{"stig":{"title":"Palo Alto Networks NDM Security Technical Implementation Guide","version":"3","release":"3"},"checks":[{"vulnId":"V-228639","ruleId":"SV-228639r1082941_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must enforce the limit of three consecutive invalid logon attempts.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.","checkContent":"Go to Device >> Authentication Profile.\nCheck the authentication profile used for the local account used for the account of last resort.\n\nIf the \"Failed Attempts (#)\" field is not set to \"3\", this is a finding.","fixText":"Configure the authentication profile associated with the account of last resort with lockout settings of three failed attempts, which is the only local login account.\n\n1. Go to Device >> Authentication Profile.\n2. Select the configured authentication profile or select \"Add\" (in the bottom-left corner of the pane) to create a new one.\n3. In the \"Authentication Profile\" field, enter the name of the authentication profile that will be used to control each person's authentication process.\n4. The \"Lockout Time (min)\" field is the lockout duration; this must be set to \"15\". \n5. In the \"Failed Attempts\" field, enter \"3\".\n6. Select \"OK\".","ccis":["CCI-000044"]},{"vulnId":"V-228640","ruleId":"SV-228640r960843_rule","severity":"low","ruleTitle":"The Palo Alto Networks security platform must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.","description":"Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users.","checkContent":"View the logon screen of the Palo Alto Networks security platform.  A white text box at the bottom of the screen will contain the configured text.\nIf it is blank (there is no white text box) or the wording is not one of the approved banners, this is a finding.\n\nThis is the approved verbiage for applications that can accommodate banners of 1300 characters:\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\"I've read & consent to terms in IS user agreem't.\"","fixText":"Go to Device >> Setup >> Management >> General Settings (\"Edit\" icon) >> Login Banner\nType in the required text\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000048"]},{"vulnId":"V-228642","ruleId":"SV-228642r960885_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must generate audit records when successful/unsuccessful attempts to access privileges occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.  \n\nBy default, the Configuration Log contains the administrator username, client (Web or CLI), and date and time for any changes to configurations and for configuration commit actions.  The System Log also shows both successful and unsuccessful attempts for configuration commit actions.\n\nThe System Log and Configuration Log can be configured to send log messages by severity level to specific destinations; the Panorama management console, an SNMP console, an e-mail server, or a syslog server.  Since both the System Log and Configuration Log contain information concerning the use of privileges, both must be configured to send messages to a syslog server at a minimum.","checkContent":"Go to Device >> Log Settings >> System\nIf any severity level does not have a Syslog Profile, this is a finding.","fixText":"Create a syslog server profile. \nGo to Device >> Server Profiles >> Syslog\nSelect \"Add\" \nIn the \"Syslog Server Profile\", enter the name of the profile; select \"Add\".\nIn the \"Servers\" tab, enter the required information.\nName: Name of the syslog server\nServer: Server IP address where the logs will be forwarded to\nPort: Default port 514\nFacility: Select from the drop down list\nSelect \"OK\".\n\nGo to Device >> Log Settings >> System\nFor each severity level, select which destinations should receive the log messages.\nNote: The \"Syslog Profile\" field must be completed.\n\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000172"]},{"vulnId":"V-228643","ruleId":"SV-228643r960900_rule","severity":"low","ruleTitle":"The Palo Alto Networks security platform must produce audit log records containing information (FQDN, unique hostname, management IP address) to establish the source of events.","description":"In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event.  The source may be a component, module, or process within the device or an external session, administrator, or device.  Associating information about where the source of the event occurred provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured device.\n\nThe device must have a unique hostname that can be used to identify the device; fully qualified domain name (FQDN), hostname, or management IP address is used in audit logs to identify the source of a log message.","checkContent":"Go to Device >> Setup >> Management\nIn the \"General Settings\" window, if the \"hostname\" field does not contain a unique identifier, this is a finding.\n\nGo to Device >> Setup >> Management\nIn the \"Logging and Reporting Settings\" pane, if the \"Send Hostname in Syslog\" does not show either \"FQDN\", \"hostname\", \"ipv4-address\", or \"ipv6-address\", this is a finding.","fixText":"Set a unique hostname.\nGo to Device >> Setup >> Management\nin the \"General Settings\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"General Settings\" window, in the \"hostname\" field; enter a unique hostname. \nSelect \"OK\".\n\nConfigure the device to send the FQDN, hostname, ipv4-address, or ipv6-address with log messages.\nDevice >> Setup >> Management\nClick the \"Edit\" icon in the \"Logging and Reporting Settings\" section.\nSelect the \"Log Export and Reporting\" tab.\nSelect one of the following options from the \"Send Hostname in the Syslog\" drop-down list:\nFQDN — (the default) Concatenates the hostname and domain name defined on the sending device.\nhostname — Uses the hostname defined on the sending device.\nipv4-address —Uses the IPv4 address of the interface used to send logs on the device. By default, this is the management interface of the device.\nipv6-address —Uses the IPv6 address of the interface used to send logs on the device. By default, this is the management interface of the device. \nNote that the last two selections must be consistent with the IP address used by the management interface.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-000133"]},{"vulnId":"V-228645","ruleId":"SV-228645r1043177_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems.\n\nNetwork devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.\n\nTo support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\n\nThe Palo Alto Networks security platform uses a hardened operating system in which unnecessary services are not present.  The device has a DNS, NTP, update, and e-mail client installed.  Note that these are client applications and not servers; additionally, each has a valid purpose.  