Ensure ‘V3’ is selected for SNMP polling

Details

For SNMP polling, only SNMPv3 should be used.

Rationale:

SNMPv3 utilizes AES-128 encryption, message integrity, user authorization, and device authentication security features. SNMPv2c does not provide these security features. If an SNMPv2c community string is intercepted or otherwise obtained, an attacker could gain read access to the firewall. Note that SNMP write access is not possible.

Solution

Navigate to Device > Setup > Operations > Miscellaneous > SNMP Setup
Select V3.
or
To remediate this setting, execute the following CLI command:
set deviceconfig system snmp-setting access-setting version v3
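
To audit this setting, the following added example (not part of the original benchmark text or any vendor tooling) scans set-format configuration text for the command path shown above and reports whether SNMP polling is v3, another version, or not configured. The function name, the sample configurations and the `v2c` keyword in the failing sample are assumptions made for illustration.

```python
import re

# Config path taken from the remediation command on this page.
SNMP_VERSION_PATH = "set deviceconfig system snmp-setting access-setting version"

def audit_snmp_version(set_config: str) -> dict:
    """Classify the SNMP polling version found in set-format configuration text.

    Returns {"status": "pass" | "fail" | "not-configured", "versions": [...]}.
    """
    versions = []
    for raw in set_config.splitlines():
        # Normalise whitespace so indentation or double spaces do not hide a line.
        line = re.sub(r"\s+", " ", raw.strip())
        if not line.startswith(SNMP_VERSION_PATH + " "):
            continue
        # The first token after the path is the version keyword.
        token = line[len(SNMP_VERSION_PATH):].split()[0].lower()
        if token not in versions:
            versions.append(token)
    if not versions:
        status = "not-configured"  # matches the documented default value
    elif versions == ["v3"]:
        status = "pass"
    else:
        status = "fail"            # anything other than v3 alone is a finding
    return {"status": status, "versions": versions}

# Constructed sample inputs (not taken from a real device).
SAMPLE_V3 = """\
set deviceconfig system hostname fw-example
set deviceconfig system snmp-setting access-setting version v3
"""
SAMPLE_V2C = """\
set deviceconfig system hostname fw-example
  set deviceconfig system  snmp-setting access-setting version v2c
"""
SAMPLE_DEFAULT = "set deviceconfig system hostname fw-example\n"

if __name__ == "__main__":
    for name, cfg in [("v3", SAMPLE_V3), ("v2c", SAMPLE_V2C), ("default", SAMPLE_DEFAULT)]:
        print(name, audit_snmp_version(cfg))
```
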

Default Value:
Not configured

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Palo_Alto.

Updated on July 16, 2022