1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts

Information

Configure an Authentication Profile with Failed Attempts and Lockout Time set to organization-defined values (for example, 3 failed attempts and a 15 minute lockout time). Do not set Failed Attempts and Lockout Time in the Authentication Settings section; any Failed Attempts or Lockout Time settings within the selected Authentication Profile do not apply in the Authentication Settings section.
Rationale:
Without a lockout limit, an attacker can continuously guess administrators' passwords. If lockout settings are configured in the Authentication Settings section, it may be possible for an attacker to continuously lock out all administrative accounts from accessing the device.

Solution

Navigate to Device > Authentication Profile.
Set Failed Attempts to the organization-defined value.
Set Lockout Time to the organization-defined value.
or
Execute the following CLI commands:
username@hostname#set deviceconfig setting management admin-lockout failed-attempts
username@hostname#set deviceconfig setting management admin-lockout lockout-time
Default Value:
Not configured

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., CSCv6|16.7

Plugin: Palo_Alto

Control ID: 0657749f1a9d88e1a4508ffb6c35ecfc08b3bc1481c819077f031e6a06c2776e