{"stig":{"title":"Palo Alto Networks IDPS Security Technical Implementation Guide","version":"3","release":"2"},"checks":[{"vulnId":"V-207688","ruleId":"SV-207688r557390_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must enable Antivirus, Anti-spyware, and Vulnerability Protection for all authorized traffic.","description":"The flow of all communications traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.\n\nRestricting the flow of communications traffic, also known as Information flow control, regulates where information is allowed to travel as opposed to who is allowed to access the information and without explicit regard to subsequent accesses to that information.\n\nTraffic that is prohibited by the PPSM and Vulnerability Assessments must be denied by the policies configured in the Palo Alto Networks security platform; this is addressed in a separate requirement.  Traffic that is allowed by the PPSM and Vulnerability Assessments must still be inspected by the IDPS capabilities of the Palo Alto Networks security platform known as Content-ID.  Content-ID is enabled on a per rule basis using individual or group profiles to facilitate policy-based control over content traversing the network.","checkContent":"Review the list of authorized applications, endpoints, services, and protocols that has been added to the PPSM database.  Identify which traffic flows are authorized.\n\nGo to  Objects >> Security Profiles >> Antivirus\nIf there are no Antivirus Profiles configured other than the default, this is a finding.\n\nGo to Objects >> Security Profiles >> Anti-Spyware\nView the configured Anti-Spyware Profiles.  If none are configured, this is a finding.\n\nGo to Objects >> Security Profiles >> Vulnerability Protection\nView the configured Vulnerability Protection Profiles.  
If none are configured, this is a finding.\n\nReview each of the configured security policies in turn.  For any Security Policy that allows traffic between Zones (interzone), view the \"Profile\" column.  If the \"Profile\" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.","fixText":"Configure an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile in turn.  Use these Profiles in the Security Policy or Policies that allow authorized traffic.\nTo create an Antivirus Profile:\nGo to Objects >> Security Profiles >> Antivirus\nSelect \"Add\".\nIn the \"Antivirus Profile\" window, complete the required fields.\nComplete the \"Name\" and \"Description\" fields.\nIn the \"Antivirus\" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the \"Action\" to \"drop\" or \"reset-both\".\nSelect \"OK\".\n\nTo create a Vulnerability Protection Profile:\nGo to Objects >> Security Profiles >> Vulnerability Protection\nSelect \"Add\".\nIn the \"Vulnerability Protection Profile\" window, complete the required fields.\nIn the \"Name\" field, enter the name of the Vulnerability Protection Profile.\nIn the \"Description\" field, enter the description of the Vulnerability Protection Profile.\nIn the \"Rules\" tab, select \"Add\".\nIn the \"Vulnerability Protection Rule\" window:\nIn the \"Rule Name\" field, enter the rule name.\nIn the \"Threat Name\" field, select \"any\".\nIn the \"Action\" field, select \"drop\" or \"reset-both\".\nIn the \"Host Type\" field, select \"any\".\nSelect the checkboxes above the \"CVE\" and \"Vendor ID\" boxes. 
\nIn the \"Severity\" section, select the \"critical\", \"high\", and \"medium\" check boxes.\nSelect \"OK\".\n\nIn the \"Vulnerability Protection Profile\" window, select the configured rule, then select \"OK\".\n\nTo configure an Anti-Spyware Profile:\nGo to Objects >> Security Profiles >> Anti-Spyware\nSelect the name of a configured Anti-Spyware Profile or select \"Add\" to create a new one.\nIn the \"Anti-Spyware Profile\" window, complete the required fields in all tabs.\nIn the \"Rules\" tab, select the name of a configured Anti-Spyware Rule or select \"Add\" to create a new one.\nComplete the required fields.\nFor the \"Category\" field, select \"any\".\nFor the \"Action\" field, select \"drop\" or \"reset-both\".\nFor the \"Severity\" field, select \"All\", or configure multiple rules, one for each Severity.\nSelect \"OK\".\nSelect \"OK\" again.\n\nGo to Policies >> Security\nSelect an existing policy rule or select \"Add\" to create a new one.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Profile Type\" field, select \"Profiles\".  The window will change to display the different categories of Profiles.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Antivirus\" field, select the configured Antivirus Profile.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Anti-Spyware\" field, select the configured Anti-Spyware Profile or the \"Strict Anti-spyware\" Profile.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Vulnerability Protection\" field, select the configured Vulnerability Protection Profile.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-001368"]},{"vulnId":"V-207689","ruleId":"SV-207689r767016_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.","description":"Associating the source of the event with detected events in the logs provides a means of investigating an attack or suspected attack.\n\nWhile auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail.\n\nPalo Alto Networks security platform has four options for the source of log records - \"FQDN\", \"hostname\", \"ipv4-address\", and \"ipv6-address\".  
This requirement only allows the use of \"ipv4-address\" and \"ipv6-address\" as options.","checkContent":"Go to Device >> Setup >> Management\nIn the \"General Settings\" window, if the \"hostname\" field does not contain a unique identifier, this is a finding.\n\nGo to Device >> Setup >> Management\nIn the \"Logging and Reporting Settings\" pane, if the \"Send Hostname in Syslog\" field does not show either \"ipv4-address\" or \"ipv6-address\", this is a finding.","fixText":"Set a unique hostname.\nGo to Device >> Setup >> Management\nIn the \"General Settings\" pane, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"General Settings\" window, in the \"hostname\" field, enter a unique hostname.\nSelect \"OK\".\n\nConfigure the device to send either the ipv4-address or the ipv6-address with all log messages.\nGo to Device >> Setup >> Management\nSelect the \"Edit\" icon in the \"Logging and Reporting Settings\" section.\nSelect the \"Log Export and Reporting\" tab.\nSelect one of the following options from the \"Send Hostname in Syslog\" drop-down list:\nipv4-address: Uses the IPv4 address of the interface used to send logs on the device. By default, this is the management interface of the device.\nipv6-address: Uses the IPv6 address of the interface used to send logs on the device. By default, this is the management interface of the device.\nNote that the selected option must be consistent with the IP address version used by the management interface.\nSelect \"OK\".\n\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-000133"]},{"vulnId":"V-207690","ruleId":"SV-207690r559743_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must capture traffic of detected/dropped malicious code.","description":"Associating event outcome with detected events in the log provides a means of investigating an attack or suspected attack.\n\nThe logs should identify what servers, destination addresses, applications, or databases were potentially attacked by logging communications traffic between the target and the attacker. All commands that were entered by the attacker (such as account creations, changes in permissions, files accessed, etc.) during the session should also be logged when capturing for forensic analysis.\n\nPacket captures of attack traffic can be used by forensic tools for analysis for example, to determine if an alert is real or a false alarm or for forensics for threat intelligence. Configure the packet capture filters so that the CPU is not overloaded.  There are many reasons for a packet capture. This requirement addresses the case where the capture is based on forensics for a detected malicious attack and the traffic is being captured in association with that traffic. Filtering should be engaged to facilitate forensics.","checkContent":"Go to Objects >> Security Profiles >> Antivirus\nView the configured Antivirus Profiles. If the Packet Capture check box is not checked, this is a finding.\n\nGo to Objects >> Security Profiles >> Anti-Spyware\nView the configured Anti-Spyware Profiles. If the \"Packet Capture\" field does not show extended-capture, this is a finding.\n\nGo to Objects >> Security Profiles >> Vulnerability Protection\nView the configured Vulnerability Protection Profiles. If the \"Packet Capture\" field does not show extended-capture, this is a finding.\n\nGo to Policies >> Security\nReview each of the configured security policies in turn.  
For any Security Policy that affects traffic between Zones (interzone), view the \"Profile\" column.  If the \"Profile\" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.","fixText":"This procedure will only capture the first packet. See the vendor documentation for further information.\n\nGo to Objects >> Security Profiles >> Antivirus\nSelect the name of a configured Antivirus Profile or select \"Add\" to create a new one.\nIn the \"Antivirus Profile\" window,  complete the required fields.\nIn the \"Antivirus\" tab, select the \"Packet Capture\" check box.\nSelect \"OK\".\n\nConfigure an Anti-Spyware Profile to capture detected malicious traffic.\nGo to Objects >> Security Profiles >> Anti-Spyware\nSelect the name of a configured Anti-Spyware Profile or select \"Add\" to create a new one.\nIn the \"Anti-Spyware Profile\" window, complete the required fields in all tabs.\nIn the \"Rules\" tab, select the name of a configured Anti-Spyware Rule or select \"Add\" to create a new one.\nIn the \"Anti-Spyware Rule\" window, in the \"Packet Capture\" field, select \"extended-capture\".\nSelect \"OK\". 
