Interested in learningmore about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Palo Alto Firewall Security Configuration Benchmark Security configuration benchmarks provide invaluable guidance when auditing, evaluating, or configuring network infrastructure devices. Contributions by CIS (Center for Internet Security), DISA (Defense Information Systems Agency), the NSA, NIST, and SANS provide benchmark guides for a variety of network devices, operating systems, and other IT equipment. It is also common for technology companies themselves to provide these guides for their products, such as Microsoft's Security Baselines. Although best practice recom... AD Copyright SANS Institute Author Retains Full Rights Palo Alto Firewall Security Configuration Benchmark – v.1.1 GIAC (GSNA) Gold Certification Author: Ryan Firth,
[email protected] Advisor: Rob VandenBrink Version 1.0 Accepted: February 13th, 2015 Latest revision (v.1.1): April 15th, 2015 Abstract Security configuration benchmarks provide invaluable guidance when auditing, evaluating, or configuring network infrastructure devices. Contributions by CIS (Center for Internet Security), DISA (Defense Information Systems Agency), the NSA, NIST, and SANS provide benchmark guides for a variety of network devices, operating systems, and other IT equipment. It is also common for technology companies themselves to provide these guides for their products, such as Microsoft’s Security Baselines. Although best practice recommendations are found in abundance on the Palo Alto Networks website, a single security configuration benchmark does not currently exist for Palo Alto firewalls. This paper will combine best practice guidance from Palo Alto, other reputable sources, and real-world experience to provide a comprehensive security benchmark for auditing a Palo Alto firewall running PAN-OS 6.1 software. The intention of this paper is to produce a version 1 draft from which to start a living CIS project—the CIS Palo Alto Firewall Benchmark. Through a formal CIS benchmark project, many other experts will join in to provide input, scrutinize proposals, discuss, and ultimately settle on sound benchmark recommendations useful for a wide variety of organizations interested in securing and/or auditing their Palo Alto firewalls. Once published, the CIS Palo Alto Firewall Benchmark will supersede the recommendations in this paper. Palo Alto Firewall Security Configuration Benchmark 2 Table of Contents 1. INTRODUCTION .......................................................................................................................................... 5 2. PAN-OS 6.1 BENCHMARK ............................................................................................................................ 6 2.1. DEVICE SETUP............................................................................................................................... 6 2.1.1. General Settings .............................................................................................................................. 6 2.1.1.1. Require an appropriate login banner .............................................................................................. 6 2.1.2. Logging and Reporting Settings ...................................................................................................... 7 2.1.2.1. Enable Log on High DP Load ........................................................................................................... 7 2.1.3. Management Interface Settings ..................................................................................................... 8 2.1.3.1. Forbid HTTP and telnet services for device management ............................................................... 8 2.1.3.2. Limit Permitted IP Addresses to those necessary for device management. .................................... 9 2.1.3.3. Require all interface management profiles where telnet, SSH, HTTP, HTTPS, or SNMP is enabled to permit only IP addresses necessary for device management. ..................................................................... 10 2.1.4. Minimum Password Requirements ............................................................................................... 11 2.1.4.1. Require minimum password complexity rules .............................................................................. 11 2.1.4.2. Forbid the use of password profiles .............................................................................................. 13 2.1.5. Authentication Settings (For Device Management) ...................................................................... 14 2.1.5.1. Require an idle timeout value of 10 minutes for device management. ........................................ 14 2.1.5.2. Forbid the use of Authentication Settings for Failed Attempts and Lockout Time. Require an Authentication Profile with Failed Attempts to 3, and lockout time of 15 minutes applied to all but one Superuser account. ........................................................................................................................................... 15 2.1.6. SNMP Polling ................................................................................................................................. 17 2.1.6.1. Require SNMP V3 (If SNMP polling is configured) ......................................................................... 17 2.1.7. Device Services .............................................................................................................................. 18 2.1.7.1. Require verification of update server identity ............................................................................... 18 2.1.7.2. Require redundant NTP services ................................................................................................... 19 2.2. USER IDENTIFICATION ................................................................................................................... 21 2.2.1. User Identification - General ......................................................................................................... 21 2.2.1.1. Require IP-to-username mapping for user traffic ......................................................................... 21 2.2.2. Securing User-ID Probing .............................................................................................................. 22 2.2.2.1. Disable WMI probing if not required............................................................................................. 22 2.2.2.2. Forbid User-ID on external and other non-trusted zones .............................................................. 24 2.2.2.3. Require the use of User-ID’s Include/Exclude Networks section, if User-ID is enabled. Include only trusted internal networks. ................................................................................................................................ 25 2.2.3. User-ID Agent ................................................................................................................................ 26 Author Name, email@address Palo Alto Firewall Security Configuration Benchmark 3 2.2.3.1. Require a dedicated service account for User-ID with minimal permissions (If a User-ID Agent or Integrated User-ID Agent is utilized) ................................................................................................................ 26 2.2.3.2. Forbid Interactive Login rights for the User-ID service account .................................................... 27 2.2.3.4. Require security policies restricting User-ID Agent traffic from crossing into untrusted zones. ... 28 2.3. HIGH AVAILABILITY ...................................................................................................................... 30 2.3.1.1. Require a fully-synchronized High Availability peer ...................................................................... 30 2.3.1.2. For High Availability, require Link Monitoring, Path Monitoring, or both .................................... 31 2.3.1.3. Forbid simultaneously enabling the Preemptive option, and configuring the Passive Link State to shutdown simultaneously. (For an HA pair) ..................................................................................................... 32 2.4. DYNAMIC UPDATES ..................................................................................................................... 33 2.4.1. Scheduled Downloads ................................................................................................................... 33 2.4.1.1. Require the Antivirus Update Schedule is set to Download and Install hourly. ............................ 33 2.4.1.2. Require the Applications and Threats Update Schedule is set to Download and Install Daily. ..... 34 2.4.1.3. Require the WildFire Update Schedule is set to Download and Install every 15 minutes. ............ 36 2.5. WILDFIRE .................................................................................................................................. 37 2.5.1. WildFire General Settings.............................................................................................................. 37 2.5.1.1. Increase WildFire file size upload limits ........................................................................................ 37 2.5.2. WildFire configuration .................................................................................................................. 38 2.5.2.1. forward Require WildFire File Blocking profiles to include any application, any file type, and action set to ...................................................................................................................................................... 38 2.5.2.2. Require a WildFire File Blocking profile for all security policies allowing Internet traffic flows. ... 38 2.5.2.3. Require forwarding of decrypted content ..................................................................................... 39 2.5.2.4. Require all WildFire Session Information Settings to be enabled.................................................. 40 2.5.3. WildFire alerting and verification ................................................................................................. 41 2.5.3.1. Require sending an alert for malware detected through WildFire ............................................... 41 2.5.3.2. Verify WildFire file submission and alerting is functioning as expected ....................................... 43 2.6. SECURITY PROFILES ...................................................................................................................... 45 2.6.1. Antivirus ........................................................................................................................................ 45 2.6.1.1. Require an Antivirus profile configured to block on all decoders except imap and pop3.. ........... 45 2.6.1.2. Require a securely configured Antivirus profile applied to all applicable security policies. .......... 46 2.6.2. Anti-Spyware ................................................................................................................................. 48 2.6.2.1. threats. Require an Anti-Spyware profile configured to block on all severity levels, categories, and ...................................................................................................................................................... 48 2.6.2.2. Require DNS Sinkholing on all Anti-spyware profiles in use. ......................................................... 51 2.6.2.3. Require Passive DNS Monitoring enabled on all Anti-Spyware profiles in use. ............................. 52 2.6.2.4. Require a securely configured Anti-Spyware profile applied to all security policies permitting traffic to the Internet. ...................................................................................................................................... 