.1,PCI-DSSv3.2.1|10.3,PCI-DSSv3.2.1|10.3.1,PCI-DSSv3.2.1|10.3.2,PCI-DSSv3.2.1|10.3.3,PCI-DSSv3.2.1|10.3.4,PCI-DSSv3.2.1|10.3.5,PCI-DSSv3.2.1|10.3.6,PCI-DSSv4.0|10.2.2,QCSC-v1|3.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,QCSC-v1|13.2,SWIFT-CSCv1|6.4"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "6.14 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet"
info : "Create a secure Data Filtering profile and apply it to all security policies permitting traffic to or from the Internet. The Data Filtering profile may be applied to security policies directly or through a profile group.
Rationale:
A Data Filtering profile helps prevent certain types of sensitive information from traversing an organization's Internet connection, especially in clear text. Detecting and blocking known sensitive information is a basic protection against a data breach or data loss. Not implementing these defenses can lead to loss of regulatory accreditation (such as PCI, HIPAA etc), or can lead to legal action from injured parties or regulatory bodies.
Before starting, be very aware that Data Filtering will often block data that you didn't anticipate, false positives will definitely occur. Even the prebuilt filters will frequently match on unintended data in files or websites. Work very closely with your user community to ensure that required data is blocked or alerted on, but a minimum of false positive blocks occur. As false positives occur, ensure that your user community has a clear and timely procedure to get the configuration updated."
solution : "Navigate to Objects > Custom Objects > Data Patterns. Add patterns to match the various data that you wish to monitor or make blocking decisions on.
Navigate to Objects > Security Profiles > Data Filtering
Add a Data Filtering Profile that matches the data you wish to monitor, with appropriate values for Alert Threshold (typically 20), Block Threshold (typically 0) and Log Severity.
Finally, apply the Data Filtering Profile to the relevant Security Policies.
Navigate to Policies > Security. Edit all appropriate policies, and for each Policy choose the Actions tab and add the appropriate Data Filtering Profile (either as an individual Profile or as part of a Profile Group).
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,800-53r5|CA-9,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|13.3,CSCv8|13.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security policy '' is using Data Filtering profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Data Filtering profile set on security policy ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Data Filtering Profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "6.15 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones"
info : "Enable the SYN Flood Action of SYN Cookies for all untrusted zones. The Alert, Activate, and Maximum settings for SYN Flood Protection depend highly on the environment and device used. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds. Do not rely on default values to be appropriate for an environment.
Setting these values for all zones, not only untrusted ones, is an approach that should be considered by many organizations, as traffic floods can result from internal testing or malware as well.
As a rough ballpark for most environments, an Activate value of 50% of the firewall's maximum 'New sessions per second'/CPS is a conservative setting. The following is a list of maximum new sessions per second for each platform:
PA-4xx series = 73,000 CPS
PA-8xx series = 13,100 CPS
PA-14xx series = 140,000 CPS
PA-32xx series = 84,000 CPS
PA-34xx series = 268,000 CPS
PA-52xx series = 500,000 CPS
PA-54xx series = 3,600,000 CPS
PA-70xx series = 6,000,000 CPS
Rationale:
Protecting resources and the firewall itself against DoS/DDoS attacks requires a layered approach. Firewalls alone cannot mitigate all DoS attacks, however, many attacks can be successfully mitigated. Utilizing SYN Cookies helps to mitigate SYN flood attacks, where the CPU and/or memory buffers of the victim device become overwhelmed by incomplete TCP sessions. SYN Cookies are preferred over Random Early Drop.
Impact:
Not configuring a Network Zone Protection Profile on untrusted interfaces leaves an organization exposed to common attacks and reconnaissance from those untrusted networks. Not configuring a Zone Protection Profile for internal networks leaves an organization vulnerable to malware, software or hardware causes of traffic flooding from internal sources."
solution : "From GUI:
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection tab.
Check the SYN box. Set the Action dropdown to SYN Cookies. Set Alert to 20000 (or a value appropriate for the organization). Set Activate to 50% of the maximum new sessions per second (CPS) for the firewall model listed above (the example value of 25000 must be adjusted to the platform in use). Set Maximum to 1000000 (or a value appropriate for the organization).
Navigate to Network > Zones. Open the zone facing any untrusted network, if one does not exist create it. Set Zone Protection to the Zone Protection Profile created.
Default Value:
Not Configured"
reference : "800-171|3.1.1,800-171|3.1.5,800-171|3.3.8,800-171|3.3.9,800-53|AC-2,800-53|AC-3,800-53|AC-6,800-53|AC-6(1),800-53|AC-6(7),800-53|AU-9(4),800-53r5|AC-2,800-53r5|AC-5,800-53r5|AC-6,800-53r5|AC-6(1),800-53r5|AC-6(7),800-53r5|AU-9(4),CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(d),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.3(d),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|13.3,CSCv8|6.8,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-1,CSF|PR.PT-3,CSF2.0|DE.CM-01,CSF2.0|DE.CM-03,CSF2.0|PR.AA-01,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.9.2.1,ISO/IEC-27001|A.9.2.5,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.4,ISO/IEC-27001|A.9.4.5,ISO/IEC-27001|A.12.4.2,ITSG-33|AC-2,ITSG-33|AC-3,ITSG-33|AC-6,ITSG-33|AC-6(1),ITSG-33|AU-9(4),ITSG-33|AU-9(4)(a),ITSG-33|AU-9(4)(b),LEVEL|1A,NESA|M1.1.3,NESA|M1.2.2,NESA|M5.2.3,NESA|M5.5.2,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|AM28,NIAv2|AM31,NIAv2|GS3,NIAv2|GS4,NIAv2|GS8c,NIAv2|NS5j,NIAv2|SM5,NIAv2|SM6,NIAv2|SS13c,NIAv2|SS14e,NIAv2|SS15c,NIAv2|SS29,NIAv2|VL3b,PCI-DSSv3.2.1|7.1.2,PCI-DSSv3.2.1|10.5,PCI-DSSv3.2.1|10.5.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,PCI-DSSv4.0|10.3.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|13.2,QCSC-v1|15.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has TCP SYN Cookies enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' SYN cookies Alert rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' SYN cookies Alert rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' SYN cookies Activate rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' SYN cookies Activate rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' SYN cookies Maximal rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' SYN cookies Maximal rate is ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' Flood Protection/SYN is not enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions"
info : "Enable all three scan options in a Zone Protection profile. Do not configure an action of Allow for any scan type. The exact interval and threshold values must be tuned to the specific environment. Less aggressive settings are typically appropriate for trusted zones, such as setting an action of alert for all scan types.
Attach appropriate Zone Protection profiles meeting these criteria to all zones. Using separate Zone Protection profiles for trusted and untrusted zones is a best practice.
Rationale:
Port scans and host sweeps are common in the reconnaissance phase of an attack. Bots scouring the Internet in search of a vulnerable target may also scan for open ports and available hosts. Reconnaissance Protection will allow for these attacks to be either alerted on or blocked altogether.
Impact:
Not configuring a Network Zone Protection Profile leaves an organization exposed to common attacks and reconnaissance from untrusted networks."
solution : "Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection.
Set TCP Port Scan to enabled, its Action to block-ip, its Interval to 5, and its Threshold to 20. For block-ip, set 'Track By' to source and 'Duration' to 600 seconds.
Set Host Sweep to enabled, its Action to block, its Interval to 10, and its Threshold to 30.
Set UDP Port Scan to enabled, its Action to alert, its Interval to 10, and its Threshold to 20.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,800-53r5|CA-9,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|12.4,CSCv7|13.3,CSCv8|13.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Action set to Block-IP."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Action set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance TCP Track By set to Source."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance TCP Track By set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance TCP Duration set to 600."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance TCP Duration set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance Host Sweep Action set to Alert."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance Host Sweep Action set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance Host Sweep Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance Host Sweep Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance Host Sweep Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance Host Sweep Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Action set to Block."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Action set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles using Reconnaissance TCP Port Scan found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles using Reconnaissance Host Sweep found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles using Reconnaissance UDP Port Scan found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "6.18 Ensure all zones have Zone Protection Profiles that drop specially crafted packets"
info : "For all zones, attach a Zone Protection Profile that is configured to drop packets with a spoofed IP address or a mismatched overlapping TCP segment, and packets with malformed, strict source routing, or loose source routing IP options set.
