Detections
Analytics

Revision 1.3

Nov 8, 2024
Functional Update
  • 1.1.1.1 Syslog logging should be configured - configuration
  • 1.1.1.1 Syslog logging should be configured - hip match
  • 1.1.1.1 Syslog logging should be configured - host
  • 1.1.1.1 Syslog logging should be configured - ip-tag
  • 1.1.1.1 Syslog logging should be configured - system
  • 1.1.1.1 Syslog logging should be configured - user-id
  • 1.1.2 Ensure 'Login Banner' is set
  • 1.1.3 Ensure 'Enable Log on High DP Load' is enabled
  • 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management
  • 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS
  • 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP
  • 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH
  • 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface
  • 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP
  • 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet
  • 1.3.1 Ensure 'Minimum Password Complexity' is enabled
  • 1.3.10 Ensure 'Password Profiles' do not exist
  • 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12
  • 1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1
  • 1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1
  • 1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1
  • 1.3.6 Ensure 'Minimum Special Characters' is greater than or equal to 1
  • 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days
  • 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3
  • 1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords
  • 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management
  • 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts
  • 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time
  • 1.5.1 Ensure 'V3' is selected for SNMP polling
  • 1.6.1 Ensure 'Verify Update Server Identity' is enabled
  • 1.6.2 Ensure redundant NTP servers are configured appropriately
  • 1.6.3 Ensure that the Certificate Securing Remote Access VPNs is Valid
  • 2.3 Ensure that User-ID is only enabled for internal trusted interfaces
  • 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled
  • 2.5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled
  • 2.6 Ensure that the User-ID service account does not have interactive logon rights
  • 2.7 Ensure remote access capabilities for the User-ID service account are forbidden.
  • 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
  • 3.1 Ensure a fully-synchronized High Availability peer is configured
  • 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition
  • 3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Path Monitoring Failure Condition
  • 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Election Setings
  • 3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately - Passive Link State
  • 4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
  • 4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
  • 5.1 Ensure that WildFire file size upload limits are maximized
  • 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles
  • 5.3 Ensure a WildFire Analysis profile is enabled for all security policies
  • 5.4 Ensure forwarding of decrypted content to WildFire is enabled
  • 5.5 Ensure all WildFire session information settings are enabled
  • 5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every minute
  • 6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
  • 6.10 Ensure that URL Filtering uses the action of 'block' or 'override' on the URL categories - override on the URL categories
  • 6.11 Ensure that access to every URL is logged
  • 6.12 Ensure all HTTP Header Logging options are enabled - Log Container Page
  • 6.12 Ensure all HTTP Header Logging options are enabled - Referer
  • 6.12 Ensure all HTTP Header Logging options are enabled - User-Agent
  • 6.12 Ensure all HTTP Header Logging options are enabled - X-Forwarded-For
  • 6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet
  • 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering Profile
  • 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Object
  • 6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet
  • 6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones
  • 6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions
  • 6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets
  • 6.2 Ensure a secure antivirus profile is applied to all relevant security policies
  • 6.20 Ensure that User Credential Submission uses the action of 'block' or 'continue' on the URL categories - continue on the URL categories
  • 6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats
  • 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use
  • 6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use
  • 6.6 Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet
  • 6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities
  • 6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
  • 7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
  • 7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
  • 7.3 Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists
  • 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Invalid Categories
  • 8.1 Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured - Policies
  • 8.2 Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS
  • 8.3 Ensure that the Certificate used for Decryption is Trusted
Miscellaneous
  • Metadata updated.
  • References updated.
  • Variables updated.