53 Author Name, email@address ... 69 2...1............... URL Filtering ........ email@address ..... and NOT set to allow for any scan type......2............. 58 2...............................................................................1..................... Data Filtering .............. Forbid using the Service setting of any in a security policy....................................................................... 2.........1.......... 54 2..........................8........................................... 74 2..... Strict Source Routing....................... Require a securely configured URL Filtering profile applied to all security policies allowing traffic to the Internet........ 73 SSL Forward Proxy . .................................. 73 2............................................. mismatched overlapping TCP segment........ Require all zones have Zone Protection Profiles that drop Spoofed IP address......... Require a security policy denying any/all traffic at the bottom of the security policies ruleset...........1.6. SECURITY POLICIES.............6....1... hacking... 73 2......... Require a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies attached to all untrusted zones..................................................1...................1........................................................... 72 2............................... Require a Data Filtering policy set to alert after a threshold of Credit Card or Social Security numbers are detected....... Vulnerability Protection .. Zone Protection profiles .......... 76 4...........................5........ Require a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types attached to all untrusted zones............................. .............8.........6.............. ........5............................... 60 2.4................... Require an SSL Forward Proxy policy for traffic destined to the Internet for all URL categories except financial-services and health-and-medicine....6............. 67 2..................... ............. malware....... proxy-avoidance-and-anonymizers ..... ....................... REFERENCES ....................................... Require a URL Filtering profile with the action of “block” or “override” on the following categories: adult.... 60 2..................... Require a securely configured Vulnerability Protection Profile applied to all security policies allowing traffic...........................................6......... 56 2............4.. Malformed.................. 66 2...................................................6..............2................. ...........3....4................ ........... DECRYPTION ..7.........................4...............7..............6.........6...................2... 55 2........................ 60 2......................................................6.............................4........................... 74 3................8. 64 2.... .... ........ Require SSL Inbound Inspection for all untrusted traffic destined for servers using SSL.. AUDIT CHECKLIST ................................. Require all zones have Zone Protection Profiles with all Reconnaissance Protection settings tuned and enabled.....3................................. and set to default on medium................................. 56 2............. 71 2.....6.............. 70 2.................6..................................................................................... Require the use of PAN-DB URL Filtering .... and informational vulnerabilities..........4................ phishing.................3................... 56 2.......6................................................1. 80 Author Name...................1......... .......1....... low.....................................6..................................4.................. Forbid a utilized URL Filtering profile with any category set to “allow”...................... SSL Inbound Inspection ......8..................................................................................................................2..............................................4......2..3......... .... 57 2.........3.................... ........ 54 2......1...................... Require specific application policies when allowing traffic from an untrusted zone to a more trusted zone..................................................................................................................................3........... ........................... ..........................................6........ 70 2....................... 70 Security Policies ........... and Loose Source Routing IP options.........................6..6............6......6...................7....6...........2...................... 64 2...........7...................5............... Require a Vulnerability Protection profile configured to block at least high and critical vulnerabilities..........................Palo Alto Firewall Security Configuration Benchmark 4 2...1...............................General ..............6.................................................6.............................................1..... Require all HTTP Header Logging options enabled ...7............. 2.....8.......... although incorporating two-factor authentication is superior to password-only authentication. other guidance found in the PAN Community website (https://live.com/documentation... administrator’s guides found in the documentation section of live.. real-world experience... Configuration and day-to-day management of a PAN firewall primarily occurs through the web GUI..com). creating a one size fits all security guide is not possible.... (https://www... 1... Where appropriate.Palo Alto Firewall Security Configuration Benchmark 5 5......1 software. PAN firewalls have a flexible and powerful feature set making them useful in a wide variety of environments and situations.... IT auditors........paloaltonetworks. IT auditors should weigh the overall design... Therefore............ email@address .paloaltonetworks. As with almost any best practices guide... and other security professionals responsible for the configuration...... and SANS. Because of this.. deployment. REVISION HISTORY ..... or management of a PAN firewall............ guidance from well-established security organizations were incorporated. For non-security related topics.....com is a helpful place to start. This benchmark is intended for firewall administrators.html) Recommendations in this benchmark are considered generally acceptable best practice for most environments. this guide will primarily focus on configuration and auditing through the web GUI. practical security benefit and minimum due care are provided in this document... 84 Introduction This security configuration benchmark was created and tested against Palo Alto Networks’ PAN-OS 6...... assessment.......... knowledge base... The recommendations herein were compiled and derived from Palo Alto Networks (PAN) documentation...... The order of topics roughly follows the flow and logical groupings of the web interface... recommendations around the latter is considered minimum due care.... MITRE.... such as NIST. Only recommendations providing a clear.. which can be granularly controlled to provide read-only access for IT auditors........ For example..paloaltonetworks. and practical............. or additional configuration information......... careful testing and consideration should be exercised when deciding if a recommendation is appropriate for a specific environment.... architectural Author Name. and other security controls in place when reporting findings based on this benchmark. This banner should. you assume total responsibility of the consequences. 2.1 Benchmark 2. ideally approved by the organization’s legal team. coordination. and should not contain the word “welcome” or similar words of invitation. Require an appropriate login banner Location: Device > Setup > Management > General Settings Recommendation: Configure a login banner. Acknowledgements: Albert Estevez.Palo Alto Firewall Security Configuration Benchmark 6 considerations.1.1. Device Setup 2.1. The author. at minimum. PAN-OS 6. provide notice of logging or monitoring. Author Name. General Settings 2.1. and Palo Alto Networks are not liable for any damages incurred directly or indirectly from the use of this document. By utilizing the guidance contained in this document.1. validation. and support throughout the creation of this benchmark. email@address . BD Solutions Architect at Palo Alto Networks for timely feedback. prohibit unauthorized access.1. contributors. Others at Palo Alto Networks and the PAN and SANS communities for the support and feedback. Enable Log on High DP Load Location: Author Name.1. the login banner greatly diminishes a defendant’s claim of ignorance.com/docs/DOC-7964 2. the risk of unintentional access to the device by unauthorized users is reduced.Palo Alto Firewall Security Configuration Benchmark 7 Rationale: Through a properly stated login banner.paloaltonetworks.2. Logging and Reporting Settings 2. Should legal action take place against a person accessing the device without authorization.2.1.1. References: “How to Configure the Device Login Banner” https://live. email@address . 3.1.paloaltonetworks. Rationale: When the device’s packet processing load reaches 100%. a system log entry is created when the device’s packet processing load reaches 100% utilization.3. Forbid HTTP and telnet services for device management Location: Device > Setup > Management > Management Interface Settings Recommendation: HTTP and Telnet options should not be checked. a degradation in the availability of services accessed through the device can occur. email@address . References: “What is "Enable Log on High DP Load" in PAN-OS 5.0?” https://live.com/docs/DOC-4075 2.Palo Alto Firewall Security Configuration Benchmark 8 Device > Setup > Management > Logging and Reporting Settings Recommendation: Enable the Log on High DP Load feature.1.1. Management Interface Settings 2. Author Name. When this option in selected. Author Name. email@address . References: “What could Cause a Large Number of Auth-Fail Events in the System Logs?” https://live.paloaltonetworks.Palo Alto Firewall Security Configuration Benchmark 9 Rationale: Management access over clear-text services such as telnet or HTTP could result in a compromise of administrator credentials.1.com/docs/DOC-3703 “How to Configure In-Band Management” https://live.paloaltonetworks.3. Location: Device > Setup > Management > Management Interface Settings Recommendation: Permit only the IP addresses necessary for management of the device.com/docs/DOC-1153 2. Limit Permitted IP Addresses to those necessary for device management.2. HTTP. HTTPS.3. References: “Allowing Specific IP Addresses to Access the Palo Alto Network Device” https://live. or SNMP is enabled to permit only IP addresses necessary for device management. Require all interface management profiles where telnet. Permitting management access from other IP addresses increases the risk of unauthorized access through password guessing or stolen credentials. SSH. email@address . Location: Network > Network Profiles > Interface Mgmt Recommendation: For all interface management profiles with enabled protocols providing device management. only IP addresses necessary for device management should be specified.1.3.com/docs/DOC-8042 2.paloaltonetworks.Palo Alto Firewall Security Configuration Benchmark 1 0 Rationale: Management access to the device should be restricted to the IP addresses used by firewall administrators. Author Name. if the Ping-SSH-HTTPS profile were missing a Permitted IP Addresses list.Palo Alto Firewall Security Configuration Benchmark 1 1 Rationale: If a Permitted IP Addresses list is either not specified or too broad.1. an attacker