Rationale:
Using specially crafted packets, an attacker may attempt to evade or diminish the effectiveness of network security devices. Enabling the options in this recommendation lowers the risk of these attacks.
Impact:
Not configuring a Network Zone Protection Profile leaves an organization exposed to common attacks and reconnaissance from untrusted networks."
solution : "Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Packet Based Attack Protection > TCP/IP Drop.
Set Spoofed IP address to be checked.
Set Mismatched overlapping TCP segment to be checked.
Under IP Option Drop, set Strict Source Routing, Loose Source Routing, and Malformed to all be checked. Additional options may also be set if desired.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,800-53r5|CA-9,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|13.3,CSCv8|13.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Packet Based Attack Protection / Spoofed IP address enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Packet Based Attack Protection / Spoofed IP address disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Packet Based Attack Protection / Strict Source Routing enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Packet Based Attack Protection / Strict Source Routing disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Packet Based Attack Protection / Loose Source Routing enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Packet Based Attack Protection / Loose Source Routing disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Packet Based Attack Protection / Malformed enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Packet Based Attack Protection / Malformed disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Zone Protection Profile '' has Packet Based Attack Protection / Mismatched Overlapping TCP Segment enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Zone Protection Profile '' has Packet Based Attack Protection / Mismatched Overlapping TCP Segment disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles using Packet Based Attack Protection / Spoofed IP address"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles using Packet Based Attack Protection / Strict Source Routing"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles using Packet Based Attack Protection / Loose Source Routing"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles using Packet Based Attack Protection / Malformed"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Zone Protection Profiles using Packet Based Attack Protection / Mismatched Overlapping TCP Segment"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "6.19 Ensure that User Credential Submission uses the action of 'block' or 'continue' on the URL categories"
info : "Ideally, user names and passwords used within an organization are not used with third-party sites. Some sanctioned SaaS applications may have connections to the corporate domain, in which case they will need to be exempt from the user credential submission policy through a custom URL category.
Rationale:
Preventing users from having the ability to submit their corporate credentials to the Internet could stop credential phishing attacks and the potential that a breach at a site where a user reused credentials could lead to a credential stuffing attack.
Impact:
Not preventing users from submitting their corporate credentials to the Internet can leave them open to phishing attacks or allow for credential reuse on unauthorized sites. Using internal email accounts provides malicious actors with intelligence information, which can be used for phishing, credential stuffing and other attacks. Using internal passwords will often provide authenticated access directly to sensitive information. Not only that, but a pattern of credential re-use can expose personal information from multiple online sources."
solution : "Navigate to Objects > Security Profiles > URL Filtering.
Choose the Categories tab. Set the User Credential Submission action on all enabled URL categories to either block or continue, as appropriate to your organization and the category.
Under the User Credential Detection tab set the User Credential Detection value to a setting appropriate to your organization, any value except Disabled. Set the Log Severity to a value appropriate to your organization and your logging or SIEM solution.
Default Value:
Not Configured"
reference : "800-53|SI-8,800-53r5|SI-8,CSCv7|7.4,CSCv8|9.2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-8,LEVEL|1A,QCSC-v1|3.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " URL Filtering Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - IP User Mapping not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - IP User Mapping set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions"
info : "Enable all three scan options in a Zone Protection profile. Do not configure an action of Allow for any scan type. The exact interval and threshold values must be tuned to the specific environment. Less aggressive settings are typically appropriate for trusted zones, such as setting an action of alert for all scan types.
Attach appropriate Zone Protection profiles meeting these criteria to all zones. Using separate Zone Protection profiles for trusted and untrusted zones is a best practice.
Rationale:
Port scans and host sweeps are common in the reconnaissance phase of an attack. Bots scouring the Internet in search of a vulnerable target may also scan for open ports and available hosts. Reconnaissance Protection will allow for these attacks to be either alerted on or blocked altogether.
Impact:
Not configuring a Network Zone Protection Profile leaves an organization exposed to common attacks and reconnaissance from untrusted networks."
solution : "Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection.
Set TCP Port Scan to enabled, its Action to block-ip, its Interval to 5, and its Threshold to 20. For block-ip, set 'Track By' to source and 'Duration' to 600 seconds.
Set Host Sweep to enabled, its Action to block, its Interval to 10, and its Threshold to 30.
Set UDP Port Scan to enabled, its Action to alert, its Interval to 10, and its Threshold to 20.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,800-53r5|CA-9,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|12.4,CSCv7|13.3,CSCv8|13.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Action set to Block-IP."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Action set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance TCP Track By set to Source."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance TCP Track By set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance TCP Duration set to 600."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance TCP Duration set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance TCP Port Scan Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance Host Sweep Action set to Block."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance Host Sweep Action set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance Host Sweep Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance Host Sweep Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance Host Sweep Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance Host Sweep Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Action set to Alert."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Action set incorrectly."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Interval set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Reconnaissance UDP Port Scan Threshold set to ''."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles using Reconnaissance TCP Port Scan found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles using Reconnaissance Host Sweep found"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles using Reconnaissance UDP Port Scan found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "6.18 Ensure all zones have Zone Protection Profiles that drop specially crafted packets"
info : "For all zones, attach a Zone Protection Profile that is configured to drop packets with a spoofed IP address or a mismatched overlapping TCP segment, and packets with malformed, strict source routing, or loose source routing IP options set.
Rationale:
Using specially crafted packets, an attacker may attempt to evade or diminish the effectiveness of network security devices. Enabling the options in this recommendation lowers the risk of these attacks.
Impact:
Not configuring a Network Zone Protection Profile leaves an organization exposed to common attacks and reconnaissance from untrusted networks."
solution : "Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Packet Based Attack Protection > TCP/IP Drop.
Set Spoofed IP address to be checked.
Set Mismatched overlapping TCP segment to be checked.
Under IP Option Drop, set Strict Source Routing, Loose Source Routing, and Malformed to all be checked. Additional options may also be set if desired.
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-171|3.13.5,800-53|CA-9,800-53|SC-7,800-53r5|CA-9,800-53r5|SC-7,CN-L3|8.1.10.6(j),CSCv7|13.3,CSCv8|13.4,CSF|DE.CM-1,CSF|ID.AM-3,CSF|PR.AC-5,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|ID.AM-03,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,GDPR|32.1.d,GDPR|32.2,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7,LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|4.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|2.1,TBA-FIISB|43.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Packet Based Attack Protection / Spoofed IP address enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Packet Based Attack Protection / Spoofed IP address disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Packet Based Attack Protection / Strict Source Routing enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Packet Based Attack Protection / Strict Source Routing disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Packet Based Attack Protection / Loose Source Routing enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Packet Based Attack Protection / Loose Source Routing disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Packet Based Attack Protection / Malformed enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Packet Based Attack Protection / Malformed disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Zone Protection Profile '' has Packet Based Attack Protection / Mismatched Overlapping TCP Segment enabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Zone Protection Profile '' has Packet Based Attack Protection / Mismatched Overlapping TCP Segment disabled."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles using Packet Based Attack Protection / Spoofed IP address"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles using Packet Based Attack Protection / Strict Source Routing"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles using Packet Based Attack Protection / Loose Source Routing"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles using Packet Based Attack Protection / Malformed"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Zone Protection Profiles using Packet Based Attack Protection / Mismatched Overlapping TCP Segment"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "6.19 Ensure that User Credential Submission uses the action of 'block' or 'continue' on the URL categories"
info : "Ideally, user names and passwords used within an organization are not used with third-party sites. Some sanctioned SaaS applications may have connections to the corporate domain, in which case they will need to be exempt from the user credential submission policy through a custom URL category.
Rationale:
Preventing users from having the ability to submit their corporate credentials to the Internet could stop credential phishing attacks and the potential that a breach at a site where a user reused credentials could lead to a credential stuffing attack.
Impact:
Not preventing users from submitting their corporate credentials to the Internet can leave them open to phishing attacks or allow for credential reuse on unauthorized sites. Using internal email accounts provides malicious actors with intelligence information, which can be used for phishing, credential stuffing and other attacks. Using internal passwords will often provide authenticated access directly to sensitive information. Not only that, but a pattern of credential re-use can expose personal information from multiple online sources."
solution : "Navigate to Objects > Security Profiles > URL Filtering.
