| 1.1.1 Ensure 'Login Banner' is set | CONFIGURATION MANAGEMENT |
| 1.1.2 Ensure 'Enable Log on High DP Load' is enabled | AUDIT AND ACCOUNTABILITY |
| 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| 1.3.1 Ensure 'Minimum Password Complexity' is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 | ACCESS CONTROL |
| 1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 | ACCESS CONTROL |
| 1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1 | ACCESS CONTROL |
| 1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1 | ACCESS CONTROL |
| 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days | ACCESS CONTROL |
| 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords | ACCESS CONTROL |
| 1.3.10 Ensure 'Password Profiles' do not exist | ACCESS CONTROL |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | ACCESS CONTROL |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | ACCESS CONTROL |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | ACCESS CONTROL |
| 1.5.1 Ensure 'V3' is selected for SNMP polling | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 1.6.1 Ensure 'Verify Update Server Identity' is enabled | CONFIGURATION MANAGEMENT |
| 1.6.2 Ensure redundant NTP servers are configured appropriately | AUDIT AND ACCOUNTABILITY |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Ensure that User-ID is only enabled for internal trusted interfaces | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.6 Ensure that the User-ID service account does not have interactive logon rights | ACCESS CONTROL |
| 2.7 Ensure remote access capabilities for the User-ID service account are forbidden. | ACCESS CONTROL |
| 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 3.1 Ensure a fully-synchronized High Availability peer is configured | CONFIGURATION MANAGEMENT |
| 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring | CONFIGURATION MANAGEMENT |
| 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition | CONFIGURATION MANAGEMENT |
| 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition | CONFIGURATION MANAGEMENT |
| 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Setings | CONFIGURATION MANAGEMENT |
| 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State | CONFIGURATION MANAGEMENT |
| 4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.1 Ensure that WildFire file size upload limits are maximized | SYSTEM AND INFORMATION INTEGRITY |
| 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles | SYSTEM AND INFORMATION INTEGRITY |
| 5.3 Ensure a WildFire Analysis profile is enabled for all security policies | SYSTEM AND INFORMATION INTEGRITY |
| 5.4 Ensure forwarding of decrypted content to WildFire is enabled | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.5 Ensure all WildFire session information settings are enabled | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 5.6 Ensure alerts are enabled for malicious files detected by WildFire - log-type 'wildfire' | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minute | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' | SYSTEM AND INFORMATION INTEGRITY |