However, local policy may dictate that the update service, e-mail client, and statistics (reporting) service capabilities not be used. DNS can be either \"Server\" or \"Proxy\"; both are allowed unless local policy declares otherwise. NTP and SNMP are necessary functions.","checkContent":"Go to Device >> Setup >> Services\nIn the \"Services\" window, view which services are configured.\nNote: DNS can be either \"Server\" or \"Proxy\"; both are allowed unless local policy declares otherwise.\nNote: The Palo Alto Networks security platform cannot be a DNS server, only a client or proxy.\n\nNTP is a necessary service.\nNote: The Palo Alto Networks security platform cannot be an NTP server, only a client.\n\nGo to Device >> Setup >> Management\nIn the \"Management Interface Settings\" window, view the enabled services.\nNote: Which management services are enabled.  HTTPS, SSH, ping, and SNMP, are normally allowed.\n  \nIf User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP, or HTTP OCSP is present, verify with the ISSO that this has been authorized.\nGo to Device >> Setup >> Operations tab>> Miscellaneous\nSelect SNMP Setup.\nIn the \"SNMP Setup\" window, check if SNMP V3 is selected.\nIf unauthorized services are configured, this is a finding.","fixText":"Go to Device >> Setup >> Services\nIn the \"Services\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nNote: DNS can be either \"Server\" or \"Proxy\"; both are allowed unless local policy declares otherwise.\nNote: The Palo Alto Networks security platform cannot be a DNS server, only a client or proxy.\n\nNTP is a necessary service.\nNote: The Palo Alto Networks security platform cannot be an NTP server, only a client.\n\nGo to Device >> Setup >> Management\nIn the \"Management Interface Settings\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Management Interface Settings\" window, select HTTP OCSP, HTTPS, SSH,  SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP if these protocols will be used.  \nSelect \"OK\".\nNote: SNMP Versions 1 and 2 are not considered secure; use SNMP Version 3.\n\nDevice >> Setup >> Operations tab>> Miscellaneous\nSelect SNMP Setup.\nIn the \"SNMP Setup\" window, select V3. \nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000382"]},{"vulnId":"V-228647","ruleId":"SV-228647r960993_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must implement replay-resistant authentication mechanisms for network access to privileged accounts.","description":"A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack.  An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.\n\nTechniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.  Of the three authentication protocols on the Palo Alto Networks security platform, only Kerberos is inherently replay-resistant.  If LDAP is selected, TLS must also be used.  If RADIUS is used, the device must be operating in FIPS mode.","checkContent":"Ask the Administrator which form of centralized authentication server is being used. \nNavigate to the appropriate window to view the configured server(s). \nFor RADIUS, go to Device >> Server Profiles >> RADIUS\nFor LDAP, go to Device >> Server Profiles >> LDAP\nFor Kerberos, go to Device >> Server Profiles >> Kerberos \n\nIf Kerberos is used, this is a not finding.\n\nIf LDAP is used, view the LDAP Server Profile; if the SSL checkbox is not checked, this is a finding.\n\nIf RADIUS is used, use the command line interface to determine if the device is operating in FIPS mode. Enter the CLI command \"show fips-mode\" or the command show fips-cc (for more recent releases).\n\nIf FIPS mode is set to \"off\", this is a finding.","fixText":"To configure the Palo Alto Networks security platform to use an LDAP server with SSL/TLS.\nGo to Device >> Server-Profiles >> LDAP\nSelect \"Add\" (lower left of window).\nPopulate the required fields.\nEnter the name of the profile in the \"Name\" field.\n\nIn the server box:\nEnter the name of the server in the \"Name\" field.\nEnter the IP Address of the server. \nEnter the Port number the firewall should use to connect to the LDAP server (default=389 for LDAP; 636 for LDAP over SSL). \nEnter the LDAP Domain name to prepend to all objects learned from the server. The value entered here depends on the specific deployment. If using Active Directory, enter the NetBIOS domain name, not a FQDN (for example, enter acme, not acme.com). Note that if collecting data from multiple domains, it is necessary to create separate server profiles. If using a global catalog server, leave this field blank.\nSelect the Type of LDAP server connecting to. The correct LDAP attributes in the group mapping settings will automatically be populated based on the selection.\nIn the Base field, select the DN that corresponds to the point in the LDAP tree where the firewall is to begin its search for user and group information.\nSelect (check) the SSL checkbox.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-001941"]},{"vulnId":"V-228648","ruleId":"SV-228648r1018774_rule","severity":"medium","ruleTitle":"If multifactor authentication is not available and passwords must be used, the Palo Alto Networks security platform must enforce a minimum 15-character password length.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.\n\nThe shorter the password, the lower the number of possible combinations that needs to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Go to Device >> Setup >> Management.\nView the \"Minimum Password Complexity\" window.\nIf the \"Minimum Length\" field is not \"15\", this is a finding.","fixText":"Go to Device >> Setup >> Management.\nIn the \"Minimum Password Complexity\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Minimum Length\" field, enter \"15\".\nCheck the \"Enabled\" box, then select \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-004066","CCI-000205"]},{"vulnId":"V-228650","ruleId":"SV-228650r1018775_rule","severity":"medium","ruleTitle":"If multifactor authentication is not available and passwords must be used, the Palo Alto Networks security platform must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that needs to be tested before the password is compromised.","checkContent":"Go to Device >> Setup >> Management.\nView the \"Minimum Password Complexity\" window.\nIf the \"Minimum Uppercase Letters\" field is not \"1\", this is a finding.","fixText":"Go to Device >> Setup >> Management.\nIn the \"Minimum Password Complexity\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Minimum Uppercase Letters\" field, enter \"1\".