CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0

Audit Details

Name: CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0

Updated: 4/25/2022

Authority: CIS

Plugin: Palo_Alto

Revision: 1.10

Estimated Item Count: 80

File Details

Filename: CIS_Palo_Alto_Firewall_8_Benchmark_L1_v1.0.0.audit

Size: 276 kB

MD5: c25a030851ae6f90b97001fc9847e978
SHA256: e00c0bf9698510e6114ca9b4a7c5c783a9ec6865ea14eb84d4d52307702f82aa

Audit Items

DescriptionCategories
1.1.1 Ensure 'Login Banner' is set

CONFIGURATION MANAGEMENT

1.1.2 Ensure 'Enable Log on High DP Load' is enabled

AUDIT AND ACCOUNTABILITY

1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS

SYSTEM AND COMMUNICATIONS PROTECTION

1.2.3 Ensure HTTP and Telnet options are disabled for the management interface

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY

1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY

1.3.1 Ensure 'Minimum Password Complexity' is enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.3.2 Ensure 'Minimum Length' is greater than or equal to 12

IDENTIFICATION AND AUTHENTICATION

1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1

ACCESS CONTROL

1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1

ACCESS CONTROL

1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1

ACCESS CONTROL

1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1

ACCESS CONTROL

1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days

ACCESS CONTROL

1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords

ACCESS CONTROL

1.3.10 Ensure 'Password Profiles' do not exist

ACCESS CONTROL

1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management

ACCESS CONTROL

1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts

ACCESS CONTROL

1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time

ACCESS CONTROL

1.5.1 Ensure 'V3' is selected for SNMP polling

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

1.6.1 Ensure 'Verify Update Server Identity' is enabled

CONFIGURATION MANAGEMENT

1.6.2 Ensure redundant NTP servers are configured appropriately

AUDIT AND ACCOUNTABILITY

1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways

SYSTEM AND COMMUNICATIONS PROTECTION

1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals

SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Ensure that User-ID is only enabled for internal trusted interfaces

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled

ACCESS CONTROL, CONFIGURATION MANAGEMENT

2.6 Ensure that the User-ID service account does not have interactive logon rights

ACCESS CONTROL

2.7 Ensure remote access capabilities for the User-ID service account are forbidden.

ACCESS CONTROL

2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

3.1 Ensure a fully-synchronized High Availability peer is configured

CONFIGURATION MANAGEMENT

3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring

CONFIGURATION MANAGEMENT

3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition

CONFIGURATION MANAGEMENT

3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition

CONFIGURATION MANAGEMENT

3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Setings

CONFIGURATION MANAGEMENT

3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State

CONFIGURATION MANAGEMENT

4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly

SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals

SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

5.1 Ensure that WildFire file size upload limits are maximized

SYSTEM AND INFORMATION INTEGRITY

5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles

SYSTEM AND INFORMATION INTEGRITY

5.3 Ensure a WildFire Analysis profile is enabled for all security policies

SYSTEM AND INFORMATION INTEGRITY

5.4 Ensure forwarding of decrypted content to WildFire is enabled

SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

5.5 Ensure all WildFire session information settings are enabled

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

5.6 Ensure alerts are enabled for malicious files detected by WildFire - log-type 'wildfire'

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minute

SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'

SYSTEM AND INFORMATION INTEGRITY