| 1.1.1.1 Syslog logging should be configured - configuration | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - hip match | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - host | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - ip-tag | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - system | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - user-id | AUDIT AND ACCOUNTABILITY |
| 1.1.2 Ensure 'Login Banner' is set | AWARENESS AND TRAINING, PROGRAM MANAGEMENT |
| 1.1.3 Ensure 'Enable Log on High DP Load' is enabled | AUDIT AND ACCOUNTABILITY |
| 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.3.1 Ensure 'Minimum Password Complexity' is enabled | IDENTIFICATION AND AUTHENTICATION |
| 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days | ACCESS CONTROL |
| 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords | IDENTIFICATION AND AUTHENTICATION |
| 1.3.10 Ensure 'Password Profiles' do not exist | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, PLANNING, PROGRAM MANAGEMENT, RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | ACCESS CONTROL |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.5.1 Ensure 'V3' is selected for SNMP polling | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.6.1 Ensure 'Verify Update Server Identity' is enabled | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.6.2 Ensure redundant NTP servers are configured appropriately | AUDIT AND ACCOUNTABILITY |
| 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid - Certificates | CONFIGURATION MANAGEMENT |
| 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid - GlobalProtect Gateways | CONFIGURATION MANAGEMENT |
| 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid - GlobalProtect Portals | CONFIGURATION MANAGEMENT |
| 2.3 Ensure that User-ID is only enabled for internal trusted interfaces | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | ACCESS CONTROL |
| 2.6 Ensure that the User-ID service account does not have interactive logon rights | ACCESS CONTROL |
| 2.7 Ensure remote access capabilities for the User-ID service account are forbidden. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | ACCESS CONTROL |
| 3.1 Ensure a fully-synchronized High Availability peer is configured | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Setings | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.1 Ensure that WildFire file size upload limits are maximized | SYSTEM AND INFORMATION INTEGRITY |
| 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles | SYSTEM AND INFORMATION INTEGRITY |
| 5.3 Ensure a WildFire Analysis profile is enabled for all security policies | SYSTEM AND INFORMATION INTEGRITY |
