Nov 8, 2024 Functional Update- 1.1.1 Ensure 'Login Banner' is set
- 1.1.2 Ensure 'Enable Log on High DP Load' is enabled
- 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management
- 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP
- 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH
- 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS
- 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface
- 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP
- 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet
- 1.3.1 Ensure 'Minimum Password Complexity' is enabled
- 1.3.10 Ensure 'Password Profiles' do not exist
- 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12
- 1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1
- 1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1
- 1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1
- 1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1
- 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days
- 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3
- 1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords
- 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management
- 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts
- 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time
- 1.5.1 Ensure 'V3' is selected for SNMP polling
- 1.6.1 Ensure 'Verify Update Server Identity' is enabled
- 1.6.2 Ensure redundant NTP servers are configured appropriately
- 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - Certificates
- 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways
- 1.6.3 Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Portals
- 2.3 Ensure that User-ID is only enabled for internal trusted interfaces
- 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
- 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled
- 2.6 Ensure that the User-ID service account does not have interactive logon rights
- 2.7 Ensure remote access capabilities for the User-ID service account are forbidden.
- 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
- 3.1 Ensure a fully-synchronized High Availability peer is configured
- 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring
- 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition
- 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition
- 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Setings
- 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State
- 4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
- 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
- 5.1 Ensure that WildFire file size upload limits are maximized
- 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles
- 5.3 Ensure a WildFire Analysis profile is enabled for all security policies
- 5.4 Ensure forwarding of decrypted content to WildFire is enabled
- 5.5 Ensure all WildFire session information settings are enabled
- 5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minute
- 6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
- 6.10 Ensure that URL Filtering uses the action of block or override on the URL categories
- 6.11 Ensure that access to every URL is logged
- 6.12 Ensure all HTTP Header Logging options are enabled - Log Container Page
- 6.12 Ensure all HTTP Header Logging options are enabled - Referer
- 6.12 Ensure all HTTP Header Logging options are enabled - User-Agent
- 6.12 Ensure all HTTP Header Logging options are enabled - X-Forwarded-For
- 6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
- 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering Profile
- 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Object
- 6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet
- 6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones
- 6.18 Ensure that all zones have Zone Prot Profiles with all Recon Protection settings enabled, tuned, and set to appropriate actions
- 6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets
- 6.2 Ensure a secure antivirus profile is applied to all relevant security policies
- 6.20 Ensure that User Credential Submission uses the action of block or continue on the URL categories
- 6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
- 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use
- 6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use
- 6.6 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
- 6.7 Ensure a VPP is set to block attacks against critical and high vulnerabilities, and set to default on med, low, and info vulns
- 6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
- 7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
- 7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
- 7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists
- 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Invalid Categories
- 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Policies
- 8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS
- 8.3 Ensure that the Certificate used for Decryption is Trusted
Miscellaneous- Metadata updated.
- References updated.
- Variables updated.
|
Jul 9, 2024 Functional Update- 6.18 Ensure that all zones have Zone Prot Profiles with all Recon Protection settings enabled, tuned, and set to appropriate actions
Informational Update- 6.18 Ensure that all zones have Zone Prot Profiles with all Recon Protection settings enabled, tuned, and set to appropriate actions
|
Jun 17, 2024 |
Dec 22, 2023 Miscellaneous- Metadata updated.
- References updated.
|
Mar 7, 2023 Miscellaneous- Metadata updated.
- References updated.
|
Jan 4, 2023 Miscellaneous- Metadata updated.
- Variables updated.
|
Dec 7, 2022 |
Apr 25, 2022 |
Mar 29, 2022 Miscellaneous- Metadata updated.
- References updated.
|
Sep 17, 2021 Functional Update- 3.1 Ensure a fully-synchronized High Availability peer is configured
|
