| 1.1.1 Enable 'aaa new-model' | CIS Cisco IOS 15 L1 v4.1.1 | Cisco | ACCESS CONTROL |
| 1.1.4 Set 'login authentication for 'line con 0' | CIS Cisco IOS 15 L1 v4.1.1 | Cisco | ACCESS CONTROL |
| 1.1.5 Ensure 'Password Policy' is enabled - minimum-numeric | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| 1.1.5 Ensure 'Password Policy' is enabled - minimum-special | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| 1.1.5 Set 'login authentication for 'line tty' | CIS Cisco IOS 15 L1 v4.1.1 | Cisco | ACCESS CONTROL |
| 1.2.4 Ensure 'Unused Interfaces' is disable | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.4.1.2 Ensure 'local username and password' is set | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| 1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - protocol | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | ACCESS CONTROL |
| 1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - protocol | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| 1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | ACCESS CONTROL |
| 1.4.5.1 Ensure 'aaa command accounting' is configured correctly | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.5.3 Ensure 'LOGIN banner' is set | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | AWARENESS AND TRAINING |
| 1.5.3 Ensure 'LOGIN banner' is set | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | AWARENESS AND TRAINING |
| 1.6.5 Ensure 'Telnet' is disabled | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.6.5 Ensure 'Telnet' is disabled | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.7.3 Ensure 'SSL AES 256 encryption' is set for HTTPS access | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.9.1.1 Ensure 'NTP authentication' is enabled | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | AUDIT AND ACCOUNTABILITY |
| 1.9.1.3 Ensure 'trusted NTP server' exists | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | AUDIT AND ACCOUNTABILITY |
| 1.9.1.3 Ensure 'trusted NTP server' exists | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.9.2 Ensure 'local timezone' is properly configured | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.10.7 Ensure 'logging with timestamps' is enabled | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | AUDIT AND ACCOUNTABILITY |
| 1.10.9 Ensure 'logging buffer size' is greater than or equal to '524288' bytes (512kb) | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | AUDIT AND ACCOUNTABILITY |
| 1.10.10 Ensure 'logging buffered severity level' is greater than or equal to '3' | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | AUDIT AND ACCOUNTABILITY |
| 1.10.12 Ensure email logging is configured for critical to emergency | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.11.1 Ensure 'snmp-server group' is set to 'v3 priv' | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.11.2 Ensure 'snmp-server user' is set to 'v3 auth SHA' | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 1.11.4 Ensure 'SNMP traps' is enabled - linkup | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 2.1.1 Ensure 'RIP authentication' is enabled | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT |
| 2.1.1 Ensure 'RIP authentication' is enabled | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | CONFIGURATION MANAGEMENT |
| 2.1.2 Ensure 'OSPF authentication' is enabled | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT |
| 2.3.1.2 Set 'ntp authentication-key' | CIS Cisco IOS XE 16.x v2.1.0 L2 | Cisco | AUDIT AND ACCOUNTABILITY |
| 2.7 Ensure internal sources are blocked on external networks | CIS Juniper OS Benchmark v2.1.0 L2 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.5 Ensure DOS protection is enabled for untrusted interfaces | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.6 Ensure 'threat-detection statistics' is set to 'tcp-intercept' | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT |
| 3.7 Ensure 'ip verify' is set to 'reverse-path' for untrusted interfaces | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT |
| FNFG-FW-000025 - The FortiGate firewall must generate traffic log entries containing information to establish when (date and time) the events occurred. | DISA Fortigate Firewall STIG v1r3 | FortiGate | AUDIT AND ACCOUNTABILITY |
| FNFG-FW-000030 - The FortiGate firewall must generate traffic log entries containing information to establish the network location where the events occurred. | DISA Fortigate Firewall STIG v1r3 | FortiGate | AUDIT AND ACCOUNTABILITY |
| FNFG-FW-000035 - The FortiGate firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum. | DISA Fortigate Firewall STIG v1r3 | FortiGate | AUDIT AND ACCOUNTABILITY |
| FNFG-FW-000045 - In the event that communication with the central audit server is lost, the FortiGate firewall must continue to queue traffic log records locally. - disk status|diskfull | DISA Fortigate Firewall STIG v1r3 | FortiGate | AUDIT AND ACCOUNTABILITY |
| FNFG-FW-000050 - The FortiGate firewall must protect traffic log records from unauthorized access while in transit to the central audit server. - set mode | DISA Fortigate Firewall STIG v1r3 | FortiGate | AUDIT AND ACCOUNTABILITY |
| FNFG-FW-000065 - The FortiGate firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. | DISA Fortigate Firewall STIG v1r3 | FortiGate | CONFIGURATION MANAGEMENT |
| FNFG-FW-000070 - The FortiGate firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | DISA Fortigate Firewall STIG v1r3 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| FNFG-FW-000075 - The FortiGate firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks. | DISA Fortigate Firewall STIG v1r3 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| FNFG-FW-000090 - The FortiGate firewall must fail to a secure state if the firewall filtering functions fail unexpectedly - fail-open | DISA Fortigate Firewall STIG v1r3 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| FNFG-FW-000110 - The FortiGate firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning. | DISA Fortigate Firewall STIG v1r3 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| FNFG-FW-000120 - The FortiGate firewall must apply egress filters to traffic outbound from the network through any internal interface. | DISA Fortigate Firewall STIG v1r3 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| FNFG-FW-000135 - The FortiGate firewall must be configured to inspect all inbound and outbound traffic at the application layer. | DISA Fortigate Firewall STIG v1r3 | FortiGate | CONFIGURATION MANAGEMENT |
| FNFG-FW-000145 - The FortiGate firewall must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | DISA Fortigate Firewall STIG v1r3 | FortiGate | CONFIGURATION MANAGEMENT |
| FNFG-FW-000150 - The FortiGate firewall must generate an alert that can be forwarded to, at a minimum, the Information System Security Officer (ISSO) and Information System Security Manager (ISSM) when denial-of-service (DoS) incidents are detected - enc-algorithm | DISA Fortigate Firewall STIG v1r3 | FortiGate | SYSTEM AND INFORMATION INTEGRITY |
| FNFG-FW-000150 - The FortiGate firewall must generate an alert that can be forwarded to, at a minimum, the Information System Security Officer (ISSO) and Information System Security Manager (ISSM) when denial-of-service (DoS) incidents are detected. - set server | DISA Fortigate Firewall STIG v1r3 | FortiGate | SYSTEM AND INFORMATION INTEGRITY |
