7.2 Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist

Information

Create security policies specifying application-default for the Service setting, in addition to the specific ports desired. The Service setting of any should not be used for any policies that allow traffic.

Rationale:

App-ID requires a number of packets to traverse the firewall before an application can be identified and either allowed or dropped. Because of this behavior, even when an application is specified in a security policy, a Service setting of any may allow a device in one zone to perform port scans against IP addresses in a different zone. In addition, this recommendation helps to avoid an App-ID cache pollution attack.

Because of how App-ID works, configuring the Service setting to any allows some initial traffic to reach the target host before App-ID can recognize and appropriately restrict it. Setting the Service to an application-specific value (application-default) at least restricts that initial volume of traffic to the ports of the target applications or protocols.

Solution

Navigate to Policies > Security.
For each exposed host, ensure a Security Policy exists with:

Source tab: Zone set to OUTSIDE / Address set to any

Destination tab: Zone set to DMZ / Address set to <DMZ Host Object>

Application tab: Application set to web-browsing (or appropriate application)

Service tab: Service set to application-default. The value of any should never be used.
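As an added audit check (not part of the benchmark text), the following Python script scans an exported PAN-OS XML configuration and lists every enabled allow rule whose Service is set to any, which is the condition this control prohibits. The rule XPath follows the layout of exported PAN-OS configs as assumed here, and the embedded configuration is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an exported PAN-OS configuration:
# one compliant allow rule (application-default), one non-compliant allow
# rule (service any) and a cleanup deny rule that is out of scope.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
<entry name="dmz-web-ok">
<from><member>OUTSIDE</member></from><to><member>DMZ</member></to>
<source><member>any</member></source><destination><member>dmz-web-01</member></destination>
<application><member>web-browsing</member></application>
<service><member>application-default</member></service>
<action>allow</action>
</entry>
<entry name="dmz-web-any-svc">
<from><member>OUTSIDE</member></from><to><member>DMZ</member></to>
<source><member>any</member></source><destination><member>dmz-web-02</member></destination>
<application><member>web-browsing</member></application>
<service><member>any</member></service>
<action>allow</action>
</entry>
<entry name="cleanup-deny">
<from><member>any</member></from><to><member>any</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>any</member></application><service><member>any</member></service>
<action>deny</action>
</entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

# Assumed path of vsys security rules in an exported PAN-OS config.
RULE_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"


def find_allow_rules_with_service_any(config_xml: str) -> list:
    """Return the names of enabled allow rules whose Service list contains 'any'."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall(RULE_XPATH):
        # Only rules that actually allow traffic are in scope: skip deny/drop
        # rules and rules that are disabled (<disabled>yes</disabled>).
        if rule.findtext("disabled", "no").strip() == "yes":
            continue
        if rule.findtext("action", "").strip() != "allow":
            continue
        services = [m.text.strip() for m in rule.findall("service/member") if m.text]
        if "any" in services:
            findings.append(rule.get("name"))
    return findings


if __name__ == "__main__":
    for name in find_allow_rules_with_service_any(SAMPLE_CONFIG):
        print(f"non-compliant allow rule with Service any: {name}")
```

Point the function at the output of `show config running` exported in XML format to run the same check against a real device.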

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|9.2

Plugin: Palo_Alto

Control ID: 9f59842d43700517ea921bce65d8309efad43291339028c66ce30b63ef05a590