| 1.1.1.1 Syslog logging should be configured - configuration | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - hip match | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - host | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - ip-tag | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - system | AUDIT AND ACCOUNTABILITY |
| 1.1.1.1 Syslog logging should be configured - user-id | AUDIT AND ACCOUNTABILITY |
| 1.1.2 Ensure 'Login Banner' is set | AWARENESS AND TRAINING, PROGRAM MANAGEMENT |
| 1.1.3 Ensure 'Enable Log on High DP Load' is enabled | AUDIT AND ACCOUNTABILITY |
| 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.3.1 Ensure 'Minimum Password Complexity' is enabled | IDENTIFICATION AND AUTHENTICATION |
| 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days | ACCESS CONTROL |
| 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 | IDENTIFICATION AND AUTHENTICATION |
| 1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords | IDENTIFICATION AND AUTHENTICATION |
| 1.3.10 Ensure 'Password Profiles' do not exist | IDENTIFICATION AND AUTHENTICATION |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | ACCESS CONTROL |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.5.1 Ensure 'V3' is selected for SNMP polling | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.6.1 Ensure 'Verify Update Server Identity' is enabled | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.6.2 Ensure redundant NTP servers are configured appropriately | AUDIT AND ACCOUNTABILITY |
| 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid | CONFIGURATION MANAGEMENT |
| 2.3 Ensure that User-ID is only enabled for internal trusted interfaces | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | ACCESS CONTROL |
| 2.6 Ensure that the User-ID service account does not have interactive logon rights | ACCESS CONTROL |
| 2.7 Ensure remote access capabilities for the User-ID service account are forbidden. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | ACCESS CONTROL |
| 3.1 Ensure a fully-synchronized High Availability peer is configured | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Setings | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 5.1 Ensure that WildFire file size upload limits are maximized | SYSTEM AND INFORMATION INTEGRITY |
| 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles | SYSTEM AND INFORMATION INTEGRITY |
| 5.3 Ensure a WildFire Analysis profile is enabled for all security policies | SYSTEM AND INFORMATION INTEGRITY |
| 5.4 Ensure forwarding of decrypted content to WildFire is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 5.5 Ensure all WildFire session information settings are enabled | SYSTEM AND INFORMATION INTEGRITY |