\nCheck the \"Enabled\" box, then select \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-004066","CCI-000192"]},{"vulnId":"V-228651","ruleId":"SV-228651r1018776_rule","severity":"medium","ruleTitle":"If multifactor authentication is not available and passwords must be used, the Palo Alto Networks security platform must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that needs to be tested before the password is compromised.","checkContent":"Go to Device >> Setup >> Management.\nView the \"Minimum Password Complexity\" window.\nIf the \"Minimum Lowercase Letters\" field is not \"1\", this is a finding.","fixText":"Go to Device >> Setup >> Management.\nIn the \"Minimum Password Complexity\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Minimum Lowercase Letters\" field, enter \"1\".\nCheck the \"Enabled\" box, then select \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-004066","CCI-000193"]},{"vulnId":"V-228652","ruleId":"SV-228652r1018777_rule","severity":"medium","ruleTitle":"If multifactor authentication is not available and passwords must be used, the Palo Alto Networks security platform must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that needs to be tested before the password is compromised.","checkContent":"Go to Device >> Setup >> Management.\nView the \"Minimum Password Complexity\" window.\nIf the \"Minimum Numeric Letters\" field is not \"1\", this is a finding.","fixText":"Go to Device >> Setup >> Management.\nIn the \"Minimum Password Complexity\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Minimum Numeric Letters\" field, enter \"1\".\nCheck the \"Enabled\" box, then select \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-004066","CCI-000194"]},{"vulnId":"V-228653","ruleId":"SV-228653r1018778_rule","severity":"medium","ruleTitle":"If multifactor authentication is not available and passwords must be used, the Palo Alto Networks security platform must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that needs to be tested before the password is compromised.","checkContent":"Go to Device >> Setup >> Management.\nView the \"Minimum Password Complexity\" window.\nIf the \"Minimum Special Letters\" field is not \"1\", this is a finding.","fixText":"Go to Device >> Setup >> Management.\nIn the \"Minimum Password Complexity\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Minimum Special Letters\" field, enter \"1\".\nCheck the \"Enabled box\", then select \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-004066","CCI-001619"]},{"vulnId":"V-228654","ruleId":"SV-228654r1043189_rule","severity":"medium","ruleTitle":"If multifactor authentication is not available and passwords must be used, the Palo Alto Networks security platform must require that when a password is changed, the characters are changed in at least 8 of the positions within the password.","description":"If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.","checkContent":"Go to Device >> Setup >> Management.\nView the \"Minimum Password Complexity\" window.\nIf the \"New Password Differs by Characters\" field is not \"8\", this is a finding.","fixText":"Go to Device >> Setup >> Management.\nIn the \"Minimum Password Complexity\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"New Password Differs by Characters\" field, enter \"8\".\nCheck the \"Enabled box\", then select \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-004066","CCI-000195"]},{"vulnId":"V-228655","ruleId":"SV-228655r961029_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must prohibit the use of unencrypted protocols for network access to privileged accounts.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nNetwork devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.","checkContent":"Go to Device >> Setup >> Management\nView the \"Management Interface Settings\" pane.\nIf either Telnet or HTTP is listed in the \"Services\" field, this is a finding.","fixText":"Go to Device >> Setup >> Management\nIn the \"Management Interface Settings\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).  In the \"Management Interface Settings\" window, make sure that HTTP and Telnet are not checked (enabled). \nIf they are not checked, select either \"OK\" or \"Cancel\".\nIf either one is checked, select the check box to disable it, then select \"OK\".\nIf any changes were made, commit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000197"]},{"vulnId":"V-228658","ruleId":"SV-228658r961068_rule","severity":"high","ruleTitle":"The Palo Alto Networks security platform must terminate management sessions after 10 minutes of inactivity except to fulfill documented and validated mission requirements.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nDevice management sessions are normally ended by the Administrator when he or she has completed the management activity.  The session termination takes place from the web client by selecting \"Logout\" (located at the bottom-left of the GUI window) or using the command line commands \"exit\" or \"quit\" at Operational mode.","checkContent":"Go to Device >> Setup >> Management.\nView the \"Authentication Settings\" pane.\nIf the \"Idle Timeout (min)\" field is not \"10\" or less, ask the Administrator to produce documentation signed by the Authorizing Official that the configured value exists to support mission requirements.\nIf this documentation is not made available, this is a finding.","fixText":"Go to Device >> Setup >> Management.\nIn the \"Authentication Settings\" pane, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Idle Timeout (min)\" field, enter \"10\", then select \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-001133"]},{"vulnId":"V-228659","ruleId":"SV-228659r961863_rule","severity":"medium","ruleTitle":"Administrators in the role of Security Administrator,  Cryptographic Administrator, or Audit Administrator must not also have the role of Audit Administrator.","description":"The Palo Alto Networks security platform has both pre-configured and configurable Administrator roles. Administrator roles determine the functions that the administrator is permitted to perform after logging in. Roles can be assigned directly to an administrator account, or define role profiles, which specify detailed privileges, and assign those to administrator accounts.\n\nThere are three preconfigured roles designed to comply with Common Criteria requirements - Security Administrator, Audit Administrator, and Cryptographic Administrator. Of the three, only the Audit Administrator can delete audit records.  The Palo Alto Networks security platform can use both pre-configured and configurable Administrator roles.","checkContent":"For the roles of Security Administrator, Cryptographic Administrator, or Audit Administators, verify the same individual does not have more than one of these roles.\n\nIf the Palo Alto Networks security platform has any accounts where the same person is in the role of Security Administrator, Cryptographic Administrator, or Audit Administrator, this is a finding.","fixText":"Do not assign or configure more than one account to the same Administrator. Also, neither the Security Administrator nor the Cryptographic Administrator can be have the role of Audit Administrator.