\nSelect \"OK\" again.\n\nConfigure a Vulnerability Protection Profile to capture detected malicious traffic.\nGo to Objects >> Security Profiles >> Vulnerability Protection\nSelect the name of a configured Vulnerability Protection Profile or select \"Add\" to create a new one.\nIn the \"Vulnerability Protection Profile\" window, complete the required fields.\nIn the \"Rules\" tab, select the name of a configured Vulnerability Protection Rule or select \"Add\" to create a new one.\nIn the \"Vulnerability Protection Rule\" window, in the \"Packet Capture\" field, select \"extended-capture\".\nSelect \"OK\".\nSelect \"OK\" again.\n\nUse the Antivirus Profile, Anti-Spyware Profile, and Vulnerability Protection Profile in a Security Policy.\nGo to Policies >> Security\nSelect an existing policy rule or select \"Add\" to create a new one.\nIn the \"Actions\" tab in the \"Profile Setting\" section:\nIn the \"Profile Type\" field, select \"Profiles\".  The window will change to display the different categories of Profiles.\nIn the \"Antivirus\" field, select the configured Antivirus Profile.\nIn the \"Anti-Spyware\" field, select the configured Anti-Spyware Profile.\nIn the \"Vulnerability Protection\" field, select the configured Vulnerability Protection Profile.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-000134"]},{"vulnId":"V-207691","ruleId":"SV-207691r1038960_rule","severity":"medium","ruleTitle":"In the event of a logging failure caused by the lack of audit record storage capacity, the Palo Alto Networks security platform must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.","description":"It is critical that when the Palo Alto Networks security platform is at risk of failing to process audit logs as required, it takes action to mitigate the failure.\n\nThe Palo Alto Networks security platform performs a critical security function, so its continued operation is imperative. Since availability of the Palo Alto Networks security platform is an overriding concern, shutting down the system in the event of an audit failure should be avoided, except as a last resort.","checkContent":"Note: overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform.\n \nGo to Device >> Setup\nIn the \"Logging and Reporting Settings\" pane, if the \"Stop Traffic when LogDb Full\" checkbox is selected, this is a finding.","fixText":"Note: Overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform.\n  \nGo to Device >> Setup\nIn the \"Logging and Reporting Settings\" pane, select the \"Edit\" icon in the upper-right corner.\nIn the \"Logging and Reporting Settings\" window, in the \"Log Export and Reporting\" tab, deselect (uncheck) the \"Stop Traffic when LogDb Full\" checkbox.  If it is already not selected, do not change it.\nSwitch back to the \"Log Storage\" tab.\nSelect \"OK\".\n\nIf no changes were made, it is not necessary or possible to commit a change.  If a change was made, commit changes by selecting \"Commit\" in the upper-right corner of the screen.  
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-000140"]},{"vulnId":"V-207692","ruleId":"SV-207692r997604_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must have a denial-of-service (DoS) Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.","description":"The Palo Alto Networks security platform must include protection against DoS attacks that originate from inside the enclave which can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave.\n\nInstallation of Palo Alto Networks security platform detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.\n\nTo comply with this requirement, the Palo Alto Networks security platform must inspect outbound traffic for indications of known and unknown DoS attacks. Sensor log capacity management along with techniques which prevent the logging of redundant information during an attack also guard against DoS attacks. 
This requirement is used in conjunction with other requirements which require configuration of security policies, signatures, rules, and anomaly detection techniques and are applicable to both inbound and outbound traffic.","checkContent":"Go to Objects >> Security Profiles >> DoS Protection.\nIf there are no DoS Protection Profiles configured, this is a finding.\n\nThere may be more than one configured DoS Protection Profile; ask the administrator which DoS Protection Profile is intended to protect outside networks from internally-originated DoS attacks.\nIf there is no such DoS Protection Profile, this is a finding.","fixText":"Go to Objects >> Security Profiles >> DoS Protection.\nSelect \"Add\" to create a new profile.\nIn the \"DoS Protection Profile\" window, complete the required fields.\nFor the Type, select \"Classified\".\nIn the \"Flood Protection\" tab, \"Syn Flood\" tab, select the \"Syn Flood\" check box and select either \"Random Early Drop\" (preferred in this case) or \"SYN Cookie\".\nIn the \"Flood Protection\" tab, \"UDP Flood\" tab, select the \"UDP Flood\" check box; complete the \"Alarm Rate\", \"Activate Rate\", \"Max Rate\", and \"Block Duration\" fields.\nIn the \"Flood Protection\" tab, \"ICMP Flood\" tab, select the \"ICMP Flood\" check box; complete the \"Alarm Rate\", \"Activate Rate\", \"Max Rate\", and \"Block Duration\" fields.\nIn the \"Flood Protection\" tab, \"ICMPv6 Flood\" tab, select the \"ICMPv6 Flood\" check box; complete the \"Alarm Rate\", \"Activate Rate\", \"Max Rate\", and \"Block Duration\" fields.\nIn the \"Flood Protection\" tab, \"Other IP Flood\" tab, select the \"Other IP Flood\" check box; complete the \"Alarm Rate\", \"Activate Rate\", \"Max Rate\", and \"Block Duration\" fields. 
\nIn the \"Resources Protection\" tab, leave the \"Maximum Concurrent Sessions\" check box unselected.\nSelect \"OK\".\n\nGo to Policies >> DoS Protection.\nSelect \"Add\" to create a new policy.\nIn the \"DoS Rule\" window, complete the required fields.\nIn the \"General\" tab, complete the \"Name\" and \"Description\" fields.\nIn the \"Source\" tab, for \"Zone\", select the internal zone; for \"Source Address\", select \"Any\".\nIn the \"Destination\" tab, for \"Zone\", select the external zone; for \"Destination Address\", select \"Any\".\nIn the \"Option/Protection\" tab:\nFor \"Service\", select \"Any\".\nFor \"Action\", select \"Protect\".\nSelect the \"Classified\" check box.\nIn the \"Profile\" field, select the configured DoS Protection profile for outbound traffic.\nIn the \"Address\" field, select \"source-ip-only\".\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen. Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-001095","CCI-004866"]},{"vulnId":"V-207693","ruleId":"SV-207693r768712_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must detect and deny any prohibited mobile or otherwise malicious code at the enclave boundary.","description":"Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScript, VBScript, Java applets, ActiveX controls, Flash animations, Shockwave videos, and macros embedded within Microsoft Office documents. Mobile code can be exploited to attack a host. 
It can be sent as an e-mail attachment or embedded in other file formats not traditionally associated with executable code.\n\nWhile the IDPS cannot replace the anti-virus and host-based IDS (HIDS) protection installed on the network's endpoints, vendor or locally created sensor rules can be implemented, which provide preemptive defense against both known and zero-day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and rules or blacklist updates are distributed by anti-virus or malicious code solution vendors.","checkContent":"Go to Objects >> Security Profiles >> Antivirus.\n\nIf no Antivirus Profiles are configured other than the default, this is a finding.\n\nView the configured Antivirus Profiles. For each protocol decoder (SMTP, IMAP, POP3, FTP, HTTP, SMB), if the \"Action\" is anything other than \"drop\" or \"reset-both\", this is a finding.\n\nGo to Policies >> Security.\n\nReview each of the configured security policies in turn. For any Security Policy that affects traffic from an outside (untrusted) zone, view the \"Profile\" column.\n\nIf the \"Profile\" column does not display the \"Antivirus Profile\" symbol, this is a finding.","fixText":"To create an Antivirus Profile:\nGo to Objects >> Security Profiles >> Antivirus.\n\nSelect \"Add\".\n\nIn the \"Antivirus Profile\" window, complete the required fields.\n\nComplete the \"Name\" and \"Description\" fields.\n\nIn the \"Antivirus\" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the \"Action\" to \"drop\" or \"reset-both\".\n\nSelect \"OK\".\n\nUse the Profile in a Security Policy:\nGo to Policies >> Security.\n\nSelect an existing policy rule or select \"Add\" to create a new one.\n\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Profile Type\" field, select \"Profiles\". 
The window will change to display the different categories of Profiles.\n\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Antivirus\" field, select the configured Antivirus Profile.\n\nSelect \"OK\".\n\nUse the Antivirus Profile in a Security Policy applied to traffic from an outside (untrusted) zone.\n\nGo to Policies >> Security.\n\nSelect an existing policy rule or select \"Add\" to create a new one.\n\nIn the \"Actions\" tab in the \"Profile Setting\" section:\nIn the \"Profile Type\" field, select \"Profiles\". The window will change to display the different categories of Profiles.\n\nIn the \"Antivirus\" field, select the configured Antivirus Profile.\n\nIn the \"Anti-Spyware\" field, select the configured Anti-Spyware Profile.\n\nIn the \"Vulnerability Protection\" field, select the configured Vulnerability Protection Profile.\n\nSelect \"OK\".\n\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\n\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-001662"]},{"vulnId":"V-207694","ruleId":"SV-207694r997607_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.","description":"Failing to update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs.\n\nThe IDPS is a key malicious code protection mechanism in the enclave infrastructure. 