Choose the Categories tab. Set the User Credential Submission action on all enabled URL categories to either block or continue, as appropriate to your organization and the category.
Under the User Credential Detection tab set the User Credential Detection value to a setting appropriate to your organization, any value except Disabled. Set the Log Severity to a value appropriate to your organization and your logging or SIEM solution.
Default Value:
Not Configured"
reference : "800-53|SI-8,800-53r5|SI-8,CSCv7|7.4,CSCv8|9.2,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|SI-8,LEVEL|1A,QCSC-v1|3.2,QCSC-v1|8.2.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "URL Filtering Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - IP User Mapping not set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - IP User Mapping set"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "6.20 Ensure that 'Wildfire Inline ML Action' on antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'"
info : "Configure 'Wildfire Inline ML Action' on antivirus profiles to a value of 'reset-both' for all decoders except imap and pop3 under 'Wildfire Inline ML Action'. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under 'Wildfire Inline ML Action'.
Rationale:
Starting from PanOS 10, Wildfire supports real-time detection and blocking. As more attacks are designed to bypass signature-based protection, real-time signatureless protection is needed. Antivirus signatures produce low false positives. By blocking any detected malware through the specified decoders, the threat of malware propagation through the firewall is greatly reduced. It is recommended to mitigate malware found in pop3 and imap through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall is not able to block only a single email message containing malware. Instead, the entire session would be terminated, potentially affecting benign email messages."
solution : "Navigate to Objects > Security Profiles > Antivirus
Set antivirus profiles to have all decoders set to reset-both for Wildfire Inline ML Action. If imap and pop3 are required in the organization, set the imap and pop3 decoders are set to alert for Wildfire Inline ML Action.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1M,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Security Profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Security Profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Security Policies with Antivirus profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.21 Ensure that 'Wildfire Inline ML' on antivirus profiles are set to enable for all file types"
info : "Configure 'Wildfire Inline ML' on antivirus profiles to a value of 'enable' for all file types.
Rationale:
Starting from PanOS 10, Wildfire supports real-time detection and blocking. As more attacks are designed to bypass signature-based protection, real-time signatureless protection is needed. With this new functionality, common file types used for malware delivery such as Windows Executables, PowerShell Script, MSOffice, Shell, and Executable Linked Format (ELF) can be inspected using Wildfire and malicious files are blocked in real-time."
solution : "Navigate to Objects > Security Profiles > Antivirus
Go to the Wildfire Inline ML tab. Set the Action Setting to enable (inherit per-protocol actions) for all Models.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Security Policies with Antivirus profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles are enabled if 'Advanced Threat Prevention' is available"
info : "Enable 'Inline Cloud Analysis' on Vulnerability Protection profiles to combat zero-day threats.
Rationale:
Starting from PanOS 11, Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats. By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources.
It is recommended to set the action to 'alert' during initial deployment, monitor for false positives, and configure the exclusion URLs and IPs before moving to the 'reset-both' action."
solution : "Navigate to Objects > Security Profiles > Vulnerability Protection
Go to the Inline Cloud Analysis tab. Tick the checkbox for Enable cloud inline analysis. Verify that the action for all Models is set to alert.
Note that the firewall device certificate is used to authenticate to the Advanced Threat Prevention inline cloud analysis service. This step is required before 'Inline Cloud Analysis' can be used. Refer to the reference for a detailed guide.
Default Value:
Not Configured"
reference : "800-171|3.11.2,800-171|3.11.3,800-53|RA-5,800-53r5|RA-5,CSCv7|3.1,CSCv7|3.2,CSCv8|7.5,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.7.1,PCI-DSSv3.2.1|6.1,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " Vulnerability Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Vulnerability Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.23 Ensure that 'Cloud Inline Categorization' on URL Filtering profiles are enabled if 'Advanced Threat Prevention' is available"
info : "Enable both 'Local Inline Categorization' and 'Cloud Inline Categorization' on URL Filtering profiles to evaluate suspicious web page contents in real-time to protect users against zero-day threats.
Rationale:
Starting from PanOS 10, Palo Alto Networks Advanced URL Filtering now operates a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real-time to protect users against zero-day threats. This includes cloaked websites, multi-step attacks, CAPTCHA challenges, and previously unseen one-time-use URLs."
solution : "Navigate to Objects > Security Profiles > URL Filtering
Go to Inline Categorization tab. Tick the checkbox for both Enable local inline categorization and Enable cloud inline categorization.
Note that:
The firewall device certificate is used to authenticate to the Advanced Threat Prevention inline cloud analysis service. This step is required before 'Inline Cloud Analysis' can be used. Refer to the reference for a detailed guide.
'Local Inline Categorization' can be enabled with just the URL Filtering license (no Advanced Threat Prevention is needed).
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : "URL Filtering Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Local Inline Categorization is disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Local Inline Categorization is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Cloud Inline Categorization is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Cloud Inline Categorization is disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.24 Ensure that 'Inline Cloud Analysis' on Anti-Spyware profiles are enabled if 'Advanced Threat Prevention' is available"
info : "Enable 'Inline Cloud Analysis' on Anti-Spyware profiles to detect and protect against advanced, highly-evasive zero-day command-and-control (C2) threats.
Rationale:
Starting from PanOS 10, Palo Alto Networks now operates a series of ML-based detection engines in the Advanced Threat Prevention cloud to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time to protect users against zero-day threats. By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources.
The cloud-based detection engine logic is continuously monitored and updated using C2 traffic datasets from WildFire, with additional support through manual updates by Palo Alto Networks threat researchers, who provide human intervention for highly accurate detection enhancements."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware
Go to the Inline Cloud Analysis tab. Tick the checkbox for Enable cloud inline analysis. Verify that the action for all Models is set to reset-both.
Note that the firewall device certificate is used to authenticate to the Advanced Threat Prevention inline cloud analysis service. This step is required before Inline Cloud Analysis can be used. Refer to the reference for a detailed guide.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " Anti-Spyware Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Security Policies"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Security Command and Control Domains"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: Command and Control Domains set to 'extended-capture'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: Command and Control Domains set to ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
description : "6.25 Ensure that 'DNS Policies' is configured on Anti-Spyware profiles if 'DNS Security' license is available"
info : "DNS security is an extensible cloud-based service capable of generating DNS signatures using advanced predictive analytics and machine learning. DNS Security protects from sophisticated DNS-based attacks.
Rationale:
DNS traffic is normally allowed through the firewall. With this in mind, attackers leverage this attack surface to evade detection or exfiltrate data. Starting from PanOS 9, Palo Alto Networks has launched DNS Security services to combat evasive malware and to detect DNS tunneling activity.
For DNS Security to be effective, a 'Threat Prevention' or 'Advanced Threat Prevention' license must be purchased in addition to the 'DNS Security' license."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware
Go to DNS Policies tab. Configure policy action to sinkhole for all DNS Security categories.
On Command and control Domains category, set the packet capture option to extended-capture.
Default Value:
Not Configured"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|AU-2,800-53|SI-3,800-53r5|AU-2,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.3(a),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|7.7,CSCv7|8.3,CSCv8|8.6,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF|PR.PT-1,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.PS-04,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.2.1,ITSG-33|AU-2,ITSG-33|SI-3,LEVEL|1M,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|GS8a,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "6.20 Ensure that 'Wildfire Inline ML Action' on antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'"
info : "Configure 'Wildfire Inline ML Action' on antivirus profiles to a value of 'reset-both' for all decoders except imap and pop3 under 'Wildfire Inline ML Action'. If required by the organization's email implementation, configure imap and pop3 decoders to 'alert' under 'Wildfire Inline ML Action'.
Rationale:
Starting from PanOS 10, Wildfire supports real-time detection and blocking. As more attacks are designed to bypass signature-based protection, real-time signatureless-based protection is needed. Antivirus signatures produce low false positives. By blocking any detected malware through the specified decoders, the threat of malware propagation through the firewall is greatly reduced. It is recommended to mitigate malware found in pop3 and imap through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall is not able to block only a single email message containing malware. Instead, the entire session would be terminated, potentially affecting benign email messages."
solution : "Navigate to Objects > Security Profiles > Antivirus
Set antivirus profiles to have all decoders set to reset-both for Wildfire Inline ML Action. If imap and pop3 are required in the organization, set the imap and pop3 decoders to alert for Wildfire Inline ML Action.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1M,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Profile '' meets all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Profile '' does not meet all criteria."
