DoD Compliance · STIG

Palo Alto Networks IDPS Security Technical Implementation Guide

V2R1 · · 5.5 years ago · Released 23 Oct 2020 · 29 rules

Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Digest of Updates vs. V1R4 · 24 Jan 2020 +29 −29

Comparison against the immediately-prior release (V1R4). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 29

V-207688 Medium The Palo Alto Networks security platform must enable Antivirus, Anti-spyware, and Vulnerability Protection for all authorized traffic.
V-207689 Medium The Palo Alto Networks security platform must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.
V-207690 Medium The Palo Alto Networks security platform must capture traffic of detected/dropped malicious code.
V-207691 Medium In the event of a logging failure caused by the lack of audit record storage capacity, the Palo Alto Networks security platform must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.
V-207692 Medium The Palo Alto Networks security platform must have a DoS Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.
V-207693 Medium The Palo Alto Networks security platform must detect and deny any prohibited mobile or otherwise malicious code at the enclave boundary.
V-207694 Medium The Palo Alto Networks security platform must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.
V-207695 Medium The Palo Alto Networks security platform must detect and drop any prohibited mobile or otherwise malicious code at internal boundaries.
V-207696 Medium The Palo Alto Networks security platform must send an immediate (within seconds) alert to, at a minimum, the SA when malicious code is detected.
V-207697 Medium The Palo Alto Networks security platform must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules.
V-207698 Medium The Palo Alto Networks security platform must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.
V-207699 Medium The Palo Alto Networks security platform must block malicious ICMP packets.
V-207700 Medium To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-207701 Medium To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-207702 Low The Palo Alto Networks security platform must off-load log records to a centralized log server.
V-207703 Medium The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
V-207704 Medium The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats.
V-207705 Medium Palo Alto Networks security platform components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.
V-207706 Medium The Palo Alto Networks security platform must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum.
V-207707 Medium The Palo Alto Networks security platform must generate a log record when unauthorized network services are detected.
V-207708 Medium The Palo Alto Networks security platform must generate an alert to the ISSO and ISSM, at a minimum, when unauthorized network services are detected.
V-207709 Medium The Palo Alto Networks security platform must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.
V-207710 Medium The Palo Alto Networks security platform must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.
V-207711 Medium The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when intrusion detection events are detected which indicate a compromise or potential for compromise.
V-207712 Medium The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.
V-207713 Medium The Palo Alto Networks security platform must generate an alert to, at a minimum, the ISSO and ISSM when rootkits or other malicious software which allows unauthorized privileged or non-privileged access is detected.
V-207714 Medium The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected.
V-207715 Medium The Palo Alto Networks security platform must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
V-207716 Low The Palo Alto Networks security platform must off-load log records to a centralized log server in real-time.

Removed rules 29

V-62647 Medium The Palo Alto Networks security platform must enable Antivirus, Anti-spyware, and Vulnerability Protection for all authorized traffic.
V-62649 Medium The Palo Alto Networks security platform must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.
V-62651 Medium The Palo Alto Networks security platform must capture traffic of detected/dropped malicious code.
V-62653 Medium In the event of a logging failure caused by the lack of audit record storage capacity, the Palo Alto Networks security platform must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.
V-62655 Medium The Palo Alto Networks security platform must have a DoS Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.
V-62657 Medium The Palo Alto Networks security platform must detect and deny any prohibited mobile or otherwise malicious code at the enclave boundary.
V-62659 Medium The Palo Alto Networks security platform must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.
V-62661 Medium The Palo Alto Networks security platform must detect and drop any prohibited mobile or otherwise malicious code at internal boundaries.
V-62663 Medium The Palo Alto Networks security platform must send an immediate (within seconds) alert to, at a minimum, the SA when malicious code is detected.
V-62665 Medium The Palo Alto Networks security platform must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules.
V-62667 Medium The Palo Alto Networks security platform must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.
V-62669 Medium The Palo Alto Networks security platform must block malicious ICMP packets.
V-62671 Medium To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
V-62673 Medium To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
V-62675 Low The Palo Alto Networks security platform must off-load log records to a centralized log server.
V-62677 Medium The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).
V-62679 Medium The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats.
V-62681 Medium Palo Alto Networks security platform components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.
V-62683 Medium The Palo Alto Networks security platform must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum.
V-62685 Medium The Palo Alto Networks security platform must generate a log record when unauthorized network services are detected.
V-62687 Medium The Palo Alto Networks security platform must generate an alert to the ISSO and ISSM, at a minimum, when unauthorized network services are detected.
V-62689 Medium The Palo Alto Networks security platform must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.
V-62691 Medium The Palo Alto Networks security platform must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.
V-62693 Medium The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when intrusion detection events are detected which indicate a compromise or potential for compromise.
V-62695 Medium The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.
V-62697 Medium The Palo Alto Networks security platform must generate an alert to, at a minimum, the ISSO and ISSM when rootkits or other malicious software which allows unauthorized privileged or non-privileged access is detected.
V-62699 Medium The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected.
V-62701 Medium The Palo Alto Networks security platform must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.
V-62703 Low The Palo Alto Networks security platform must off-load log records to a centralized log server in real-time.

Sort by

Expand all

The Palo Alto Networks security platform must enable Antivirus, Anti-spyware, and Vulnerability Protection for all authorized traffic.