\n\nNote that the system allows each account to have only one role assigned. However, individuals, either accidentally or intentionally, may have more than one account.","ccis":["CCI-000366","CCI-001314"]},{"vulnId":"V-228660","ruleId":"SV-228660r961863_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.\n\nThis should not be configured in Device >> Setup >> Management >> Authentication Settings; instead, an authentication profile should be configured with lockout settings of three failed attempts and a lockout time of zero minutes.  The Lockout Time is the number of minutes that a user is locked out if the number of failed attempts is reached (0-60 minutes, default 0). 0 means that the lockout is in effect until it is manually unlocked.","checkContent":"Go to Device >> Administrators.\nIf there is no authentication profile configured for each account (aside from the emergency administration account), this is a finding.\n\nNote which authentication profile is used for each account.\nGo to Device >> Authentication Profile.\nCheck the authentication profile used for each account (noted in the previous step). \nIf the Lockout Time is not set to \"0\" (zero), this is a finding.","fixText":"This should not be configured in Device >> Setup >> Management >> Authentication Settings; instead, an authentication profile should be configured with lockout settings of three failed attempts and a lockout time of zero minutes.\nGo to Device >> Authentication Profile\nSelect the configured authentication profile, or select \"Add\" (in the bottom-left corner of the pane) to create a new one.\nIn the \"Authentication Profile\" field, enter the name of the authentication profile that will be used to control each person's authentication process.\nThe \"Lockout Time (min)\" field is the lockout duration; this must be set to \"0\".  This will keep the lockout in effect until it is manually unlocked.\nIn the \"Failed Attempts\" field, enter \"3\".\nSelect \"OK\".\n\nApply the authentication profile to the Administrator accounts.\nGo to Device >> Administrators\nSelect each configured account, or select \"Add\" (in the bottom-left corner of the pane) to create a new one.\nIn the \"Authentication Profile\" field, enter the configured authentication profile.\nSelect \"OK\".\n\nThis authentication profile should not be applied to the emergency administration account since it has special requirements.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366","CCI-002238"]},{"vulnId":"V-228661","ruleId":"SV-228661r961863_rule","severity":"low","ruleTitle":"The Palo Alto Networks security platform must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.","description":"If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion. This could lead to the loss of audit information. Note that while the network device must generate the alert, notification may be done by a management server.","checkContent":"Go to Device >> Log Settings >> Alarms\nIf the Traffic Log DB, Threat Log DB, Configuration Log DB, System Log DB, Alarm DB, and HIP Match Log DB fields are not \"75\", this is a finding.","fixText":"Go to Device >> Log Settings >> Alarms\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\n\nIn the \"Alarm Settings\" window:\nSelect the \"Enable Alarms\" box.\nIn the \"Traffic Log DB\" field, enter \"75\".\nIn the \"Threat Log DB\" field, enter \"75\".\nIn the \"Configuration Log DB\" field, enter \"75\".\nIn the \"System Log DB\" field, enter \"75\".\nIn the \"Alarm DB\" field, enter \"75\".\nIn the \"HIP Match Log DB\" field, enter \"75\".\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366","CCI-001855"]},{"vulnId":"V-228662","ruleId":"SV-228662r997675_rule","severity":"low","ruleTitle":"The Palo Alto Networks security platform must have alarms enabled.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. \n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).","checkContent":"Go to Device >> Log Settings >> Alarms.\nIf the \"Enable Alarms\" box is not checked, this is a finding.","fixText":"Go to Device >> Log Settings >> Alarms.\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Alarm Settings\" window; select the \"Enable Alarms\" box.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-001858","CCI-003831"]},{"vulnId":"V-228663","ruleId":"SV-228663r1018780_rule","severity":"low","ruleTitle":"The Palo Alto Networks security platform must compare internal information system clocks at least every 24 hours with an authoritative time server.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nNetwork Time Protocol (NTP) is used to synchronize the system clock of a computer to reference time source. The Palo Alto Networks security platform can be configured to use specified NTP servers. For synchronization with the NTP server(s), NTP uses a minimum polling value of 64 seconds and a maximum polling value of 1024 seconds. These minimum and maximum polling values are not configurable on the firewall.","checkContent":"Go to Device >> Setup >> Services.\nIn the \"Services\" window, the names or IP addresses of the Primary NTP Server and Secondary NTP Server must be present.\nIf the \"Primary NTP Server\" and \"Secondary NTP Server\" fields are blank, this is a finding.","fixText":"Go to Device >> Setup >> Services.\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Services\" window, in the NTP tab, in the \"Primary NTP Server Address\" field and the \"Secondary NTP Server Address\" field, enter the IP address or hostname of the NTP servers.\n\nIn the \"Authentication Type\" field, select one of the following:\nSymmetric Key; this option uses symmetric key exchange, which are shared secrets. Enter the key ID, algorithm, authentication key, and confirm the authentication key; for the algorithm, select \"SHA1\".\nAutokey; this option uses auto key, or public key cryptography.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366","CCI-004923","CCI-001891"]},{"vulnId":"V-228664","ruleId":"SV-228664r1018781_rule","severity":"low","ruleTitle":"The Palo Alto Networks security platform must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. \n\nThe Palo Alto Networks security platform can be configured to use specified Network Time Protocol (NTP) servers. NTP is used to synchronize the system clock of a computer to reference time source. Sources outside of the configured acceptable allowance (drift) may be inaccurate. When properly configured, NTP will synchronize all participating computers to within a few milliseconds of the reference time source.","checkContent":"Go to Device >> Setup >> Services.\nIn the \"Services\" window, the names or IP addresses of the Primary NTP Server and Secondary NTP Server must be present.\nIf the \"Primary NTP Server\" and \"Secondary NTP Server\" fields are blank, this is a finding.","fixText":"Go to Device >> Setup >> Services.\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Services\" window, in the \"Primary NTP Server Address\" field and the \"Secondary NTP Server Address\" field, enter the IP address or hostname of the NTP servers.\n\nIn the \"Authentication Type\" field, select one of the following:\nNone (default); this option disables NTP authentication.\nSymmetric Key; this option uses symmetric key exchange, which are shared secrets. Enter the key ID, algorithm, authentication key, and confirm the authentication key.\nAutokey; this option uses auto key, or public key cryptography.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366","CCI-004926","CCI-004923","CCI-002046"]},{"vulnId":"V-228665","ruleId":"SV-228665r1018782_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.","description":"The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. \n\nDOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region from the primary time source.","checkContent":"Go to Device >> Setup >> Services.\nIf there is only one NTP Server configured, this is a finding.\n\nAsk the firewall administrator where the Primary NTP Server and Secondary NTP Server are located; if they are not in different geographic regions, this is a finding.","fixText":"Go to Device >> Setup >> Services.\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Services\" window, in the \"Primary NTP Server Address\" field and the \"Secondary NTP Server Address\" field, enter the IP address or hostname of the NTP servers.\n\nIn the \"Authentication Type\" field, select one of the following:\nNone (default); this option disables NTP authentication.\nSymmetric Key; this option uses symmetric key exchange, which are shared secrets. Enter the key ID, algorithm, authentication key, and confirm the authentication key.\nAutokey; this option uses auto key, or public key cryptography.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366","CCI-004928","CCI-004922","CCI-001893"]},{"vulnId":"V-228666","ruleId":"SV-228666r961443_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.  Time stamps generated by the application include date and time and must be expressed in Coordinated Universal Time (UTC), also known as Zulu time, a modern continuation of Greenwich Mean Time (GMT).","checkContent":"Go to Device >> Setup >> Management\nIn the \"General Settings\" window, if the time zone is not set to \"GMT\" or \"UTC\", this is a finding.","fixText":"Go to Device >> Setup >> Management\nIn the \"General Settings\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"General Settings\" window, in the \"Time Zone\" field, select \"GMT\" or \"UTC\" from the list of time zones.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-001890"]},{"vulnId":"V-228667","ruleId":"SV-228667r997687_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must accept and verify Personal Identity Verification (PIV) credentials.","description":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.\n\nDOD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12 and as a primary component of layered protection for national security systems.","checkContent":"Go to Device >> Certificate Management >> Certificates.\nIf no DOD Certification Authority (CA) certificates and subordinate certificates are imported, this is a finding.\n\nGo to Device >> Setup >> Management.\nIn the Authentication Settings pane, if the Certificate Profile field is blank, this is a finding.\n\nView the Certificate Profile, if it does not list the DOD CA certificates and subordinate certificates, this is a finding.\n\nIf the Use OCSP checkbox is not selected, this is a finding.","fixText":"Import the DOD CA certificates and subordinate certificates for all of the certificate authorities.\nGo to Device >> Certificate Management >> Certificates.\nSelect the Import icon at the bottom of the pane.\nIn the Import Certificate window, complete the required information.\nSelect \"OK\".\n\nCreate a certificate profile.\nGo to Device >> Setup >> Management.\nIn the Authentication Settings pane, select the select the \"Edit\" icon (the gear symbol in the upper-right corner).\nIn the Authentication Settings window, complete the required information.\nIn the Authentication Profile field, select \"None\".\nIn the Certificate Profile field, select \"New Certificate Profile\". This will change the Authentication Settings window to the Certificate Profile window.\nLeave the username field blank.\nLeave the domain field blank.\n \nIn the Certificate Profile window, complete the required fields.\nIn the CA Certificates section, select \"Add\" to import the DOD certificate authorities.\nSelect the Use OCSP checkbox.\nWhen importing the top level DOD CA Certificate, for the Default OCSP URL field, add the DOD/DISA OCSP URL.\nSelect \"OK\".\nSelect \"OK\" again.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366","CCI-001953","CCI-004068"]},{"vulnId":"V-228669","ruleId":"SV-228669r961554_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.","description":"This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. Note that HTTP OCSP is permitted to support OCSP where used. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions.","checkContent":"Go to Device >> Setup >> Management\nIn the \"Management Interface Settings\" window, view the enabled services.  \nNote: Which management services are enabled.\n\nIf Telnet or HTTP is selected, this is a finding.","fixText":"Go to Device >> Setup >> Management.\nIn the \"Management Interface Settings\" window, select the \"Edit\" icon (the gear symbol in the upper-right corner).\nIn the \"Management Interface Settings\" window, make sure that Telnet or HTTP are not selected.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-002890"]},{"vulnId":"V-228670","ruleId":"SV-228670r961557_rule","severity":"high","ruleTitle":"The Palo Alto Networks security platform must not use SNMP Versions 1 or 2.","description":"SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.  SNMP Versions 1 and 2 cannot authenticate the source of a message nor can they provide encryption. Without authentication, it is possible for nonauthorized users to exercise SNMP network management functions. It is also possible for nonauthorized users to eavesdrop on management information as it passes from managed systems to the management system.","checkContent":"Go to Device >> Setup >> Operations; in the Miscellaneous pane, select SNMP Setup.\nIn the SNMP Setup window, check if SNMP V3 is selected.  \nIf V3 is not selected, this is a finding.\n\nGo to Device >> Server Profiles >> SNMP Trap.