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Security Policies with Antivirus profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.21 Ensure that 'Wildfire Inline ML' on antivirus profiles are set to enable for all file types"
info : "Configure 'Wildfire Inline ML' on antivirus profiles to a value of 'enable' for all file types.
Rationale:
Starting from PanOS 10, Wildfire supports real-time detection and blocking. As more attacks are designed to bypass signature-based protection, real-time signatureless-based protection is needed. With this new functionality, common file types used for malware delivery such as Windows Executables, PowerShell Script, MSOffice, Shell, and Executable Linked Format (ELF) can be inspected using Wildfire and malicious files are blocked in real-time."
solution : "Navigate to Objects > Security Profiles > Antivirus
Go to the Wildfire Inline ML tab. Set Action Setting to enable (inherit per-protocol actions) for all Models.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Security Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Security Policies with Antivirus profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles are enabled if 'Advanced Threat Prevention' is available"
info : "Enable 'Inline Cloud Analysis' on Vulnerability Protection profiles to combat zero-day threats.
Rationale:
Starting from PanOS 11, Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats. By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources.
It is recommended to set the action to 'alert' during initial deployment, monitor for false positives, and configure the exclusion URLs and IPs before moving to the 'reset-both' action."
solution : "Navigate to Objects > Security Profiles > Vulnerability Protection
Go to the Inline Cloud Analysis tab. Tick the checkbox for Enable cloud inline analysis. Verify that the action for all Models is set to alert.
Note that the firewall device certificate is used to authenticate to the Advanced Threat Prevention inline cloud analysis service. This step is required before 'Inline Cloud Analysis' can be used. Refer to the reference for a detailed guide.
Default Value:
Not Configured"
reference : "800-171|3.11.2,800-171|3.11.3,800-53|RA-5,800-53r5|RA-5,CSCv7|3.1,CSCv7|3.2,CSCv8|7.5,CSF|DE.CM-8,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.IP-12,CSF|RS.CO-3,CSF|RS.MI-3,CSF2.0|GV.SC-10,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|ID.RA-08,GDPR|32.1.b,GDPR|32.1.d,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.6.1,ITSG-33|RA-5,LEVEL|1A,NESA|M1.2.2,NESA|M5.4.1,NESA|T7.7.1,PCI-DSSv3.2.1|6.1,PCI-DSSv4.0|6.3,PCI-DSSv4.0|6.3.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Vulnerability Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Vulnerability Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.23 Ensure that 'Cloud Inline Categorization' on URL Filtering profiles are enabled if 'Advanced Threat Prevention' is available"
info : "Enable both 'Local Inline Categorization' and 'Cloud Inline Categorization' on URL Filtering profiles to evaluate suspicious web page contents in real-time to protect users against zero-day threats.
Rationale:
Starting from PanOS 10, Palo Alto Networks Advanced URL Filtering now operates a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real-time to protect users against zero-day threats. This includes cloaked websites, multi-step attacks, CAPTCHA challenges, and previously unseen one-time-use URLs."
solution : "Navigate to Objects > Security Profiles > URL Filtering
Go to Inline Categorization tab. Tick the checkbox for both Enable local inline categorization and Enable cloud inline categorization.
Note that:
The firewall device certificate is used to authenticate to the Advanced Threat Prevention inline cloud analysis service. This step is required before 'Inline Cloud Analysis' can be used. Refer to the reference for a detailed guide.
'Local Inline Categorization' can be enabled with just the URL Filtering license (no Advanced Threat Prevention is needed).
Default Value:
Not Configured"
reference : "800-171|3.13.1,800-53|SC-7(3),800-53|SC-7(4),800-53r5|SC-7(3),800-53r5|SC-7(4),CN-L3|8.1.10.6(j),CSCv7|7.4,CSCv8|9.3,CSF|PR.AC-5,CSF|PR.PT-4,CSF2.0|DE.CM-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.13.1.3,ITSG-33|SC-7(3),ITSG-33|SC-7(4),LEVEL|1A,NESA|T4.5.4,NIAv2|GS1,NIAv2|GS2a,NIAv2|GS2b,PCI-DSSv3.2.1|1.1,PCI-DSSv3.2.1|1.2,PCI-DSSv3.2.1|1.2.1,PCI-DSSv3.2.1|1.3,PCI-DSSv4.0|1.2.1,PCI-DSSv4.0|1.4.1,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|8.2.1,SWIFT-CSCv1|1.1,TBA-FIISB|43.1,TBA-FIISB|44.1.2"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "URL Filtering Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Local Inline Categorization is disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Local Inline Categorization is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Cloud Inline Categorization is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Cloud Inline Categorization is disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No URL Filtering Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "6.24 Ensure that 'Inline Cloud Analysis' on Anti-Spyware profiles are enabled if 'Advanced Threat Prevention' is available"
info : "Enable 'Inline Cloud Analysis' on Anti-Spyware profiles to detect and protect against advanced, highly-evasive zero-day command-and-control (C2) threats.
Rationale:
Starting from PanOS 10, Palo Alto Networks now operates a series of ML-based detection engines in the Advanced Threat Prevention cloud to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time to protect users against zero-day threats. By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources.
The cloud-based detection engine logic is continuously monitored and updated using C2 traffic datasets from WildFire, with additional support through manual updates by Palo Alto Networks threat researchers, who provide human intervention for highly accurate detection enhancements."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware
Go to the Inline Cloud Analysis tab. Tick the checkbox for Enable cloud inline analysis. Verify that the action for all Models is set to reset-both.
Note that the firewall device certificate is used to authenticate to the Advanced Threat Prevention inline cloud analysis service. This step is required before Inline Cloud Analysis can be used. Refer to the reference for a detailed guide.
Default Value:
Not Configured"
reference : "800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|SI-3,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|8.3,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),ISO/IEC-27001|A.12.2.1,ITSG-33|SI-3,LEVEL|1A,NIAv2|GS8a,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Anti-Spyware Profile ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Security Policies"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: - "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Anti-Spyware Profile DNS Security Command and Control Domains"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: Command and Control Domains set to 'extended-capture'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: Command and Control Domains set to ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Anti-Spyware Profiles found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
description : "6.25 Ensure that 'DNS Policies' is configured on Anti-Spyware profiles if 'DNS Security' license is available"
info : "DNS security is an extensible cloud-based service capable of generating DNS signatures using advanced predictive analytics and machine learning. DNS Security protects from sophisticated DNS-based attacks.
Rationale:
DNS traffic is normally allowed through the firewall. With this in mind, attackers leverage this attack surface to evade detection or exfiltrate data. Starting from PanOS 9, Palo Alto Networks has launched DNS Security services to combat evasive malware and to detect DNS tunneling activity.
For DNS Security to be effective, a 'Threat Prevention' or 'Advanced Threat Prevention' license must be purchased in addition to the 'DNS Security' license."
solution : "Navigate to Objects > Security Profiles > Anti-Spyware
Go to DNS Policies tab. Configure policy action to sinkhole for all DNS Security categories.
On Command and control Domains category, set the packet capture option to extended-capture.
Default Value:
Not Configured"
reference : "800-171|3.3.1,800-171|3.3.2,800-171|3.14.2,800-171|3.14.4,800-171|3.14.5,800-53|AU-2,800-53|SI-3,800-53r5|AU-2,800-53r5|SI-3,CN-L3|7.1.3.6(b),CN-L3|8.1.4.3(a),CN-L3|8.1.4.5,CN-L3|8.1.9.6(a),CN-L3|8.1.9.6(b),CN-L3|8.1.10.5(b),CN-L3|8.1.10.7(a),CN-L3|8.1.10.7(b),CSCv7|7.7,CSCv7|8.3,CSCv8|8.6,CSCv8|10.1,CSF|DE.CM-4,CSF|DE.DP-3,CSF|PR.PT-1,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,CSF2.0|PR.PS-04,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ISO/IEC-27001|A.12.2.1,ITSG-33|AU-2,ITSG-33|SI-3,LEVEL|1M,NESA|M1.2.2,NESA|M5.5.1,NIAv2|AM7,NIAv2|AM11a,NIAv2|AM11b,NIAv2|AM11c,NIAv2|AM11d,NIAv2|AM11e,NIAv2|GS8a,NIAv2|SS30,NIAv2|VL8,PCI-DSSv3.2.1|5.1,PCI-DSSv3.2.1|5.1.1,PCI-DSSv4.0|5.2.1,QCSC-v1|3.2,QCSC-v1|5.2.3,QCSC-v1|8.2.1,QCSC-v1|13.2,SWIFT-CSCv1|6.4,TBA-FIISB|49.2.1,TBA-FIISB|49.2.2,TBA-FIISB|49.3.1,TBA-FIISB|49.3.2,TBA-FIISB|50.2.1,TBA-FIISB|51.2.4,TBA-FIISB|51.2.7"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone"
info : "When permitting traffic from an untrusted zone, such as the Internet or guest network, to a more trusted zone, such as a DMZ segment, create security policies specifying which specific applications are allowed.