may gain the ability to attempt management access from unintentional locations.paloaltonetworks. References: “Allowing Specific IP Addresses to Access the Palo Alto Network Device” https://live.1.1.4. email@address . it may be possible for anyone on the Internet to attempt device management access. such as the Internet.4. The “Require a security policy denying any/all traffic at the bottom of the security policies ruleset” recommendation in this benchmark can provide additional protection by requiring a security policy specifically allowing device management access. Require minimum password complexity rules Location: Device > Setup > Management > Minimum Password Complexity Recommendation: Minimum Password Complexity – Enabled Minimum Length – 12 Minimum Uppercase Letters – 1 Minimum Lowercase Letters – 1 Minimum Numeric Letters – 1 Author Name. then applied to an outside interface. Minimum Password Requirements 2. In the example above.com/docs/DOC-8042 2. and benchmarks published by the CIS (Center for Internet Security). References: “How to Configure Minimum Password Complexity for User Accounts” https://live.paloaltonetworks.com/docs/DOC-8018 Author Name.Palo Alto Firewall Security Configuration Benchmark 1 2 Minimum Special Characters – 1 Block Username Inclusion (including reversed) – Enabled New Password Differs By Characters – 3 Prevent Password Reuse Limit – 24 Required Password Change Period (days) – 90 Rationale: Password complexity recommendations are derived from the USGCB (United States Government Configuration Baseline). Common Weakness Enumeration. email@address . Windows 7 Content” .org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_ Benchmark_v1.nist. Rationale: Password profiles override recommended settings in the Minimum Password Complexity section. email@address . See the section in this benchmark titled “Require minimum password complexity rules”.html 2.1.2.com/docs/DOC-5177 Author Name.html “The United States Government Configuration Baseline (USGCB) .Palo Alto Firewall Security Configuration Benchmark 1 3 “CIS Microsoft Windows Server 2012 R2 benchmark” https://benchmarks.4.gov/usgcb/microsoft/download_win7.org/data/definitions/255.paloaltonetworks.1.pdf “Common Weakness Enumeration CWE-255: Credentials Management” http://cwe. Forbid the use of password profiles Location: Device > Password Profiles Recommendation: Do not use password profiles.cisecurity.http://usgcb.mitre. References: “Defining Granular Admin Role Profiles” https://live.0. Palo Alto Firewall Security Configuration Benchmark 1 4 “PAN-OS 6.com/docs/DOC-8250 2.302 “How to Change the Admin Session Timeout Value” https://live. This mirrors recommendation 1. References: “CIS Cisco Firewall Benchmark v3.2.cisecurity.1. email@address . Rationale: An unattended computer with an open administrative session to the device could allow an unauthorized user access to the firewall’s management interface. Require an idle timeout value of 10 minutes for device management.com/docs/DOC-5557 Author Name.1 Web Interface Reference Guide (English)” https://live.5.1.1.4 (Require Timeout for Login Sessions) in the CIS Cisco Firewall Benchmark v3.firewall.2” . Location: Device > Setup > Management > Authentication Settings Recommendation: Set the Idle Timeout value for device management to 10 minutes.2.org/enus/?route=downloads.1.paloaltonetworks.paloaltonetworks.form.0.https://benchmarks. Authentication Settings (For Device Management) 2.5.0. email@address . Require an Authentication Profile with Failed Attempts to 3.1. and lockout time of 15 minutes applied to all but one Superuser account.2. Note that any Failed Attempts or Lockout Time settings within the selected Authentication Profile does not apply in the Authentication Settings section. Locations: Device > Setup > Management > Authentication Settings Device > Authentication Profile Recommendation: Do not set Failed Attempts and Lockout Time in the Authentication Settings section. Instead.5. Forbid the use of Authentication Settings for Failed Attempts and Lockout Time. configure an Authentication Profile with lockout settings of 3 Failed Attempts and Lockout Time of 15 minutes.Palo Alto Firewall Security Configuration Benchmark 1 5 2. Author Name. Rationale: Without a lockout limit. such as if a primary administrator account is being continuously locked out. it may be possible for an attacker to continuously lock out all administrative accounts from accessing the device. This account should be monitored. an attacker can continuously guess administrators’ passwords. email@address . and used only in very limited circumstances. with the exception of one Superuser account.Palo Alto Firewall Security Configuration Benchmark 1 6 This authentication profile should be applied to all user accounts. have an extremely secure password. If lockout settings are configured in the Authentication Settings section. Author Name. Rationale: Author Name. SNMP Polling 2. Require SNMP V3 (If SNMP polling is configured) Location: Device > Setup > Operations > Miscellaneous > SNMP Setup Recommendation: For SNMP polling. email@address .1.6.1.6.1.Palo Alto Firewall Security Configuration Benchmark 1 7 2. only SNMP V3 should be used. email@address . message integrity.7. SNMP V2c does not provide these security features. If an SNMP V2c community string is intercepted or otherwise obtained. this option may need to be disabled.1. Note that if an SSL Forward Proxy is configured to intercept the update session. Note that SNMP write access is not possible.paloaltonetworks. References: “How to Setup SNMPv3 Polling” . Author Name.https://live. Device Services 2.paloaltonetworks.com/docs/DOC-4627 2. and device authentication.com/docs/DOC-4037 “Using the Simple Network Management Protocol (SNMP)” https://live.Palo Alto Firewall Security Configuration Benchmark 1 8 SNMP V3 utilizes AES-128 encryption. user authorization.1. Require verification of update server identity Location: Device > Setup > Services > Services Recommendation: Enable the Verify Update Server Identity option.7. an attacker could gain read access to the firewall.1. Palo Alto Firewall Security Configuration Benchmark 1 9 Rationale: While updates are cryptographically signed. email@address . Require redundant NTP services Location: Device > Setup > Services > Services Recommendation: A primary and secondary NTP server should be configured.1. Reference: “PAN-OS Administrator's Guide 6.paloaltonetworks.1 (English)” https://live.2.7.com/docs/DOC-8246 2. verifying the update server identity provides additional protection by ensuring update packages originate from a trusted source. Author Name. troubleshooting. Rationale: NTP enables the device to maintain an accurate time and date when receiving updates from a reliable NTP server. If Symmetric Key is selected. Accurate timestamps are critical when correlating events with other systems.cfm “PAN-OS Administrator's Guide 6. only SHA1 should be used as MD5 is considered severely compromised.com/docs/DOC-8246 Author Name.http://www.nist. Logs and certain cryptographic functions. References: “The NIST Authenticated NTP Service” . authenticated NTP can be utilized. or performing investigative work.paloaltonetworks. email@address . rely on accurate time and date parameters.gov/pml/div688/grp40/authntp. In addition.1 (English)” https://live. rules referencing a Schedule object will not function as intended if the device’s time and date are incorrect. such as those utilizing certificates.Palo Alto Firewall Security Configuration Benchmark 2 0 Enhanced Security Recommendation: For additional security. Exchange server. or syslog data from a variety of devices.General 2. captive portal. Terminal Server. URL Filtering logs: Traffic logs: Author Name.2.1. XML API. To validate if this recommendation has been met. User Identification 2.1. look at the Source User column in the URL Filtering or Traffic logs. User Identification . The specifics of how to achieve IP-to-username mapping is highly dependent on the environment. email@address . User-ID Agent. User traffic originating from a trusted zone should identify a username.Palo Alto Firewall Security Configuration Benchmark 2 1 2. Require IP-to-username mapping for user traffic Locations: Device > User Identification Monitor > Logs > URL Filtering Monitor > Logs > Traffic Logs Recommendation: Configure appropriate settings to map IP addresses to usernames. This is enabled by integrating PAN firewalls with a domain controller.2.1.2. 1 (English)” https://live. References: “Best Practices for Securing User-ID Deployments” https://live.paloaltonetworks. In environments with either short DHCP lease times.com/docs/DOC-6591 “How to Configure Group Mapping settings?” https://live.PAN-OS 5.2. Location: Author Name.paloaltonetworks. Securing User-ID Probing 2.Palo Alto Firewall Security Configuration Benchmark 2 2 Rationale: Understanding which user is involved in a security incident allows appropriate personnel to move quickly between the detection and reaction phases of incident response. Disable WMI probing if not required. 6. the Source User information may be the only way to tie together related data.paloaltonetworks.com/docs/DOC-7912 “User-ID Best Practices . or where users may move frequently between systems.com/docs/DOC-4994 “PAN-OS Administrator's Guide 6.2.2. For forensics tasks when DHCP lease information may not be available. email@address .0. or alert on events based on user accounts or user groups is a tremendous advantage.2.com/docs/DOC-8246 2.paloaltonetworks.1.0” https://live. the ability to analyze or report. Palo Alto Firewall Security Configuration Benchmark 2 3 Device > User Identification > User Mapping > Palo Alto Networks User ID Agent Setup Recommendation: Disable WMI probing if it is not required for User-ID functionality in the environment. References: “R7-2014-16: Palo Alto Networks User-ID Credential Exposure” http://bit.com/docs/DOC-6591 Author Name.PAN-OS 5.0” https://live.paloaltonetworks. such as security log monitoring.0. A malicious user could capture the encrypted password hash for offline cracking or relayed authentication attacks.com/docs/DOC-7912 “User-ID Best Practices . WMI probing requires a domain administrator account. 6. mitigates this risk. Relying on other forms of user identification.ly/1GcbmD4 “Best Practices for Securing User-ID Deployments” https://live. email@address .paloaltonetworks. Rationale: By default. Palo Alto Firewall Security Configuration Benchmark 2 4 2.2.2.2. Forbid User-ID on external and other non-trusted zones Location: Network > Network Profiles > Interface Mgmt Network > Interfaces Recommendation: Only enable the User-ID option for interfaces that are both internal and trusted. Rationale: PAN released a customer advisory in October of 2014 warning of WMI probing on untrusted interfaces with User-ID enabled. This can result in credential theft of the account used in WMI probing. References: “Customer advisory: Security Impact of User-ID Misconfiguration” https://live.paloaltonetworks.com/docs/DOC-8125 “R7-2014-16: Palo Alto Networks User-ID Credential Exposure” http://bit.ly/1GcbmD4 Author Name, email@address Palo Alto Firewall Security Configuration Benchmark 2 5 “Best Practices for Securing User-ID Deployments” https://live.paloaltonetworks.com/docs/DOC-7912 “User-ID Best Practices - PAN-OS 5.0, 6.0” https://live.paloaltonetworks.com/docs/DOC-6591 2.2.2.3. Require the use of User-ID’s Include/Exclude Networks section, if User-ID is enabled. Include only trusted internal networks. Location: Device > User Identification > User Mapping > Include/Exclude Networks Recommendation: If User-ID is configured, use the Include/Exclude Networks section to specify trusted, internal subnets. Rationale: To help ensure only corporate assets are probed, only trusted networks should be included. Note that if an entry appears in the Include/Exclude Networks section, an implicit exclude-all-networks will take effect for all other networks. WMI probes to non-trusted subnets can result in credential theft of the account used in WMI probing. References: Best Practices for Securing User-ID Deployments https://live.paloaltonetworks.com/docs/DOC-7912 Author Name, email@address Palo Alto Firewall Security Configuration Benchmark 2 6 2.2.3. User-ID Agent 2.2.3.1. Require a dedicated service account for User-ID with minimal permissions (If a User-ID Agent or Integrated User-ID Agent is utilized) Locations: Device > User Identification > User Mapping > Server Monitoring Windows Server 2008 or later > Active Directory Users and Computers Recommendations: A) If the integrated (on-device) User-ID Agent is utilized, the Active Directory account for the agent should only be a member of the Event Log Readers group, Distributed COM Users group, and Domain Users group. B) If the Windows User-ID agent is utilized, the Active Directory account for the agent should only be a member of the Event Log Readers group, Server Operators group, and Domain Users group. Rationale: Author Name, email@address Palo Alto Firewall Security Configuration Benchmark 2 7 As a principle of least privilege, user accounts should have only minimum necessary permissions. If an attacker compromises a User-ID service account with domain admin rights, the organization is at a far greater risk than if the service account were only granted minimum rights. References: “Best Practices for Securing User-ID Deployments” https://live.paloaltonetworks.com/docs/DOC-7912 “User-ID Best Practices - PAN-OS 5.0, 6.0” https://live.paloaltonetworks.com/docs/DOC-6591 “Configure User Mapping Using the Windows User-ID Agent” https://www.paloaltonetworks.com/content/paloaltonetworkscom/global/en_US/index/documentation/61/pan-os/pan-os/section_7/chapter_6.html#95841 “Configure User Mapping Using the PAN-OS Integrated User-ID Agent” https://www.paloaltonetworks.com/content/paloaltonetworkscom/global/en_US/index/documentation/61/pan-os/pan-os/section_7/chapter_7.html#33331 2.2.3.2. Forbid Interactive Login rights for the User-ID service account Location: Windows domain controller Recommendation: Restrict the User-ID service account from interactively logging on to a system in the Active Directory domain. Most commonly, this can be achieved through Active Directory’s Group Policy or Managed Service Accounts functions. Rationale: In the event of a compromised User-ID service account, restricting interactive logins forbids the attacker from utilizing services such as RDP against computers in the Active Author Name, email@address 3. or TeamViewer. Require security policies restricting User-ID Agent traffic from crossing into untrusted zones. Citrix GoToMyPC. References: “Best Practices for Securing User-ID Deployments” https://live.com/docs/DOC-7912 2. restricting the account’s ability to remotely access resources within the organization’s internal network reduces the impact of a service account compromise.4. References: “Best Practices for Securing User-ID Deployments” https://live.paloaltonetworks. Remote services that integrate authentication with the organization’s Active Directory may unintentionally allow the User-ID service account to gain remote access. or TeamViewer Recommendation: Restrict the User-ID service account’s ability to gain remote access into the organization.2. Locations: Author Name. This reduces the impact of a User-ID service account compromise.paloaltonetworks.3. Rationale: In the event of a compromised User-ID service account. email@address . This capability could be made available through a variety of technologies. Location: Remote access systems. Forbid all remote access capabilities for the User-ID service account. Citrix GoToMyPC. such as VPN.2.Palo Alto Firewall Security Configuration Benchmark 2 8 Directory domain of the organization. such as VPN.3.com/docs/DOC-7912 2. Palo Alto Firewall Security Configuration Benchmark 2 9 Device > Setup > Services > Services Features > Service Route Configuration Policies > Security Recommendation: Create security policies to deny msrpc traffic originating from the interface configured for the UID Agent service and destined to all untrusted zones. The firewall’s management interface is used by the UID Agent service by default. email@address . Author Name. Palo Alto Firewall Security Configuration Benchmark 3 0 (Address object created for the UID Agent’s IP address) Rationale: WMI probes to non-trusted subnets can result in credential theft of the account used in WMI probing.com/docs/DOC-7912 “MSRPC traffic to unknown IP addresses on Internet originating from the Management interface” . References: “Best Practices for Securing User-ID Deployments” https://live.3. High Availability 2. Require a fully-synchronized High Availability peer Location: Dashboard > Widgets > System > High Availability Recommendation: Ensure a High Availability peer is fully synchronized and in a passive or active state.1.3.com/docs/DOC-8690 2.paloaltonetworks. To help ensure only corporate assets are probed.1.paloaltonetworks. Author Name.https://live. email@address . msrpc traffic originating from the firewall to untrusted networks should be explicitly denied. This security policy should be in effect even for environments not currently using WMI probing to help guard against possible future probe misconfigurations. Palo Alto Firewall Security Configuration Benchmark 3 1 Rationale: To ensure availability of both the firewall and the resources it protects. In the event a single firewall fails. or when maintenance such as a software update is required. or both Location: Device > High Availability > Link and Path Monitoring Recommendation: Configure Link Monitoring and/or Path Monitoring under High Availability options.3.paloaltonetworks. the HA peer can be used to automatically fail over session states and maintain overall availability.2. For High Availability. all links critical to traffic flow should be monitored. Path Monitoring. a High Availability peer is required.1 (English)” https://live. require Link Monitoring. If Link Monitoring is utilized. Reference: “PAN-OS Administrator's Guide 6.com/docs/DOC-8246 2. email@address . Author Name.1. Forbid simultaneously enabling the Preemptive option. References: “PAN-OS Administrator's Guide 6.1 (English)” https://live. the standby router will not automatically take over as active if a critical link fails on the active firewall. and configuring the Passive Link State to shutdown simultaneously. Services through the firewall could become unavailable as a result.3.com/docs/DOC-8246 2.3.paloaltonetworks. (For an HA pair) Location: Device > High Availability > Active/Passive Settings Device > High Availability > Election Settings Recommendation: Author Name.Palo Alto Firewall Security Configuration Benchmark 3 2 Rationale: If link or path monitoring is not enabled. email@address .1. or uncheck the Preemptive option.1.1.4.4. Require the Antivirus Update Schedule is set to Download and Install hourly. Location: Device > Dynamic Updates Recommendation: Set the Antivirus Update Schedule to Download and Install hourly. This will negatively impact the availability of the firewall and network services. Scheduled Downloads 2. Rationale: If the firewall is set both to preempt and to shut down the links on the passive firewall. Author Name.1 (English)” https://live.paloaltonetworks. Dynamic Updates 2. References: “PAN-OS Administrator's Guide 6. a preemption loop could occur if Link and Path Monitoring is configured.1.com/docs/DOC-8246 2. should a monitored failure occur. It is preferred to disable preemption and set the Passive Link State to auto.Palo Alto Firewall Security Configuration Benchmark 3 3 Either set the Passive Link State to shutdown.4. email@address . With an hourly update schedule. A daily update schedule could leave an organization vulnerable to a known virus for nearly 24 hours. Rationale: New antivirus definitions may be released at any time.paloaltonetworks.4.com/docs/DOC-8246 2.com/docs/DOC1578 “PAN-OS Administrator's Guide 6.https://live. References: “Tips for Managing Content Updates” . in a worse-case scenario.2. the firewall can ensure threats with new definitions are quickly mitigated.paloaltonetworks. email@address .Palo Alto Firewall Security Configuration Benchmark 3 4 The threshold value is highly contingent on the organization. Require the Applications and Threats Update Schedule is set to Download and Install Daily.1.1 (English)” https://live. a longer threshold value provides time for PAN to correct the faulty definition. Location: Device > Dynamic Updates Author Name. In the event of an error in the antivirus definitions. Setting an appropriate threshold value reduces the risk of a bad definition file negatively affecting traffic. A shorter threshold time provides more up-to-date antivirus definitions. paloaltonetworks. A shorter threshold time provides a more up-to-date Applications and Threats version.Palo Alto Firewall Security Configuration Benchmark 3 5 Recommendation: Set the Applications and Threats Update Schedule to Download and Install daily. References: “Tips for Managing Content Updates” .com/docs/DOC-8246 Author Name. and the latest application signatures are applied. In the event of an error in an Applications and Threats version. a longer threshold value provides time for PAN to correct the faulty version. With a daily update schedule.paloaltonetworks. Setting an appropriate threshold value reduces the risk of a bad Applications and Threats file version from negatively affecting traffic.1 (English)” https://live. the firewall can ensure threats with new signatures are quickly mitigated. email@address .https://live. Rationale: New Applications and Threats file versions may be released at any time. The threshold value is highly contingent on the organization.com/docs/DOC1578 “PAN-OS Administrator's Guide 6. com/docs/DOC1578 “PAN-OS Administrator's Guide 6. active threats to the environment.4. Require the WildFire Update Schedule is set to Download and Install every 15 minutes.1.com/docs/DOC-3252 “Tips for Managing Content Updates” . email@address .1 (English)” https://live.3.paloaltonetworks. References: “WildFire Administrator's Guide 6.paloaltonetworks. Location: Device > Dynamic Updates Recommendation: Set the WildFire Update Schedule to Download and Install every 15 minutes. With a 15 minute update schedule.1 (English)” https://live.Palo Alto Firewall Security Configuration Benchmark 3 6 2.com/docs/DOC-8251 “How to Configure WildFire” .https://live. Rationale: WildFire definitions may contain signatures to block immediate.https://live.paloaltonetworks.com/docs/DOC-8246 Author Name.paloaltonetworks. the firewall can ensure threats with new definitions are quickly mitigated. com/docs/DOC-8251 “How to Configure WildFire” . WildFire General Settings 2. email@address . WildFire 2.Palo Alto Firewall Security Configuration Benchmark 3 7 2.1.1.paloaltonetworks.paloaltonetworks.5. Devices without a WildFire license will only forward PE (Portable Executable) files for WildFire analysis. An organization with bandwidth constraints or heavy usage of unique files under a supported file type may require lower settings. References: “WildFire Administrator's Guide 6. This increases the chances of identifying.5.1.1 (English)” https://live. Rationale: Increasing file size limits will allow the device to forward more files for WildFire analysis than default settings.https://live. and later preventing.5. threats in larger files.com/docs/DOC-3252 Author Name. Increase WildFire file size upload limits Location: Device > Setup > Wildfire > General Settings Recommendation: Increase WildFire file size limits to the maximum supported by the environment. Palo Alto Firewall Security Configuration Benchmark 3 8 2. seven file types are supported.5.2.com/docs/DOC-8251 “How to Configure WildFire” . while only PE (Portable Executable) files are supported without a license.5. Locations: Objects > Security Profiles > File Blocking Author Name. References: “WildFire Administrator's Guide 6. Require a WildFire File Blocking profile for all security policies allowing Internet traffic flows. email@address . any file type.paloaltonetworks. WildFire configuration 2.2.5. and action set to forward Location: Objects > Security Profiles > File Blocking Recommendation: Set Applications and File Types fields to any in WildFire File Blocking profiles.https://live.paloaltonetworks.2.1. Require WildFire File Blocking profiles to include any application. With a WildFire license. Rationale: Selecting any application and file type ensures WildFire is analyzing as many files as possible.com/docs/DOC-3252 2.2.1 (English)” https://live. paloaltonetworks. In the following example.1 (English)” https://live.com/docs/DOC-8251 2.3. References: “WildFire Administrator's Guide 6. Rationale: Traffic matching security policies that do not include a WildFire file blocking profile will not utilize WildFire for file analysis. the “WildFire” blocking profile is included in the “Inside to Outside” profile group.Palo Alto Firewall Security Configuration Benchmark 3 9 Policies > Security Recommendation: Apply a WildFire file blocking profile to all security policies allowing Internet traffic flows.5. email@address . Require forwarding of decrypted content Location: Device > Setup > Content-ID > Content-ID Settings Recommendation: Author Name.2. Allow forwarding of decrypted content.com/docs/DOC-6845 “WildFire Administrator's Guide 6. Author Name.paloaltonetworks. Rationale: As encrypted Internet traffic continues to proliferate.2. WildFire can only provide analysis if 1) the session is decrypted by the firewall and 2) Allow forwarding of decrypted content is enabled. Note that SSL Forward-Proxy must also be configured for this setting to take effect on inside-to-outside traffic flows.5.4.Palo Alto Firewall Security Configuration Benchmark 4 0 Allow the firewall to forward decrypted content to WildFire by enabling the setting. For example.paloaltonetworks.com/docs/DOC-8251 2. all options should be enabled. WildFire’s ability to help protect an environment becomes less effective unless it is allowed to act on decrypted content. Require all WildFire Session Information Settings to be enabled Location: Device > Setup > WildFire > Session Information Settings Recommendation: Under Session Information Settings. if a user downloads a malicious pdf over SSL. email@address . References: “WildFire Fails Forwarding File to Cloud for Encrypted Traffic” https://live.1 (English)” https://live. 5.1 (English)” https://live.5.Palo Alto Firewall Security Configuration Benchmark 4 1 Rationale: Permitting the firewall to send this information to WildFire creates more detailed reports. WildFire alerting and verification 2.3. thereby making the process of tracking down potentially infected devices quicker and more efficient.paloaltonetworks. References: “WildFire Administrator's Guide 6.com/docs/DOC-8251 2.1.3. This quicker reaction time could prevent an infected system from otherwise further infecting the environment. Environments with security policies restricting sending this data to the WildFire cloud can instead utilize an on-premises WildFire appliance. email@address . Require sending an alert for malware detected through WildFire Location: Objects > Log Forwarding Author Name. or instead of.paloaltonetworks. In addition. and cannot be modified. Rationale: WildFire analyzes files that have already been downloaded and possibly executed. In addition.Palo Alto Firewall Security Configuration Benchmark 4 2 https://wildfire.com/ Recommendation: Configure WildFire to send an alert when a malicious file is detected. SNMP traps or syslog messages could be used instead. configure the WildFire cloud to email alerts for malicious files. email@address . so long as an appropriate member of the IT staff is quickly made aware of the malicious file. A WildFire verdict of malicious indicates that a computer could already be infected. New systems added to the WildFire portal will not be automatically set to email alerts. Note that the destination email address of alerts configured in the WildFire portal is tied to the logged in account. because WildFire only analyzes files it has not already seen and not flagged by the firewall’s Author Name. an email will be sent upon detection of a malicious file. In the following example. run the command “show wildfire status”.5.3.paloaltonetworks.com/docs/DOC-8251 2. email@address . files deemed malicious by WildFire are more likely to evade desktop antivirus products.2. Verify WildFire file submission and alerting is functioning as expected Location: CLI https://wildfire. Author Name. References: “WildFire Email Alerts: Subscribe or Add Additional Recipients” https://live.com/docs/DOC-7740 “WildFire Administrator's Guide 6. The command “show wildfire statistics” should also display counter values appropriate to the environment.paloaltonetworks. the Device registered field should display yes and Status set to Idle.Palo Alto Firewall Security Configuration Benchmark 4 3 antivirus filter.paloaltonetworks.com/wildfire/dashboard Recommendation: From the command line. At minimum.1 (English)” https://live. email@address . Author Name. PAN provides a unique fake malicious file. the WildFire dashboard will display activity up to the last 24 hours. triggering an upload and analysis.paloaltonetworks.com/wildfire/dashboard) Benign files will only appear if the setting is enabled under Device > Setup > WildFire. which can be downloaded here: http://wildfire.Palo Alto Firewall Security Configuration Benchmark 4 4 In addition. additional steps should be taken to verify it is functioning as expected. (https://wildfire. As a final end-to-end test.com/publicapi/test/pe This file should be seen as an unknown executable to WildFire. Rationale: Although an administrator may believe WildFire is configured properly. the configured alert should fire.paloaltonetworks. Once WildFire determines the file is malicious. Security Profiles 2. email@address .com/docs/DOC-7321 “WildFire Administrator's Guide 6.1. Testing and Monitoring” https://live.Palo Alto Firewall Security Configuration Benchmark 4 5 References: “Wildfire Configuration.1 (English)” https://live.6.paloaltonetworks. Require an Antivirus profile configured to block on all decoders except imap and pop3.1. Author Name. Configure imap and pop3 decoders to alert under both Action and WildFire Action.paloaltonetworks.com/docs/DOC-8251 2.6. Antivirus 2.com/docs/DOC-2670 “How to Test WildFire with a Fake Malicious File” https://live.com/docs/DOC-3300 “How to Check the Connectivity to Wildfire and Upload Status of Files” https://live.1.6.paloaltonetworks. Location: Objects > Security Profiles > Antivirus Recommendation: Configure at least one Antivirus profile to a value of block for all decoders except imap and pop3 under both Action and WildFire Action.paloaltonetworks. com/docs/DOC-3094 2. the firewall is not able to block only a single email message containing malware. email@address . References: “Threat Prevention Deployment Tech Note” https://live. It is recommended to mitigate viruses found in pop3 and imap through a dedicated antivirus gateway.1. Locations: Author Name.6. Instead.paloaltonetworks. the threat of virus propagation through the firewall is greatly reduced. Due to the nature of the pop3 and imap protocols. the entire session would be terminated.2. Require a securely configured Antivirus profile applied to all applicable security policies.Palo Alto Firewall Security Configuration Benchmark 4 6 Rationale: Antivirus signatures produce low false positives. By blocking any detected virus through the specified decoders. potentially affecting benign email messages. ftp. smtp. or smb traffic. and apply it to all security policies that could pass http. the threat of virus propagation through the firewall is greatly reduced. pop3.Palo Alto Firewall Security Configuration Benchmark 4 7 Objects > Security Profiles > Antivirus Policies > Security Recommendation: Create an Antivirus profile in accordance with this benchmark. imap. Rationale: By applying a secure Antivirus profile to all applicable traffic. The Antivirus profile may be applied directly or through a profile group. References: Author Name. email@address . Palo Alto Firewall Security Configuration Benchmark 4 8 “Threat Prevention Deployment Tech Note” https://live.6.6. configure it to block on any severity level. Author Name. and threats. and any threat. any category. categories.1.2.paloaltonetworks.com/docs/DOC-3094 2.2. Anti-Spyware 2. email@address . Location: Objects > Security Profiles > Anti-Spyware Recommendations: A) If a single rule exists within the Anti-Spyware Profile. Require an Anti-Spyware profile configured to block on all severity levels. Palo Alto Firewall Security Configuration Benchmark 4 9 B) If multiple rules exist within the Anti-Spyware profile. ensure any category. email@address . and all severity levels are set to Block. Author Name. Additional rules may exist for packet capture or exclusion purposes. any threat. Palo Alto Firewall Security Configuration Benchmark 5 0 Rationale: Requiring a blocking policy for all spyware threats. categories. References: Author Name. email@address . and severities reduces the risk of malware and spyware traffic from successfully exiting the organization. 6. while the truly infected device remains unidentified. Without Sinkholing. Any device attempting to communicate with the DNS Sinkhole IP address should be considered infected. the DNS server itself may be seen as infected. email@address . References: Author Name. Rationale: DNS Sinkholing helps to identify infected clients by spoofing DNS responses for malware domain queries.Palo Alto Firewall Security Configuration Benchmark 5 1 “Threat Prevention Deployment Tech Note” https://live. All internal requests to the selected Sinkhole IP address must traverse the firewall.2. Location: Objects > Security Profiles > Anti-Spyware Recommendation: Configure DNS Sinkholing for all Anti-spyware profiles in use.2. Require DNS Sinkholing on all Anti-spyware profiles in use.paloaltonetworks.com/docs/DOC-3094 2. paloaltonetworks.paloaltonetworks.com/docs/DOC-3094 “PAN-OS Administrator's Guide 6.3. Location: Objects > Security Profiles > Anti-Spyware Policies > Security Recommendation: Enable Passive DNS Monitoring within all Anti-Spyware profiles in use.1 (English)” https://live.paloaltonetworks. email@address .2.com/docs/DOC-6628 “Threat Prevention Deployment Tech Note” https://live. Author Name.6. Require Passive DNS Monitoring enabled on all Anti-Spyware profiles in use.Palo Alto Firewall Security Configuration Benchmark 5 2 “How to Deal with Conficker using DNS Sinkhole” https://live.com/docs/DOC-8246 2. Palo Alto Firewall Security Configuration Benchmark 5 3 Rationale: Enabling Passive DNS Monitoring improves PAN’s threat prevention and threat intelligence capabilities. Require a securely configured Anti-Spyware profile applied to all security policies permitting traffic to the Internet. This is performed without source information delivered to PAN to ensure sensitive DNS information of the organization is not compromised. should be applied to all security policies permitting traffic to the Internet. The Anti-Spyware profile may be applied directly or through a profile group.com/docs/DOC-7256 “PAN-OS Administrator's Guide 6.2. Author Name.paloaltonetworks. References: “What Information is Submitted to the Palo Alto Networks when Enabling the Passive DNS Feature” .paloaltonetworks.https://live.4. the threat of sensitive data exfiltration or command-and-control traffic successfully passing through the firewall is greatly reduced.1 (English)” https://live.6.com/docs/DOC-8246 2. Rationale: By applying a secure Anti-Spyware profile to