Ensure a fully-synchronized High Availability peer is configured
Details Ensure a High Availability peer is fully synchronized and in a passive or active state. Rationale: To ensure availability...
- Home
- Security Hardening
- CIS Palo Alto Firewall 6 Benchmark L1 V1.0.0
CIS Palo Alto Firewall 6 Benchmark L1 V1.0.0
Ensure alerts are enabled for malicious files detected by WildFire
Details Configure WildFire to send an alert when a malicious file is detected. This alert could be sent by whichever...Ensure all WildFire session information settings are enabled
Details Enable all options under Session Information Settings for WildFire. Rationale: Permitting the firewall to send all of this information...Ensure ‘Antivirus Update Schedule’ is set to download and install updates hourly
Details Set Antivirus Update Schedule to download and install updates hourly. Rationale: New antivirus definitions may be released at any...Ensure ‘Applications and Threats Update Schedule’ is set to download and install updates daily
Details Set the Applications and Threats Update Schedule to download and install updates daily. Rationale: New Applications and Threats file...Ensure at least one antivirus profile is set to block on all decoders except ‘imap’ and ‘pop3’
Details Configure at least one antivirus profile to a value of ‘block’ for all decoders except imap and pop3 under...Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows
Details Apply a WildFire file blocking profile to all security policies allowing Internet traffic flows. In the following example, the...Ensure ‘Block Username Inclusion’ is enabled
Details This checks all new passwords to ensure that they block username inclusion (in either forward or reverse order.) Rationale:...Ensure ‘Enable Log on High DP Load’ is enabled
Details Enable the option ‘Enable Log on High DP Load’ feature. When this option is selected, a system log entry...Ensure ‘Failed Attempts’ and ‘Lockout Time’ for Authentication Profile are properly configured – Failed Attempts
Details Configure an Authentication Profile with Failed Attempts and Lockout Time set to organization-defined values (for example, 3 failed attempts...