1.1.1.2 SNMPv3 traps should be configured - user-id

Information

SNMP v3 can be used for remote logging, and is the recommended protocol in higher security situations as it fully supports encryption of logs.

Rationale:

Sending all system logs to a remote host is recommended to provide protected, long term storage and archiving. This also places a copy of the logs in a second location, in case the primary (on the firewall) logs are compromised. Storing logs on a remote host also allows for more flexible log searches and log processing, as well as many methods of triggering events or scripts based on specific log events or combinations of events. Finally, remote logging provides many organizations with the opportunity to combine logs from disparate infrastructure in a SIEM (Security Information and Event Management) system.

Logging to an external system is also usually required by most regulatory frameworks.

Impact:

Failure to properly store and archive logs for critical infrastructure leaves an organization without the tools required to establish trends in events or activity, or to retrospectively analyze security or operational events beyond the log timespan stored on the firewall. Not having remote logs also puts many organizations outside of compliance with many regulatory frameworks. Finally, not logging to a remote host leaves organizations without recourse in the event of a compromise of logs on the primary device. It is imperative that organizations log critical infrastructure appropriately, store and archive these logs in a central location, and have a robust set of tools to analyze logs both in real time and after the fact. Not encrypting log data as it transits the network allows an attacker to mount a 'MiTM' (Monkey in the Middle) attack, which allows them to intercept and/or modify logs as they transit from the source to the destination.

Solution

Navigate to Device > Server Profiles > SNMP Trap
Choose Add
Assign a Name to the Profile, and specify version V3. Choose Add, and assign a server name in the Name field, add an IP address or FQDN in the SNMP Manager field. Edit the Password fields as appropriate for your server.
Repeat if multiple Syslog destinations are required.
Navigate to Device > Log Settings
Under System, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a SNMP Profile in the SNMP section. Ensure that at least one of the Log Settings Configuration entries has its Filter setting at All Logs
Under Configuration, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a SNMP Profile in the SNMP section. Ensure that at least one of the Log Settings Configuration entries has its Filter setting at All Logs
Under User-ID, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a SNMP Profile in the SNMP section. Ensure that at least one of the Log Settings Configuration entries has its Filter setting at All Logs
Under HIP Match (Host Information Profile), add an entry. Define a Name and a Filter setting. Under Forward Methods, add a SNMP Profile in the SNMP section. Ensure that at least one of the Log Settings Configuration entries has its Filter setting at All Logs
Under IP-Tag, add an entry. Define a Name and a Filter setting. Under Forward Methods, add a SNMP Profile in the SNMP section. Ensure that at least one of the Log Settings Configuration entries has its Filter setting at All Logs

Default Value:

By default no external logging is defined

See Also

https://workbench.cisecurity.org/files/3754

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-1, 800-53|AU-2, CSCv7|6.2

Plugin: Palo_Alto

Control ID: f588f62ca8e9665286c321142d3b093e7614c78abe8da52b19516c57de24760b