Home
Security Hardening
CIS Palo Alto Firewall 8 Benchmark L1 V1.0.0

CIS Palo Alto Firewall 8 Benchmark L1 V1.0.0

Ensure ‘Permitted IP Addresses’ is set to those necessary for device management
Details Permit only the necessary IP addresses to be used to manage the device. Rationale: Management access to the device...
Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabled – HTTPS
Details For all management profiles, only the IP addresses required for device management should be specified. Rationale: If a Permitted...
Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabled – SNMP
Details For all management profiles, only the IP addresses required for device management should be specified. Rationale: If a Permitted...
Ensure ‘Prevent Password Reuse Limit’ is set to 24 or more passwords
Details This determines the number of unique passwords that have to be most recently used for a user account before...
Ensure redundant NTP servers are configured appropriately
Details These settings enable use of primary and secondary NTP servers to provide redundancy in case of a failure involving...
Ensure remote access capabilities for the User-ID service account are forbidden.
Details Restrict the User-ID service accounts ability to gain remote access into the organization. This capability could be made available...
Ensure ‘Required Password Change Period’ is less than or equal to 90 days
Details This defines how long a user can use a password before it expires. Rationale: The longer a password exists,...
Ensure that antivirus profiles are set to block on all decoders except ‘imap’ and ‘pop3’
Details Configure antivirus profiles to a value of ‘block’ for all decoders except imap and pop3 under both Action and...
Ensure that ‘Include/Exclude Networks’ is used if User-ID is enabled
Details If User-ID is configured, use the Include/Exclude Networks section to limit the User-ID scope to operate only on trusted...
Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones
Details Create security policies to deny Palo Alto User-ID traffic originating from the interface configured for the UID Agent service...

Prev Next

CIS Palo Alto Firewall 8 Benchmark L1 V1.0.0

Ensure ‘Permitted IP Addresses’ is set to those necessary for device management

Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabled – HTTPS

Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabled – SNMP

Ensure ‘Prevent Password Reuse Limit’ is set to 24 or more passwords

Ensure redundant NTP servers are configured appropriately

Ensure remote access capabilities for the User-ID service account are forbidden.

Ensure ‘Required Password Change Period’ is less than or equal to 90 days

Ensure that antivirus profiles are set to block on all decoders except ‘imap’ and ‘pop3’

Ensure that ‘Include/Exclude Networks’ is used if User-ID is enabled

Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones