CIS Palo Alto Firewall 9 v1.0.1 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS Palo Alto Firewall 9 v1.0.1 L1

Updated: 6/27/2023

Authority: CIS

Plugin: Palo_Alto

Revision: 1.4

Estimated Item Count: 82

File Details

Filename: CIS_Palo_Alto_Firewall_9_Benchmark_v1.0.1_L1.audit

Size: 262 kB

MD5: 642576a8ca5de73f9927dcfb6f950e3e
SHA256: e5e011e92990adea3f6e917794f55eb2d516062542303eb248fee3127ebb8e8c

Audit Items

Description | Categories
1.1.1.1 Syslog logging should be configured - configuration
1.1.1.1 Syslog logging should be configured - hip match
1.1.1.1 Syslog logging should be configured - host
1.1.1.1 Syslog logging should be configured - ip-tag
1.1.1.1 Syslog logging should be configured - system
1.1.1.1 Syslog logging should be configured - user-id
1.1.2 Ensure 'Login Banner' is set
1.1.3 Ensure 'Enable Log on High DP Load' is enabled
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet
1.3.1 Ensure 'Minimum Password Complexity' is enabled
1.3.2 Ensure 'Minimum Length' is greater than or equal to 12
1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1
1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1
1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1
1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days
1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3
1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords
1.3.10 Ensure 'Password Profiles' do not exist
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time
1.5.1 Ensure 'V3' is selected for SNMP polling
1.6.1 Ensure 'Verify Update Server Identity' is enabled
1.6.2 Ensure redundant NTP servers are configured appropriately
2.3 Ensure that User-ID is only enabled for internal trusted interfaces
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled
2.6 Ensure that the User-ID service account does not have interactive logon rights
2.7 Ensure remote access capabilities for the User-ID service account are forbidden
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
3.1 Ensure a fully-synchronized High Availability peer is configured
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Settings
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
5.1 Ensure that WildFire file size upload limits are maximized
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles
5.3 Ensure a WildFire Analysis profile is enabled for all security policies
5.4 Ensure forwarding of decrypted content to WildFire is enabled
5.5 Ensure all WildFire session information settings are enabled
5.6 Ensure alerts are enabled for malicious files detected by WildFire - log-type 'wildfire'
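The items above name what the audit checks but not how a check is evaluated against a configuration. As an added illustration (this is not Tenable's audit logic and not Palo Alto Networks code), the following Python script runs a handful of the listed checks, items 1.2.1, 1.2.3, 1.3.1, 1.3.2 and 1.4.1, against two constructed PAN-OS-style XML configurations, one weak and one compliant. The element paths used (deviceconfig/system/service/disable-http, deviceconfig/system/permitted-ip, mgt-config/password-complexity/minimum-length, deviceconfig/setting/management/idle-timeout) are the author's assumptions about the PAN-OS configuration schema and should be confirmed against the output of `show config running` on a real firewall before being relied on.

```python
"""Illustrative checks for a few of the CIS Palo Alto Firewall 9 L1 items
listed above, run against an inline PAN-OS-style XML configuration."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, abridged PAN-OS running configurations (not from a real device).
# Element names follow the PAN-OS XML schema as the author understands it;
# verify the paths against `show config running` on your own firewall.
WEAK_CONFIG = """<config>
 <mgt-config><password-complexity>
  <enabled>no</enabled><minimum-length>8</minimum-length>
 </password-complexity></mgt-config>
 <devices><entry name="localhost.localdomain"><deviceconfig>
  <system><service>
   <disable-http>no</disable-http><disable-telnet>no</disable-telnet>
  </service></system>
  <setting><management><idle-timeout>60</idle-timeout></management></setting>
 </deviceconfig></entry></devices>
</config>"""

HARDENED_CONFIG = """<config>
 <mgt-config><password-complexity>
  <enabled>yes</enabled><minimum-length>14</minimum-length>
 </password-complexity></mgt-config>
 <devices><entry name="localhost.localdomain"><deviceconfig>
  <system>
   <permitted-ip><entry name="10.20.30.0/24"/><entry name="192.0.2.10"/></permitted-ip>
   <service><disable-http>yes</disable-http><disable-telnet>yes</disable-telnet></service>
  </system>
  <setting><management><idle-timeout>10</idle-timeout></management></setting>
 </deviceconfig></entry></devices>
</config>"""

# Assumed XPaths into the PAN-OS config tree (see the lead-in).
DEVICE = "./devices/entry[@name='localhost.localdomain']/deviceconfig"
PASSWD = "./mgt-config/password-complexity"


def _text(root, path, default=None):
    """Return the stripped text of the first element at `path`, or `default`."""
    el = root.find(path)
    return el.text.strip() if el is not None and el.text else default


def audit(config_xml):
    """Map a few CIS item numbers to True (compliant) / False (non-compliant).

    An absent element is treated as non-compliant on purpose: the benchmark
    wants the setting confirmed, not inferred from a platform default.
    """
    root = ET.fromstring(config_xml)
    findings = {}

    # 1.2.1: management access limited to explicit Permitted IP Addresses.
    # An empty list or a 0.0.0.0/0 entry means "anyone", so both fail.
    permitted = [e.get("name") for e in root.findall(DEVICE + "/system/permitted-ip/entry")]
    findings["1.2.1"] = bool(permitted) and all(
        ipaddress.ip_network(p, strict=False).prefixlen > 0 for p in permitted)

    # 1.2.3: HTTP and Telnet disabled on the management interface.
    findings["1.2.3"] = all(
        _text(root, f"{DEVICE}/system/service/disable-{svc}") == "yes"
        for svc in ("http", "telnet"))

    # 1.3.1 / 1.3.2: password complexity enabled with minimum length >= 12.
    findings["1.3.1"] = _text(root, PASSWD + "/enabled") == "yes"
    findings["1.3.2"] = int(_text(root, PASSWD + "/minimum-length", "0")) >= 12

    # 1.4.1: management idle timeout of at most 10 minutes.
    # PAN-OS uses 0 to mean "never time out", so 0 must fail too.
    timeout = int(_text(root, f"{DEVICE}/setting/management/idle-timeout", "0"))
    findings["1.4.1"] = 0 < timeout <= 10
    return findings


def noncompliant(config_xml):
    """Sorted list of the item numbers that fail in `config_xml`."""
    return sorted(item for item, ok in audit(config_xml).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: failing items -> {noncompliant(cfg) or 'none'}")
```

Two design choices matter here. A missing element is scored as a failure rather than assumed to hold the platform default, because the benchmark is about confirming the setting, and a silent default is exactly what an auditor should not trust. For 1.2.1 a permitted-ip list that contains 0.0.0.0/0 is scored as a failure even though the list is non-empty, since it restricts nothing. Running the script with python3 prints the failing item numbers for each constructed configuration.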