1.1.1.1 Syslog logging should be configured | AUDIT AND ACCOUNTABILITY |
1.1.2 Ensure 'Login Banner' is set | AWARENESS AND TRAINING, PROGRAM MANAGEMENT |
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | AUDIT AND ACCOUNTABILITY |
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | ACCESS CONTROL |
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled | ACCESS CONTROL |
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | CONFIGURATION MANAGEMENT |
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles | CONFIGURATION MANAGEMENT |
1.3.1 Ensure 'Minimum Password Complexity' is enabled | IDENTIFICATION AND AUTHENTICATION |
1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | IDENTIFICATION AND AUTHENTICATION |
1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days | ACCESS CONTROL |
1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 | IDENTIFICATION AND AUTHENTICATION |
1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords | IDENTIFICATION AND AUTHENTICATION |
1.3.10 Ensure 'Password Profiles' do not exist | IDENTIFICATION AND AUTHENTICATION |
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | ACCESS CONTROL |
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured | ACCESS CONTROL |
1.5.1 Ensure 'V3' is selected for SNMP polling | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.6.1 Ensure 'Verify Update Server Identity' is enabled | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
1.6.2 Ensure redundant NTP servers are configured appropriately | AUDIT AND ACCOUNTABILITY |
1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid | CONFIGURATION MANAGEMENT |
2.3 Ensure that User-ID is only enabled for internal trusted interfaces | AUDIT AND ACCOUNTABILITY |
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | ACCESS CONTROL |
2.6 Ensure that the User-ID service account does not have interactive logon rights | ACCESS CONTROL |
2.7 Ensure remote access capabilities for the User-ID service account are forbidden. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | ACCESS CONTROL |
3.1 Ensure a fully-synchronized High Availability peer is configured | SYSTEM AND INFORMATION INTEGRITY |
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring | SYSTEM AND INFORMATION INTEGRITY |
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately | SYSTEM AND INFORMATION INTEGRITY |
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
5.1 Ensure that WildFire file size upload limits are maximized | SYSTEM AND INFORMATION INTEGRITY |
5.2 Ensure a WildFire Analysis profile is enabled for all security policies | SYSTEM AND INFORMATION INTEGRITY |
5.3 Ensure forwarding of decrypted content to WildFire is enabled | SYSTEM AND INFORMATION INTEGRITY |
5.4 Ensure all WildFire session information settings are enabled | SYSTEM AND INFORMATION INTEGRITY |
5.5 Ensure alerts are enabled for malicious files detected by WildFire | SYSTEM AND INFORMATION INTEGRITY |
5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time | SYSTEM AND INFORMATION INTEGRITY |
5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled | SYSTEM AND INFORMATION INTEGRITY |
6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3' | SYSTEM AND INFORMATION INTEGRITY |
6.2 Ensure a secure antivirus profile is applied to all relevant security policies | SYSTEM AND INFORMATION INTEGRITY |
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats | SYSTEM AND INFORMATION INTEGRITY |
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use | SYSTEM AND INFORMATION INTEGRITY |
6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet | SYSTEM AND INFORMATION INTEGRITY |
6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities | RISK ASSESSMENT |
6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic | RISK ASSESSMENT |
6.8 Ensure that PAN-DB URL Filtering is used | SYSTEM AND COMMUNICATIONS PROTECTION |
6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories | SYSTEM AND COMMUNICATIONS PROTECTION |