To ensure this protection is responsive to changes in malicious code threats, IDPS components must be updated, including application software files, anti-virus signatures, detection heuristics, vendor-provided rules, and vendor-provided signatures.\n\nUpdates must be installed in accordance with the CCB procedures for the local organization. However, at a minimum:\nUpdates designated as critical security updates by the vendor must be installed immediately.\nUpdates for signature definitions, detection heuristics, and vendor-provided rules must be installed immediately.\nUpdates for application software are installed in accordance with the CCB procedures.\nPrior to automatically installing updates, either manual or automated integrity and authentication checking is required, at a minimum, for application software updates.","checkContent":"Since some networks cannot connect to the vendor site for automatic updates, a manual process can be used.\n\nTo verify that the Palo Alto Networks security platform is using the current Applications and Threats database, view the Dashboard and compare the installed version and date to the latest release.\nGo to Dashboard; in the \"General Information\" pane, view the \"Threat Version\" and \"Antivirus Version\". 
If they are not the most current version as listed on the Palo Alto Networks support site, this is a finding.\n\nThe following check applies if the network is authorized to connect to the vendor site for automatic updates.\nTo verify that automatic updates are configured, go to Device >> Dynamic Updates.\nIf no entries for \"Applications and Threats\" are present, this is a finding.\nIf the \"Applications and Threats\" entry states \"Download Only\", this is a finding.","fixText":"Go to Device >> Dynamic Updates.\nSelect \"Check Now\" at the bottom of the page to retrieve the latest signatures.\n\nTo schedule automatic signature updates:\nNote: the steps provided below do not account for local change management policies.\n\nGo to Device >> Dynamic Updates.\nSelect the text to the right of \"Schedule\".\nIn the \"Applications and Threats Update Schedule\" window, complete the required information.\nIn the \"Recurrence\" field, select \"Daily\".\nIn the \"Time\" field, enter the time at which the device should check for updates.\nFor the \"Action\", select \"Download and Install\".\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen. 
Select \"OK\" when the confirmation dialog appears.\n \nIf manual updates are used, an Administrator must obtain updates from the Palo Alto Networks support site and upload them from a workstation or server to the Palo Alto Networks security platform.\nGo to Device >> Dynamic Updates.\nSelect \"Upload\" (at the bottom of the pane).\nIn the \"Select Package Type for the Upload\" window in the \"Package Type\" field, select \"anti-virus\".\nBrowse to and select the appropriate file.\nSelect \"OK\".\n\nSelect \"Install From File\" (at the bottom of the pane).\nIn the \"Select Package Type for Installation\" window, select \"antivirus\".\nSelect \"OK\".\n\nIn the \"Install Application and Threats From File\" window, select the previously uploaded file.\nSelect \"OK\".","ccis":["CCI-004965"]},{"vulnId":"V-207695","ruleId":"SV-207695r557390_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must detect and drop any prohibited mobile or otherwise malicious code at internal boundaries.","description":"Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScript, VBScript, Java applets, ActiveX controls, Flash animations, Shockwave videos, and macros embedded within Microsoft Office documents. Mobile code can be exploited to attack a host. It can be sent as an e-mail attachment or embedded in other file formats not traditionally associated with executable code.\n\nWhile the IDPS cannot replace the anti-virus and host-based IDS (HIDS) protection installed on the network's endpoints, vendor or locally created sensor rules can be implemented, which provide preemptive defense against both known and zero-day vulnerabilities. 
Many of the protections may provide defenses before vulnerabilities are discovered and rules or blacklist updates are distributed by anti-virus or malicious code solution vendors.\n\nThe Palo Alto Networks security platform allows customized profiles to be used to perform antivirus inspection for traffic between zones. Antivirus, anti-spyware, and vulnerability protection features require a specific license. There is a default Antivirus Profile; the profile inspects all of the listed protocol decoders for viruses, and generates alerts for the SMTP, IMAP, and POP3 protocols while dropping for the FTP, HTTP, and SMB protocols. However, these default actions cannot be edited, and the alert-only actions for the SMTP, IMAP, and POP3 protocols do not meet the requirement, so customized profiles must be used.","checkContent":"Go to Objects >> Security Profiles >> Antivirus.\n\nIf there are no Antivirus Profiles configured other than the default, this is a finding.\n\nView the configured Antivirus Profiles. For each protocol decoder (SMTP, IMAP, POP3, FTP, HTTP, SMB), if the \"Action\" is anything other than \"drop\" or \"reset-both\", this is a finding.\n\nGo to Policies >> Security.\n\nReview each of the configured security policies in turn. 
For any Security Policy that affects traffic between internal Zones (interzone), view the \"Profile\" column.\n\nIf the \"Profile\" column does not display the \"Antivirus Profile\" symbol, this is a finding.","fixText":"To create an Antivirus Profile:\nGo to Objects >> Security Profiles >> Antivirus.\n\nSelect \"Add\".\n\nIn the \"Antivirus Profile\" window, complete the required fields.\n\nComplete the \"Name\" and \"Description\" fields.\n\nIn the \"Antivirus\" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the \"Action\" to \"drop\" or \"reset-both\".\n\nSelect \"OK\".\n\nUse the Antivirus Profile in a Security Policy:\nGo to Policies >> Security.\n\nSelect an existing policy rule or select \"Add\" to create a new one.\n\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Profile Type\" field, select \"Profiles\". The window will change to display the different categories of Profiles.\n\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Antivirus\" field, select the configured Antivirus Profile.\n\nSelect \"OK\".\n\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\n\nSelect \"OK\" when the confirmation dialog appears.\n\nUse the Antivirus Profile in a Security Policy applied to traffic between internal zones.\n\nGo to Policies >> Security.\n\nSelect an existing policy rule or select \"Add\" to create a new one.\n\nIn the \"Actions\" tab in the \"Profile Setting\" section:\nIn the \"Profile Type\" field, select \"Profiles\". The window will change to display the different categories of Profiles.\n\nIn the \"Antivirus\" field, select the configured Antivirus Profile.\n\nIn the \"Anti-Spyware\" field, select the configured Anti-Spyware Profile.\n\nIn the \"Vulnerability Protection\" field, select the configured Vulnerability Protection Profile.\n\nSelect \"OK\".\n\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen. 
\n\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-001243"]},{"vulnId":"V-207696","ruleId":"SV-207696r557390_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must send an immediate (within seconds) alert to, at a minimum, the SA when malicious code is detected.","description":"Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.\n\nThe IDPS generates an immediate (within seconds) alert which notifies designated personnel of the incident. Sending a message to an unattended log or console does not meet this requirement since that will not be seen immediately. These messages should include a severity level indicator or code as an indicator of the criticality of the incident.\n\nWhen the Palo Alto Networks security platform blocks malicious code, it also generates a record in the threat log.  This message has a medium severity.","checkContent":"The following is an example of how to check if the device is sending messages to e-mail; this is one option that meets the requirement.  If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to verify that function.\nGo to Device >> Server Profiles >> Email\nIf there is no Email Server Profile configured, this is a finding.\n\nGo to Objects >> Log Forwarding\nIf there is no Log Forwarding Profile configured that forwards Threat logs to the Email Server Profile, this is a finding.\n\nGo to Policies >> Security\nView the Security Policy that is used to detect malicious code (the \"Profile\" column displays the Antivirus Profile symbol); in the \"Options\" column, if that Log Forwarding Profile is not applied, this is a finding.","fixText":"The following is an example of how to configure the device to send messages to e-mail; this is one option that meets the requirement.  
If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to configure that function.\n\nTo create an email server profile:\nGo to Device >> Server Profiles >> Email\nSelect \"Add\".\nIn the \"Email Server Profile\" field, enter the name of the profile.\nSelect \"Add\".\nIn the \"Servers\" tab, enter the required information.\nIn the \"Name\" field, enter the name of the Email server.\nIn the \"Email Display Name\" field, enter the name shown in the \"From\" field of the email.\nIn the \"From\" field, enter the \"From\" email address.\nIn the \"To\" field, enter the email address of the recipient.\nIn the \"Additional Recipient\" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.\nIn the \"Gateway\" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.\nSelect \"OK\".\n\nAfter you create the Server Profiles that define where to send your logs, you must enable log forwarding.\nThreat Logs—Enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection).\n\nConfigure the log-forwarding profile to select the logs to be forwarded to the Email server.\nGo to Objects >> Log forwarding\nThe \"Log Forwarding Profile\" window appears.  Note that it has five columns.