**Enhanced Security Recommendation: ** Require specific application policies when allowing any traffic, regardless of the trust level of a zone. Do not rely solely on port permissions. This may require SSL interception, and may also not be possible in all environments.
Rationale:
To avoid unintentionally exposing systems and services, rules allowing traffic from untrusted zones to trusted zones should be as specific as possible. Application-based rules, as opposed to service/port rules, further tighten what traffic is allowed to pass. Similarly, traffic from trusted to untrusted networks should have a security policy set, with application-based rules. A 'catch-all' rule that allows all applications will also allow malware traffic. The goal should be to understand both inbound and outbound traffic, permit what is known, and block all other traffic.
Impact:
Setting application-based rules on both inbound and outbound traffic ensures that the traffic on the specified protocol and port is actually the application that you expect. For outbound traffic, the days of 'we trust our users' are well past us; that statement also implies that we trust the malware on the user workstations, which is obviously not the case.
For traffic from trusted to less trusted interfaces, the applications should be characterized over time, with the end goal being that all applications are in the rules and a final 'block all' rule is in place. Not having this goal gives both attackers and malware the leeway they need to accomplish their goals.
Trusting only Port permissions to control traffic exposes an organization to 'tunneling' style attacks that can exfiltrate data or facilitate Command and Control (C2) sessions.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Navigate to Policies > Security.
For all Security Policies that transit from a less trusted to a more trusted interface, set the Application and Service values to match the exposed application. For instance, for a web server exposed to the internet from a DMZ:
Source tab: Zone set to OUTSIDE / Address set to Any
Destination tab: Zone set to DMZ / Address set to [DMZ Host Object]
Application tab: set to web-browsing
Service/URL Category tab: set Service to either:
application-default
or:
service-http and/or service-https
**Enhanced Security Recommendation: **
Set these values for Policies on all Interfaces, for traffic in all directions. For each Security Policy, set the Application and Service values to match the exposed application.
Default Value:
Not Configured"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,LEVEL|2A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : " Verify application security policy exists for traffic from untrusted to trusted zones"
xsl_stmt : ""
xsl_stmt : " Security policy: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " No Security Policies found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist"
info : "Create security policies specifying application-default for the Service setting, in addition to the specific ports desired. The Service setting of any should not be used for any policies that allow traffic.
Rationale:
App-ID requires a number of packets to traverse the firewall before an application can be identified and either allowed or dropped. Due to this behavior, even when an application is defined in a security policy, a service setting of any may allow a device in one zone to perform port scans on IP addresses in a different zone. In addition, this recommendation helps to avoid an App-ID cache pollution attack.
Because of how App-ID works, configuring the service setting to 'Any' allows some initial traffic to reach the target host before App-ID can recognize and appropriately restrict the traffic. Setting the Service Setting to application specific at least restricts the traffic to the target applications or protocols for that initial volume of traffic."
solution : "Navigate to Policies > Security.
For each exposed host, ensure a Security Policy exists with:
Source tab: Zone set to OUTSIDE / Address set to any
Destination tab: Zone set to DMZ / Address set to
Application tab: Application set to web-browsing (or appropriate application)
Service tab: Service set to application-default. The value of any should never be used
Default Value:
Not Configured"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|9.2,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Security Profile '' has a Service setting of 'ANY'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Security Profile '' does not have a Service setting of 'ANY'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Security Profiles found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists"
info : "Create a pair of security rules at the top of the security policies ruleset to block traffic to and from IP addresses known to be malicious.
Note: This recommendation (as written) requires a Palo Alto Networks 'Threat Prevention License'. Third Party and Open Source Threat Intelligence Feeds can also be used for this purpose.
Rationale:
Creating rules that block traffic to/from known malicious sites from Trusted Threat Intelligence Sources protects you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
Impact:
While not foolproof, simply blocking traffic from known malicious hosts allows more resources to be devoted to analyzing traffic from other sources for malicious content. This approach is a recommended part of most 'Defense in Depth' recommendations, allowing defenders to focus more deeply on traffic from uncategorized sources."
solution : "Navigate to Policies > Security
Create a Security Policy similar to:
General tab: Name set to Deny to Malicious IP
Source tab: Source Zone set to Any,
Destination tab: Destination Zone set to Any, Destination Address set to Palo Alto Networks - Known malicious IP addresses,Palo Alto Networks - High risk IP addresses, Palo Alto Networks - Tor exit IP addresses, Palo Alto Networks - Bulletproof IP addresses
Application tab: Application set to Any
Service/URL Category tab: Service set to Any
Actions tab: Action set to Block, Profile Type set to None
Create a Security Policy similar to:
General tab: Name set to Deny from Malicious IP
Source tab: Source Zone set to Any, Source Address set to Palo Alto Networks - Known malicious IP addresses,Palo Alto Networks - High risk IP addresses, Palo Alto Networks - Tor exit IP addresses, Palo Alto Networks - Bulletproof IP addresses
Destination tab: Destination Zone set to Any
Application tab: Application set to Any
Service/URL Category tab: Service set to Any
Actions tab: Action set to Block, Profile Type set to None
Note: This recommendation requires a Palo Alto Networks 'Threat Prevention License'
Default Value:
Not Configured"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|12.3,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Security policy: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Does not meet criteria - Security policy: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " No Security Policies found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Passed"
type : AUDIT_XML
description : "7.4 Ensure that logging is enabled on built-in default security policies"
info : "Enable logging on built-in default security policies 'intrazone-default' and 'interzone-default'
Rationale:
By default, these default security policies do not have logging enabled. Enabling it allows SOC or security analysts to perform further investigation of security incidents, especially during threat hunting or incident response activities."
solution : "Navigate to Policies > Security
Go to default policies intrazone-default and interzone-default. On Actions tab, enable Log at Session End on log setting.
Default Value:
Disabled"
reference : "800-171|3.14.6,800-171|3.14.7,800-53|SI-4,800-53|SI-4(4),800-53r5|SI-4,800-53r5|SI-4(4),CN-L3|7.1.2.2(c),CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CSCv7|6.3,CSCv8|13.6,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.DS-5,CSF|PR.IP-8,CSF|RS.AN-1,CSF|RS.CO-3,CSF2.0|DE.AE-02,CSF2.0|DE.AE-03,CSF2.0|DE.CM-01,CSF2.0|DE.CM-06,CSF2.0|DE.CM-09,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|SI-4,ITSG-33|SI-4(4),LEVEL|1M,NESA|M1.2.2,NIAv2|NS32,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|6.5"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: interzone-default - Log at Session End enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: interzone-default - Log at Session End disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: intrazone-default - Log at Session End enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: intrazone-default - Log at Session End disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone"
info : "When permitting traffic from an untrusted zone, such as the Internet or guest network, to a more trusted zone, such as a DMZ segment, create security policies specifying which specific applications are allowed.
**Enhanced Security Recommendation: ** Require specific application policies when allowing any traffic, regardless of the trust level of a zone. Do not rely solely on port permissions. This may require SSL interception, and may also not be possible in all environments.
Rationale:
To avoid unintentionally exposing systems and services, rules allowing traffic from untrusted zones to trusted zones should be as specific as possible. Application-based rules, as opposed to service/port rules, further tighten what traffic is allowed to pass. Similarly, traffic from trusted to untrusted networks should have a security policy set, with application-based rules. A 'catch-all' rule that allows all applications will also allow malware traffic. The goal should be to understand both inbound and outbound traffic, permit what is known, and block all other traffic.
Impact:
Setting application based rules on both inbound and outbound traffic ensures that the traffic on the protocol and port being specified is actually the application that you expect. For outbound traffic, the days of 'we trust our users' are well past us; that statement also implies that we trust the malware on the user workstations, which is obviously not the case.
For traffic from trusted to less trusted interfaces, the applications should be characterized over time, with the end goal being that all applications are in the rules, and a final 'block all' rule is in place. Not having this goal gives both attackers and malware the leeway they need to accomplish their goals.
Trusting only Port permissions to control traffic exposes an organization to 'tunneling' style attacks that can exfiltrate data or facilitate Command and Control (C2) sessions.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Navigate to Policies > Security.
For all Security Policies that transit from a less trusted to a more trusted interface, set the Application and Service values to match the exposed application. For instance, for a web server exposed to the internet from a DMZ:
Source tab: Zone set to OUTSIDE / Address set to Any
Destination tab: Zone set to DMZ / Address set to [DMZ Host Object]
Application tab: set to web-browsing
Service/URL Category tab: set Service to either:
application-default
or:
service-http and/or service-https
**Enhanced Security Recommendation: **
Set these values for Policies on all Interfaces, for traffic in all directions. For each Security Policy, set the Application and Service values to match the exposed application.
Default Value:
Not Configured"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|14.6,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,LEVEL|2A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : "Verify application security policy exists for traffic from untrusted to trusted zones"
xsl_stmt : ""
xsl_stmt : "Security policy: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "No Security Policies found"
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist"
info : "Create security policies specifying application-default for the Service setting, in addition to the specific ports desired. The Service setting of any should not be used for any policies that allow traffic.
Rationale:
App-ID requires a number of packets to traverse the firewall before an application can be identified and either allowed or dropped. Due to this behavior, even when an application is defined in a security policy, a service setting of any may allow a device in one zone to perform port scans on IP addresses in a different zone. In addition, this recommendation helps to avoid an App-ID cache pollution attack.
Because of how App-ID works, configuring the service setting to 'Any' allows some initial traffic to reach the target host before App-ID can recognize and appropriately restrict the traffic. Setting the Service Setting to application specific at least restricts the traffic to the target applications or protocols for that initial volume of traffic."
solution : "Navigate to Policies > Security.
For each exposed host, ensure a Security Policy exists with:
Source tab: Zone set to OUTSIDE / Address set to any
Destination tab: Zone set to DMZ / Address set to
Application tab: Application set to web-browsing (or appropriate application)
Service tab: Service set to application-default. The value of any should never be used
Default Value:
Not Configured"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|9.2,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Security Profile '' has a Service setting of 'ANY'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security Profile '' does not have a Service setting of 'ANY'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Security Profiles found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
type : AUDIT_XML
description : "7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists"
info : "Create a pair of security rules at the top of the security policies ruleset to block traffic to and from IP addresses known to be malicious.
Note: This recommendation (as written) requires a Palo Alto Networks 'Threat Prevention License'. Third Party and Open Source Threat Intelligence Feeds can also be used for this purpose.
Rationale:
Creating rules that block traffic to/from known malicious sites from Trusted Threat Intelligence Sources protects you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
Impact:
While not foolproof, simply blocking traffic from known malicious hosts allows more resources to be devoted to analyzing traffic from other sources for malicious content. This approach is a recommended part of most 'Defense in Depth' recommendations, allowing defenders to focus more deeply on traffic from uncategorized sources."
solution : "Navigate to Policies > Security
Create a Security Policy similar to:
General tab: Name set to Deny to Malicious IP
Source tab: Source Zone set to Any,
Destination tab: Destination Zone set to Any, Destination Address set to Palo Alto Networks - Known malicious IP addresses,Palo Alto Networks - High risk IP addresses, Palo Alto Networks - Tor exit IP addresses, Palo Alto Networks - Bulletproof IP addresses
Application tab: Application set to Any
Service/URL Category tab: Service set to Any
Actions tab: Action set to Block, Profile Type set to None
Create a Security Policy similar to:
General tab: Name set to Deny from Malicious IP
Source tab: Source Zone set to Any, Source Address set to Palo Alto Networks - Known malicious IP addresses,Palo Alto Networks - High risk IP addresses, Palo Alto Networks - Tor exit IP addresses, Palo Alto Networks - Bulletproof IP addresses
Destination tab: Destination Zone set to Any
Application tab: Application set to Any
Service/URL Category tab: Service set to Any
Actions tab: Action set to Block, Profile Type set to None
Note: This recommendation requires a Palo Alto Networks 'Threat Prevention License'
Default Value:
Not Configured"
reference : "800-171|3.1.1,800-171|3.1.4,800-171|3.1.5,800-171|3.8.1,800-171|3.8.2,800-171|3.8.3,800-53|AC-3,800-53|AC-5,800-53|AC-6,800-53|MP-2,800-53r5|AC-3,800-53r5|AC-5,800-53r5|AC-6,800-53r5|MP-2,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CN-L3|8.1.4.2(d),CN-L3|8.1.4.2(f),CN-L3|8.1.4.11(b),CN-L3|8.1.10.2(c),CN-L3|8.1.10.6(a),CN-L3|8.5.3.1,CN-L3|8.5.4.1(a),CSCv7|12.3,CSCv8|3.3,CSF|PR.AC-4,CSF|PR.DS-5,CSF|PR.PT-2,CSF|PR.PT-3,CSF2.0|PR.AA-05,CSF2.0|PR.DS-10,CSF2.0|PR.IR-01,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),ISO/IEC-27001|A.6.1.2,ISO/IEC-27001|A.9.4.1,ISO/IEC-27001|A.9.4.5,ITSG-33|AC-3,ITSG-33|AC-5,ITSG-33|AC-6,ITSG-33|MP-2,ITSG-33|MP-2a.,LEVEL|1A,NESA|T1.3.2,NESA|T1.3.3,NESA|T1.4.1,NESA|T4.2.1,NESA|T5.1.1,NESA|T5.2.2,NESA|T5.4.1,NESA|T5.4.4,NESA|T5.4.5,NESA|T5.5.4,NESA|T5.6.1,NESA|T7.5.2,NESA|T7.5.3,NIAv2|AM1,NIAv2|AM3,NIAv2|AM23f,NIAv2|SS13c,NIAv2|SS15c,NIAv2|SS29,PCI-DSSv3.2.1|7.1.2,PCI-DSSv4.0|7.2.1,PCI-DSSv4.0|7.2.2,QCSC-v1|3.2,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|5.1,TBA-FIISB|31.1,TBA-FIISB|31.4.2,TBA-FIISB|31.4.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Security policy: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Does not meet criteria - Security policy: ''"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "No Security Policies found"
xsl_stmt : ""
regex : ".*"
expect : "Passed"
type : AUDIT_XML
description : "7.4 Ensure that logging is enabled on built-in default security policies"
info : "Enable logging on built-in default security policies 'intrazone-default' and 'interzone-default'
Rationale:
By default, these default security policies do not have logging enabled. Enabling it allows SOC or security analysts to perform further investigation of security incidents, especially during threat hunting or incident response activities."
solution : "Navigate to Policies > Security
Go to default policies intrazone-default and interzone-default. On Actions tab, enable Log at Session End on log setting.