all applicable traffic. therefore. Anti-Spyware profiles are not restricted to particular protocols like Antivirus profiles. and apply it to all security policies permitting traffic to the Internet. email@address . Locations: Objects > Security Profiles > Anti-Spyware Policies > Security Recommendation: Create an Anti-Spyware profile in accordance with this benchmark. email@address .paloaltonetworks. and informational vulnerabilities.6. and set to default on any medium.3. Configuring an alert action for low and informational.6.Palo Alto Firewall Security Configuration Benchmark 5 4 References: “Threat Prevention Deployment Tech Note” https://live. or blocking network attacks. will produce additional information at the expense of greater log utilization. low. Location: Objects > Security Profiles > Vulnerability Protection Recommendation: Configure a Vulnerability Protection Profile set to block any critical or high threats. References: “Threat Prevention Deployment Tech Note” https://live. instead of default. Rationale: A Vulnerability Protection Profile helps to protect assets by alerting on. Require a Vulnerability Protection profile configured to block at least high and critical vulnerabilities.1 (English)” https://live.3.com/docs/DOC-3094 “PAN-OS Administrator's Guide 6.paloaltonetworks.com/docs/DOC-8246 Author Name. low.paloaltonetworks. The default action on many critical and high threats are configured to only alert on the attack. Vulnerability Protection 2. at minimum. or informational threats. and set to default on medium.com/docs/DOC-3094 2.1. com/docs/DOC-8246 Author Name. apply a securely configured vulnerability profile. Rationale: A Vulnerability Protection Profile helps to protect assets by alerting on. or blocking network attacks. Note that encrypted sessions do not allow for complete inspection. as outlined by PAN’s “Threat Prevention Deployment Tech Note” found in the references section of this rule. References: “Threat Prevention Deployment Tech Note” https://live.com/docs/DOC-3094 “PAN-OS Administrator's Guide 6. Require a securely configured Vulnerability Protection Profile applied to all security policies allowing traffic.3.2. This benchmark provides recommendations on configuring a secure vulnerability profile.6.Palo Alto Firewall Security Configuration Benchmark 5 5 2.paloaltonetworks. By applying a secure vulnerability protection profile to all security rules permitting traffic.1 (English)” https://live. all network traffic traversing the firewall will be inspected for attack. Careful analysis of the target environment should be performed before implementing this configuration.paloaltonetworks. Location: Policies > Security Recommendation: For any security rule allowing traffic. email@address . 4.1 (English)” https://live.2.6. phishing.6.Palo Alto Firewall Security Configuration Benchmark 5 6 2. Rationale: URL Filtering provides protection against malicious URLs and IP addresses.com/docs/DOC-8246 2.1. Require the use of PAN-DB URL Filtering Location: Device > Licenses Recommendation: Configure the device to use PAN-DB URL Filtering. as well as protection against websites posing a liability risk.paloaltonetworks. References: “PAN-OS Administrator's Guide 6.4. proxyavoidance-and-anonymizers Location: Objects > Security Profiles > URL Filtering Author Name. such as pornography.6. Require a URL Filtering profile with the action of “block” or “override” on the following categories: adult. URL Filtering 2. malware. hacking. email@address .4. PAN-DB URL Filtering offers additional malware protection and PAN threat intelligence not available in the BrightCloud URL Filtering license. blocking or requiring an override on the following categories represents a minimum baseline: adult. References: “PAN-OS Administrator's Guide 6. hacking.com/docs/DOC-8246 2. email@address .1 (English)” https://live.6. Location: Author Name. and which to allow. deciding which URL categories to block. phishing.4. Users visiting websites in these categories. is a joint effort between IT and another entity of authority within an organization—such as the legal department or administration. are at greater risk of compromising the security of their system. malware. hacking. phishing. such malware. Rationale: Certain URL categories pose a technology-centric threat. For most organizations. such as adult. Forbid a utilized URL Filtering profile with any category set to “allow”.Palo Alto Firewall Security Configuration Benchmark 5 7 Recommendation: Ideally. Other categories. may pose a legal liability.paloaltonetworks. and proxy-avoidance-and-anonymizers. proxy-avoidanceand-anonymizers. many times unintentionally.3. 4.paloaltonetworks. Author Name.Palo Alto Firewall Security Configuration Benchmark 5 8 Objects > Security Profiles > URL Filtering Recommendation: Do not set a URL category action to allow for any category. regardless of category. Require all HTTP Header Logging options enabled Location: Objects > Security Profiles > URL Filtering > URL Filtering Profile > Settings Recommendation: Enable User-Agent.com/docs/DOC-8246 2. For forensic purposes. Rationale: For URL categories. it is advisable to log access to every URL. and X-Forwarded-For options under HTTP Header Logging. Referer.6. email@address . the “allow” setting will not produce a log entry in the URL Filtering logs.1 (English)” https://live. References: “PAN-OS Administrator's Guide 6.4. a URL filter log entry showing details of a malicious file download may not exist. The Referer option logs the source webpage responsible for referring the user to the logged webpage. which could provide insight to the vector used for malware retrieval. If this option remains checked. Rationale: Logging HTTP Header information provides additional information in the URL logs. email@address . such as if a user traverses a proxy server prior to the firewall. References: “PAN-OS Administrator's Guide 6. The User-Agent option logs which browser was used during the web session.1 (English)” https://live. with the expense of producing far more entries in the URL logs.Palo Alto Firewall Security Configuration Benchmark 5 9 Enhanced Security Recommendation: Uncheck the Log container page only option. which may be useful during forensic investigations.paloaltonetworks. Unchecking the Log container page only box produces substantially more information about web activity.com/docs/DOC-8246 Author Name. The X-Forwarded-For option is useful for preserving the user’s source IP address. Reference: “PAN-OS Administrator's Guide 6. Require a securely configured URL Filtering profile applied to all security policies allowing traffic to the Internet.Palo Alto Firewall Security Configuration Benchmark 6 0 2.com/docs/DOC-8246 2.4.5.6. Data Filtering 2.5. The URL Filtering profile may be applied directly or through a profile group.paloaltonetworks. Locations: Policies > Security Objects > Security Profiles > URL Filtering Recommendation: Create a URL Filtering profile in accordance with this benchmark. Require a Data Filtering policy set to alert after a threshold of Credit Card or Social Security numbers are detected. and apply it to all security policies permitting traffic to the Internet. email@address .6. Location: Objects > Security Profiles > Data Filtering Recommendation: Author Name. Rationale: URL Filtering policies dramatically reduce the risk of users visiting malicious or inappropriate websites.1.1 (English)” https://live.5. a complete URL history log for all devices is invaluable when performing forensic analysis in the event of a security incident. In addition.6. 10 SSN# . careful tuning is also recommended.Palo Alto Firewall Security Configuration Benchmark 6 1 This guideline is highly specific to an organization. email@address . While blocking of Credit Card or Social Security numbers will not occur with the recommended settings below.20 SSN# (without dash) – 1 Apply this Data Pattern to a Data Filtering policy with the following values: Applications – any File Types – any Direction – both Alert Threshold – 20 Block Threshold – 0 Author Name. Configure a Data Pattern with the following values: CC# . email@address . and should never traverse an organization’s Internet connection in clear text.5. Require a securely configured Data Filtering profile applied to all security policies allowing traffic to or from the Internet. Passing sensitive data within an organization should also be avoided whenever possible.com/docs/DOC-2513 “PAN-OS Administrator's Guide 6. Location: Objects > Security Profiles > Data Filtering Author Name. References: “What are the Data Filtering Best Practices?” https://live.1 (English)” https://live.2.paloaltonetworks.com/docs/DOC-8246 2.paloaltonetworks.6.Palo Alto Firewall Security Configuration Benchmark 6 2 Rationale: Credit Card and Social Security numbers are sensitive. Palo Alto Firewall Security Configuration Benchmark 6 3 Policies > Security Recommendation: Create a Data Filtering profile in accordance with this benchmark. Rationale: Credit Card and Social Security numbers are sensitive. Reference: Author Name. and should never traverse an organization’s Internet connection in clear text. and apply it to all security policies permitting traffic to or from the Internet. email@address . Passing sensitive data within an organization should also be avoided whenever possible. The Data Filtering profile may be applied directly or through a profile group. Require a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies attached to all untrusted zones. Location: Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection Network > Zones Recommendation: The Alert.000 CPS PA-7050 = 720.6.000 CPS Author Name.000 CPS PA-5000 series = 120. email@address .Palo Alto Firewall Security Configuration Benchmark 6 4 “PAN-OS Administrator's Guide 6. Traffic analysis should be performed on the specific environment and firewall to determine accurate thresholds. The following is a list of new sessions per second maximum for each platform: PA-200 = 1. Activate. Zone Protection profiles 2.000 CPS PA-3000 series = 50.6. an Activate value of 50% of the firewall’s maximum “New sessions per second”/CPS is a conservative setting. As a rough ballpark for most environments.6.1 (English)” https://live.1.000 CPS PA-500 = 7.500 CPS PA-2000 series = 15.paloaltonetworks.com/docs/DOC-8246 2.6. and Maximum settings for SYN Flood Protection depend highly on the environment and device used. however.Palo Alto Firewall Security Configuration Benchmark 6 5 Rationale: Protecting resources and the firewall itself against DoS/DDoS attacks requires a layered approach. SYN Cookies are preferred over Random Early Drop.com/docs/DOC-1542 “How to Determine if Configured DoS Classify TCP SYN Cookie Alarm.https://live.paloaltonetworks.https://live. Firewalls alone cannot mitigate all DoS attacks.com/docs/DOC-6801 “Threat Prevention Deployment Tech Note” https://live.paloaltonetworks.com/docs/DOC-3094 Author Name. many attacks can be successfully mitigated.com/docs/DOC-5078 "Syn Cookie Operation” . Utilizing SYN Cookies helps to mitigate SYN flood attacks.https://live. where the CPU and/or memory buffers of the victim device become overwhelmed by incomplete TCP sessions.paloaltonetworks. Activate and Maximal Rate is Triggered” .paloaltonetworks. References: “Understanding DoS Protection” . email@address . com/docs/DOC-7158 2. Require a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types attached to all untrusted zones.2. Activate. The Alert. Do not rely on default values to be appropriate for an environment.com/docs/DOC-4501 “Application DDoS Mitigation” .6. Author Name.6. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds.paloaltonetworks. Location: Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection Network > Zones Recommendation: Enable all Flood Protection options in the Zone Profile attached to untrusted zones.paloaltonetworks.Palo Alto Firewall Security Configuration Benchmark 6 6 “What are the Differences between DoS Protection and Zone Protection?” https://live. and Maximum settings for Flood Protection depend highly on the environment and device used. email@address .https://live. Separate Zone Protection profiles for trusted and untrusted zones is a best practice. email@address .com/docs/DOC-3094 “What are the Differences between DoS Protection and Zone Protection?” https://live. rather it provides a layer of protection. to overwhelm network resources. The exact interval and threshold values must be tuned to the specific environment. Location: Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection Network > Zones Recommendation: Enable all three scan options in a Zone Protection profile.paloaltonetworks.com/docs/DOC-5078 “Threat Prevention Deployment Tech Note” https://live. Flood protection does not completely eliminate this risk.6. Attach appropriate Zone Protection profiles meeting this criteria to all zones.com/docs/DOC-4501 2.Palo Alto Firewall Security Configuration Benchmark 6 7 Rationale: Without flood protection. through the use of a botnet or other means. Less aggressive settings are typically appropriate for trusted zones. Author Name.3. Require all zones have Zone Protection Profiles with all Reconnaissance Protection settings tuned and enabled. and NOT set to allow for any scan type. it may be possible for an attacker.paloaltonetworks.paloaltonetworks.6. Do not configure an action of Allow for any scan type. References: “Understanding DoS Protection” .https://live. such as setting an action of alert for all scan types. com/docs/DOC-5078 “Threat Prevention Deployment Tech Note” https://live.https://live. email@address .com/docs/DOC-4501 “PAN-OS Administrator's Guide 6. References: “Host Sweep Triggering Method in Zone Protection Profile” https://live.1 (English)” https://live.Palo Alto Firewall Security Configuration Benchmark 6 8 Rationale: Port scans and host sweeps are common in the reconnaissance phase of an attack.com/docs/DOC-8246 Author Name.paloaltonetworks.paloaltonetworks.paloaltonetworks. Bots scouring the Internet in search of a vulnerable target may also scan for open ports and available hosts. Reconnaissance Protection will allow for these attacks to be either alerted on.paloaltonetworks.paloaltonetworks. or blocked altogether.com/docs/DOC-3094 “What are the Differences between DoS Protection and Zone Protection?” https://live.com/docs/DOC-8703 “Understanding DoS Protection” . mismatched overlapping TCP segment. Malformed. and Loose Source Routing IP options.6. Malformed.Palo Alto Firewall Security Configuration Benchmark 6 9 2. and Loose Source Routing IP options Author Name. mismatched overlapping TCP segment.6. Strict Source Routing. Location: Network > Network Profiles > Zone Protection > Zone Protection Profile > Packet Based Attack Protection > TCP/IP Drop Network > Zones Recommendation: For all zones. Require all zones have Zone Protection Profiles that drop Spoofed IP address. email@address . Strict Source Routing.4. attach a Zone Protection Profile that is configured to drop Spoofed IP address. paloaltonetworks.Palo Alto Firewall Security Configuration Benchmark 7 0 Rationale: Using specially crafted packets. such as a DMZ segment. References: “Understanding DoS Protection” .com/docs/DOC-4501 “PAN-OS Administrator's Guide 6.7. Security Policies .7. such as the Internet or guest network. an attacker may attempt to evade or diminish the effectiveness of network security devices. Location: Policies > Security Recommendation: When permitting traffic from an untrusted zone. email@address .paloaltonetworks.1 (English)” https://live.1. create security policies specifying which specific Author Name.7.General 2.https://live.1.paloaltonetworks.com/docs/DOC-5078 “Threat Prevention Deployment Tech Note” https://live.paloaltonetworks.1. Enabling the options in this recommendation lowers the risk of these attacks. Security Policies 2.com/docs/DOC-3094 “What are the Differences between DoS Protection and Zone Protection?” https://live. Require specific application policies when allowing traffic from an untrusted zone to a more trusted zone.com/docs/DOC-8246 2. to a more trusted zone. Forbid using the Service setting of any in a security policy. Location: Policies > Security Recommendation: Create security policies specifying application-default for the Service setting. Rationale: To avoid unintentionally exposing systems and services. Enhanced Security Recommendation: Require specific application policies when allowing any traffic. further tighten what traffic is allowed to pass.1. and may also not be possible in all environments.com/docs/DOC-8246 2. as opposed to service/port rules. or the specific ports desired.paloaltonetworks.1 (English)” https://live. This may require SSL interception. email@address .7. The Service setting of any should not be used. References: “PAN-OS Administrator's Guide 6. Rationale: Author Name.Palo Alto Firewall Security Configuration Benchmark 7 1 applications are allowed.2. rules allowing traffic from untrusted zones to trusted zones should be as specific as possible. regardless of the trust level of a zone. Application-based rules. SEE THE “REFERENCES” SECTION FOR MORE INFORMATION.https://live.1 (English)” https://live. Ensure this policy is set to log at session end. In addition.com/docs/DOC-8246 2.paloaltonetworks.1. References: “Security Policy Guidelines” . AS CERTAIN TRAFFIC PERMITTED BY DEFAULT WILL BE DENIED UNLESS SPECIFICALLY ALLOWED.paloaltonetworks. or application. Due to this behavior. just before pre-defined intrazone-default and interzone-default rules.com/docs/DOC-3469 “Security Bulletin: App-ID Cache Pollution” https://live. regardless of source. email@address .3. even when an application is defined in a security policy.Palo Alto Firewall Security Configuration Benchmark 7 2 App-ID requires a number of packets to traverse the firewall before an application can be identified and either allowed or dropped. destination. Require a security policy denying any/all traffic at the bottom of the security policies ruleset. Create a security rule at the bottom of the security policies ruleset denying any traffic. a service setting of any may allow a device in one zone to perform ports scans on IP addresses in a different zone.paloaltonetworks. this recommendation helps to avoid an App-ID cache pollution attack. Author Name.com/docs/DOC-4315 “PAN-OS Administrator's Guide 6.7. Location: Policies > Security Recommendation: EXTREME CAUTION MUST BE USED BEFORE IMPLEMENTING THIS RECOMMENDATION. to acquire visibility to denied traffic. Require an SSL Forward Proxy policy for traffic destined to the Internet for all URL categories except financial-services and health-andmedicine.1. security investigations.com/docs/DOC-8114 “Security Policy Guidelines” . SSL Forward Proxy 2.1. general security analysis.paloaltonetworks. a “deny and log” policy must be created at the end of the security policy ruleset. email@address . Therefore.paloaltonetworks.com/docs/DOC-3469 2. Location: Policies > Decryption Recommendation: Author Name.8.8. References: “Dynamic Protocols on Palo Alto Networks Devices that Do Not Require Security Policies to Operate” . Viewing denied traffic can be extremely useful for understanding how security policies are affecting traffic.Palo Alto Firewall Security Configuration Benchmark 7 3 Rationale: Palo Alto firewalls do not log denied traffic by default. or a host of additional use cases.1.8.https://live.https://live. Decryption 2. and legitimate websites using SSL encryption are hacked or tricked into delivering malware on a frequent basis.8. Include all categories except financial-services and health-and-medicine. Require SSL Inbound Inspection for all untrusted traffic destined for servers using SSL. Location: Policies > Decryption Recommendation: Author Name. Rationale: Without SSL inspection. the firewall cannot apply many of its protection features against encrypted traffic. References: “How to Implement SSL Decryption” .1.paloaltonetworks.2.https://live. As encryption on the Internet continues to grow at a rapid rate.paloaltonetworks.8. email@address .Palo Alto Firewall Security Configuration Benchmark 7 4 Configure SSL Forward Proxy for all traffic destined to the Internet.com/docs/DOC1412 “PAN-OS Administrator's Guide 6. SSL inspection is no longer optional as a practical security measure. SSL Inbound Inspection 2.com/docs/DOC-8246 2.2.1 (English)” https://live. The amount of encrypted malware traffic continues to rise. Palo Alto Firewall Security Configuration Benchmark 7 5 Configure SSL Inbound Inspection for all untrusted traffic destined for servers using SSL.https://live. email@address .paloaltonetworks.paloaltonetworks. Rationale: Without SSL Inbound Inspection. References: “How to Implement SSL Decryption” .com/docs/DOC-8246 Author Name. the firewall is not able to protect SSL-enabled webservers against many threats.1 (English)” https://live.com/docs/DOC1412 “PAN-OS Administrator's Guide 6. 2.2.1.3.3.1. 2.2.1. 2.1. 2. 2.1.2.1.1. 2.3. Require minimum password complexity rules Forbid the use of password profiles Require an idle timeout value of 10 minutes for device management.1.1.2. HTTP. 2.2. 2.6.1. 2.4. No.1.2. Other) 6 6 7 8 9 10 11 13 14 15 17 18 19 20 20 22 .7.2.1. or SNMP is enabled to permit only IP addresses necessary for device management.7.1.1. 2.4.2. 2. Page Objective Met? (Yes.1. Forbid the use of Authentication Settings for Failed Attempts and Lockout Time.1. and lockout time of 15 minutes applied to all but one Superuser account. 2. Partial.1.5.3.1. Audit checklist Section Recommendation 2.5. 2. Require all interface management profiles where telnet. Device Setup Require an appropriate login banner Enable Log on High DP Load Forbid HTTP and telnet services for device management Limit Permitted IP Addresses to those necessary for device management.1.1.3. HTTPS.1. Require SNMP V3 (If SNMP polling is configured) Require verification of update server identity Require redundant NTP services User Identification Require IP-to-username mapping for user traffic Disable WMI probing if not required.1. Require an Authentication Profile with Failed Attempts to 3. SSH.1.2. 2.1. 2. 5.2. Path Monitoring.4. Require a dedicated service account for User-ID with minimal permissions (If a User-ID Agent or Integrated User-ID Agent is utilized) Forbid Interactive Login rights for the User-ID service account Require security policies restricting User-ID Agent traffic from crossing into untrusted zones. (For an HA pair) Dynamic Updates Require the Antivirus Update Schedule is set to Download and Install hourly.2. 2.3.2.4.2. require Link Monitoring. 2.5.4.1.1.2.3.5.1. 2.2.2.1. 2.3.2. 2.5. 2. 2. any file type. or both Forbid simultaneously enabling the Preemptive option. 2.1.4. 2.2. 2. WildFire Increase WildFire file size upload limits Require WildFire File Blocking profiles to include any application. email@address 23 25 26 27 28 30 30 31 32 33 33 34 36 37 37 38 38 39 40 41 .1.2. 2.1. Forbid User-ID on external and other non-trusted zones Require the use of User-ID’s Include/Exclude Networks section.5. 2.1. 2.4. Include only trusted internal networks.4. 2.Palo Alto Firewall Security Configuration Benchmark 7 7 2. 2.2. if UserID is enabled.3.2.3.1.2.3.3. and action set to forward Require a WildFire File Blocking profile for all security policies allowing Internet traffic flows. and configuring the Passive Link State to shutdown simultaneously.2.2. High Availability Require a fully-synchronized High Availability peer For High Availability.3. Require the Applications and Threats Update Schedule is set to Download and Install Daily. 2. Require forwarding of decrypted content Require all WildFire Session Information Settings to be enabled Require sending an alert for malware detected through WildFire Author Name.1. 2.1.3.3.5.3. 2. 