CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0

Audit Details

Name: CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0

Updated: 4/25/2022

Authority: CIS

Plugin: Palo_Alto

Revision: 1.10

Estimated Item Count: 78

File Details

Filename: CIS_Palo_Alto_Firewall_7_Benchmark_L1_v1.0.0.audit

Size: 241 kB

MD5: 9ed8052aff563f7678103ffcdb06df7d
SHA256: 7fb2eef55a94f746de4429cb7d80dcc7fb9b5dd9d78052d31b220fe1b600c880

Audit Items

Description / Categories
1.1.1 Ensure 'Login Banner' is set

ACCESS CONTROL

1.1.2 Ensure 'Enable Log on High DP Load' is enabled

AUDIT AND ACCOUNTABILITY

1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS

ACCESS CONTROL

1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP

ACCESS CONTROL

1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH

ACCESS CONTROL

1.2.3 Ensure HTTP and Telnet options are disabled for the Management Interface

CONFIGURATION MANAGEMENT

1.3.1 Ensure 'Minimum Password Complexity' is enabled

IDENTIFICATION AND AUTHENTICATION

1.3.2 Ensure 'Minimum Length' is greater than or equal to 12

IDENTIFICATION AND AUTHENTICATION

1.3.3 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords

IDENTIFICATION AND AUTHENTICATION

1.3.4 Ensure 'Required Password Change Period' is less than or equal to 90 days

IDENTIFICATION AND AUTHENTICATION

1.3.5 Ensure 'Password Profiles' do not exist

IDENTIFICATION AND AUTHENTICATION

1.3.6 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1

IDENTIFICATION AND AUTHENTICATION

1.3.7 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1

IDENTIFICATION AND AUTHENTICATION

1.3.8 Ensure 'Minimum Numeric Letters' is greater than or equal to 1

IDENTIFICATION AND AUTHENTICATION

1.3.9 Ensure 'Minimum Special Characters' is greater than or equal to 1

IDENTIFICATION AND AUTHENTICATION

1.3.10 Ensure 'Block Username Inclusion' is enabled

IDENTIFICATION AND AUTHENTICATION

1.3.11 Ensure 'New Password Differs By Characters' is greater than or equal to 3

IDENTIFICATION AND AUTHENTICATION

1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management

ACCESS CONTROL

1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts

ACCESS CONTROL

1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time

ACCESS CONTROL

1.5.1 Ensure 'V3' is selected for SNMP polling

CONFIGURATION MANAGEMENT

1.6.1 Ensure 'Verify Update Server Identity' is enabled

SYSTEM AND INFORMATION INTEGRITY

1.6.2 Ensure redundant NTP servers are configured appropriately

AUDIT AND ACCOUNTABILITY

1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals

SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Ensure that User-ID is only enabled for internal trusted interfaces

SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled

SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled

ACCESS CONTROL

2.6 Ensure that the User-ID service account does not have interactive logon rights

ACCESS CONTROL

2.7 Ensure remote access capabilities for the User-ID service account are forbidden

ACCESS CONTROL

2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Ensure a fully-synchronized High Availability peer is configured

SYSTEM AND INFORMATION INTEGRITY

3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Enabled

SYSTEM AND INFORMATION INTEGRITY

3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition

SYSTEM AND INFORMATION INTEGRITY

3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Enabled

SYSTEM AND INFORMATION INTEGRITY

3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition

SYSTEM AND INFORMATION INTEGRITY

3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Settings

SYSTEM AND INFORMATION INTEGRITY

3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State

SYSTEM AND INFORMATION INTEGRITY

4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly

SYSTEM AND INFORMATION INTEGRITY

4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates daily

SYSTEM AND INFORMATION INTEGRITY

5.1 Ensure that WildFire file size upload limits are maximized

CONFIGURATION MANAGEMENT

5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles

SYSTEM AND INFORMATION INTEGRITY

5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows

SYSTEM AND INFORMATION INTEGRITY

5.4 Ensure forwarding of decrypted content to WildFire is enabled

SYSTEM AND INFORMATION INTEGRITY

5.5 Ensure all WildFire session information settings are enabled

SYSTEM AND INFORMATION INTEGRITY

5.6 Ensure alerts are enabled for malicious files detected by WildFire

SYSTEM AND INFORMATION INTEGRITY

5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every 15 minutes

SYSTEM AND INFORMATION INTEGRITY

6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'

SYSTEM AND INFORMATION INTEGRITY