| 1.1.1.2 SNMPv3 traps should be configured | CIS Palo Alto Firewall 11 v1.1.0 L2 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
| 1.1.3 Ensure 'Enable Log on High DP Load' is enabled | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
| 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface | CIS Palo Alto Firewall 10 v1.2.0 L2 | Palo_Alto | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3.1 Ensure 'Minimum Password Complexity' is enabled | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | IDENTIFICATION AND AUTHENTICATION |
| 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | IDENTIFICATION AND AUTHENTICATION |
| 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL |
| 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | IDENTIFICATION AND AUTHENTICATION |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL |
| 1.5.1 Ensure 'V3' is selected for SNMP polling | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 2.1 Ensure that IP addresses are mapped to usernames - Zones | CIS Palo Alto Firewall 9 v1.1.0 L2 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL |
| 2.7 Ensure remote access capabilities for the User-ID service account are forbidden. | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL |
| 3.1 Ensure a fully-synchronized High Availability peer is configured | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 3.5.1.5 Ensure ufw outbound connections are configured | CIS Ubuntu Linux 16.04 LTS Workstation L1 v2.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.2.2 Ensure loopback traffic is configured - INPUT | CIS Distribution Independent Linux Workstation L1 v2.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Ensure that WildFire file size upload limits are maximized | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.4 Ensure forwarding of decrypted content to WildFire is enabled | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.5 Ensure alerts are enabled for malicious files detected by WildFire | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.5 Ensure all WildFire session information settings are enabled | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3' | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.2 Ensure a secure antivirus profile is applied to all relevant security policies | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.12 Ensure all HTTP Header Logging options are enabled - Log Container Page | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.12 Ensure all HTTP Header Logging options are enabled - Referer | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.13 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
| 6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.15 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.16 Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones | CIS Palo Alto Firewall 11 v1.1.0 L2 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.17 Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones | CIS Palo Alto Firewall 9 v1.1.0 L2 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.21 Ensure that 'Wildfire Inline ML' on antivirus profiles are set to enable for all file types | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 7.4 Ensure that logging is enabled on built-in default security policies | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Policies | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3 Ensure that the Certificate used for Decryption is Trusted | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 8.3 Ensure that the Certificate used for Decryption is Trusted | CIS Palo Alto Firewall 9 v1.1.0 L2 | Palo_Alto | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 18.9.51.1.1 Ensure 'Configure Windows NTP Client' is set to 'Enabled: NT5DS' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.9.51.1.1 Ensure 'Configure Windows NTP Client' is set to 'Enabled: NT5DS' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 20.42 Ensure 'Operating System is maintained at a supported servicing level' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT |
| 20.56 Ensure 'Separate NSA-approved (Type 1) cryptography is used' (STIG DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 20.56 Ensure 'Separate NSA-approved (Type 1) cryptography is used' (STIG DC only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