\nIn the \"Name\" field, enter the name of the Log Forwarding Profile.\nIn the \"Threat Settings\" section in the \"Email\" column, select the Email server profile for forwarding threat logs to the configured server(s).\nSelect \"OK\".\n\nWhen the \"Log Forwarding Profile\" window disappears, the screen will show the configured log-forwarding profile.\nFor Threat Logs, use the log forwarding profile in the security rules.\nGo to Policies >> Security Rule\nSelect the rule for which the log forwarding needs to be applied, which in this case is the Security Policy that is used to detect malicious code (the \"Profile\" column does display the Antivirus Profile symbol). Apply the log forwarding profile to the rule.\nIn the \"Actions\" tab in the \"Log Setting\" section; in the \"Log Forwarding\" field, select the log forwarding profile from the drop-down list.  Note that the \"Log Forwarding\" field can only have one profile.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-001243"]},{"vulnId":"V-207697","ruleId":"SV-207697r997610_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules.","description":"Failing to automatically update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs. An automatic update process ensures this important task is performed without the need for SCA intervention.\n\nThe IDPS is a key malicious code protection mechanism in the enclave infrastructure. 
To ensure this protection is responsive to changes in malicious code threats, IDPS components must be automatically updated, including anti-virus signatures, detection heuristics, vendor-provided rules, and vendor-provided signatures.\n\nIf a DOD patch management server or update repository having the tested/verified updates is available for the device component, the components must be configured to automatically check this server/site for updates and install new updates.\n\nIf a DOD server/site is not available, the component must be configured to automatically check a trusted vendor site for updates. A trusted vendor is either commonly used by DOD, specifically approved by DOD, the vendor from which the equipment was purchased, or approved by the local program's CCB.","checkContent":"To verify that automatic updates are configured, go to Device >> Dynamic Updates.\n\nIf no entries for \"Applications and Threats\" are present, this is a finding.\n\nIf the \"Applications and Threats\" entry states \"Download Only\", this is a finding.","fixText":"Go to Device >> Dynamic Updates.\nSelect \"Check Now\" at the bottom of the page to retrieve the latest signatures.\nTo schedule automatic signature updates:\nNote: the steps provided below do not account for local change management policies.\n\nGo to Device >> Dynamic Updates.\nSelect the text to the right of \"Schedule\".\nIn the \"Applications and Threat Updates Schedule\" window, complete the required information.\nIn the \"Recurrence\" field, select \"Daily\".\nIn the \"Time\" field, enter the time at which you want the device to check for updates.\nFor the \"Action\", select \"Download and Install\".\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen. 
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-004964"]},{"vulnId":"V-207698","ruleId":"SV-207698r1056118_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.","description":"Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information and network topology that may be exploited by an attacker.\n\nReview the vendor documentation for more information about \"How to Allow/Block ICMP Error Reporting Packets\".\n\nNote that this setting is only available in the Zone Protection profile option, not in the DoS protection profile. Thus, where IDS is part of the function of Palo Alto, a Zone Protection profile is required to comply with this requirement.","checkContent":"Verify a zone protection profile is configured for each outgoing zone that drops all ICMP Destination Unreachable, Redirect, and Address Mask reply messages.\n\n1. Navigate to the \"Zone Protection Profile\" configuration screen.\n2. Select the \"Packet Based Attack Protection\" tab.\n3. Select the \"ICMP Drop\" tab.\n\nIf the \"Discard ICMP embedded with error message\" box is not checked for each internal or DMZ zone, this is a finding.","fixText":"Create a zone protection profile for each outgoing zone that drops any ICMP Destination Unreachable, Redirect, and Address Mask reply messages.\n\n1. Navigate to the \"Zone Protection Profile\" configuration screen.\n2. Select the \"Packet Based Attack Protection\" tab.\n3. Select the \"ICMP Drop\" tab.\n4. 
Check the \"Discard ICMP embedded with error message\" box.","ccis":["CCI-001312"]},{"vulnId":"V-207699","ruleId":"SV-207699r557390_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must block malicious ICMP packets.","description":"Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics.  However, ICMP can be misused to provide a covert channel. ICMP tunneling is when an attacker injects arbitrary data into an echo packet and sends it to a remote computer. The remote computer injects an answer into another ICMP packet and sends it back.  This creates a covert channel where an attacker can hide commands sent to a compromised host or a compromised host can exfiltrate data.","checkContent":"Ask the Administrator which Security Policy blocks traceroutes and ICMP probes.\nGo to Policies >> Security\nView the identified Security Policy.\n\nIf the \"Source Zone\" field is not external and the \"Source Address\" field is not \"any\", this is a finding.\n\nIf the \"Destination Zone\" fields do not include the internal and DMZ zones and the \"Destination Address\" field is not \"any\", this is a finding.\nNote: the exact number and name of zones is specific to the network.\n\nIf the \"Application\" fields do not include \"icmp\", \"ipv6-icmp\", and \"traceroute\", this is a finding.\n\nIf the \"Actions\" field does not show \"Deny\" as the resulting action, this is a finding.","fixText":"To configure the security policy:\nGo to Policies >> Security\nSelect \"Add\".\nIn the \"Security Policy Rule\" window, complete the required fields.\nIn the \"General\" tab, complete the \"Name\" and \"Description\" fields.\nIn the \"Source\" tab, complete the \"Source Zone\" and \"Source Address\" fields.\nFor the \"Source Zone\" field, select \"external\". 
\nFor the \"Source Address\" field, select \"any\".\nIn the \"Destination\" tab, complete the \"Destination Zone\" and \"Destination Address\" fields. \nFor the \"Destination Zone\" field, select the internal and DMZ zones.\nNote: the exact number and name of zones is specific to the network.\n\nFor the \"Destination Address\" field, select \"any\".\nIn the \"Applications\" tab, select \"icmp\", \"ipv6-icmp\", \"traceroute\".\nIn the \"Actions\" tab, select \"Deny\" as the resulting action.  Select the required Log Setting and Profile Settings as necessary.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-001312"]},{"vulnId":"V-207700","ruleId":"SV-207700r856614_rule","severity":"medium","ruleTitle":"To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections.\n\nIDPS component(s) with the capability to prevent code injections must be included in the IDPS implementation to protect against unauthorized data mining. 
These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.","checkContent":"Go to Objects >> Security Profiles >> Vulnerability Protection\nIf there are no Vulnerability Protection Profiles configured, this is a finding.\n\nAsk the Administrator which Vulnerability Protection Profile is used to protect database assets by blocking and alerting on attacks.\nView the configured Vulnerability Protection Profile; check the \"Severity\" and \"Action\" columns.\n\nIf the Vulnerability Protection Profile used for database protection does not block all critical, high, and medium threats, this is a finding.\n\nIf the Vulnerability Protection Profile used for database protection does not alert on low and informational threats, this is a finding.\n\nAsk the Administrator which Security Policy is used to protect database assets.\nGo to Policies >> Security\nView the configured Security Policy; view the \"Profile\" column.\n\nIf the \"Profile\" column does not display the Vulnerability Protection Profile symbol, this is a finding.\n\nMoving the cursor over the symbol will list the exact Vulnerability Protection Profiles applied.\n\nIf the specific Vulnerability Protection Profile is not listed, this is a finding.","fixText":"Create and apply a Vulnerability Protection Profile to protect database assets by blocking and alerting on attacks. 
This profile has two rules; the first blocks critical, high, and medium threats, and the second alerts on low and informational threats.\nGo to Objects >> Security Profiles >> Vulnerability Protection\nSelect \"Add\".\nIn the \"Vulnerability Protection Profile\" window, complete the required fields.\nIn the \"Name\" field, enter the name of the Vulnerability Protection Profile.\nIn the \"Description\" field, enter the description of the Vulnerability Protection Profile.\nIn the \"Rules\" tab, select \"Add\".\nIn the \"Vulnerability Protection Rule\" window:\nIn the \"Rule Name\" field, enter the Rule name.\nIn the \"Threat Name\" field, select \"any\".\nIn the \"Action\" field, select \"block\".\nIn the \"Host type\" field, select \"server\".\nSelect the checkboxes above the \"CVE\" and \"Vendor ID\" boxes.\nIn the \"Severity\" section, select the \"critical\", \"high\", and \"medium\" check boxes.\nSelect \"OK\".\n\nIn the \"Vulnerability Protection Profile\" window, select the configured rule, then select \"OK\".\nAdd a second rule that alerts on low and informational threats.\n\nApply the Vulnerability Protection Profile to the Security Policy Rules permitting traffic to the databases.\nGo to Policies >> Security\nSelect an existing policy rule or select \"Add\" to create a new one.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Profile Type\" field, select \"Profiles\".  The window will change to display the different categories of Profiles.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Vulnerability Protection\" field, select the configured Vulnerability Protection Profile.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002346"]},{"vulnId":"V-207701","ruleId":"SV-207701r1056120_rule","severity":"medium","ruleTitle":"To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.\n\nIDPS component(s) with the capability to prevent code injections must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.","checkContent":"Go to Objects >> Security Profiles >> Vulnerability Protection.\n\nIf there are no Vulnerability Protection Profiles configured, this is a finding.","fixText":"Create and apply a Vulnerability Protection Profile to protect database assets by blocking and alerting on attacks. This example profile has two rules; the first blocks critical, high, and medium threats, and the second alerts on low and informational threats.\n\nCreating the Protection Profiles:\n1. Go to Objects >> Security Profiles >> Vulnerability Protection and select \"Add\".\n2. 