2.5.3.1.1. Require the WildFire Update Schedule is set to Download and Install every 15 minutes.2. 3.2.3.2. 2.4. 2.1.6.6. Require all HTTP Header Logging options enabled Require a securely configured URL Filtering profile applied to all security policies allowing traffic to the Internet.6.2. Require the use of PAN-DB URL Filtering Require a URL Filtering profile with the action of “block” or “override” on the following categories: adult.1.4. 2.6. 2.2.6.5.6. phishing.6.5.4. hacking. 2.1.4.5.6.6. 2. 2. Require a securely configured Anti-Spyware profile applied to all security policies permitting traffic to the Internet. 2.2.1. Require a Data Filtering policy set to alert after a threshold of Credit Card or Social Security numbers are detected.1. Verify WildFire file submission and alerting is functioning as expected Security Profiles Require an Antivirus profile configured to block on all decoders except imap and pop3. 2. Require Passive DNS Monitoring enabled on all Anti-Spyware profiles in use. Require a securely configured Antivirus profile applied to all applicable security policies.6. malware.2. Require a Vulnerability Protection profile configured to block at least high and critical vulnerabilities. Require DNS Sinkholing on all Anti-spyware profiles in use. 2. 2.4.4. and set to default on medium.6.6.3.2.4. 2. 2. 2.6. Require a securely configured Vulnerability Protection Profile applied to all security policies allowing traffic. low. Author Name.3. Require an Anti-Spyware profile configured to block on all severity levels. proxyavoidance-and-anonymizers Forbid a utilized URL Filtering profile with any category set to “allow”. and threats. and informational vulnerabilities.6.1.6. email@address 43 45 45 46 48 51 52 53 54 55 56 56 57 58 60 60 . 2.3.1.2. categories.2.Palo Alto Firewall Security Configuration Benchmark 7 8 2. 2.1.6. Forbid using the Service setting of any in a security policy. Require SSL Inbound Inspection for all untrusted traffic destined for servers using SSL.Palo Alto Firewall Security Configuration Benchmark 7 9 2. Security Policies Require specific application policies when allowing traffic from an untrusted zone to a more trusted zone.1.3. and Loose Source Routing IP options.6.7.8. 2. Author Name.6. 2. Strict Source Routing. email@address 64 66 67 69 70 70 71 72 73 73 74 .1.6.7.6. and NOT set to allow for any scan type. 2. Decryption Require an SSL Forward Proxy policy for traffic destined to the Internet for all URL categories except financial-services and health-andmedicine.2. Require all zones have Zone Protection Profiles that drop Spoofed IP address.6. 2.4. Require a security policy denying any/all traffic at the bottom of the security policies ruleset. Malformed.1.8.1. 2.3.2. 2.1.6. 2. Require a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types attached to all untrusted zones.7.8. 2.2.1.1. 2.6. Require a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies attached to all untrusted zones. mismatched overlapping TCP segment.7. Require all zones have Zone Protection Profiles with all Reconnaissance Protection settings tuned and enabled. Retrieved February 12. November 4). from https://live. June 11). Retrieved February 12.p df CIS Microsoft Windows Server 2012 R2 benchmark. from https://live. May 25). References Allowing Specific IP Addresses to Access the Palo Alto Network Device. Retrieved February 10. from https://live. October 13). January 8). (2013.1.com/docs/DOC8125 Defining Granular Admin Role Profiles. from https://live. 2015.org/data/definitions/255.paloaltonetworks. (2014.paloaltonetworks.com/docs/DOC-5177 . Retrieved February 12. from https://benchmarks. July 30). Retrieved February 12.com/docs/DOC-8042 Application DDoS Mitigation. Retrieved February 12. May 7). Retrieved February 12.0.org/tools2/windows/CIS_Microsoft_Windows_Server_201 2_R2_Benchmark_v1. 2015. (2014.paloaltonetworks.com/docs/DOC-7912 CIS Cisco Firewall Benchmark v3. October 14). 2015. from http://cwe.pdf Common Weakness Enumeration CWE-255: Credentials Management.html Customer advisory: Security Impact of User-ID Misconfiguration. 2015.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v3. (2014.mitre.paloaltonetworks. 2015.paloaltonetworks.0.2. from https://benchmarks. (2012. 2015. (2014. (2015. Retrieved February 12.0. (2014.4.2. 2015. 2015.cisecurity.com/docs/DOC-7158 Best Practices for Securing User-ID Deployments. from https://live.cisecurity. February 7). 2015.com/docs/DOC-6801 How to Implement SSL Decryption. 2015. from https://live. Retrieved February 12. (2014.com/docs/DOC-3252 How to Deal with Conficker using DNS Sinkhole. (2014. October 2). (2014. Retrieved February 12. January 30). 2015. Retrieved February 12. from https://live. 2015. from https://live. Activate and Maximal Rate is Triggered. February 26). (2014. Retrieved February 12. (2014.paloaltonetworks.paloaltonetworks. 2015.com/docs/DOC-8703 How to Change the Admin Session Timeout Value. Retrieved February 12. Retrieved February 12.paloaltonetworks.com/docs/DOC-4994 How to Configure In-Band Management. (2015. Retrieved February 12.com/docs/DOC-1412 Author Name. from https://live. 2015.paloaltonetworks. (2014. February 7). Retrieved February 12.Palo Alto Firewall Security Configuration Benchmark 8 1 Dynamic Protocols on Palo Alto Networks Devices that Do Not Require Security Policies to Operate.paloaltonetworks. Retrieved February 12. 2015. January 26). Retrieved February 12. 2015.com/docs/DOC-8018 How to Configure the Device Login Banner. October 22).paloaltonetworks.paloaltonetworks.com/docs/DOC-7964 How to Configure WildFire. Retrieved February 12. 2015. from https://live.com/docs/DOC-5557 How to Check the Connectivity to Wildfire and Upload Status of Files.paloaltonetworks. March 31).com/docs/DOC-1153 How to Configure Minimum Password Complexity for User Accounts. from https://live. 2015.paloaltonetworks.com/docs/DOC-6628 How to Determine if Configured DoS Classify TCP SYN Cookie Alarm. from https://live. from https://live. 2015. October 29). from https://live.paloaltonetworks. July 31).com/docs/DOC-2670 How to Configure Group Mapping settings? (2014. (2015. (2014. October 1). Retrieved February 12. from https://live. (2014.paloaltonetworks. from https://live. February 7). 2015. from https://live. email@address .paloaltonetworks.com/docs/DOC-8114 Host Sweep Triggering Method in Zone Protection Profile. (2015. from https://live. July 27). (2014.paloaltonetworks. August 19). Retrieved February 12.nist.com/docs/DOC-1578 Understanding DoS Protection.com/docs/DOC-8246 R7-2014-16: Palo Alto Networks User-ID Credential Exposure.com/docs/DOC-1542 The NIST Authenticated NTP Service. 2015. Retrieved February 12. Retrieved February 12.gov/pml/div688/grp40/auth-ntp. (2014. Retrieved February 12. (2011. (2012. October 14). Retrieved February 12.ly/1GcbmD4 Security Bulletin: App-ID Cache Pollution. January 30). 2015.paloaltonetworks.com/docs/DOC-7321 PAN-OS 6.1 (English).paloaltonetworks. Retrieved February 12.paloaltonetworks.Palo Alto Firewall Security Configuration Benchmark 8 2 How to Setup SNMPv3 Polling. from https://live. (2010. January 21).com/docs/DOC-8250 PAN-OS Administrator's Guide 6. Retrieved February 12. 2015. September 21). (2015.html Threat Prevention Deployment Tech Note. 2015. July 18). 2015. (2012. Retrieved February 12. 2015.Windows 7 Content. (2014. Retrieved February 12.paloaltonetworks. email@address . (2013.com/docs/DOC-3469 Syn Cookie Operation.1 Web Interface Reference Guide (English). (2014. May 9). from https://live.nist.paloaltonetworks. (2015. from https://live. from https://live. Retrieved February 12.paloaltonetworks. 2015. from https://live.paloaltonetworks. from http://usgcb.paloaltonetworks. 2015.com/docs/DOC-3094 Tips for Managing Content Updates.com/docs/DOC-5078 Author Name. December 31). 2015. from https://live. (2013. from https://live.com/docs/DOC-4315 Security Policy Guidelines.com/docs/DOC-4037 How to Test WildFire with a Fake Malicious File. 2015. from https://live.gov/usgcb/microsoft/download_win7. March 11). 2015. Retrieved February 12.paloaltonetworks. 2015. from http://www. March 17). 2015. (2014. October 5). from https://live. Retrieved February 12.cfm The United States Government Configuration Baseline (USGCB) . from http://bit. Retrieved February 12. March 23). Retrieved February 12.com/docs/DOC-4075 WildFire Administrator's Guide 6.com/docs/DOC-6591 Using the Simple Network Management Protocol (SNMP). Retrieved February 12.paloaltonetworks. 2015. September 10). Retrieved February 12. 2015. 6. June 16). from https://live. Retrieved February 12. from https://live. from https://live.com/docs/DOC-3703 What Information is Submitted to the Palo Alto Networks when Enabling the Passive DNS Feature.paloaltonetworks. email@address . from https://live. from https://live.0.com/docs/DOC-2513 What are the Differences between DoS Protection and Zone Protection? (2014. from https://live.com/docs/DOC-4501 What could Cause a Large Number of Auth-Fail Events in the System Logs? (2014. August 2). (2014.paloaltonetworks.com/docs/DOC-6845 Author Name. (2014. from https://live. from https://live.paloaltonetworks. (2014. Retrieved February 12. from https://live. 2015.com/docs/DOC-7740 WildFire Fails Forwarding File to Cloud for Encrypted Traffic. (2012. 2015. July 4).PAN-OS 5. 2015. 2015. from https://live. February 7).paloaltonetworks. December 1).paloaltonetworks.paloaltonetworks.com/docs/DOC-7256 What is "Enable Log on High DP Load" in PAN-OS 5. March 4).paloaltonetworks.paloaltonetworks. 2015. 2015. Retrieved February 12. February 7). 2015. Retrieved February 12. January 21).Palo Alto Firewall Security Configuration Benchmark 8 3 User-ID Best Practices .paloaltonetworks.paloaltonetworks. (2014.0? (2014. (2014.com/docs/DOC-4627 What are the Data Filtering Best Practices? (2015. Retrieved February 12. 2015. Testing and Monitoring. February 7). 2015. (2014. from https://live.1 (English). January 7).com/docs/DOC-8251 Wildfire Configuration. Retrieved February 12.com/docs/DOC-3300 WildFire Email Alerts: Subscribe or Add Additional Recipients.0. Retrieved February 12. Retrieved February 12. 1 1.1. email@address Changes for this version Original version Updated section 2.1 Author Name. Revision History Date 2/13/15 4/13/15 4/13/15 Version 1.1 4/13/15 1.7.1 Several links were broken in v.0 during Reading Room conversion. Updated section 2.1 Updated the introduction to include an acknowledgements section.0 1. Added the Revision History section .Palo Alto Firewall Security Configuration Benchmark 8 4 5.6.1 4/13/15 4/13/15 1.1.1 1.1. Jan 30. 2015 . 2015 Live Event ICS410 London 2015 London. 2015 . 2016 .Nov 23.Dec 05.Dec 02. VAUS Feb 03. 2015 . 2016 . 2015 Live Event SANS Las Vegas 2016 Las Vegas. CAUS Nov 30. TXUS Dec 03.Dec 19. NVUS Jan 09. 2016 Live Event Cyber Threat Intelligence Summit & Training Alexandria.Dec 04. 2016 .Jan 22. 2016 Live Event SANS Security East 2016 New Orleans. LAUS Jan 25.Feb 10.Last Updated: November 13th. 2016 Live Event Cyber Defence Delhi 2016 Delhi. AE Jan 09. 2015 Live Event Security Leadership Summit & Training Dallas. MAUS Dec 01. 2016 . AZUS Feb 08. GB Nov 30.Nov 23. 2016 . 2015 .Jan 14. 2015 . BE Jan 18. 2015 . 2015 Live Event HIMSS Boston. 2015 .Jan 14.Feb 13.Dec 04. 2016 . 2016 Live Event SANS Brussels Winter 2016 Brussels. 2015 Live Event SANS Cyber Defense Initiative 2015 Washington. 2016 Live Event SANS Dubai 2016 Dubai. 2015 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced . 2016 .Dec 05.Dec 10. ZA Nov 30. DCUS Dec 12.Jan 23. 2016 Live Event SANS London 2015 OnlineGB Nov 14. VAUS Nov 16. 2016 Live Event SANS Scottsdale 2016 Scottsdale. 2015 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location Pen Test Hackfest Summit & Training Alexandria. IN Nov 24. 2015 Live Event SANS Hyderabad 2015 Hyderabad. IN Jan 11. 2015 Live Event SANS Cape Town 2015 Cape Town. 2015 . 2015 Live Event SANS San Francisco 2015 San Francisco. 2015 .