| 1.1 Ensure DNS server is configured | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2 Ensure intra-zone traffic is not always allowed | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.3 Disable all management related services on WAN port | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.1.1 Ensure 'Pre-Login Banner' is set - enable | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.1.1 Ensure 'Pre-Login Banner' is set - warning message | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.1.2 Ensure 'Post-Login-Banner' is set - enable | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.1.2 Ensure 'Post-Login-Banner' is set - warning message | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.1.3 Ensure timezone is properly configured | AUDIT AND ACCOUNTABILITY |
| 2.1.4 Ensure correct system time is configured through NTP | AUDIT AND ACCOUNTABILITY |
| 2.1.5 Ensure hostname is set | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.1.10 Ensure management GUI listens on secure TLS version | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.1 Ensure 'Password Policy' is enabled | IDENTIFICATION AND AUTHENTICATION |
| 2.2.2 Ensure administrator password retries and lockout time are configured | ACCESS CONTROL |
| 2.4.1 Ensure default 'admin' password is changed | IDENTIFICATION AND AUTHENTICATION |
| 2.4.2 Ensure all the login accounts having specific trusted hosts enabled | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 2.4.3 Ensure admin accounts with different privileges have their correct profiles assigned | ACCESS CONTROL |
| 2.4.4 Ensure idle timeout time is configured | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.4.5 Ensure only encrypted access channels are enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4.6 Apply Local-in Policies | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, MEDIA PROTECTION, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4.7 Ensure default Admin ports are changed | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, MEDIA PROTECTION, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.2 Ensure 'Monitor Interfaces' for High Availability devices is enabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.5.3 Ensure HA Reserved Management Interface is configured | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.2 Ensure that policies do not use 'ALL' as Service - ALL as Service | ACCESS CONTROL, MEDIA PROTECTION |
| 3.3 Ensure firewall policy denying all traffic to/from Tor, malicious server, or scanner IP addresses using ISDB | ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4 Ensure logging is enabled on all firewall policies | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.1.2 Apply IPS Security Profile to Policies | RISK ASSESSMENT |
| 4.3.2 Ensure DNS Filter logs all DNS queries and responses | AUDIT AND ACCOUNTABILITY |
| 4.3.3 Apply DNS Filter Security Profile to Policies | SYSTEM AND INFORMATION INTEGRITY |
| 4.4.1 Block high risk categories on Application Control | ACCESS CONTROL, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.3 Ensure all Application Control related traffic is logged | SYSTEM AND INFORMATION INTEGRITY |
| 4.4.4 Apply Application Control Security Profile to Policies | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.1 Enable Compromised Host Quarantine | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
