Ensure ‘Security Policy’ denying any/all traffic exists at the bottom of the security policies ruleset
Details: EXTREME CAUTION MUST BE USED BEFORE IMPLEMENTING THIS RECOMMENDATION, AS CERTAIN TRAFFIC PERMITTED BY DEFAULT WILL BE DENIED UNLESS...

Ensure that a Zone Protection Profile with Flood Protection settings enabled for all flood types is attached to all untrusted zones
Details: Enable all Flood Protection options in the Zone Protection Profile attached to all untrusted zones. The Alert, Activate, and...

Ensure that IP addresses are mapped to usernames – User ID Agents
Details: Configure appropriate settings to map IP addresses to usernames. Mapping userids to IP addresses is what permits the firewall...

Ensure that IP addresses are mapped to usernames – Zones
Details: Configure appropriate settings to map IP addresses to usernames. Mapping userids to IP addresses is what permits the firewall...

Ensure that the certificate securing Remote Access VPNs is valid – Certificates
Details: The Certificate used to secure Remote Access VPNs should satisfy the following criteria: * It should be a valid...

Ensure that the certificate securing Remote Access VPNs is valid – GlobalProtect Gateways
Details: The Certificate used to secure Remote Access VPNs should satisfy the following criteria: * It should be a valid...

Ensure that the certificate securing Remote Access VPNs is valid – GlobalProtect Portals
Details: The Certificate used to secure Remote Access VPNs should satisfy the following criteria: * It should be a valid...

Ensure that the Certificate used for Decryption is Trusted
Details: The CA Certificate used for in-line HTTP Man in the Middle should be trusted by target users. There are...

Ensure that WMI probing is disabled
Details: Disable WMI probing if it is not required for User-ID functionality in the environment. Rationale: By default, WMI probing...

Ensure valid certificate is set for browser-based administrator interface – Authentication Profile
Details: In most cases, a browser HTTPS interface is used to administer the Palo Alto appliance. The certificate used to...