CIS_Palo_Alto_Firewall_7_Benchmark_v1.0.0资源-CSDN文库

需积分: 10 115 浏览量 2019-09-08 19:27:12 上传评论收藏 1.76MB PDF 举报

Palo Alto 防火墙安全配置指南，其中有很对有使用的最佳实践。 Table of Contents Overview .................................................................................................................................................................. 7 Intended Audience ........................................................................................................................................... 7 Consensus Guidance ........................................................................................................................................ 7 Typographical Conventions ......................................................................................................................... 8 Scoring Information ........................................................................................................................................ 8 Profile Definitions ............................................................................................................................................ 9 Acknowledgements ...................................................................................................................................... 10 Recommendations ............................................................................................................................................. 11 1 Device Setup ................................................................................................................................................ 11 1.1 General Settings ................................................................................................................................. 12 1.1.1 Ensure 'Login Banner' is set (Scored) ............................................................................... 12 1.1.2 Ensure 'Enable Log on High DP Load' is enabled (Scored)....................................... 13 1.2 Management Interface Settings ................................................................................................... 14 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management (Scored) ........................................................................................................................ 14 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled (Scored) ........................................................................................... 16 1.2.3 Ensure HTTP and Telnet options are disabled for the Management Interface (Scored) ................................................................................................................................................... 18 1.2.4 Ensure valid certificate is set for browser-based administrator interface (Not Scored) ..................................................................................................................................................... 20 1.3 Minimum Password Requirements ............................................................................................ 22 1.3.1 Ensure 'Minimum Password Complexity' is enabled (Scored) ............................... 22 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 (Scored) ....................... 24 1.3.3 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords (Scored) ................................................................................................................................................... 26 1.3.4 Ensure 'Required Password Change Period' is less than or equal to 90 days (Scored) ................................................................................................................................................... 28

资源推荐

资源详情

资源评论

CIS Palo Alto Firewall 7 Benchmark

v1.0.0 - 03-31-2017

 
2 | P a g e  
 
 
Table of Contents 
Overview .................................................................................................................................................................. 7 
Intended Audience ........................................................................................................................................... 7 
Consensus Guidance ........................................................................................................................................ 7 
Typographical Conventions ......................................................................................................................... 8 
Scoring Information ........................................................................................................................................ 8 
Profile Definitions ............................................................................................................................................ 9 
Acknowledgements ...................................................................................................................................... 10 
Recommendations ............................................................................................................................................. 11 
1 Device Setup ................................................................................................................................................ 11 
1.1 General Settings ................................................................................................................................. 12 
1.1.1 Ensure 'Login Banner' is set (Scored) ............................................................................... 12 
1.1.2 Ensure 'Enable Log on High DP Load' is enabled (Scored)....................................... 13 
1.2 Management Interface Settings ................................................................................................... 14 
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device 
management (Scored) ........................................................................................................................ 14 
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, 
HTTPS, or SNMP is enabled (Scored) ........................................................................................... 16 
1.2.3 Ensure HTTP and Telnet options are disabled for the Management Interface 
(Scored) ................................................................................................................................................... 18 
1.2.4 Ensure valid certificate is set for browser-based administrator interface (Not 
Scored) ..................................................................................................................................................... 20 
1.3 Minimum Password Requirements ............................................................................................ 22 
1.3.1 Ensure 'Minimum Password Complexity' is enabled (Scored) ............................... 22 
1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 (Scored) ....................... 24 
1.3.3 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords 
(Scored) ................................................................................................................................................... 26 
1.3.4 Ensure 'Required Password Change Period' is less than or equal to 90 days 
(Scored) ................................................................................................................................................... 28 

 
| P a g e  
 
3.5 Ensure 'Password Profiles' do not exist (Scored) ........................................................ 30 
3.6 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 (Scored) .. 31 
3.7 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 (Scored) .. 32 
3.8 Ensure 'Minimum Numeric Letters' is greater than or equal to 1 (Scored) ...... 33 
3.9 Ensure 'Minimum Special Characters' is greater than or equal to 1 (Scored) .. 34 
3.10 Ensure 'Block Username Inclusion' is enabled (Scored) ........................................ 35 
3.11 Ensure 'New Password Differs By Characters' is greater than or equal to 3 
(Scored) ................................................................................................................................................... 36 
4 Authentication Settings (for Device Mgmt) ............................................................................ 37 
4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device 
management (Scored) ........................................................................................................................ 37 
4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are 
properly configured (Scored) ......................................................................................................... 39 
5 SNMP Polling Settings ..................................................................................................................... 41 
5.1 Ensure 'V3' is selected for SNMP polling (Scored) ...................................................... 41 
6 Device Services Settings ................................................................................................................. 43 
6.1 Ensure 'Verify Update Server Identity' is enabled (Scored) .................................... 43 
6.2 Ensure redundant NTP servers are configured appropriately (Scored) ............. 45 
6.3 Ensure that the certificate securing Remote Access VPNs is valid (Not Scored)
 ..................................................................................................................................................................... 47 
User Identification ..................................................................................................................................... 49 
1 Ensure that IP addresses are mapped to usernames (Scored) ................................... 49 
2 Ensure that WMI probing is disabled (Scored) ................................................................ 51 
3 Ensure that User-ID is only enabled for internal trusted interfaces (Scored) ...... 53 
4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled (Scored) 55 
5 Ensure that the User-ID Agent has minimal permissions if User-ID is enabled 
(Scored) ................................................................................................................................................... 57 
6 Ensure that the User-ID service account does not have interactive logon rights 
(Scored) ................................................................................................................................................... 59 
7 Ensure remote access capabilities for the User-ID service account are forbidden. 
(Not Scored) ........................................................................................................................................... 61 

 
4 | P a g e  
 
2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into 
untrusted zones (Scored) ................................................................................................................. 63 
3 High Availability ......................................................................................................................................... 65 
3.1 Ensure a fully-synchronized High Availability peer is configured (Scored) ......... 65 
3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring 
(Scored) ................................................................................................................................................... 66 
3.3 Ensure 'Passive Link State' and 'Preemptive' are configured appropriately 
(Scored) ................................................................................................................................................... 68 
4 Dynamic Updates ....................................................................................................................................... 70 
4.1 Ensure 'Antivirus Update Schedule' is set to download and install updates hourly 
(Scored) ................................................................................................................................................... 70 
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install 
updates daily (Scored) ....................................................................................................................... 72 
5 Wildfire .......................................................................................................................................................... 74 
5.1 Ensure that WildFire file size upload limits are maximized (Scored) ..................... 74 
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file 
blocking profiles (Scored) ................................................................................................................ 76 
5.3 Ensure a WildFire file blocking profile is enabled for all security policies 
allowing Internet traffic flows (Scored)...................................................................................... 78 
5.4 Ensure forwarding of decrypted content to WildFire is enabled (Scored)............ 80 
5.5 Ensure all WildFire session information settings are enabled (Scored) ................ 82 
5.6 Ensure alerts are enabled for malicious files detected by WildFire (Scored) ...... 84 
5.7 Ensure 'WildFire Update Schedule' is set to download and install updates every 
15 minutes (Scored) ........................................................................................................................... 86 
6 Security Profiles ......................................................................................................................................... 88 
6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' 
and 'pop3' (Scored) ............................................................................................................................. 88 
6.2 Ensure a secure antivirus profile is applied to all relevant security policies 
(Scored) ................................................................................................................................................... 90 
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity 
levels, categories, and threats (Scored) ...................................................................................... 92 
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use (Scored)
 ..................................................................................................................................................................... 94 