In the \"Vulnerability Protection Profile\" window, complete the following required fields:\n     In the \"Name\" field, enter the name of the Vulnerability Protection Profile.\n     In the \"Description\" field, enter the description of the Vulnerability Protection Profile.\n     In the \"Rules\" tab, select \"Add\".\n3. In the \"Vulnerability Protection Rule\" window, complete the required fields:\n     In the \"Rule Name\" field, enter the Rule name.\n     In the \"Threat Name\" field, select \"any\".\n     In the \"Action\" field, select \"block\".\n     In the \"Host type\" field, select \"server\".\n     Select the checkboxes above the \"CVE\" and \"Vendor ID\" boxes.\n     In the \"Severity\" section, select the \"critical\", \"high\", and \"medium\" check boxes.\n     Select \"OK\".\n4. In the \"Vulnerability Protection Profile\" window, select the configured rule, then select \"OK\".\n5. Add a second rule that alerts on low and informational threats.\n\nApply the Vulnerability Protection Profile to the Security Policy Rules permitting traffic to the databases.\n1. Go to Policies >> Security.\n2. Select an existing policy rule.\n3. In the \"Actions\" tab in the \"Profile Setting\" section; in the \"Profile Type\" field, select \"Profiles\". The window will change to display the different categories of Profiles.\n4. In the \"Actions\" tab in the \"Profile Setting\" section; in the \"Vulnerability Protection\" field, select the configured Vulnerability Protection Profile.\n5. Select \"OK\".\n\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen. Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002346"]},{"vulnId":"V-207702","ruleId":"SV-207702r856616_rule","severity":"low","ruleTitle":"The Palo Alto Networks security platform must off-load log records to a centralized log server.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised.\n\nThis also prevents the log records from being lost if the logs stored locally are accidentally or intentionally deleted, altered, or corrupted.","checkContent":"To view a syslog server profile:\nGo to Device >> Server Profiles >> Syslog\n\nIf there are no Syslog Server Profiles present, this is a finding.\n\nSelect each Syslog Server Profile; if no server is configured, this is a finding.\n\nView the log-forwarding profile to determine which logs are forwarded to the syslog server.\nGo to Objects >> Log forwarding\n\nIf no Log Forwarding Profile is present, this is a finding.\n\nThe \"Log Forwarding Profile\" window has five columns.\n\nIf there are no Syslog Server Profiles present in the \"Syslog\" column for the Traffic Log Type, this is a finding.\n\nIf there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding.\n\nGo to Device >> Log Settings >> System Logs\nThe list of Severity levels is displayed.\n\nIf any of the Severity levels does not have a configured Syslog Profile, this is a finding.\n\nGo to Device >> Log Settings >> Config Logs\n\nIf the \"Syslog\" field is blank, this is a finding.","fixText":"To create a syslog server profile:\nGo to Device >> Server Profiles >> Syslog\nSelect \"Add\".\nIn the Syslog Server Profile, enter the name of the profile.\nSelect \"Add\".\nIn the \"Servers\" tab, enter the required information.\nName: Name of the syslog server\nServer: Server IP address where the logs will be forwarded to\nPort: Default port 514\nFacility: Select from the drop-down list\nSelect \"OK\".\n\nAfter you create the Server Profiles that define where to send your logs, you must enable log forwarding.
\nThe way to enable forwarding depends on the log type:\nTraffic Logs—Enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded.\nConfigure the log-forwarding profile to select the logs to be forwarded to the syslog server.\nGo to Objects >> Log forwarding\nThe \"Log Forwarding Profile\" window appears.  Note that it has five columns.  In the \"Syslog\" column, select the syslog server profile for forwarding threat logs to the configured server(s).\nSelect \"OK\".\n\nWhen the \"Log Forwarding Profile\" window disappears, the screen will show the configured log-forwarding profile.\nThreat Logs—You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection).\nConfigure the log-forwarding profile to select the logs to be forwarded to the syslog server.\nGo to Objects >> Log forwarding.\nThe \"Log Forwarding Profile\" window appears.  Note that it has five columns.  In the \"Syslog\" column, select the syslog server profile for forwarding threat logs to the configured server(s).\nSelect \"OK\".\n\nWhen the \"Log Forwarding Profile\" window disappears, the screen will show the configured log-forwarding profile.\nSystem Logs—You enable forwarding of System logs by specifying a Server Profile in the log settings configuration.
\nGo to Device >> Log Settings >> System Logs\nThe list of severity levels is displayed.\n\nSelect a Server Profile for each severity level to forward.\nSelect each severity level in turn; with each selection, the \"Log Systems - Setting\" window will appear.\nIn the \"Log Systems - Setting\" window, in the \"Syslog\" drop-down box, select the configured Server Profile.\nSelect \"OK\".\n\nConfig Logs—You enable forwarding of Config logs by specifying a Server Profile in the log settings configuration.\nGo to Device >> Log Settings >> Config Logs\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Log Settings Config\" window, in the \"Syslog\" drop-down box, select the configured Server Profile.\nSelect \"OK\".\n\nFor Traffic Logs and Threat Logs, use the log forwarding profile in the security rules.\nGo to Policies >> Security Rule\nSelect the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.\nGo to Actions >> Log forwarding\nSelect the log forwarding profile from the drop-down list.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-001851"]},{"vulnId":"V-207703","ruleId":"SV-207703r997613_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).","description":"If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users.\n\nInstallation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. 
These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.\n\nDetection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks which are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components.\n\nThis requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.","checkContent":"Go to Objects >> Security Profiles >> DoS Protection.\nIf there are no DoS Protection Profiles configured, this is a finding.\n\nGo to Policies >> DoS Protection.\nIf there are no DoS Protection Policies, this is a finding.\n\nThere may be more than one configured DoS Protection Policy; ask the administrator which DoS Protection Policy is intended to protect internal networks and DMZ networks from externally-originated DoS attacks.\n\nIf there is no such DoS Protection Policy, this is a finding.\n\nIf the DoS Protection Policy has no DoS Protection Profile, this is a finding.","fixText":"Go to Objects >> Security Profiles >> DoS Protection.\nSelect \"Add\" to create a new profile.\nIn the \"DoS Protection Profile\" window, complete the required fields.\nFor the \"Type\", select \"Classified\".\nIn the \"Flood Protection\" tab, \"Syn Flood\" tab, select the \"Syn Flood\" check box and select \"SYN Cookie\".\nIn the \"Flood Protection\" tab, \"UDP Flood\" tab, select the \"UDP Flood\" check box; complete the \"Alarm Rate\", \"Activate Rate\", \"Max Rate\", and \"Block Duration\" fields.\nIn the \"Flood Protection\" tab, \"ICMP Flood\" tab, select the \"ICMP Flood\" check box; complete the \"Alarm Rate\", 
\"Activate Rate\", \"Max Rate\", and \"Block Duration\" fields.\nIn the \"Flood Protection\" tab, \"ICMPv6 Flood\" tab, select the \"ICMPv6 Flood\" check box; complete the \"Alarm Rate\", \"Activate Rate\", \"Max Rate\", and \"Block Duration\" fields.\nIn the \"Flood Protection\" tab, \"Other IP Flood\" tab, select the \"Other IP Flood\" check box; complete the \"Alarm Rate\", \"Activate Rate\", \"Max Rate\", and \"Block Duration\" fields.\nIn the \"Resources Protection\" tab, select the \"Maximum Concurrent Sessions\" check box.\nIn the \"Resources Protection\" tab, complete the \"Max Concurrent Sessions\" field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied. If the DoS profile type is classified, this limit applies to the entire traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS rule on which the DoS profile is applied.\nSelect \"OK\".\n\nGo to Policies >> DoS Protection.\nSelect \"Add\" to create a new policy.\nIn the \"DoS Rule\" Window, complete the required fields.\nIn the \"General\" tab, complete the \"Name\" and \"Description\" fields.\nIn the \"Source\" tab, for \"Zone\", select the external zone; for \"Source Address\", select \"Any\".\nIn the \"Destination\" tab, for \"Zone\", select the internal zone; for \"Destination Address\", select \"Any\".\nIn the \"Option/Protection\" tab:\nFor \"Service\", select \"Any\".\nFor \"Action\", select \"Protect\".\nSelect the \"Classified\" check box.\nIn the \"Profile\" field, select the configured DoS Protection profile for inbound traffic.\nIn the \"Address\" field, select \"destination-ip-only\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen. 
