1.1.3 Ensure 'Enable Log on High DP Load' is enabled
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles
1.3.1 Ensure 'Minimum Password Complexity' is enabled
1.3.10 Ensure 'Password Profiles' do not exist
1.3.2 Ensure 'Minimum Length' is greater than or equal to 12
1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1
1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1
1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1
1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days
1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3
1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured
1.5.1 Ensure 'V3' is selected for SNMP polling
1.6.1 Ensure 'Verify Update Server Identity' is enabled
1.6.2 Ensure redundant NTP servers are configured appropriately
1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid
2.3 Ensure that User-ID is only enabled for internal trusted interfaces
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
3.1 Ensure a fully-synchronized High Availability peer is configured
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
5.1 Ensure that WildFire file size upload limits are maximized
5.2 Ensure a WildFire Analysis profile is enabled for all security policies
5.3 Ensure forwarding of decrypted content to WildFire is enabled
5.4 Ensure all WildFire session information settings are enabled
5.5 Ensure alerts are enabled for malicious files detected by WildFire
5.6 Ensure 'WildFire Update Schedule' is set to download and install updates in real-time
5.8 Ensure that 'Inline Cloud Analysis' on WildFire profiles is enabled
6.1 Ensure that antivirus profiles are set to reset-both on all decoders except 'imap' and 'pop3'
6.10 Ensure that access to every URL is logged
6.11 Ensure all HTTP Header Logging options are enabled
6.12 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
6.13 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled
6.14 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet
6.15 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones
6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions
6.18 Ensure all zones have Zone Protection Profiles that drop specially crafted packets
6.19 Ensure that User Credential Submission uses the action of 'block' or 'continue' on the URL categories
6.2 Ensure a secure antivirus profile is applied to all relevant security policies
6.20 Ensure that 'WildFire Inline ML Action' on antivirus profiles is set to reset-both on all decoders except 'imap' and 'pop3'
6.21 Ensure that 'WildFire Inline ML' on antivirus profiles is set to enable for all file types
6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles is enabled if 'Advanced Threat Prevention' is available
6.23 Ensure that 'Cloud Inline Categorization' on URL Filtering profiles is enabled if 'Advanced Threat Prevention' is available
6.24 Ensure that 'Inline Cloud Analysis' on Anti-Spyware profiles is enabled if 'Advanced Threat Prevention' is available
6.25 Ensure that 'DNS Policies' is configured on Anti-Spyware profiles if 'DNS Security' license is available
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use
6.5 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
6.6 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities
6.7 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
6.9 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories
7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists
7.4 Ensure that logging is enabled on built-in default security policies
8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured
8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS
8.3 Ensure that the Certificate used for Decryption is Trusted