CIS Palo Alto Firewall 9 v1.1.0 L1

Audit Details

Name: CIS Palo Alto Firewall 9 v1.1.0 L1

Updated: 7/9/2024

Authority: CIS

Plugin: Palo_Alto

Revision: 1.2

Estimated Item Count: 83

File Details

Filename: CIS_Palo_Alto_Firewall_9_Benchmark_v1.1.0_L1.audit

Size: 332 kB

MD5: 9aa95c11e65e409da1e106e9bd4f9bcb
SHA256: b50ae7abf3865a39ac83ac30c84bcb9638ea9cc995f6d585546c5d87e0bf69b4

Audit Items

Description | Categories
1.1.1.1 Syslog logging should be configured - configuration | AUDIT AND ACCOUNTABILITY
1.1.1.1 Syslog logging should be configured - hip match | AUDIT AND ACCOUNTABILITY
1.1.1.1 Syslog logging should be configured - host | AUDIT AND ACCOUNTABILITY
1.1.1.1 Syslog logging should be configured - ip-tag | AUDIT AND ACCOUNTABILITY
1.1.1.1 Syslog logging should be configured - system | AUDIT AND ACCOUNTABILITY
1.1.1.1 Syslog logging should be configured - user-id | AUDIT AND ACCOUNTABILITY
1.1.2 Ensure 'Login Banner' is set | AWARENESS AND TRAINING, PROGRAM MANAGEMENT
1.1.3 Ensure 'Enable Log on High DP Load' is enabled | AUDIT AND ACCOUNTABILITY
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.3.1 Ensure 'Minimum Password Complexity' is enabled | IDENTIFICATION AND AUTHENTICATION
1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | IDENTIFICATION AND AUTHENTICATION
1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION
1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION
1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION
1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1 | IDENTIFICATION AND AUTHENTICATION
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days | ACCESS CONTROL
1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 | IDENTIFICATION AND AUTHENTICATION
1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords | IDENTIFICATION AND AUTHENTICATION
1.3.10 Ensure 'Password Profiles' do not exist | IDENTIFICATION AND AUTHENTICATION
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | ACCESS CONTROL
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | ACCESS CONTROL, CONFIGURATION MANAGEMENT
1.5.1 Ensure 'V3' is selected for SNMP polling | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
1.6.1 Ensure 'Verify Update Server Identity' is enabled | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY
1.6.2 Ensure redundant NTP servers are configured appropriately | AUDIT AND ACCOUNTABILITY
1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid | CONFIGURATION MANAGEMENT
2.3 Ensure that User-ID is only enabled for internal trusted interfaces | ACCESS CONTROL, CONFIGURATION MANAGEMENT
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | ACCESS CONTROL
2.6 Ensure that the User-ID service account does not have interactive logon rights | ACCESS CONTROL
2.7 Ensure remote access capabilities for the User-ID service account are forbidden | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | ACCESS CONTROL
3.1 Ensure a fully-synchronized High Availability peer is configured | ACCESS CONTROL, CONFIGURATION MANAGEMENT
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition | ACCESS CONTROL, CONFIGURATION MANAGEMENT
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition | ACCESS CONTROL, CONFIGURATION MANAGEMENT
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Settings | ACCESS CONTROL, CONFIGURATION MANAGEMENT
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State | ACCESS CONTROL, CONFIGURATION MANAGEMENT
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION, RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY
5.1 Ensure that WildFire file size upload limits are maximized | SYSTEM AND INFORMATION INTEGRITY
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles | SYSTEM AND INFORMATION INTEGRITY
5.3 Ensure a WildFire Analysis profile is enabled for all security policies | SYSTEM AND INFORMATION INTEGRITY
5.4 Ensure forwarding of decrypted content to WildFire is enabled | SYSTEM AND INFORMATION INTEGRITY
5.5 Ensure all WildFire session information settings are enabled | SYSTEM AND INFORMATION INTEGRITY