AC-4 - Medium - CCI-001368 - V-207688 - SV-207688r557390_rule

RMF Control

AC-4

Severity

CCI

CCI-001368

Version

PANW-IP-000001

Vuln IDs

V-207688
V-62647

Rule IDs

SV-207688r557390_rule
SV-77137

The flow of all communications traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Restricting the flow of communications traffic, also known as Information flow control, regulates where information is allowed to travel as opposed to who is allowed to access the information and without explicit regard to subsequent accesses to that information. Traffic that is prohibited by the PPSM and Vulnerability Assessments must be denied by the policies configured in the Palo Alto Networks security platform; this is addressed in a separate requirement. Traffic that is allowed by the PPSM and Vulnerability Assessments must still be inspected by the IDPS capabilities of the Palo Alto Networks security platform known as Content-ID. Content-ID is enabled on a per rule basis using individual or group profiles to facilitate policy-based control over content traversing the network.

Checks: C-7942r358397_chk

Review the list of authorized applications, endpoints, services, and protocols that has been added to the PPSM database. Identify which traffic flows are authorized. Go to Objects >> Security Profiles >> Antivirus If there are no Antivirus Profiles configured other than the default, this is a finding. Go to Objects >> Security Profiles >> Anti-Spyware View the configured Anti-Spyware Profiles. If none are configured, this is a finding. Go to Objects >> Security Profiles >> Vulnerability Protection View the configured Vulnerability Protection Profiles. If none are configured, this is a finding. Review each of the configured security policies in turn. For any Security Policy that allows traffic between Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.

Fix: F-7942r358398_fix

Configure an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile in turn. Use these Profiles in the Security Policy or Policies that allows authorized traffic. To create an Antivirus Profile: Go to Objects >> Security Profiles >> Antivirus Select "Add". In the "Antivirus Profile" window, complete the required fields. Complete the "Name" and "Description" fields. In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the Action to "drop" or "reset-both". Select "OK". To create a Vulnerability Protection Profile: Go to Objects >> Security Profiles >> Vulnerability Protection Select "Add". In the "Vulnerability Protection Profile" window, complete the required fields. In the "Name" field, enter the name of the Vulnerability Protection Profile. In the "Description" field, enter the description of the Vulnerability Protection Profile. In the "Rules" tab, select "Add". In the "Vulnerability Protection Rule" window, In the "Rule Name" field, enter the Rule name, In the "Threat Name" field, select "any", In the "Action" field, select "drop" or "reset-both". In the "Host type" field, select "any", Select the checkboxes above the "CVE" and "Vendor ID" boxes. In the "Severity" section, select the "critical", "high", and "medium" check boxes. Select "OK". In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK". To configure an Anti-Spyware Profile: Go to Objects >> Security Profiles >> Anti-Spyware Select the name of a configured Anti-Spyware Profile or select "Add" to create a new one. In the "Anti-Spyware Profile" window, complete the required fields in all tabs. In the "Rules" tab, select the name of a configured Anti-Spyware Rule or select "Add" to create a new one. Complete the required fields. For the Category field, select "any". For the Action field, select "Drop" or "reset-both". For the Severity field, select "All" or configured multiple rules, one for each Severity. Select "OK". Select "OK" again. Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. In the "Actions" tab in the "Profile Setting" section; in the "Anti-spyware" field, select the configured or "Strict Anti-spyware" Profile. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.

AU-3 - Medium - CCI-000133 - V-207689 - SV-207689r557390_rule

RMF Control

AU-3

Severity

CCI

CCI-000133

Version

PANW-IP-000007

Vuln IDs

V-207689
V-62649

Rule IDs

SV-207689r557390_rule
SV-77139

Associating the source of the event with detected events in the logs provides a means of investigating an attack or suspected attack. While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail. Palo Alto Networks security platform has four options for the source of log records - "FQDN", "hostname", "ipv4-address", and "ipv6-address". This requirement only allows the use of "ipv4-address" and "ipv6-address" as options.

Checks: C-7943r358400_chk

Go to Device >> Setup >> Management In the "General Settings" window, if the "hostname" field does not contain a unique identifier, this is a finding. Go to Device >> Setup >> Management In the "Logging and Reporting Settings" pane, if the "Send Hostname in Syslog" does not show either "ipv4-address" or "ipv6-address", this is a finding.

Fix: F-7943r358401_fix

Set a unique hostname. Go to Device >> Setup >> Management In the "General Settings" window, select the "Edit" icon (the gear symbol in the upper-right corner of the pane). In the "General Settings" window, in the "hostname" field; enter a unique hostname. Select "OK". Configure the device to send either the FQDN, hostname, ipv4-address, or ipv6-address with log messages. Device >> Setup >> Management Click the "Edit" icon in the "Logging and Reporting Settings" section. Select the "Log Export and Reporting" tab. Select one of the following options from the "Send Hostname" in the "Syslog" drop-down list: ipv4-address —Uses the IPv4 address of the interface used to send logs on the device. By default, this is the management interface of the device. ipv6-address —Uses the IPv6 address of the interface used to send logs on the device. By default, this is the management interface of the device. Note that the last two selections must be consistent with the IP address used by the management interface. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must capture traffic of detected/dropped malicious code.

AU-3 - Medium - CCI-000134 - V-207690 - SV-207690r559743_rule

RMF Control

AU-3

Severity

CCI

CCI-000134

Version

PANW-IP-000008

Vuln IDs

V-207690
V-62651

Rule IDs

SV-207690r559743_rule
SV-77141

Associating event outcome with detected events in the log provides a means of investigating an attack or suspected attack. The logs should identify what servers, destination addresses, applications, or databases were potentially attacked by logging communications traffic between the target and the attacker. All commands that were entered by the attacker (such as account creations, changes in permissions, files accessed, etc.) during the session should also be logged when capturing for forensic analysis. Packet captures of attack traffic can be used by forensic tools for analysis for example, to determine if an alert is real or a false alarm or for forensics for threat intelligence. Configure the packet capture filters so that the CPU is not overloaded. There are many reasons for a packet capture. This requirement addresses the case where the capture is based on forensics for a detected malicious attack and the traffic is being captured in association with that traffic. Filtering should be engaged to facilitate forensics.

Checks: C-7944r358403_chk

Go to Objects >> Security Profiles >> Antivirus View the configured Antivirus Profiles. If the Packet Capture check box is not checked, this is a finding. Go to Objects >> Security Profiles >> Anti-Spyware View the configured Anti-Spyware Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding. Go to Objects >> Security Profiles >> Vulnerability Protection View the configured Vulnerability Protection Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding. Go to Policies >> Security Review each of the configured security policies in turn. For any Security Policy that affects traffic between Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.

Fix: F-7944r559742_fix

This procedure will only capture the first packet. See the vendor documentation for further information. Go to Objects >> Security Profiles >> Antivirus Select the name of a configured Antivirus Profile or select "Add" to create a new one. In the "Antivirus Profile" window, complete the required fields. In the "Antivirus" tab, select the "Packet Capture" check box. Select "OK". Configure an Anti-Spyware Profile to capture detected malicious traffic. Go to Objects >> Security Profiles >> Anti-Spyware Select the name of a configured Anti-Spyware Profile or select "Add" to create a new one. In the "Anti-Spyware Profile" window, complete the required fields in all tabs. In the "Rules" tab, select the name of a configured Anti-Spyware Rule or select "Add" to create a new one. In the "Anti-Spyware Rule" window, in the "Packet Capture" field, select "extended-capture". Select "OK". Select "OK" again. Configure a Vulnerability Protection Profile to capture detected malicious traffic. Go to Objects >> Security Profiles >> Vulnerability Protection Select the name of a configured Vulnerability Protection Profile or select "Add" to create a new one. In the "Vulnerability Protection Profile" window, complete the required fields. In the "Rules" tab, select the name of a configured Vulnerability Protection Rule or select "Add" to create a new one. In the "Vulnerability Protection Rule" window, in the "Packet Capture" field, select "extended-capture". Select "OK". Select "OK" again. Use the Antivirus Profile, Anti-Spyware Profile, and Vulnerability Protection Profile in a Security Policy. Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions tab in the Profile Setting section: In the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Antivirus" field, select the configured Antivirus Profile. In the "Anti-Spyware" field, select the configured Anti-Spyware Profile. In the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

In the event of a logging failure caused by the lack of audit record storage capacity, the Palo Alto Networks security platform must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.

AU-5 - Medium - CCI-000140 - V-207691 - SV-207691r557390_rule

RMF Control

AU-5

Severity

CCI

CCI-000140

Version

PANW-IP-000010

Vuln IDs

V-207691
V-62653

Rule IDs

SV-207691r557390_rule
SV-77143

It is critical that when the Palo Alto Networks security platform is at risk of failing to process audit logs as required, it takes action to mitigate the failure. The Palo Alto Networks security platform performs a critical security function, so its continued operation is imperative. Since availability of the Palo Alto Networks security platform is an overriding concern, shutting down the system in the event of an audit failure should be avoided, except as a last resort.

Checks: C-7945r358406_chk

Note: overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform. Go to Device >> Setup In the "Logging and Reporting Settings" pane, if the "Stop Traffic when LogDb Full" checkbox is selected, this is a finding.

Fix: F-7945r358407_fix

Note: Overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform. Go to Device >> Setup In the "Logging and Reporting Settings" pane, select the "Edit" icon in the upper-right corner. In the "Logging and Reporting Settings" window, in the "Log Export and Reporting" tab, deselect (uncheck) the "Stop Traffic when LogDb Full" checkbox. If it is already not selected, do not change it. Switch back to the "Log Storage" tab. Select "OK". If no changes were made, it is not necessary or possible to commit a change. If a change was made, commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must have a DoS Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.

SC-5 - Medium - CCI-001095 - V-207692 - SV-207692r557390_rule

RMF Control

SC-5

Severity

CCI

CCI-001095

Version

PANW-IP-000018

Vuln IDs

V-207692
V-62655

Rule IDs

SV-207692r557390_rule
SV-77145

The Palo Alto Networks security platform must include protection against DoS attacks that originate from inside the enclave which can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave. Installation of Palo Alto Networks security platform detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. To comply with this requirement, the Palo Alto Networks security platform must inspect outbound traffic for indications of known and unknown DoS attacks. Sensor log capacity management along with techniques which prevent the logging of redundant information during an attack also guard against DoS attacks. This requirement is used in conjunction with other requirements which require configuration of security policies, signatures, rules, and anomaly detection techniques and are applicable to both inbound and outbound traffic.

Checks: C-7946r358409_chk

Go to Objects >> Security Profiles >> DoS Protection If there are no DoS Protection Profiles configured, this is a finding. There may be more than one configured DoS Protection Profile; ask the Administrator which DoS Protection Profile is intended to protect outside networks from internally-originated DoS attacks. If there is no such DoS Protection Profile, this is a finding.

Fix: F-7946r358410_fix

Go to Objects >> Security Profiles >> DoS Protection Select "Add" to create a new profile. In the "DoS Protection Profile" window, complete the required fields. For the Type, select "Classified". In the "Flood Protection" tab, "Syn Flood" tab, select the "Syn Flood" check box and select either "Random Early Drop" (preferred in this case) or "SYN Cookie". In the "Flood Protection" tab, "UDP Flood" tab, select the "UDP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMP Flood" tab, select the "ICMP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMPv6 Flood" tab, select the "ICMPv6 Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "Other IP Flood" tab, select the "Other IP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Resources Protection" tab, leave the "Maximum Concurrent Sessions" check box unselected. Select "OK". Go to Policies >> DoS Protection Select "Add" to create a new policy. In the "DoS Rule" Window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. In the "Source" tab, for "Zone", select the "Internal zone", for "Source Address", select "Any". In the "Destination" tab, "Zone", select "External zone", for "Destination Address", select "Any". In the "Option/Protection" tab: For "Service", select "Any". For "Action", select "Protect". Select the "Classified" check box. In the "Profile" field, select the configured DoS Protection profile for outbound traffic. In the "Address field", select "source-ip-only". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must detect and deny any prohibited mobile or otherwise malicious code at the enclave boundary.

SC-18 - Medium - CCI-001662 - V-207693 - SV-207693r557390_rule

RMF Control

SC-18

Severity

CCI

CCI-001662

Version

PANW-IP-000020

Vuln IDs

V-207693
V-62657

Rule IDs

SV-207693r557390_rule
SV-77147

Checks: C-7947r358412_chk

Go to Objects >> Security Profiles >> Antivirus. If there are no Antivirus Profiles configured other than the default, this is a finding. View the configured Antivirus Profiles; for each protocol decoder (SMTP, IMAP, POP3, FTP, HTTP, SMB). If the “Action” is anything other than “deny”, this is a finding. Go to Policies >> Security. Review each of the configured security policies in turn. For any Security Policy that affects traffic from an outside (untrusted) zone, view the "Profile" column. If the "Profile" column does not display the “Antivirus Profile” symbol, this is a finding

Fix: F-7947r358413_fix

To create an Antivirus Profile: Go to Objects >> Security Profiles >> Antivirus. Select "Add". In the "Antivirus Profile" window, complete the required fields. Complete the "Name" and "Description" fields. In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the “Action” to "deny". Select "OK". Use the Profile in a Security Policy: Go to Policies >> Security. Select an existing policy rule or select "Add" to create a new one. In the "Actions” tab" in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. Select "OK". Use the Antivirus Profile in a Security Policy applied to traffic from an outside (untrusted) zone. Go to Policies >> Security. Select an existing policy rule or select "Add" to create a new one. In the "Actions” tab in the Profile Setting section: ; iIn the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Antivirus" field, select the configured Antivirus Profile. In the "Anti-Spyware" field, select the configured Anti-Spyware Profile. In the "Vulnerability Protection" field, select the configured “Vulnerability Protection Profile”. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.

SI-3 - Medium - CCI-001240 - V-207694 - SV-207694r557390_rule

RMF Control

SI-3

Severity

CCI

CCI-001240

Version

PANW-IP-000024

Vuln IDs

V-207694
V-62659

Rule IDs

SV-207694r557390_rule
SV-77149

Failing to update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs. The IDPS is a key malicious code protection mechanism in the enclave infrastructure. To ensure this protection is responsive to changes in malicious code threats, IDPS components must be updated, including application software files, anti-virus signatures, detection heuristics, vendor-provided rules, and vendor-provided signatures. Updates must be installed in accordance with the CCB procedures for the local organization. However, at a minimum: Updates designated as critical security updates by the vendor must be installed immediately. Updates for signature definitions, detection heuristics, and vendor-provided rules must be installed immediately. Updates for application software are installed in accordance with the CCB procedures. Prior to automatically installing updates, either manual or automated integrity and authentication checking is required, at a minimum, for application software updates.

Checks: C-7948r358415_chk

Since some networks cannot connect to the vendor site for automatic updates, a manual process can be used. To verify that the Palo Alto Networks security platform is using the current Applications and Threats database should be checked by viewing the Dashboard and the version and date compared to the latest release. Go to Dashboard; in the General Information pane, view the Threat Version and Antivirus Version. If they are not the most current version as listed on the Palo Alto Networks support site, this is a finding. The following check applies if the network is authorized to connect to the Vendor site for automatic updates. To verify that automatic updates are configured, Go to Device >> Dynamic Updates If no entries for "Applications and Threats" are present, this is a finding. If the "Applications and Threats" entry states "Download Only", this is a finding.

Fix: F-7948r358416_fix

Go to Device >> Dynamic Updates Select "Check Now" at the bottom of the page to retrieve the latest signatures. To schedule automatic signature updates. Note: the steps provided below do not account for local change management policies. Go to Device >> Dynamic Updates Select the text to the right of "Schedule". In the "Applications and Threat Updates Schedule" window; complete the required information. In the "Recurrence" field, select "Daily". In the "Time" field, enter the time at which you want the device to check for updates. For the "Action", select "Download and Install". Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears. If manual updates are used, an Administrator must obtain updates from the Palo Alto Networks support site and upload them from a workstation or server to the Palo Alto Networks security platform. Go to Device >> Dynamic Updates Select "Upload" (at the bottom of the pane). In the "Select Package Type for the Upload" window in the "Package Type" field, select "anti-virus". Browse to and select the appropriate file. Select "OK". Select "Install From File" (at the bottom of the pane). In the "Select Package Type for Installation" window, select "antivirus". Select "OK". In the "Install Application and Threats From File" window, select the previously uploaded file. Select "OK".

The Palo Alto Networks security platform must detect and drop any prohibited mobile or otherwise malicious code at internal boundaries.

SI-3 - Medium - CCI-001243 - V-207695 - SV-207695r557390_rule

RMF Control

SI-3

Severity

CCI

CCI-001243

Version

PANW-IP-000026

Vuln IDs

V-207695
V-62661

Rule IDs

SV-207695r557390_rule
SV-77151

Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScript, VBScript, Java applets, ActiveX controls, Flash animations, Shockwave videos, and macros embedded within Microsoft Office documents. Mobile code can be exploited to attack a host. It can be sent as an e-mail attachment or embedded in other file formats not traditionally associated with executable code. While the IDPS cannot replace the anti-virus and host-based IDS (HIDS) protection installed on the network's endpoints, vendor or locally created sensor rules can be implemented, which provide preemptive defense against both known and zero-day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and rules or blacklist updates are distributed by anti-virus or malicious code solution vendors. The Palo Alto Networks security platform allows customized profiles to be used to perform antivirus inspection for traffic between zones. Antivirus, anti-spyware, and vulnerability protection features require a specific license. There is a default Antivirus Profile; the profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while dropping for FTP, HTTP, and SMB protocols. However, these default actions cannot be edited and the values for the FTP, HTTP, and SMB protocols do not meet the requirement, so customized profiles must be used.

Checks: C-7949r358418_chk

Go to Objects >> Security Profiles >> Antivirus. If there are no Antivirus Profiles configured other than the default, this is a finding. View the configured Antivirus Profiles; for each protocol decoder (SMTP, IMAP, POP3, FTP, HTTP, SMB). If the "Action" is anything other than "drop" or "reset-both", this is a finding. Go to Policies >> Security. Review each of the configured security policies in turn. For any Security Policy that affects traffic between internal Zones (interzone), view the "Profile" column. If the "Profile" column does not display the “Antivirus Profile” symbol, this is a finding.

Fix: F-7949r358419_fix

To create an Antivirus Profile: Go to Objects >> Security Profiles >> Antivirus. Select "Add". In the "Antivirus Profile" window, complete the required fields. Complete the "Name" and "Description" fields. In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the "Action" to "drop" or "reset-both". Select "OK". Use the Antivirus Profile in a Security Policy: Go to Policies >> Security. Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears. Use the Antivirus Profile in a Security Policy applied to traffic between internal zones. Go to Policies >> Security. Select an existing policy rule or select "Add" to create a new one. In the "Actions” tab in the “Profile Setting” section;: Iin the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Antivirus" field, select the configured Antivirus Profile. In the "Anti-Spyware" field, select the configured “Anti-Spyware” Profile. In the "Vulnerability Protection" field, select the configured “Vulnerability Protection Profile”. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears

The Palo Alto Networks security platform must send an immediate (within seconds) alert to, at a minimum, the SA when malicious code is detected.

SI-3 - Medium - CCI-001243 - V-207696 - SV-207696r557390_rule

RMF Control

SI-3

Severity

CCI

CCI-001243

Version

PANW-IP-000028

Vuln IDs

V-207696
V-62663

Rule IDs

SV-207696r557390_rule
SV-77153

Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded. The IDPS generates an immediate (within seconds) alert which notifies designated personnel of the incident. Sending a message to an unattended log or console does not meet this requirement since that will not be seen immediately. These messages should include a severity level indicator or code as an indicator of the criticality of the incident. When the Palo Alto Networks security platform blocks malicious code, it also generates a record in the threat log. This message has a medium severity.

Checks: C-7950r358421_chk

The following is an example of how to check if the device is sending messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to verify that function. Go to Device >> Server Profiles >> Email If there is no Email Server Profile configured, this is a finding. Go to Objects >> Log forwarding If there is no Email Forwarding Profile configured, this is a finding. Go to Policies >> Security View the Security Policy that is used to detect malicious code (the "Profile" column does display the Antivirus Profile symbol); in the "Options" column, if the Email Forwarding Profile is not used, this is a finding.

Fix: F-7950r358422_fix

The following is an example of how to configure the device to send messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to configure that function. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the "Email Server Profile" field, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. In the "Name" field, enter the name of the Email server. In the "Email Display" Name field, enter the name shown in the "From" field of the email. In the "From" field, enter the "From email address". In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". After you create the Server Profiles that define where to send your logs, you must enable log forwarding. Threat Logs—Enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection). Configure the log-forwarding profile to select the logs to be forwarded to Email server. Go to Objects >> Log forwarding The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Name" Field, enter the name of the Log Forwarding Profile. In the "Threat Settings Section" in the "Email" column, select the Email server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. For Threat Logs, use the log forwarding profile in the security rules. Go to Policies >> Security Rule Select the rule for which the log forwarding needs to be applied, which in this case is the Security Policy that is used to detect malicious code (the "Profile column" does display the Antivirus Profile symbol). Apply the log forwarding profile to the rule. In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from drop-down list. Note that the "Log Forwarding" field can only have one profile. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must automatically install updates to signature definitions, detection heuristics, and vendor-provided rules.

SI-3 - Medium - CCI-001247 - V-207697 - SV-207697r557390_rule

RMF Control

SI-3

Severity

CCI

CCI-001247

Version

PANW-IP-000029

Vuln IDs

V-207697
V-62665

Rule IDs

SV-207697r557390_rule
SV-77155

Failing to automatically update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs. An automatic update process ensures this important task is performed without the need for SCA intervention. The IDPS is a key malicious code protection mechanism in the enclave infrastructure. To ensure this protection is responsive to changes in malicious code threats, IDPS components must be automatically updated, including anti-virus signatures, detection heuristics, vendor-provided rules, and vendor-provided signatures. If a DoD patch management server or update repository having the tested/verified updates is available for the device component, the components must be configured to automatically check this server/site for updates and install new updates. If a DoD server/site is not available, the component must be configured to automatically check a trusted vendor site for updates. A trusted vendor is either commonly used by DoD, specifically approved by DoD, the vendor from which the equipment was purchased, or approved by the local program's CCB.

Checks: C-7951r358424_chk

To verify that automatic updates are configured: Go to Device >> Dynamic Updates If no entries for "Applications and Threats" are present, this is a finding. If the "Applications and Threats" entry states "Download Only", this is a finding.

Fix: F-7951r358425_fix

The Palo Alto Networks security platform must block outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.

SI-11 - Medium - CCI-001312 - V-207698 - SV-207698r557390_rule

RMF Control

SI-11

Severity

CCI

CCI-001312

Version

PANW-IP-000030

Vuln IDs

V-207698
V-62667

Rule IDs

SV-207698r557390_rule
SV-77157

Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information and network topology that may be exploited by an attacker. Three ICMP messages are commonly used by attackers for network mapping: Destination Unreachable, Redirect, and Address Mask Reply. These responses must be blocked on external interfaces; however, blocking the Destination Unreachable response will prevent Path Maximum Transmission Unit Discovery (PMTUD), which relies on the response "ICMP Destination Unreachable--Fragmentation Needed but DF Bit Set". PMTUD is a useful function and should only be "broken" after careful consideration. An acceptable alternative to blocking all Destination Unreachable responses is to filter Destination Unreachable messages generated by the IDPS to allow ICMP Destination Unreachable-Fragmentation Needed but DF Bit Set (Type 3, Code 4) and apply this filter to the external interfaces.

Checks: C-7952r358427_chk

Ask the Administrator if any security policy allows ICMP from an internal zone or DMZ to an outside zone. If there is none, this is not a finding. If there is a security policy that allows ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. Go to Objects >> Applications; if there are not three custom Applications to identify ICMP Type 3, 5, and 18, this is a finding. Go to Policies >> Security; if there is no Security Policy using these three custom Applications with the resulting action of "deny", this is a finding. This Security Policy must appear above any Security Policy that allows ICMP from an internal zone or DMZ to an outside zone; if it does not, this is a finding.

Fix: F-7952r358428_fix

Note: The interzone-default rule action is deny, so unless ICMP is specifically allowed by a policy, it will be denied. If there is an explicit security policy configured allowing ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. Create three custom Applications to identify ICMP Type 3, 5, and 18: Go to Objects >> Applications Select "Add". In the Application window; complete the required fields In the Configuration tab, in the General section, complete the Name and Description Fields. In the Configuration tab, in the Properties section, for Category, select networking, for Subcategory, select infrastructure, and for Technology, select network-protocol. In the Advanced tab, in the Defaults section, select ICMP Type Enter "3" since ICMP Destination Unreachable is Type 3 Select OK Repeat this procedure two more times, using the values for ICMP Type are 5 and 18 since respectively since ICMP Redirect is Type 5 and ICMP Address Mask Reply is Type 18. Use these three Application filters in a Security Policy. To configure the security policy: Go to Policies >> Security Select "Add". In the "Security Policy Rule" window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. Select "interzone" for the Rule Type. In the "Source" tab, complete the "Source Zone" and "Source Address" fields. For the "Source Zone" field, select "internal". For the "Source Address" field, select "any". In the "Destination" tab, for the "Destination Address" field, select "any". Note: The "Destination Zone" window will be grayed out (unable to enter parameters). In the "Applications" tab, select the three application filters configured above. In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must block malicious ICMP packets.

SI-11 - Medium - CCI-001312 - V-207699 - SV-207699r557390_rule

RMF Control

SI-11

Severity

CCI

CCI-001312

Version

PANW-IP-000031

Vuln IDs

V-207699
V-62669

Rule IDs

SV-207699r557390_rule
SV-77159

Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, ICMP can be misused to provide a covert channel. ICMP tunneling is when an attacker injects arbitrary data into an echo packet and sends to a remote computer. The remote computer injects an answer into another ICMP packet and sends it back. The creates a covert channel where an attacker can hide commands sent to a compromised host or a compromised host can exfiltrate data.

Checks: C-7953r358430_chk

Ask the Administrator which Security Policy blocks traceroutes and ICMP probes. Go to Policies >> Security View the identified Security Policy. If the "Source Zone" field is not external and the "Source Address" field is not any, this is a finding. If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not "any", this is a finding. Note: the exact number and name of zones is specific to the network. If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding. If the "Actions" field does not show "Deny" as the resulting action, this is a finding.

Fix: F-7953r358431_fix

To configure the security policy: Go to Policies >> Security Select "Add". In the "Security Policy Rule" window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. In the "Source" tab, complete the "Source Zone" and "Source Address" fields. For the "Source Zone" field, select "external". For the "Source Address" field, select "any". In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields. For the "Destination Zone" field, select the internal and DMZ zones. Note: the exact number and name of zones is specific to the network. For the "Destination Address" field, select "any". In the "Applications" tab, select "icmp", "ipv6-icmp", "traceroute". In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.

AC-23 - Medium - CCI-002346 - V-207700 - SV-207700r557390_rule

RMF Control

AC-23

Severity

CCI

CCI-002346

Version

PANW-IP-000032

Vuln IDs

V-207700
V-62671

Rule IDs

SV-207700r557390_rule
SV-77161

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information. Injection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections. IDPS component(s) with the capability to prevent code injections must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.

Checks: C-7954r358433_chk

Go to Objects >> Security Profiles >> Vulnerability Protection If there are no Vulnerability Protection Profiles configured, this is a finding. Ask the Administrator which Vulnerability Protection Profile is used to protect database assets by blocking and alerting on attacks. View the configured Vulnerability Protection Profile; check the "Severity" and "Action" columns. If the Vulnerability Protection Profile used for database protection does not block all critical, high, and medium threats, this is a finding. If the Vulnerability Protection Profile used for database protection does not alert on low and informational threats, this is a finding. Ask the Administrator which Security Policy is used to protect database assets. Go to Policies >> Security View the configured Security Policy; view the "Profile" column. If the "Profile" column does not display the Vulnerability Protection Profile symbol, this is a finding. Moving the cursor over the symbol will list the exact Vulnerability Protection Profiles applied. If the specific Vulnerability Protection Profile is not listed, this is a finding.

Fix: F-7954r358434_fix

Create and apply a Vulnerability Protection Profile to protect database assets by blocking and alerting on attacks. This profile has two rules; the first blocks critical, high, and medium threats, and the second alerts on low and informational threats. Go to Objects >> Security Profiles >> Vulnerability Protection Select "Add". In the "Vulnerability Protection Profile" window, complete the required fields. In the "Name" field, enter the name of the Vulnerability Protection Profile. In the "Description" field, enter the description of the Vulnerability Protection Profile. In the "Rules" tab, select "Add". In the "Vulnerability Protection Rule" window, In the "Rule Name" field, enter the Rule name, In the "Threat Name" field, select "any", In the "Action" field, select "block". In the "Host type" field, select "server", Select the checkboxes above the "CVE" and "Vendor ID" boxes. In the "Severity" section, select the "critical", "high", and "medium" check boxes. Select "OK". In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK". Add a second rule that alerts on low and informational threats. Apply the Vulnerability Protection Profile to the Security Policy Rules permitting traffic to the databases. Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

To protect against unauthorized data mining, the Palo Alto Networks security platform must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.

AC-23 - Medium - CCI-002346 - V-207701 - SV-207701r557390_rule

RMF Control

AC-23

Severity

CCI

CCI-002346

Version

PANW-IP-000033

Vuln IDs

V-207701
V-62673

Rule IDs

SV-207701r557390_rule
SV-77163

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information. Injection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections. IDPS component(s) with the capability to prevent code injections must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.

Checks: C-7955r358436_chk

Go to Objects >> Security Profiles >> Vulnerability Protection If there are no Vulnerability Protection Profiles configured, this is a finding. Ask the Administrator which Vulnerability Protection Profile is used to protect application assets by blocking and alerting on attacks. View the configured Vulnerability Protection Profile; check the "Severity" and "Action" columns. If the Vulnerability Protection Profile used for database protection does not block all critical, high, and medium threats, this is a finding. If the Vulnerability Protection Profile used for database protection does not alert on low and informational threats, this is a finding. Ask the Administrator which Security Policy is used to protect application assets. Go to Policies >> Security View the configured Security Policy; view the "Profile" column. If the "Profile" column does not display the Vulnerability Protection Profile symbol, this is a finding. Moving the cursor over the symbol will list the exact Vulnerability Protection Profiles applied. If the specific Vulnerability Protection Profile is not listed, this is a finding.

Fix: F-7955r358437_fix

The Palo Alto Networks security platform must off-load log records to a centralized log server.

AU-4 - Low - CCI-001851 - V-207702 - SV-207702r557390_rule

RMF Control

AU-4

Severity

CCI

CCI-001851

Version

PANW-IP-000039

Vuln IDs

V-207702
V-62675

Rule IDs

SV-207702r557390_rule
SV-77165

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised. This also prevents the log records from being lost if the logs stored locally are accidentally or intentionally deleted, altered, or corrupted.

Checks: C-7956r358439_chk

To view a syslog server profile: Go to Device >> Server Profiles >> Syslog If there are no Syslog Server Profiles present, this is a finding. Select each Syslog Server Profile; if no server is configured, this is a finding. View the log-forwarding profile to determine which logs are forwarded to the syslog server. Go to Objects >> Log forwarding If no Log Forwarding Profile is present, this is a finding. The "Log Forwarding Profile" window has five columns. If there are no Syslog Server Profiles present in the "Syslog" column for the Traffic Log Type, this is a finding. If there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding. Go to Device >> Log Settings >> System Logs The list of Severity levels is displayed. If any of the Severity levels does not have a configured Syslog Profile, this is a finding. Go to Device >> Log Settings >> Config Logs If the "Syslog" field is blank, this is a finding.

Fix: F-7956r358440_fix

To create a syslog server profile: Go to Device >> Server Profiles >> Syslog Select "Add". In the Syslog Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. Name: Name of the syslog server Server: Server IP address where the logs will be forwarded to Port: Default port 514 Facility: Select from the drop down list Select "OK". After you create the Server Profiles that define where to send your logs, you must enable log forwarding. The way to enable forwarding depends on the log type: Traffic Logs— Enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded. Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. Threat Logs—You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection). Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding. The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. System Logs—You enable forwarding of System logs by specifying a Server Profile in the log settings configuration. Go to Device >> Log Settings >> System Logs The list of severity levels is displayed. Select a Server Profile for each severity level to forward. Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear. In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured Server Profile. Select "OK". Config Logs—You enable forwarding of Config logs by specifying a Server Profile in the log settings configuration. Go to Device >> Log Settings >> Config Logs Select the "Edit" icon (the gear symbol in the upper-right corner of the pane). In the "Log Settings Config" window, in the "Syslog" drop-down box, select the configured Server Profile. Select "OK". For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules. Go to Policies >> Security Rule Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule. Go to Actions >> Log forwarding Select the log forwarding profile from drop-down list. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds).