Default Value:
Disabled"
reference : "800-171|3.14.6,800-171|3.14.7,800-53|SI-4,800-53|SI-4(4),800-53r5|SI-4,800-53r5|SI-4(4),CN-L3|7.1.2.2(c),CN-L3|7.1.3.5(a),CN-L3|8.1.10.5(b),CN-L3|8.1.10.6(f),CSCv7|6.3,CSCv8|13.6,CSF|DE.AE-1,CSF|DE.AE-2,CSF|DE.AE-3,CSF|DE.AE-4,CSF|DE.CM-1,CSF|DE.CM-5,CSF|DE.CM-6,CSF|DE.CM-7,CSF|DE.DP-2,CSF|DE.DP-3,CSF|DE.DP-4,CSF|DE.DP-5,CSF|ID.RA-1,CSF|PR.DS-5,CSF|PR.IP-8,CSF|RS.AN-1,CSF|RS.CO-3,CSF2.0|DE.AE-02,CSF2.0|DE.AE-03,CSF2.0|DE.CM-01,CSF2.0|DE.CM-06,CSF2.0|DE.CM-09,CSF2.0|ID.IM-01,CSF2.0|ID.IM-02,CSF2.0|ID.IM-03,CSF2.0|ID.RA-01,CSF2.0|PR.DS-01,CSF2.0|PR.DS-02,CSF2.0|PR.DS-10,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(b),ITSG-33|SI-4,ITSG-33|SI-4(4),LEVEL|1M,NESA|M1.2.2,NIAv2|NS32,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|5.2.3,QCSC-v1|6.2,QCSC-v1|8.2.1,QCSC-v1|10.2.1,QCSC-v1|11.2,SWIFT-CSCv1|6.5"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: interzone-default - Log at Session End enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: interzone-default - Log at Session End disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed: intrazone-default - Log at Session End enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed: intrazone-default - Log at Session End disabled"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Panorama model"
api_request_type : "version"
request : ""
xsl_stmt : ""
expect : "Panorama"
type : AUDIT_XML
description : "Panorama system-mode"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "(?i)Panorama(?-i)"
type : AUDIT_XML
description : "Policies"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " Passed - Decryption Profile '' is set to type 'SSL Forward Proxy'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Decryption Profiles using 'SSL Forward Proxy' found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Invalid Categories"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Passed - Decryption Profile '' is not blocking categories 'Financial Services' and 'Health and Medicine'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - Decryption Profile '' is blocking categories 'Financial Services' and/or 'Health and Medicine'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Decryption Profiles using 'SSL Forward Proxy' found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
description : "8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured"
info : "Configure SSL Forward Proxy for all traffic destined to the Internet. In most organizations, including all categories except financial-services, government and health-and-medicine is recommended.
Rationale:
Without SSL inspection, the firewall cannot apply many of its protection features against encrypted traffic. The amount of encrypted malware traffic continues to rise, and legitimate websites using SSL encryption are hacked or tricked into delivering malware on a frequent basis. As encryption on the Internet continues to grow at a rapid rate, SSL inspection is no longer optional as a practical security measure. If proper decryption is not configured, it follows that the majority of traffic is not being fully inspected for malicious content or policy violations. This is a major exposure, allowing delivery of exploits and payloads direct to user desktops.
Note that the categories to be decrypted are highly dependent on each organization's policy.
Impact:
Failure to decrypt outbound traffic allows attackers to mask attacks, data exfiltration and/or command and control (C2) traffic by simply using standard TLS encryption. Privacy concerns for your organization's users will dictate that some common categories should be exempted from inspection and decryption. Personal banking or healthcare information is almost always exempted, as are interactions with government entities. Exemptions and inclusions to decryption policies should be negotiated internally and governed by published Corporate Policies."
solution : "Navigate to Policies > Decryption.
Create a Policy for all traffic destined to the Internet. This Policy should include:
Source tab: The Source Zone and/or Source Address should include all target internal networks. Source User should include all target internal users
Destination tab: The Destination Zone should include the untrusted target zone (usually the internet). Destination Address is typically Any for an internet destination.
Service/URL Category tab: all URL Category entries should be included except financial-services, government and health-and-medicine (this list may vary depending on your organization and its policies).
Options tab: Type set to SSL Forward Proxy
Default Value:
Not Configured"
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|12.9,CSCv7|12.10,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS"
info : "Configure SSL Inbound Inspection for all untrusted traffic destined for servers using SSL or TLS.
Rationale:
Without SSL Inbound Inspection, the firewall is not able to protect SSL or TLS-enabled webservers against many threats.
Impact:
Not decrypting inbound traffic to TLS encrypted services means that inspection for many common attacks cannot occur on the firewall. This means that all defenses against these attacks are up to the host.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Navigate to Policies > Decryption.
Set SSL Inbound Inspection appropriately for all untrusted traffic destined for servers using SSL or TLS.
Navigate to Policies > Decryption. For each service published to the internet (or other untrusted zones), create a Policy and set the following options:
General tab: Name set to a descriptive name
Source: Source Zone set to the target zone (Internet in many cases). Source Address set to the target address space (Any for internet traffic)
Destination tab: Destination Zone should be set to the appropriate zone, or Any. Destination Address set to the target host address
Options tab: Type set to SSL Inbound Inspection
Default Value:
Not Configured"
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|12.9,CSCv7|12.10,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1M,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " Decryption Profile '' is set to type 'SSL Inbound Inspection'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " No Decryption Profiles using 'SSL Inbound Inspection' found"
xsl_stmt : ""
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "8.3 Ensure that the Certificate used for Decryption is Trusted"
info : "The CA Certificate used for in-line HTTP Man in the Middle should be trusted by target users. For SSL Forward Proxy configurations, there are classes of users that need to be considered.
1: Users that are members of the organization, and users of machines under the control of the organization. For these people and machines, ensure that the CA Certificate is in one of the Trusted CA certificate stores. This is easily done in Active Directory, using Group Policies for instance. An MDM (Mobile Device Manager) can be used to accomplish the same task for mobile devices such as telephones or tablets. Other central management or orchestration tools can be used for Linux or 'IoT' (Internet of Things) devices.
2: Users that are not members of the organization - often these are classed as 'Visitors' in the policies of the organization. If a public CA Certificate is a possibility for your organization, then that is one approach. A second approach is to not decrypt the affected traffic - this is easily done, but leaves the majority of 'visitor' traffic uninspected and potentially carrying malicious content. The final approach, and the one most commonly seen, is to use the same certificate as is used for the hosting organization. In this last case, visitors will see a certificate warning, but the issuing CA will be the organization that they are visiting.
Rationale:
Using a self-signed certificate, or any certificate that generates a warning in the browser, means that members of the organization have no method of determining if they are being presented with a legitimate certificate, or an attacker's 'man in the middle' certificate. It also very rapidly teaches members of the organization to bypass all security warnings of this type."
solution : "Set the CA Certificate(s):
Navigate to Device > Certificate Management > Certificates. Import the appropriate CA Certificates from any internal Certificate Authorities.
Alternatively, generate a self-signed certificate for an internal CA on the firewall, and then import the root certificate for that CA into the trusted CA list of target clients. In an Active Directory environment this can be facilitated using a Group Policy.
Set the Certificate Profile needed for the SSL Forward Proxy:
Navigate to Device > Certificate Management > Certificate Profile.
Set the decryption profile to include the settings described in the SSL Forward Proxy guidance in this document.
Default Value:
Decryption is not enabled by default."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|12.9,CSCv7|12.10,CSCv8|13.9,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,LEVEL|2A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "config"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Panorama Template: "
xsl_stmt : ""
xsl_stmt : " Passed - Decryption Profile '' is set to type 'SSL Forward Proxy'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : " Failed - No Decryption Profiles using 'SSL Forward Proxy' found"
xsl_stmt : ""
xsl_stmt : ""
not_expect : "Failed"
type : AUDIT_XML
description : "Policies"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Decryption Profile '' is set to type 'SSL Forward Proxy'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Decryption Profiles using 'SSL Forward Proxy' found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
type : AUDIT_XML
description : "Invalid Categories"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Decryption Profile '' is not blocking categories 'Financial Services' and 'Health and Medicine'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - Decryption Profile '' is blocking categories 'Financial Services' and/or 'Health and Medicine'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Decryption Profiles using 'SSL Forward Proxy' found"
xsl_stmt : ""
regex : "(Passed|Failed)"
not_expect : "Failed"
description : "8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured"
info : "Configure SSL Forward Proxy for all traffic destined to the Internet. In most organizations, including all categories except financial-services, government and health-and-medicine is recommended.
Rationale:
Without SSL inspection, the firewall cannot apply many of its protection features against encrypted traffic. The amount of encrypted malware traffic continues to rise, and legitimate websites using SSL encryption are hacked or tricked into delivering malware on a frequent basis. As encryption on the Internet continues to grow at a rapid rate, SSL inspection is no longer optional as a practical security measure. If proper decryption is not configured, it follows that the majority of traffic is not being fully inspected for malicious content or policy violations. This is a major exposure, allowing delivery of exploits and payloads direct to user desktops.
