Detections
Analytics

CIS Palo Alto Firewall 11 v1.1.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Palo Alto Firewall 11 v1.1.0 L1

Updated: 12/22/2025

Authority: CIS

Plugin: Palo_Alto

Revision: 1.4

Estimated Item Count: 73

File Details

Filename: CIS_Palo_Alto_Firewall_11_Benchmark_v1.1.0_L1.audit

Size: 603 kB

MD5: a247df0545cc2dc1c3ee5d49479b615a
SHA256: 935d81bafb7297e1c3fc2e81e87816e9e4e56e8754552acfcea8afa692b3da9d

Audit Items

DescriptionCategories
1.1.1.1 Syslog logging should be configured
1.1.2 Ensure 'Login Banner' is set
1.1.3 Ensure 'Enable Log on High DP Load' is enabled
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles
1.3.1 Ensure 'Minimum Password Complexity' is enabled
1.3.2 Ensure 'Minimum Length' is greater than or equal to 12
1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1
1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1
1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1
1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days
1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3
1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords
1.3.10 Ensure 'Password Profiles' do not exist
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured
1.5.1 Ensure 'V3' is selected for SNMP polling
1.6.1 Ensure 'Verify Update Server Identity' is enabled
1.6.2 Ensure redundant NTP servers are configured appropriately
1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid
2.3 Ensure that User-ID is only enabled for internal trusted interfaces
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled
2.6 Ensure that the User-ID service account does not have interactive logon rights
2.7 Ensure remote access capabilities for the User-ID service account are forbidden.
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
3.1 Ensure a fully-synchronized High Availability peer is configured
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
5.1 Ensure that WildFire file size upload limits are maximized
5.2 Ensure a WildFire Analysis profile is enabled for all security policies
5.3 Ensure forwarding of decrypted content to WildFire is enabled
5.4 Ensure all WildFire session information settings are enabled
5.5 Ensure alerts are enabled for malicious files detected by WildFire
5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time
5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled
6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'
6.2 Ensure a secure antivirus profile is applied to all relevant security policies
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use
6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities
6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
6.8 Ensure that PAN-DB URL Filtering is used
6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories