PANW-NM-000015 - The Palo Alto Networks security platform must enforce the limit of three consecutive invalid logon attempts.

Information

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

Solution

Configure the authentication profile associated with the account of last resort with lockout settings of three failed attempts, which is the only local login account.

1. Go to Device >> Authentication Profile.
2. Select the configured authentication profile or select 'Add' (in the bottom-left corner of the pane) to create a new one.
3. In the 'Authentication Profile' field, enter the name of the authentication profile that will be used to control each person's authentication process.
4. The 'Lockout Time (min)' field is the lockout duration; this must be set to '15'.
5. In the 'Failed Attempts' field, enter '3'.
6. Select 'OK'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y25M04_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., CAT|II, CCI|CCI-000044, Rule-ID|SV-228639r1082941_rule, STIG-ID|PANW-NM-000015, STIG-Legacy|SV-77195, STIG-Legacy|V-62705, Vuln-ID|V-228639

Plugin: Palo_Alto

Control ID: 94acc621c07f05bc73fc3620355b130abb7a31e3a126661cd9fdd728df163587