Note that the categories to be decrypted are highly dependent on each organization's policy.
Impact:
Failure to decrypt outbound traffic allows attackers to mask attacks, data exfiltration and/or command and control (C2) traffic by simply using standard TLS encryption. Privacy concerns for your organization's users will dictate that some common categories should be exempted from inspection and decryption. Personal banking or healthcare information is almost always exempted, as are interactions with government entities. Exemptions and inclusions to decryption policies should be negotiated internally and governed by published Corporate Policies."
solution : "Navigate to Policies > Decryption.
Create a Policy for all traffic destined to the Internet. This Policy should include:
Source tab: The Source Zone and/or Source Address should include all target internal networks. Source User should include all target internal users
Destination tab: The Destination Zone should include the untrusted target zone (usually the internet). Destination Address is typically Any for an internet destination.
Service/URL Category tab: all URL Category entries should be included except financial-services, government and health-and-medicine (this list may vary depending on your organization and its policies).
Options tab: Type set to SSL Forward Proxy
Default Value:
Not Configured"
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|12.9,CSCv7|12.10,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1A,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
show_output : YES
type : AUDIT_XML
description : "8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS"
info : "Configure SSL Inbound Inspection for all untrusted traffic destined for servers using SSL or TLS.
Rationale:
Without SSL Inbound Inspection, the firewall is not able to protect SSL or TLS-enabled webservers against many threats.
Impact:
Not decrypting inbound traffic to TLS encrypted services means that inspection for many common attacks cannot occur on the firewall. This means that all defenses against these attacks are up to the host.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance."
solution : "Navigate to Policies > Decryption.
Set SSL Inbound Inspection appropriately for all untrusted traffic destined for servers using SSL or TLS.
Navigate to Policies > Decryption. For each service published to the internet (or other untrusted zones), create a Policy and set the following options:
General tab: Name set to a descriptive name
Source: Source Zone set to the target zone (Internet in many cases). Source Address set to the target address space (Any for internet traffic)
Destination tab: Destination Zone should be set to the appropriate zone, or Any. Destination Address set to the target host address
Options tab: Type set to SSL Inbound Inspection
Default Value:
Not Configured"
reference : "800-171|3.1.13,800-171|3.5.2,800-171|3.13.8,800-53|AC-17(2),800-53|IA-5,800-53|IA-5(1),800-53|SC-8,800-53|SC-8(1),800-53r5|AC-17(2),800-53r5|IA-5,800-53r5|IA-5(1),800-53r5|SC-8,800-53r5|SC-8(1),CN-L3|7.1.2.7(g),CN-L3|7.1.3.1(d),CN-L3|8.1.2.2(a),CN-L3|8.1.2.2(b),CN-L3|8.1.4.1(c),CN-L3|8.1.4.7(a),CN-L3|8.1.4.8(a),CN-L3|8.2.4.5(c),CN-L3|8.2.4.5(d),CN-L3|8.5.2.2,CSCv7|12.9,CSCv7|12.10,CSCv8|3.10,CSF|PR.AC-1,CSF|PR.AC-3,CSF|PR.DS-2,CSF|PR.DS-5,CSF|PR.PT-4,CSF2.0|PR.AA-01,CSF2.0|PR.AA-03,CSF2.0|PR.AA-05,CSF2.0|PR.DS-02,GDPR|32.1.a,GDPR|32.1.b,HIPAA|164.306(a)(1),HIPAA|164.312(a)(1),HIPAA|164.312(a)(2)(i),HIPAA|164.312(d),HIPAA|164.312(e)(1),HIPAA|164.312(e)(2)(i),ISO/IEC-27001|A.6.2.2,ISO/IEC-27001|A.10.1.1,ISO/IEC-27001|A.13.2.3,ITSG-33|AC-17(2),ITSG-33|IA-5,ITSG-33|IA-5(1),ITSG-33|SC-8,ITSG-33|SC-8a.,ITSG-33|SC-8(1),LEVEL|1M,NESA|T4.3.1,NESA|T4.3.2,NESA|T4.5.1,NESA|T4.5.2,NESA|T5.2.3,NESA|T5.4.2,NESA|T7.3.3,NESA|T7.4.1,NIAv2|AM37,NIAv2|IE8,NIAv2|IE9,NIAv2|IE12,NIAv2|NS5d,NIAv2|NS6b,NIAv2|NS29,NIAv2|SS24,PCI-DSSv3.2.1|2.3,PCI-DSSv3.2.1|4.1,PCI-DSSv4.0|2.2.7,PCI-DSSv4.0|4.2.1,QCSC-v1|3.2,QCSC-v1|5.2.1,QCSC-v1|5.2.2,QCSC-v1|6.2,QCSC-v1|13.2,SWIFT-CSCv1|2.1,SWIFT-CSCv1|2.6,SWIFT-CSCv1|4.1,TBA-FIISB|29.1"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Decryption Profile '' is set to type 'SSL Inbound Inspection'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "No Decryption Profiles using 'SSL Inbound Inspection' found"
xsl_stmt : ""
regex : ".*"
expect : "Manual Review Required"
severity : MEDIUM
type : AUDIT_XML
description : "8.3 Ensure that the Certificate used for Decryption is Trusted"
info : "The CA Certificate used for in-line HTTP Man in the Middle should be trusted by target users. For SSL Forward Proxy configurations, there are classes of users that need to be considered.
1: Users that are members of the organization, and users of machines under the control of the organization. For these people and machines, ensure that the CA Certificate is in one of the Trusted CA certificate stores. This is easily done in Active Directory, using Group Policies for instance. An MDM (Mobile Device Manager) can be used to accomplish the same task for mobile devices such as telephones or tablets. Other central management or orchestration tools can be used for Linux or 'IoT' (Internet of Things) devices.
2: Users that are not members of the organization - often these are classed as 'Visitors' in the policies of the organization. If a public CA Certificate is a possibility for your organization, then that is one approach. A second approach is to not decrypt the affected traffic - this is easily done, but leaves the majority of 'visitor' traffic uninspected and potentially carrying malicious content. The final approach, and the one most commonly seen, is to use the same certificate as is used for the hosting organization. In this last case, visitors will see a certificate warning, but the issuing CA will be the organization that they are visiting.
Rationale:
Using a self-signed certificate, or any certificate that generates a warning in the browser, means that members of the organization have no method of determining if they are being presented with a legitimate certificate, or an attacker's 'man in the middle' certificate. It also very rapidly teaches members of the organization to bypass all security warnings of this type."
solution : "Set the CA Certificate(s):
Navigate to Device > Certificate Management > Certificates. Import the appropriate CA Certificates from any internal Certificate Authorities.
Alternatively, generate a self-signed certificate for an internal CA on the firewall, and then import the root certificate for that CA into the trusted CA list of target clients. In an Active Directory environment this can be facilitated using a Group Policy.
Set the Certificate Profile needed for the SSL Forward Proxy:
Navigate to Device > Certificate Management > Certificate Profile.
Set the decryption profile to include the settings described in the SSL Forward Proxy guidance in this document.
Default Value:
Decryption is not enabled by default."
reference : "800-171|3.4.2,800-171|3.4.6,800-171|3.4.7,800-53|CM-6,800-53|CM-7,800-53r5|CM-6,800-53r5|CM-7,CSCv7|12.9,CSCv7|12.10,CSCv8|13.9,CSF|PR.IP-1,CSF|PR.PT-3,CSF2.0|DE.CM-09,CSF2.0|PR.PS-01,GDPR|32.1.b,HIPAA|164.306(a)(1),ITSG-33|CM-6,ITSG-33|CM-7,LEVEL|1A,LEVEL|2A,NIAv2|SS15a,PCI-DSSv3.2.1|2.2.2,SWIFT-CSCv1|2.3"
see_also : "https://workbench.cisecurity.org/benchmarks/17915"
api_request_type : "op"
request : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Passed - Decryption Profile '' is set to type 'SSL Forward Proxy'"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "Failed - No Decryption Profiles using 'SSL Forward Proxy' found"
xsl_stmt : ""
regex : ".*"
not_expect : "Failed"
description : "Safeguard Palo Alto Firewall v1.2.0"
info : "NOTE: Nessus has not identified that the chosen audit applies to the target device."
see_also : "https://workbench.cisecurity.org/benchmarks/17915"