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002385","CCI-004866"]},{"vulnId":"V-207704","ruleId":"SV-207704r997616_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats.","description":"If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users.\n\nInstallation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage.\n\nDetection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the IDPS component vendor. These attacks include SYN-flood, ICMP-flood, and Land Attacks.\n\nThis requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.","checkContent":"Go to Objects >> Security Profiles >> Vulnerability Protection.\nIf there are no Vulnerability Protection Profiles configured, this is a finding.\n\nAsk the administrator which Vulnerability Protection Profile is used for interzone traffic.\nView the configured Vulnerability Protection Profiles; check the \"Severity\" and \"Action\" columns.\nIf the Vulnerability Protection Profile used for interzone traffic does not block all critical, high, and medium threats, this is a finding.\n\nGo to Policies >> Security.\nReview each of the configured security policies in turn.\nFor any Security Policy that affects traffic between Zones (interzone), view the Profile column. 
If the Profile column does not display the Vulnerability Protection Profile symbol, this is a finding.","fixText":"To create a Vulnerability Protection Profile:\nGo to Objects >> Security Profiles >> Vulnerability Protection.\nSelect \"Add\".\nIn the \"Vulnerability Protection Profile\" window, complete the required fields.\nIn the \"Name\" field, enter the name of the Vulnerability Protection Profile.\nIn the \"Description\" field, enter the description of the Vulnerability Protection Profile.\nIn the \"Rules\" tab, select \"Add\".\nIn the \"Vulnerability Protection Rule\" window:\nIn the \"Rule Name\" field, enter the Rule name.\nIn the \"Threat Name\" field, select \"any\".\nIn the \"Action\" field, select \"block\".\nIn the \"Host type\" field, select \"any\".\nSelect the checkboxes above the \"CVE\" and \"Vendor ID\" boxes.\nIn the \"Severity\" section, select the \"critical\", \"high\", and \"medium\" check boxes.\nSelect \"OK\".\n\nIn the \"Vulnerability Protection Profile\" window, select the configured rule, then select \"OK\".\nUse the Profile in a Security Policy:\nGo to Policies >> Security.\nSelect an existing policy rule or select \"Add\" to create a new one.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Profile Type\" field, select \"Profiles\". The window will change to display the different categories of Profiles.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Vulnerability Protection\" field, select the configured Vulnerability Protection Profile.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen. 
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002385","CCI-004866"]},{"vulnId":"V-207705","ruleId":"SV-207705r856619_rule","severity":"medium","ruleTitle":"Palo Alto Networks security platform components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.","description":"An integrated, network-wide intrusion detection capability increases the ability to detect and prevent sophisticated distributed attacks based on access patterns and characteristics of access.\n\nIntegration is more than centralized logging and a centralized management console. The enclave's monitoring capability may include multiple sensors, IPS, sensor event databases, behavior-based monitoring devices, application-level content inspection systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Some tools may monitor external traffic while others monitor internal traffic at key boundaries. \n\nThese capabilities may be implemented using different devices and therefore can have different security policies and severity-level schema. This is valuable because content filtering, monitoring, and prevention can become a bottleneck on the network if not carefully configured.","checkContent":"Go to Device >> Server Profiles >> NetFlow\nIf no NetFlow Server Profiles are configured, this is a finding.\n\nThis step assumes that it is an Ethernet interface that is being monitored.  The verification is the same for Ethernet, VLAN, Loopback and Tunnel interfaces.  
Ask the Administrator which interface is being monitored; there may be more than one.\nGo to Network >> Interfaces >> Ethernet\nSelect the interface that is being monitored.\nIf the \"NetFlow Profile\" field is \"None\", this is a finding.","fixText":"To create a NetFlow Server Profile:\nGo to Device >> Server Profiles >> NetFlow\nSelect Add.\nIn the \"NetFlow Server Profile\" window, complete the required fields.\nIn the \"Name\" field, enter the name of the NetFlow Server Profile.\nIn the \"Minutes\" field, enter the number of minutes after which the NetFlow template is refreshed. \nIn the \"Packets\" field, enter the number of packets after which the NetFlow template is refreshed.\nIn the \"Active Timeout\" field, enter the frequency (in minutes) the device exports records.\nSelect the \"PAN-OS Field Types\" check box to export \"App-ID\" and \"User-ID\" fields.\nSelect \"Add\" to add a NetFlow collector.\nIn the \"Name\" field, enter the name of the server.\nIn the \"NetFlow Server\" field, enter the hostname or IP address of the server.\nIn the \"Port\" field enter the port used by the NetFlow collector (default 2055).\nSelect \"OK\".\n\nAssign the NetFlow server profile to the interfaces that carry the traffic to be analyzed.  These steps assume that it is one of the Ethernet interfaces.  The configuration is the same for Ethernet, VLAN, Loopback and Tunnel interfaces.\nGo to Network >> Interfaces >> Ethernet\nSelect the interface that the traffic traverses.\nIn the \"Ethernet Interface\" window, in the \"NetFlow Profile\" field, select the configured NetFlow Profile.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002656"]},{"vulnId":"V-207706","ruleId":"SV-207706r856620_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum.","description":"Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.\n\nExamples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing.\n\nTo comply with this requirement, the IDPS may be configured to detect services either directly or indirectly (i.e., by detecting traffic associated with a service).","checkContent":"Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO.  For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic.\n\nIf there is no list of unauthorized network services, this is a finding.\n \nIf there are no configured security policies that specifically match the list of unauthorized network services, this is a finding.\n \nIf the security policies do not deny the traffic associated with the unauthorized network services, this is a finding.","fixText":"Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO.  For each prohibited network service, configure a security policy that denies traffic associated with it and logs the denied traffic.\n\nTo create or edit a Security Policy:\nGo to Policies >> Security\nSelect \"Add\" to create a new security policy or select the name of the security policy to edit it. 
\nConfigure the specific parameters of the policy by completing the required information in the fields of each tab.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002683"]},{"vulnId":"V-207707","ruleId":"SV-207707r856621_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must generate a log record when unauthorized network services are detected.","description":"Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.\n\nExamples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing.","checkContent":"Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO.  For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic.\n \nTo verify if a Security Policy logs denied traffic:\nGo to Policies >> Security\nSelect the name of the security policy to view it.\n\nIn the \"Actions\" tab, in the \"Log Setting\" section, if neither the \"Log at Session Start\" nor the \"Log at Session End\" check boxes are checked, this is a finding.","fixText":"Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO.  For each prohibited network service, configure a security policy that denies traffic associated with it and logs the denied traffic.\n\nTo configure a Security Policy to log denied traffic:\nGo to Policies >> Security\nSelect \"Add\" to create a new security policy or select the name of the security policy to edit it. 
\nConfigure the specific parameters of the policy by completing the required information in the fields of each tab.\nIn the \"Actions\" tab, select the Log forwarding profile and select \"Log at Session End\".\n\"Log at Session Start\" may be selected under specific circumstances, but \"Log at Session End\" is preferred.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-002684"]},{"vulnId":"V-207708","ruleId":"SV-207708r856622_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must generate an alert to the ISSO and ISSM, at a minimum, when unauthorized network services are detected.","description":"Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.\n\nAutomated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via electronic mail, via text message, or via websites).\n\nThe IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.","checkContent":"Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO.  For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic. \nAsk the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).\n\nView the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.\n \nView the Log Forwarding Profiles; this is under Objects >> Log Forwarding.  
Determine which Server Profile is associated with each Log Forwarding Profile.\nView the Security Policies that are used to block unauthorized network services.\nGo to Policies >> Security\nSelect the name of the security policy to view it. \nIn the \"Actions\" tab, in the \"Log Setting\" section, view the Log Forwarding Profile.\n\nIf there is no Log Forwarding Profile, this is a finding.","fixText":"Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO.  For each prohibited network service, configure a security policy that  generates an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected.\nConfigure a Server Profile for use with Log Forwarding Profile(s);  if email is used, the ISSO and ISSM must be recipients.\n   \nTo create an email server profile:\nGo to Device >> Server Profiles >> Email\nSelect \"Add\". \nIn the Email Server Profile, enter the name of the profile.\nSelect \"Add\".\nIn the \"Servers\" tab, enter the required information:\nIn the \"Name\" field, enter the name of the Email server\nIn the \"Email Display Name\" field, enter the name shown in the \"From\" field of the email.\nIn the \"From\" field, enter the From email address.\nIn the \"To\" field, enter the email address of the recipient.\nIn the \"Additional Recipient\" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.\nIn the \"Gateway\" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.\nSelect \"OK\".\n  \nConfigure a Log Forwarding Profile; this is under Objects >> Log Forwarding\nGo to Policies >> Security\nSelect \"Add\" to create a new security policy or select the name of the security policy to edit it. 
