2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled

Information

If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted networks. There is rarely a legitimate need to allow WMI probing on an untrusted network.
Rationale:
The Include/Exclude Networks feature allow users to configure boundaries for the User-ID service. By using the feature to limit User-ID probing to only trusted internal networks, the risks of privileged information disclosure through sent probes can be reduced. Note that if an entry appears in the Include/Exclude Networks section, an implicit exclude-all-networks policy will take effect for all other networks.

Solution

Navigate to Device > User Identification > User Mapping > Include/Exclude Networks.
Set all trusted internal networks to have a Discovery value of Include.
Set all untrusted external networks to have a Discovery value of Exclude.
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11), CSCv6|9.1

Plugin: Palo_Alto

Control ID: ee8fabba9b9fdd3067df95d3b1928766061d161d2561c0a84cd27b72951551ef