CIS Palo Alto Firewall 11 v1.0.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Palo Alto Firewall 11 v1.0.0 L1

Updated: 7/29/2024

Authority: CIS

Plugin: Palo_Alto

Revision: 1.5

Estimated Item Count: 72

File Details

Filename: CIS_Palo_Alto_Firewall_11_Benchmark_v1.0.0_L1.audit

Size: 575 kB

MD5: 7406268dd6078788743349bf0fd9149b
SHA256: 83c84ec64859d05dfc5e807f7f5d4a53ea2948935869084e1562b92a75ef2ead

Audit Items

Description | Categories
1.1.1.1 Syslog logging should be configured
1.1.2 Ensure 'Login Banner' is set
1.1.3 Ensure 'Enable Log on High DP Load' is enabled
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles
1.3.1 Ensure 'Minimum Password Complexity' is enabled
1.3.2 Ensure 'Minimum Length' is greater than or equal to 12
1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1
1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1
1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1
1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days
1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3
1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords
1.3.10 Ensure 'Password Profiles' do not exist
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured
1.5.1 Ensure 'V3' is selected for SNMP polling
1.6.1 Ensure 'Verify Update Server Identity' is enabled
1.6.2 Ensure redundant NTP servers are configured appropriately
1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid
2.3 Ensure that User-ID is only enabled for internal trusted interfaces
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled
2.6 Ensure that the User-ID service account does not have interactive logon rights
2.7 Ensure remote access capabilities for the User-ID service account are forbidden
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
3.1 Ensure a fully-synchronized High Availability peer is configured
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
5.1 Ensure that WildFire file size upload limits are maximized
5.2 Ensure a WildFire Analysis profile is enabled for all security policies
5.3 Ensure forwarding of decrypted content to WildFire is enabled
5.4 Ensure all WildFire session information settings are enabled
5.5 Ensure alerts are enabled for malicious files detected by WildFire
5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time
6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'
6.2 Ensure a secure antivirus profile is applied to all relevant security policies
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use
6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities
6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
6.8 Ensure that PAN-DB URL Filtering is used
6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories
6.10 Ensure that access to every URL is logged