\nView the list of configured SNMP servers; if the Version is not \"v3\", this is a finding.","fixText":"Go to Device >> Setup >> Operations; in the Miscellaneous pane, select SNMP Setup.\nIn the SNMP Setup window, complete the required fields.\nFor the Version, select V3.\nConfigure a view and assign it to a user.\nIn the upper half of the SNMP Setup window, select \"Add\".\nIn the Views window, complete the required fields; obtain the values for the OID and Mask fields from product documentation or vendor support.\nIn the Option field, select \"include\". \nSelect \"OK\".\nIn the lower half of the SNMP Setup window, select \"Add\".\nComplete the required fields.\nSelect \"OK\".\nObtain the engineID of the Palo Alto device by issuing an SNMPv3 GET from the management workstation against the OID of the Palo Alto device.\nConfigure the SNMPv3 Trap Server profile; go to Device >> Server Profiles >> SNMP Trap; select \"Add\".\nIn the SNMP Trap Server Profile window, complete the required fields. \nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-003123"]},{"vulnId":"V-228671","ruleId":"SV-228671r961860_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must off-load audit records onto a different system or media than the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.  Off-loading is a common process in information systems with limited audit storage capacity.\n\nThe Palo Alto Networks security platform has multiple log types; at a minimum, the Traffic, Threat, System, and Configuration logs must be sent to a Syslog server.","checkContent":"To view a syslog server profile,\nGo to Device >> Server Profiles >> Syslog\nIf there are no Syslog Server Profiles present, this is a finding.\n\nSelect each Syslog Server Profile.\nIf no server is configured, this is a finding.\n\nView the log-forwarding profile to determine which logs are forwarded to the syslog server.\nGo to Objects >> Log forwarding\nIf no Log Forwarding Profile is present, this is a finding.\n\nThe \"Log Forwarding Profile\" window has five columns.  \nIf there are no Syslog Server Profiles present in the Syslog column for the Traffic Log Type, this is a finding.\n\nIf there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding.\n \nGo to Device >> Log Settings >> System Logs\nThe list of Severity levels is displayed.  \nIf any of the Severity levels does not have a configured Syslog Profile, this is a finding.\n\nGo to Device >> Log Settings >> Config Logs\nIf the \"Syslog\" field is blank, this is a finding.","fixText":"To create a syslog server profile:\nGo to Device >> Server Profiles >> Syslog\nSelect \"Add\". \nIn the Syslog Server Profile, enter the name of the profile.\nSelect \"Add\".\nIn the \"Servers\" tab, enter the required information.\nName: Name of the syslog server\nServer: Server IP address where the logs will be forwarded to\nPort: Default port 514\nFacility: Select from the drop-down list.\nSelect \"OK\".\n\nAfter creating the Server Profiles that define where to logs, enable log forwarding.  \nThe way to enable forwarding depends on the log type:\nTraffic Logs—Enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded.\nConfigure the log-forwarding profile to select the logs to be forwarded to syslog server.\nGo to Objects >> Log forwarding\nThe Log Forwarding Profile window appears.  Note that it has five columns.  In the Syslog column, select the syslog server profile for forwarding threat logs to the configured server(s).\nSelect \"OK\".\n\nWhen the Log Forwarding Profile window disappears, the screen will show the configured log-forwarding profile.\nThreat Logs—Enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels to forward and then adding it to the security policies, which triggers the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection).\nConfigure the log-forwarding profile to select the logs to be forwarded to syslog server.\nGo to Objects >> Log forwarding\nThe Log Forwarding Profile window appears.  Note that it has five columns.  In the \"Syslog\" column, select the syslog server profile for forwarding threat logs to the configured server(s).\nSelect \"OK\".\n\nWhen the Log Forwarding Profile window disappears, the screen will show the configured log-forwarding profile.\nSystem Logs—Enable forwarding of System logs by specifying a Server Profile in the log settings configuration. \nGo to Device >> Log Settings >> System Logs\nThe list of severity levels is displayed.\nSelect a Server Profile for each severity level to forward.  \nSelect each severity level in turn; with each selection, the \"Log Systems - Setting\" window will appear.  \nIn the \"Log Systems - Setting\" window, in the \"Syslog drop-down\" box, select the configured Server Profile.\nSelect \"OK\". \nConfig Logs—Enable forwarding of Config logs by specifying a Server Profile in the log settings configuration. \nGo to Device >> Log Settings >> Config Logs\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Log Settings Config\" window, in the \"Syslog drop-down\" box, select the configured Server Profile.\nSelect \"OK\".\n\nFor Traffic Logs and Threat Logs, use the log forwarding profile in the security rules.\nGo to Policies >> Security Rule\nSelect the rule for which the log forwarding needs to be applied.\nApply the security profiles to the rule.\nGo to Actions >> Log forwarding\nSelect the log forwarding profile from drop-down list.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.  Select \"OK\" when the confirmation dialog appears.","ccis":["CCI-001851"]},{"vulnId":"V-228672","ruleId":"SV-228672r997690_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW CJCSM 6510.01B.","description":"CJCSM 6510.01B, \"Cyber Incident Handling Program\", in subsection e.(6)(c) sets forth three requirements for Cyber events detected by an automated system:\nIf the cyber event is detected by an automated system, an alert will be sent to the POC designated for receiving such automated alerts.\nCC/S/A/FAs that maintain automated detection systems and sensors must ensure that a POC for receiving the alerts has been defined and that the IS configured to send alerts to that POC.\nThe POC must then ensure that the cyber event is reviewed as part of the preliminary analysis phase and reported to the appropriate individuals if it meets the criteria for a reportable cyber event or incident.\n\nBy immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged on to the network device. An example of a mechanism to facilitate this would be through the utilization of SNMP traps.