PANW-NM-000069 - The Palo Alto Networks security platform must terminate management sessions after 10 minutes of inactivity except to fulfill documented and validated mission requirements.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.

Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Device management sessions are normally ended by the Administrator when he or she has completed the management activity. The session termination takes place from the web client by selecting 'Logout' (located at the bottom-left of the GUI window) or using the command line commands 'exit' or 'quit' at Operational mode.

Solution

Go to Device >> Setup >> Management.
In the 'Authentication Settings' pane, select the 'Edit' icon (the gear symbol in the upper-right corner of the pane).
In the 'Idle Timeout (min)' field, enter '10', then select 'OK'.
Commit changes by selecting 'Commit' in the upper-right corner of the screen.
Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M07_STIG.zip

Item Details

References: CAT|I, CCI|CCI-001133, Rule-ID|SV-228658r961068_rule, STIG-ID|PANW-NM-000069, STIG-Legacy|SV-77233, STIG-Legacy|V-62743, Vuln-ID|V-228658

Plugin: Palo_Alto

Control ID: cd10492e6e86c8087a07ee5f2499940f81f8bd1759169f939a7583b3728d1ffd