\nConfigure the specific parameters of the policy by completing the required information in the fields of each tab.\nIn the \"Actions\" tab, select the Log forwarding profile and select \"Log at Session End\".\n\"Log at Session Start\" may be selected under specific circumstances, but \"Log at Session End\" is preferred.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-002684"]},{"vulnId":"V-207709","ruleId":"SV-207709r856623_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.","description":"If inbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against.\n\nAlthough some of the components in the site's content scanning solution may be used for periodic scanning assessment, the IDPS sensors and other components must provide continuous, 24 hours a day, 7 days a week monitoring.\n\nUnusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, use of unusual protocols and ports, and communications with suspected or known malicious external entities.","checkContent":"Obtain the network architecture diagrams and identify where traffic crosses from one internal zone to another and review the configuration of the Palo Alto Networks security platform.  
\nThe specific security policy is based on the authorized endpoints, applications, and protocols.\n\nIf it does not filter traffic passing between zones, this is a finding.","fixText":"The network architecture diagrams must identify where traffic crosses from one internal zone to another. The specific security policy is based on the authorized endpoints, applications, and protocols.\n\nTo create or edit a Security Policy:\nGo to Policies >> Security\nSelect \"Add\" to create a new security policy or select the name of the security policy to edit it. \nConfigure the specific parameters of the policy by completing the required information in the fields of each tab.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002661"]},{"vulnId":"V-207710","ruleId":"SV-207710r856624_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.","description":"If outbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against.\n\nAlthough some of the components in the site's content scanning solution may be used for periodic scanning assessment, the IDPS sensors and other components must provide continuous, 24 hours a day, 7 days a week monitoring.\n\nUnusual/unauthorized activities or conditions related to information system outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. 
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, use of unusual protocols and ports, and communications with suspected or known malicious external entities.","checkContent":"Obtain the network architecture diagrams and identify where traffic crosses from one internal zone to another and review the configuration of the Palo Alto Networks security platform.\n\nIf it does not filter traffic passing between zones, this is a finding.","fixText":"The network architecture diagrams must identify where traffic crosses from one internal zone to another.  The specific security policy is based on the authorized endpoints, applications, and protocols.\n\nTo create or edit a Security Policy:\nGo to Policies >> Security\nSelect \"Add\" to create a new security policy or select the name of the security policy to edit it. \nConfigure the specific parameters of the policy by completing the required information in the fields of each tab.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002662"]},{"vulnId":"V-207711","ruleId":"SV-207711r971533_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when intrusion detection events are detected which indicate a compromise or potential for compromise.","description":"Without an alert, security personnel may be unaware of intrusion detection incidents that require immediate action and this delay may result in the loss or compromise of information.\n\nAn Intrusion Detection and Prevention System must generate an alert when detection events from real-time monitoring occur. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. 
The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. For each violation of a security policy, an alert to, at a minimum, the ISSO and ISSM, must be sent.","checkContent":"Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).\nView the configured Server Profile.\n\nIf there is no Server Profile for the method explained, this is a finding.\n\nView the Log Forwarding Profiles; this is under Objects >> Log Forwarding.  Determine which Server Profile is associated with each Log Forwarding Profile.\nView the Security Policies that are used to block unauthorized network services.\nGo to Policies >> Security\nSelect the name of the security policy to view it.\nIn the \"Actions\" tab, in the \"Log Setting\" section, view the Log Forwarding Profile.\n\nIf there is no Log Forwarding Profile, this is a finding.","fixText":"Configure a Server Profile for use with Log Forwarding Profile(s);  If email is used, the ISSO and ISSM must be recipients.\n   \nTo create an email server profile:\nGo to Device >> Server Profiles >> Email\nSelect \"Add\". \nIn the Email Server Profile, enter the name of the profile.\nSelect \"Add\".\nIn the \"Servers\" tab, enter the required information.\nIn the \"Name\" field, enter the name of the Email server.\nIn the \"Email Display Name\" field, enter the name shown in the \"From\" field of the email.\nIn the \"From\" field, enter the From email address.\nIn the \"To\" field, enter the email address of the recipient.\nIn the \"Additional Recipient\" field, enter the email address of another recipient. You can only add one additional recipient. 
To add multiple recipients, add the email address of a distribution list.\nIn the \"Gateway\" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.\nSelect \"OK\".\n\nConfigure a Log Forwarding Profile; this is under Objects >> Log Forwarding.\nGo to Policies >> Security\nSelect \"Add\" to create a new security policy or select the name of the security policy to edit it. \nConfigure the specific parameters of the policy by completing the required information in the fields of each tab.\nIn the \"Actions\" tab, select the Log forwarding profile and select \"Log at Session End\".\n\"Log at Session Start\" may be selected under specific circumstances, but \"Log at Session End\" is preferred.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-002664"]},{"vulnId":"V-207712","ruleId":"SV-207712r971533_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.","description":"Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.\n\nAlerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.\n\nEach Security Policy created in response to an IAVM or CTO must log violations of that particular Security Policy.  
For each violation of a security policy, an alert to, at a minimum, the ISSO and ISSM, must be sent.","checkContent":"Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).\nView the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. \nView the Log Forwarding Profiles; this is under Objects >> Log Forwarding.  Determine which Server Profile is associated with each Log Forwarding Profile.\nView the Security Policies that are used to enforce policies issued by authoritative sources.\nGo to Policies >> Security\nSelect the name of the security policy to view it.\nIn the \"Actions\" tab, in the \"Log Setting\" section, view the Log Forwarding Profile.  If there is no Log Forwarding Profile, this is a finding.","fixText":"Configure a Server Profile for use with Log Forwarding Profile(s);  If email is used, the ISSO and ISSM must be recipients.\n   \nTo create an email server profile:\nGo to Device >> Server Profiles >> Email\nSelect \"Add\". \nIn the Email Server Profile, enter the name of the profile.\nSelect \"Add\".\nIn the \"Servers\" tab, enter the required information:\nIn the \"Name\" field, enter the name of the Email server.\nIn the \"Email Display Name\" field, enter the name shown in the \"From\" field of the email.\nIn the \"From\" field, enter the From email address.\nIn the \"To\" field, enter the email address of the recipient.\nIn the \"Additional Recipient\" field, enter the email address of another recipient. You can only add one additional recipient. 
To add multiple recipients, add the email address of a distribution list.\nIn the \"Gateway\" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.\nSelect \"OK\".\n\nConfigure a Log Forwarding Profile; this is under Objects >> Log Forwarding.\nGo to Policies >> Security\nSelect \"Add\" to create a new security policy or select the name of the security policy to edit it. \nConfigure the specific parameters of the policy by completing the required information in the fields of each tab.\nIn the \"Actions\" tab, select the Log forwarding profile and select \"Log at Session End\".\n\"Log at Session Start\" may be selected under specific circumstances, but \"Log at Session End\" is preferred.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-002664"]},{"vulnId":"V-207713","ruleId":"SV-207713r971533_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must generate an alert to, at a minimum, the ISSO and ISSM when rootkits or other malicious software which allows unauthorized privileged or non-privileged access is detected.","description":"Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.\n\nCJCSM 6510.01B, \"Cyber Incident Handling Program\", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category I, II, IV, and VII detection events) will require an alert when an event is detected.\n\nAlert messages must include a severity level indicator or code as an indicator of the criticality of the incident. 
Since these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema.\n\nAlerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The Palo Alto Networks security platform  must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.","checkContent":"Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).\n\nView the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.\n \nView the Log Forwarding Profiles; this is under Objects >> Log Forwarding.  Determine which Server Profile is associated with each Log Forwarding Profile.\nView the Security Policies that are used to filter traffic into the Internal or DMZ zones.\n\nIf the \"Profile\" column does not display the Antivirus Profile symbol, this is a finding.\n\nIf the \"Profile\" column does not display the Vulnerability Protection Profile symbol, this is a finding.\n  \nIf the \"Profile\" column does not display the Anti-spyware symbol, this is a finding.\n\nIf the \"Options\" column does not display the Log Forwarding Profile symbol, this is a finding.","fixText":"This requires the use of an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile.\n\nConfigure a Server Profile for use with Log Forwarding Profile(s);  If email is used, the ISSO and ISSM must be recipients.   \nConfigure a Log Forwarding Profile; this is under Objects >> Log Forwarding.\nConfigure an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile in turn.\nNote: A custom Anti-spyware Profile or the Strict Anti-spyware Profile must be used instead of the Default Anti-spyware Profile.  