\n\nThe Palo Alto Networks security platform can be configured to send messages to an SNMP server and to an email server as well as a Syslog server. SNMP traps can be generated for each of the five logging event types on the firewall: traffic, threat, system, hip, config. For this requirement, only the threat logs must be sent. Note that only traffic that matches an action in a rule will be logged and forwarded. In the case of traps, the messages are initiated by the firewall and sent unsolicited to the management stations. \n\nThe use of email as a notification method may result in a very larger number of messages being sent and possibly overwhelming the email server as well as the POC. The use of SNMP is preferred over email in general, but organizations may want to use email in addition to SNMP for high-priority messages.","checkContent":"Note: The actual method is determined by the organization.\nReview the system/network documentation to determine who the Points of Contact are and which methods are being used. \nIf the selected method is SNMP, verify that the device is configured.\nGo to Device >> Server Profiles.\nIf no SNMP servers are configured, this is a finding.\n \nGo to Objects >> Log Forwarding.\nIf no Log Forwarding Profile is listed, this is a finding.\n\nIf the \"Log Type\" column does not include \"Threat\", this is a finding.\n\nIf any Severity is not listed, this is a finding.","fixText":"For SNMP traps, follow the following steps:\nConfigure the SNMP Trap Destinations; go to Device >> Server Profiles >> SNMP Trap.\nSelect \"Add\".\n\nIn the \"SNMP Trap Server Profile\" window, enter the required information.\nFor SNMP Version, select \"V3\". \nEnter the name of the SNMP Server Profile.\nSelect \"Add\". \nServer—Specify the SNMP trap destination name (up to 31 characters).\nManager—Specify the IP address of the trap destination.\nUser—Specify the SNMP user.\nEngineID—Specify the engine ID of the firewall. The input is a string in hexadecimal representation. The engine ID is any number between 5 to 64 bytes. When represented as a hexadecimal string, this is between 10 and 128 characters (2 characters for each byte) with two additional characters for 0x that must be used as a prefix in the input string.\nAuth Password—Specify the user’s authentication password (minimum 8 characters, maximum of 256 characters, and no character restrictions). Only Secure Hash Algorithm (SHA) is supported.\nPriv Password—Specify the user’s encryption password (minimum 8 characters, maximum of 256 characters, and no character restrictions). Only Advanced Encryption Standard (AES) is supported.\nSelect \"OK\".\n\nConfigure generating \"Traps for Threat\" events:\nGo to Objects >> Log Forwarding.\nSelect \"Add\".\nIn the \"Log Forwarding Profile\" window, enter the required information.\nEnter the name of the Log Forwarding Profile.\nIn the \"Threat Settings\" section, in the \"SNMP Trap\" field for each Severity, select the SNMP Trap Server Profile.\nSelect \"OK\".\n\nAdd the Log Forwarding Profile to the security policies to trigger log forwarding to the SNMP server.\nGo to Policies >> Security.\nSelect the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.\nGo to \"Actions\" (tab); in the \"Log forwarding\" field, select the \"log forwarding\" profile.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366","CCI-001274","CCI-003831"]},{"vulnId":"V-228673","ruleId":"SV-228673r1082978_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must employ centrally managed authentication server(s).","description":"The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.\n\nOnly the emergency administration account, also known as the account of last resort, can be locally configured on the device.","checkContent":"Ask the administrator which form of centralized authentication server is being used. This requirement is not applicable to the local account of last resort.\n\nNavigate to the appropriate window to view the configured server(s). \nFor RADIUS, go to Device >> Server Profiles >> RADIUS.\nFor LDAP, go to Device >> Server Profiles >> LDAP.\nFor Kerberos, go to Device >> Server Profiles >> Kerberos.\n\nIf there are no servers configured in the window that match the specified form of centralized authentication, this is a finding.","fixText":"The device allows three different authentication protocols: RADIUS, LDAP, and Kerberos. In this explanation, LDAP is used. \n\nTo configure the Palo Alto Networks security platform to use an LDAP server, follow these steps:\n1. Go to Device >> Server-Profiles >> LDAP.\n2. Select \"Add\" (lower left of window).\n3. Populate the required fields.\na. Enter the name of the profile in the \"Name\" field.\nb. In the server box enter the name of the server in the \"Name\" field.\nc. Enter the IP Address of the server. \nd. Enter the Port number the firewall should use to connect to the LDAP server (default=389 for LDAP; 636 for LDAP over SSL). \ne. Enter the LDAP Domain name to prepend to all objects learned from the server. The value entered here depends on the specific deployment. If using Active Directory, enter the NetBIOS domain name; not an FQDN (for example, enter acme, not acme.com). Note that if collecting data from multiple domains, it is necessary to create separate server profiles. If using a global catalog server, leave this field blank.\n4. Select the Type of LDAP server that will be connected. The correct LDAP attributes in the group mapping settings will automatically be populated based on the selection.\n5. In the Base field, select the DN that corresponds to the point in the LDAP tree where the firewall is to begin its search for user and group information.\n6. Select the SSL checkbox.\n7. Select \"OK\".\n\nTo create an Authentication Profile using the newly created LDAP server, follow these steps:\n1. Go to Device >> Authentication Profile.\n2. Select \"Add\" (lower left of window).\n3. Populate the required fields as needed.\na. In the Authentication field, select \"LDAP\".\nb. In the Server Profile field, select the configured LDAP server profile.\nc. In the Login Attribute field, enter “sAMAccountName”. \n4. Select \"OK\".\n\nApply the authentication profile to the Administrator accounts.\n1. Go to Device >> Administrators.\n2. Select each configured account or select \"Add\" (in the bottom-left corner of the pane) to create a new one.\n3. In the \"Authentication Profile\" field, enter the configured LDAP authentication profile.\n4. Select \"OK\".\n\nNote: The name of the administrator must match the name of the user in the LDAP server.\nNote: The authentication profile must not be applied to the emergency administration account since it has special requirements.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.\n\nNote that the emergency administration account is the only account that is configured locally on the device itself.","ccis":["CCI-000366","CCI-000372"]},{"vulnId":"V-228674","ruleId":"SV-228674r961863_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must use DoD-approved PKI rather than proprietary or self-signed device certificates.","description":"DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling mandates that certificates must be issued by the DoD PKI or by a DoD-approved PKI for authentication, digital signature, or encryption.","checkContent":"Go to Device >> Certificate Management >> Certificates\nInstalled Certificates are listed in the \"Device Certificates\" tab.