1.5.1 Ensure 'V3' is selected for SNMP polling

Information

For SNMP polling, only SNMPv3 should be used.

Rationale:

SNMPv3 utilizes AES-128 encryption, message integrity, user authorization, and device authentication security features. SNMPv2c does not provide these security features. If an SNMPv2c community string is intercepted or otherwise obtained, an attacker could gain read access to the firewall. Note that SNMP write access is not possible.

Impact:

Any clear-text administrative protocol (such as SNMPv2) can expose valuable information to any attacker that is in a position to eavesdrop on that protocol.

Solution

Navigate to Device > Setup > Operations > Miscellaneous > SNMP Setup
Select V3.
In order to be usable, the User and View sections of this dialog should also be completed. These settings need to match the settings in the organization's NMS (Network Management System)

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|9.2, CSCv7|14.4

Plugin: Palo_Alto

Control ID: a7a7de9ef3a41c287df683ea17c2e0c8d5bb263ee631fecba83bf73e8bd79802