Jun 25, 2025 Functional Update- 6.12 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
- 6.13 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled
- 6.14 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet
- 6.15 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones
Miscellaneous- Metadata updated.
- References updated.
- Variables updated.
|
Nov 8, 2024 Functional Update- 1.1.1.1 Syslog logging should be configured
- 1.1.2 Ensure 'Login Banner' is set
- 1.1.3 Ensure 'Enable Log on High DP Load' is enabled
- 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management
- 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled
- 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface
- 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles
- 1.3.1 Ensure 'Minimum Password Complexity' is enabled
- 1.3.10 Ensure 'Password Profiles' do not exist
- 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12
- 1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1
- 1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1
- 1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1
- 1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1
- 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days
- 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3
- 1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords
- 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management
- 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured
- 1.5.1 Ensure 'V3' is selected for SNMP polling
- 1.6.1 Ensure 'Verify Update Server Identity' is enabled
- 1.6.2 Ensure redundant NTP servers are configured appropriately
- 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid
- 2.3 Ensure that User-ID is only enabled for internal trusted interfaces
- 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
- 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
- 3.1 Ensure a fully-synchronized High Availability peer is configured
- 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring
- 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately
- 4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
- 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
- 5.1 Ensure that WildFire file size upload limits are maximized
- 5.2 Ensure a WildFire Analysis profile is enabled for all security policies
- 5.3 Ensure forwarding of decrypted content to WildFire is enabled
- 5.4 Ensure all WildFire session information settings are enabled
- 5.5 Ensure alerts are enabled for malicious files detected by WildFire
- 5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time
- 5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled
- 6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'
- 6.10 Ensure that access to every URL is logged
- 6.11 Ensure all HTTP Header Logging options are enabled
- 6.12 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
- 6.13 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled
- 6.14 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet
- 6.15 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones
- 6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions
- 6.18 Ensure all zones have Zone Protection Profiles that drop specially crafted packets
- 6.19 Ensure that User Credential Submission uses the action of 'block' or 'continue' on the URL categories
- 6.2 Ensure a secure antivirus profile is applied to all relevant security policies
- 6.20 Ensure that 'Wildfire Inline ML Action' on antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'
- 6.21 Ensure that 'Wildfire Inline ML' on antivirus profiles are set to enable for all file types
- 6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles are enabled if 'Advanced Threat Prevention' is available
- 6.23 Ensure that 'Cloud Inline Categorization' on URL Filtering profiles are enabled if 'Advanced Threat Prevention' is available
- 6.24 Ensure that 'Inline Cloud Analysis' on Anti-Spyware profiles are enabled if 'Advanced Threat Prevention' is available
- 6.25 Ensure that 'DNS Policies' is configured on Anti-Spyware profiles if 'DNS Security' license is available
- 6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
- 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use
- 6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
- 6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities
- 6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
- 6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories
- 7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
- 7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
- 7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists
- 7.4 Ensure that logging is enabled on built-in default security policies
- 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured
- 8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS
- 8.3 Ensure that the Certificate used for Decryption is Trusted
|
Oct 1, 2024 Functional Update- 6.2 Ensure a secure antivirus profile is applied to all relevant security policies
- 6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
- 6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
|
