CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1

Updated: 5/27/2022

Authority: Network Devices

Plugin: Palo_Alto

Revision: 1.7

Estimated Item Count: 85

Audit Items

Description
1.1.1.1 Syslog logging should be configured - configuration
1.1.1.1 Syslog logging should be configured - hip match
1.1.1.1 Syslog logging should be configured - host
1.1.1.1 Syslog logging should be configured - ip-tag
1.1.1.1 Syslog logging should be configured - system
1.1.1.1 Syslog logging should be configured - user-id
1.1.2 Ensure 'Login Banner' is set
1.1.3 Ensure 'Enable Log on High DP Load' is enabled
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet
1.3.1 Ensure 'Minimum Password Complexity' is enabled
1.3.2 Ensure 'Minimum Length' is greater than or equal to 12
1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1
1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1
1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1
1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days
1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3
1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords
1.3.10 Ensure 'Password Profiles' do not exist
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time
1.5.1 Ensure 'V3' is selected for SNMP polling
1.6.1 Ensure 'Verify Update Server Identity' is enabled
1.6.2 Ensure redundant NTP servers are configured appropriately
1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid - Certificates
1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid - GlobalProtect Gateways
1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid - GlobalProtect Portals
2.3 Ensure that User-ID is only enabled for internal trusted interfaces
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled
2.6 Ensure that the User-ID service account does not have interactive logon rights
2.7 Ensure remote access capabilities for the User-ID service account are forbidden.
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
3.1 Ensure a fully-synchronized High Availability peer is configured
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Settings
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
5.1 Ensure that WildFire file size upload limits are maximized
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles
5.3 Ensure a WildFire Analysis profile is enabled for all security policies