\nIf any of the have the name or identifier of a non-approved source in the \"Issuer\" field, this is a finding.","fixText":"Obtain a Device Certificate from the DoD PKI or from a DoD-approved PKI:\nGo to Device >> Certificate Management >> Certificates\nSelect \"Import\" (at the bottom of the pane). \nIn the \"Import Certificate\" pane, complete each field.\nSelect \"OK\".","ccis":["CCI-000366","CCI-001159"]},{"vulnId":"V-228675","ruleId":"SV-228675r961863_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must not use Password Profiles.","description":"Password profiles override settings made in the Minimum Password Complexity window.  If Password Profiles are used they can bypass password complexity requirements.","checkContent":"Go to Device >> Password Profiles\nIf there are configured Password Profiles, this is a finding.","fixText":"Go to Device >> Password Profiles\nIf the screen is blank (no configured Password Profiles), do nothing.\n\nIf there are configured Password Profiles, identify which accounts are using them and bring this to the attention of the ISSO immediately.\nDelete the Password Profiles when authorized to make changes to the device in accordance with local change management policies.","ccis":["CCI-000366"]},{"vulnId":"V-228676","ruleId":"SV-228676r961863_rule","severity":"high","ruleTitle":"The Palo Alto Networks security platform must not use the default admin account password.","description":"To assure accountability and prevent unauthenticated access, organizational administrators must be uniquely identified and authenticated for all network management accesses to prevent potential misuse and compromise of the system.\n\nThe use of a default password for any account, especially one for administrative access, can quickly lead to a compromise of the device and subsequently, the entire enclave or system.  The \"admin\" account is intended solely for the initial setup of the device and must be disabled when the device is initially configured.  The default password for this account must immediately be changed at the first login of an authorized administrator.","checkContent":"Open a web browser at an authorized workstation and enter the management IP address of the Palo Alto Networks security platform.\nUse HTTP Secure (HTTPS) instead of HTTP since HTTP is disabled by default.\nThe logon window will appear.\nEnter \"admin\" into both the \"Name\" and \"Password\" fields.  \nIf anything except the logon screen with the message \"Invalid username or password\" appears, this is a finding.","fixText":"Go to Device >> Administrators\nSelect the admin user.\nIn the \"Old Password\" field, enter \"admin\".\nIn the \"New Password\" field, enter the new password.\nIn the \"Confirm New Password\" field, enter the new password.\nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366","CCI-000764"]},{"vulnId":"V-228677","ruleId":"SV-228677r961863_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must generate an audit log record when the Data Plane CPU utilization is 100%.","description":"Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.\n\nIf the Data Plane CPU utilization is 100%, this may indicate an attack or simply an over-utilized device.  In either case, action must be taken to identify the source of the issue and take corrective action.","checkContent":"Go to Device >> Setup >> Management\nIn the \"Logging and Reporting Settings\" pane.\nIf the \"Enable Log on High DP Load\" check box is not selected, this is a finding.","fixText":"Go to Device >> Setup >> Management\nIn the \"Logging and Reporting Settings\" pane, select the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Log Export and Reporting\" tab, select the \"Enable Log on High DP Load\" check box.  \nSelect \"OK\".\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-000366"]},{"vulnId":"V-228678","ruleId":"SV-228678r961506_rule","severity":"medium","ruleTitle":"The Palo Alto Networks security platform must authenticate Network Time Protocol sources.","description":"If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server.  This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affected scheduled actions.  NTP authentication is used to prevent this tampering by authenticating the time source.","checkContent":"Go to Device >> Setup >> Services\nIn the \"Services\" window, the Primary NTP Server Authentication Type and Secondary NTP Server Authentication Type must be either Symmetric Key or Autokey. If the \"Primary NTP Server Authentication Type\" and \"Secondary NTP Server Authentication Type\" fields are \"none\", this is a finding.","fixText":"Go to Device >> Setup >> Services\nSelect the \"Edit\" icon (the gear symbol in the upper-right corner of the pane).\nIn the \"Services\" window, in the NTP tab, in the \"Primary NTP Server Address\" field and the \"Secondary NTP Server Address\" field, enter the IP address or hostname of the NTP servers.\n\nIn the \"Authentication Type\" field, select one of the following:\nSymmetric Key; this option uses symmetric key exchange, which are shared secrets. Enter the key ID, algorithm, authentication key, and confirm the authentication key; for the algorithm, select \"SHA1\".\nAutokey; this option uses auto key, or public key cryptography.\nCommit changes by selecting \"Commit\" in the upper-right corner of the screen.\nSelect \"OK\" when the confirmation dialog appears.","ccis":["CCI-001967"]},{"vulnId":"V-268323","ruleId":"SV-268323r1084266_rule","severity":"medium","ruleTitle":"The Palo Alto device must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.","description":"Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.\n\nThe account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit must be added to the envelope as a record. Administrators must secure the credentials and disable the root account (if possible) when not needed for system administration functions.","checkContent":"Navigate to Device >> Administrators.\nReview the user list.\n\nIf there is an authentication profile/user account configured (and enabled) for any account other than the emergency administration account, this is a finding.","fixText":"Remove local users other than the designated account of last resort.\n\nUsing the Console UI:\nNavigate to Device >> Administrators.\nSelect and delete local users other than the account of last resort.\n\nNote: To protect against brute-force attacks, delete the default admin account by creating a new superuser administrator account, logging out, and logging back in using the new account.","ccis":["CCI-001358","CCI-002111"]}]}