Ensure ‘Idle timeout’ is less than or equal to 10 minutes for device management

Details

Set the Idle Timeout value for device management to 10 minutes or less to automatically close inactive sessions.

Rationale:

An unattended computer with an open administrative session to the device could allow an unauthorized user access to the firewall’s management interface.

Solution

Navigate to Device > Setup > Management > Authentication Settings.
Set Idle Timeout to less than or equal to 10.

Default Value:

Not configured
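
The setting can also be audited offline against an exported configuration file. The script below is an added example, not part of the benchmark or of Palo Alto's documentation. It assumes the value is stored at `deviceconfig/setting/management/idle-timeout` under each device entry of the export and that a value of 0 disables the idle logout. The function names and the sample device names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_IDLE_MINUTES = 10  # threshold stated by this benchmark item
# Assumption: location of the setting inside an exported configuration XML.
SETTING = "deviceconfig/setting/management/idle-timeout"

def check_value(text):
    """Classify one idle-timeout value as (compliant, reason)."""
    if text is None or not text.strip():
        return False, "idle-timeout not configured"
    try:
        minutes = int(text.strip())
    except ValueError:
        return False, f"non-numeric value {text!r}"
    if minutes <= 0:
        # Assumption: 0 turns the idle logout off, so it cannot satisfy the control.
        return False, "idle-timeout disabled (0)"
    if minutes > MAX_IDLE_MINUTES:
        return False, f"{minutes} min exceeds {MAX_IDLE_MINUTES} min"
    return True, f"{minutes} min"

def audit_config(xml_text):
    """Return {device_name: (compliant, reason)} for each device entry."""
    root = ET.fromstring(xml_text)
    results = {}
    for entry in root.findall("./devices/entry"):
        node = entry.find(SETTING)
        results[entry.get("name", "<unnamed>")] = check_value(
            node.text if node is not None else None)
    return results

# Constructed sample export (not taken from a real device).
SAMPLE = """<config>
  <devices>
    <entry name="fw-ok"><deviceconfig><setting><management>
      <idle-timeout>10</idle-timeout></management></setting></deviceconfig></entry>
    <entry name="fw-long"><deviceconfig><setting><management>
      <idle-timeout>60</idle-timeout></management></setting></deviceconfig></entry>
    <entry name="fw-never"><deviceconfig><setting><management>
      <idle-timeout>0</idle-timeout></management></setting></deviceconfig></entry>
    <entry name="fw-unset"><deviceconfig><setting><management/>
      </setting></deviceconfig></entry>
  </devices>
</config>"""

if __name__ == "__main__":
    for device, (ok, reason) in audit_config(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'} {device}: {reason}")
```

A device with no `idle-timeout` element is reported as failing, matching the "Not configured" default listed above.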

References:

‘How to Change the Admin Session Timeout Value’ – https://live.paloaltonetworks.com/docs/DOC-5557

‘PAN-OS Administrator’s Guide 9.0 (English) – Device – Setup – Management’ – https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-setup-management#

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Palo_Alto.

Updated on July 16, 2022