The selected Anti-spyware Profile must use the block action at the critical, high, and medium severity threat levels.\n  \nUse the Antivirus Profile, Anti-spyware Profile, and the Vulnerability Protection Profile in a Security Policy that filters traffic to Internal and DMZ zones:\nGo to Policies >> Security\nSelect an existing policy rule or select \"Add\" to create a new one.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Profile Type\" field, select \"Profiles\".  The window will change to display the different categories of Profiles.  \nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Antivirus\" field, select the configured Antivirus Profile.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Anti-spyware\" field, select the configured or \"Strict Anti-spyware\" Profile.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Vulnerability Protection\" field, select the configured Vulnerability Protection Profile.\nIn the \"Actions\" tab in the \"Log Setting\" section, select \"Log At Session End\".  This generates a traffic log entry for the end of a session and logs drop and deny entries.  \nIn the \"Actions\" tab in the \"Log Setting\" section; in the \"Log Forwarding\" field, select the log forwarding profile from drop-down list.\nSelect \"OK\". \nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  
Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002664"]},{"vulnId":"V-207714","ruleId":"SV-207714r971533_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected.","description":"Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.\n\nCJCSM 6510.01B, \"Cyber Incident Handling Program\", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category I, II, IV, and VII detection events) will require an alert when an event is detected.\n\nAlert messages must include a severity level indicator or code as an indicator of the criticality of the incident. Since these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema.\n\nAlerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The Palo Alto Networks security platform must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.","checkContent":"Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).\n\nView the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.\n \nView the Log Forwarding Profiles; this is under Objects >> Log Forwarding.  
Determine which Server Profile is associated with each Log Forwarding Profile.\nGo to Policies >> DoS Protection\nIf there are no DoS Protection Policies, this is a finding.\n\nThere may be more than one configured DoS Protection Policy.\nIf there is no such DoS Protection Policy, this is a finding.\n\nIn the \"Log Forwarding\" field, if there is no configured Log Forwarding Profile, this is a finding.","fixText":"Configure a Server Profile for use with Log Forwarding Profile(s);  If email is used, the ISSO and ISSM must be recipients.   \nConfigure a Log Forwarding Profile; this is under Objects >> Log Forwarding.\nGo to Policies >> DoS Protection\nSelect \"Add\" to create a new policy or select the Name of the Policy to edit it.\nIn the \"DoS Rule\" window, complete the required fields.\nIn the \"Option/Protection\" tab, in the \"Log Forwarding\" field, select the configured Log Forwarding Profile.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002664"]},{"vulnId":"V-207715","ruleId":"SV-207715r971533_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.","description":"Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.\n\nCJCSM 6510.01B, \"Cyber Incident Handling Program\", lists nine Cyber Incident and Reportable Event Categories. 
DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category I, II, IV, and VII detection events) will require an alert when an event is detected.\n\nAlert messages must include a severity level indicator or code as an indicator of the criticality of the incident. Since these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema.\n\nAlerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The Palo Alto Networks security platform must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.","checkContent":"Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).\nView the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.\n \nView the Log Forwarding Profiles; this is under Objects >> Log Forwarding.  Determine which Server Profile is associated with each Log Forwarding Profile.\nView the Security Policies that are used to filter traffic between zones or subnets.\nIf the \"Profile\" column does not display the Antivirus Profile symbol, this is a finding.\n\nIf the \"Options\" column does not display the Log Forwarding Profile symbol, this is a finding.","fixText":"Configure a Server Profile for use with Log Forwarding Profile(s);  If email is used, the ISSO and ISSM must be recipients.   
\nConfigure a Log Forwarding Profile; this is under Objects >> Log Forwarding.\nGo to Objects >> Security Profiles >> Antivirus\nSelect \"Add\" to create a new Antivirus Profile or select the name of the profile to edit it.\n\nUse the Antivirus Profile in a Security Policy.\nGo to Policies >> Security\nSelect an existing policy rule or select \"Add\" to create a new one.\nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Profile Type\" field, select \"Profiles\".  The window will change to display the different categories of Profiles.  \nIn the \"Actions\" tab in the \"Profile Setting\" section; in the \"Antivirus\" field, select the configured Antivirus Profile.\nSelect \"OK\".\nIn the \"Actions\" tab in the \"Log Setting\" section, select \"Log At Session End\".  \nIn the \"Actions\" tab in the \"Log Setting\" section; in the \"Log Forwarding\" field, select the log forwarding profile from drop-down list.\nSelect \"OK\". \nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-002664"]},{"vulnId":"V-207716","ruleId":"SV-207716r856630_rule","severity":"low","ruleTitle":"The Palo Alto Networks security platform must off-load log records to a centralized log server in real-time.","description":"Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised.\n\nOff-loading is a common process in information systems with limited audit storage capacity. The audit storage on the device is used only in a transitory fashion until the system can communicate with the centralized log server designated for storing the audit records, at which point the information is transferred. 
However, DoD requires that the log be transferred in real-time, which means that the time from event detection to off-loading is seconds or less.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"To view a syslog server profile:\nGo to Device >> Server Profiles >> Syslog\nIf there are no Syslog Server Profiles present, this is a finding.\n\nSelect each Syslog Server Profile; if no server is configured, this is a finding.\n\nView the log-forwarding profile to determine which logs are forwarded to the syslog server.\nGo to Objects >> Log forwarding\nIf no Log Forwarding Profile is present, this is a finding.\n\nThe Log Forwarding Profile window has five columns.  If there are no Syslog Server Profiles present in the \"Syslog\" column for the Traffic Log Type, this is a finding.\n\nIf there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding.\n \nGo to Device >> Log Settings >> System Logs\nThe list of Severity levels is displayed.\nIf any of the Severity levels does not have a configured Syslog Profile, this is a finding.\n\nGo to Device >> Log Settings >> Config Logs.\nIf the \"Syslog\" field is blank, this is a finding.","fixText":"To create a syslog server profile:\nGo to Device >> Server Profiles >> Syslog\nSelect \"Add\". \nIn the Syslog Server Profile, enter the name of the profile.\nSelect \"Add\".\nIn the \"Servers\" tab, enter the required information.\nName: Name of the syslog server\nServer: Server IP address where the logs will be forwarded to\nPort: Default port 514\nFacility: Select from the drop-down list.\nSelect \"OK\".\n\nAfter you create the Server Profiles that define where to send your logs, you must enable log forwarding. 
\nThe way you enable forwarding depends on the log type:\nTraffic Logs—You enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded.\nConfigure the log-forwarding profile to select the logs to be forwarded to the syslog server.\nGo to Objects >> Log forwarding.\nThe \"Log Forwarding Profile\" window appears.  Note that it has five columns.  In the \"Syslog\" column, select the syslog server profile for forwarding threat logs to the configured server(s).\nSelect \"OK\".\n\nWhen the \"Log Forwarding Profile\" window disappears, the screen will show the configured log-forwarding profile.\nThreat Logs—You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection).\nConfigure the log-forwarding profile to select the logs to be forwarded to the syslog server.\nGo to Objects >> Log forwarding\nThe \"Log Forwarding Profile\" window appears.  Note that it has five columns.  In the \"Syslog\" column, select the syslog server profile for forwarding threat logs to the configured server(s).\nSelect \"OK\".\n\nWhen the \"Log Forwarding Profile\" window disappears, the screen will show the configured log-forwarding profile.\nSystem Logs—You enable forwarding of System logs by specifying a Server Profile in the log settings configuration. 
\nGo to Device >> Log Settings >> System Logs\nThe list of severity levels is displayed.\nYou must select a Server Profile for each severity level you want to forward.  \nSelect each severity level in turn; with each selection, the \"Log Systems - Setting\" window will appear.  \nIn the \"Log Systems - Setting\" window, in the \"Syslog\" drop-down box, select the configured Server Profile.\nSelect \"OK\".\n\nConfig Logs—You enable forwarding of Config logs by specifying a Server Profile in the log settings configuration. \nGo to Device >> Log Settings >> Config Logs\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Log Settings Config\" window, in the \"Syslog\" drop-down box, select the configured Server Profile.\nSelect \"OK\".\n\nFor Traffic Logs and Threat Logs, use the log forwarding profile in the security rules.\nGo to Policies >> Security Rule\nSelect the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.\nGo to Actions >> Log forwarding\nSelect the log forwarding profile from the drop-down list.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-001851"]}]}