CSCv7|11

Title

Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Reference Item Details

Reference: CIS Critical Security Controls v7

Category: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Audit Items

Name	Plugin	Audit Name
1.1.1 Ensure 'Login Banner' is set	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.1.2 Ensure 'Login Banner' is set	Palo_Alto	CIS Palo Alto Firewall 11 v1.0.0 L1
1.1.2 Ensure 'Login Banner' is set	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
1.1.2 Ensure 'Login Banner' is set	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
1.3.10 Ensure 'Password Profiles' do not exist	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
1.6 Ensure maximum RAM is installed	Juniper	CIS Juniper OS Benchmark v2.1.0 L1
1.6.1 Ensure 'Verify Update Server Identity' is enabled	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
1.6.1 Ensure 'Verify Update Server Identity' is enabled	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
1.6.1 Ensure 'Verify Update Server Identity' is enabled	Palo_Alto	CIS Palo Alto Firewall 11 v1.0.0 L1
1.6.1 Ensure 'Verify Update Server Identity' is enabled	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.8 Ensure Retired JUNOS Devices are Disposed of Securely	Juniper	CIS Juniper OS Benchmark v2.1.0 L1
3.1 Ensure a fully-synchronized High Availability peer is configured	Palo_Alto	CIS Palo Alto Firewall 11 v1.0.0 L1
3.1 Ensure a fully-synchronized High Availability peer is configured	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
3.1 Ensure a fully-synchronized High Availability peer is configured	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
3.1 Ensure a fully-synchronized High Availability peer is configured	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
3.1.2 Set 'no ip proxy-arp'	Cisco	CIS Cisco IOS 17 L2 v2.0.0
3.1.2 Set 'no ip proxy-arp'	Cisco	CIS Cisco IOS 12 L2 v4.0.0
3.1.2 Set 'no ip proxy-arp'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.1.2 Set 'no ip proxy-arp'	Cisco	CIS Cisco IOS 16 L2 v2.0.0
3.1.3 Set 'no interface tunnel'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
3.1.3 Set 'no interface tunnel'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
3.1.3 Set 'no interface tunnel'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.1.3.1 Set Interfaces with no Peers to Passive-Interface	Cisco	CIS Cisco NX-OS L1 v1.0.0
3.1.3.1 Set Interfaces with no Peers to Passive-Interface	Cisco	CIS Cisco NX-OS L2 v1.0.0
3.1.3.2 Authenticate OSPF peers with MD5 authentication keys	Cisco	CIS Cisco NX-OS L2 v1.0.0
3.1.3.3 Log OSPF Adjacency Changes	Cisco	CIS Cisco NX-OS L1 v1.0.0
3.1.3.3 Log OSPF Adjacency Changes	Cisco	CIS Cisco NX-OS L2 v1.0.0
3.1.4 Set 'ip verify unicast source reachable-via'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.1.4 Set 'ip verify unicast source reachable-via'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
3.1.4 Set 'ip verify unicast source reachable-via'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring	Palo_Alto	CIS Palo Alto Firewall 11 v1.0.0 L1
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
3.2.1 Ensure VRRP authentication-key is set	Juniper	CIS Juniper OS Benchmark v2.1.0 L2
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'	Cisco	CIS Cisco IOS 16 L2 v2.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'	Cisco	CIS Cisco IOS 17 L2 v2.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'	Cisco	CIS Cisco IOS 16 L2 v2.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 0.0.0.0'	Cisco	CIS Cisco IOS 17 L2 v2.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'	Cisco	CIS Cisco IOS 16 L2 v2.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 10.0.0.0'	Cisco	CIS Cisco IOS 17 L2 v2.0.0
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny 127.0.0.0'	Cisco	CIS Cisco IOS 16 L2 v2.0.0

Detections

Analytics

CSCv7|11

Title

Reference Item Details

Audit Items