2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled


If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted networks. There is rarely a legitimate need to allow WMI probing on an untrusted network.
The Include/Exclude Networks feature allow users to configure boundaries for the User-ID service. By using the feature to limit User-ID probing to only trusted internal networks, the risks of privileged information disclosure through sent probes can be reduced. Note that if an entry appears in the Include/Exclude Networks section, an implicit exclude-all-networks policy will take effect for all other networks.

NOTE: The User-ID option is not enabled. This check is not applicable and is included for informational purposes.


Navigate to Device > User Identification > User Mapping > Include/Exclude Networks.
Set all trusted internal networks to have a Discovery value of Include.
Set all untrusted external networks to have a Discovery value of Exclude.
Default Value:
Not configured

See Also


Item Details


References: 800-53|SC-7(11), CSCv6|9.1

Plugin: Palo_Alto

Control ID: e62d32e20cdffd0a8da224ad9049a9990fc43f97d179b7023faf8861906fe42a