CIS Palo Alto Firewall 11 v1.1.0 L1

Audit Details

Name: CIS Palo Alto Firewall 11 v1.1.0 L1

Updated: 11/8/2024

Authority: CIS

Plugin: Palo_Alto

Revision: 1.2

Estimated Item Count: 73

File Details

Filename: CIS_Palo_Alto_Firewall_11_Benchmark_v1.1.0_L1.audit

Size: 690 kB

MD5: 85394798c933410786a910f4434f25f1
SHA256: cd54dbdd0ba9686ca20348bd0c775f21880932cbde52caad887a6b3c524f5fd6

Audit Items

Description / Categories
1.1.1.1 Syslog logging should be configured

AUDIT AND ACCOUNTABILITY

1.1.2 Ensure 'Login Banner' is set

AWARENESS AND TRAINING, PROGRAM MANAGEMENT

1.1.3 Ensure 'Enable Log on High DP Load' is enabled

AUDIT AND ACCOUNTABILITY

1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management

ACCESS CONTROL

1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled

ACCESS CONTROL

1.2.3 Ensure HTTP and Telnet options are disabled for the management interface

CONFIGURATION MANAGEMENT

1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles

CONFIGURATION MANAGEMENT

1.3.1 Ensure 'Minimum Password Complexity' is enabled

IDENTIFICATION AND AUTHENTICATION

1.3.2 Ensure 'Minimum Length' is greater than or equal to 12

IDENTIFICATION AND AUTHENTICATION

1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1

IDENTIFICATION AND AUTHENTICATION

1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1

IDENTIFICATION AND AUTHENTICATION

1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1

IDENTIFICATION AND AUTHENTICATION

1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1

IDENTIFICATION AND AUTHENTICATION

1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days

ACCESS CONTROL

1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3

IDENTIFICATION AND AUTHENTICATION

1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords

IDENTIFICATION AND AUTHENTICATION

1.3.10 Ensure 'Password Profiles' do not exist

IDENTIFICATION AND AUTHENTICATION

1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management

ACCESS CONTROL

1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured

ACCESS CONTROL

1.5.1 Ensure 'V3' is selected for SNMP polling

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.6.1 Ensure 'Verify Update Server Identity' is enabled

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.6.2 Ensure redundant NTP servers are configured appropriately

AUDIT AND ACCOUNTABILITY

1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid

CONFIGURATION MANAGEMENT

2.3 Ensure that User-ID is only enabled for internal trusted interfaces

AUDIT AND ACCOUNTABILITY

2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled

ACCESS CONTROL

2.6 Ensure that the User-ID service account does not have interactive logon rights

ACCESS CONTROL

2.7 Ensure remote access capabilities for the User-ID service account are forbidden

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones

ACCESS CONTROL

3.1 Ensure a fully-synchronized High Availability peer is configured

SYSTEM AND INFORMATION INTEGRITY

3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring

SYSTEM AND INFORMATION INTEGRITY

3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately

SYSTEM AND INFORMATION INTEGRITY

4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

5.1 Ensure that WildFire file size upload limits are maximized

SYSTEM AND INFORMATION INTEGRITY

5.2 Ensure a WildFire Analysis profile is enabled for all security policies

SYSTEM AND INFORMATION INTEGRITY

5.3 Ensure forwarding of decrypted content to WildFire is enabled

SYSTEM AND INFORMATION INTEGRITY

5.4 Ensure all WildFire session information settings are enabled

SYSTEM AND INFORMATION INTEGRITY

5.5 Ensure alerts are enabled for malicious files detected by WildFire

SYSTEM AND INFORMATION INTEGRITY

5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time

SYSTEM AND INFORMATION INTEGRITY

5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled

SYSTEM AND INFORMATION INTEGRITY

6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'

SYSTEM AND INFORMATION INTEGRITY

6.2 Ensure a secure antivirus profile is applied to all relevant security policies

SYSTEM AND INFORMATION INTEGRITY

6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats

SYSTEM AND INFORMATION INTEGRITY

6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use

SYSTEM AND INFORMATION INTEGRITY

6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet

SYSTEM AND INFORMATION INTEGRITY

6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities

RISK ASSESSMENT

6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic

RISK ASSESSMENT

6.8 Ensure that PAN-DB URL Filtering is used

SYSTEM AND COMMUNICATIONS PROTECTION

6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories

SYSTEM AND COMMUNICATIONS PROTECTION