Details
HTTP and Telnet options should not be enabled for device management.
Rationale:
Management access over cleartext services such as HTTP or Telnet could result in a compromise of administrator credentials and other sensitive information related to device management.
Solution
Navigate to Network > Network Profiles > Interface Management.
For each Profile, set the HTTP and Telnet boxes to unchecked.
References:
‘PAN-OS Administrator’s Guide 9.0 (English) – Best Practices for Securing Administrative Access’: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html#
‘PAN-OS Administrator’s Guide 9.0 (English) – Use Interface Management Profiles to Restrict Access’: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/use-interface-management-profiles-to-restrict-access.html#
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following categories of controls within NIST 800-53: Identification and Authentication, System and Communications Protection, System and Information Integrity. This control applies to the following type of system: Palo_Alto.
References
- 800-53|IA-5
- 800-53|SC-8
- 800-53|SI-4
- CSCv6|3.4
- CSCv6|11.4
- CSCv6|14.2
- CSCv6|16.13
- CSCv7|9.2
- CSCv7|14.4
- CSCv7|16.5