SC-5 - Medium - CCI-002385 - V-207703 - SV-207703r557390_rule

RMF Control

SC-5

Severity

CCI

CCI-002385

Version

PANW-IP-000041

Vuln IDs

V-207703
V-62677

Rule IDs

SV-207703r557390_rule
SV-77167

If the network does not provide safeguards against DoS attack, network resources will be unavailable to users. Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks which are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components. This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

Checks: C-7957r358442_chk

Go to Objects >> Security Profiles >> DoS Protection If there are no DoS Protection Profiles configured, this is a finding. Go to Policies >> DoS Protection If there are no DoS Protection Policies, this is a finding. There may be more than one configured DoS Protection Policy; ask the Administrator which DoS Protection Policy is intended to protect internal networks and DMZ networks from externally-originated DoS attacks. If there is no such DoS Protection Policy, this is a finding. If the DoS Protection Policy has no DoS Protection Profile, this is a finding.

Fix: F-7957r358443_fix

Go to Objects >> Security Profiles >> DoS Protection Select "Add" to create a new profile. In the "DoS Protection Profile" window, complete the required fields. For the "Type", select "Classified". In the "Flood Protection" tab, "Syn Flood" tab, select the "Syn Flood" check box and select "SYN Cookie". In the "Flood Protection" tab, "UDP Flood" tab, select the "UDP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMP Flood" tab, select the "ICMP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMPv6 Flood" tab, select the "ICMPv6 Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "Other IP Flood" tab, select the "Other IP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Resources Protection" tab, select the "Maximum Concurrent Sessions" check box. In the "Resources Protection" tab, complete the "Max Concurrent Sessions" field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied. If the DoS profile type is classified, this limit applies to the entire traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS rule on which the DoS profile is applied. Select "OK". Go to Policies >> DoS Protection Select "Add" to create a new policy. In the "DoS Rule" Window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. In the "Source" tab, for "Zone", select the "External zone, for Source Address", select "Any". In the "Destination" tab, "Zone", select "Internal zone, for Destination Address", select "Any". In the "Option/Protection" tab, For "Service", select "Any". For "Action", select "Protect". Select the "Classified" check box. In the "Profile" field, select the configured DoS Protection profile for inbound traffic. In the "Address" field, select "destination-ip-only". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must use a Vulnerability Protection Profile that blocks any critical, high, or medium threats.

SC-5 - Medium - CCI-002385 - V-207704 - SV-207704r557390_rule

RMF Control

SC-5

Severity

CCI

CCI-002385

Version

PANW-IP-000043

Vuln IDs

V-207704
V-62679

Rule IDs

SV-207704r557390_rule
SV-77169

If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the IDPS component vendor. These attacks include SYN-flood, ICMP-flood, and Land Attacks. This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

Checks: C-7958r358445_chk

Go to Objects >> Security Profiles >> Vulnerability Protection If there are no Vulnerability Protection Profiles configured, this is a finding. Ask the Administrator which Vulnerability Protection Profile is used for interzone traffic. View the configured Vulnerability Protection Profiles; check the "Severity" and "Action" columns. If the Vulnerability Protection Profile used for interzone traffic does not block all critical, high, and medium threats, this is a finding. Go to Policies >> Security Review each of the configured security policies in turn. For any Security Policy that affects traffic between Zones (interzone), view the Profile column. If the Profile column does not display the Vulnerability Protection Profile symbol, this is a finding.

Fix: F-7958r358446_fix

To create a Vulnerability Protection Profile: Go to Objects >> Security Profiles >> Vulnerability Protection Select "Add". In the "Vulnerability Protection Profile" window, complete the required fields. In the "Name" field, enter the name of the Vulnerability Protection Profile. In the "Description" field, enter the description of the Vulnerability Protection Profile. In the "Rules" tab, select "Add". In the "Vulnerability Protection Rule" window, In the "Rule Name" field, enter the Rule name, In the "Threat Name" field, select "any", In the "Action" field, select "block". In the "Host type" field, select "any", Select the checkboxes above the "CVE" and "Vendor ID" boxes. In the "Severity" section, select the "critical", "high", and "medium" check boxes. Select "OK". In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK". Use the Profile in a Security Policy; Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Palo Alto Networks security platform components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.

SI-4 - Medium - CCI-002656 - V-207705 - SV-207705r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002656

Version

PANW-IP-000045

Vuln IDs

V-207705
V-62681

Rule IDs

SV-207705r557390_rule
SV-77171

An integrated, network-wide intrusion detection capability increases the ability to detect and prevent sophisticated distributed attacks based on access patterns and characteristics of access. Integration is more than centralized logging and a centralized management console. The enclave's monitoring capability may include multiple sensors, IPS, sensor event databases, behavior-based monitoring devices, application-level content inspection systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Some tools may monitor external traffic while others monitor internal traffic at key boundaries. These capabilities may be implemented using different devices and therefore can have different security policies and severity-level schema. This is valuable because content filtering, monitoring, and prevention can become a bottleneck on the network if not carefully configured.

Checks: C-7959r358448_chk

Go to Device >> Server Profiles >> NetFlow If no NetFlow Server Profiles are configured, this is a finding. This step assumes that it is an Ethernet interface that is being monitored. The verification is the same for Ethernet, VLAN, Loopback and Tunnel interfaces. Ask the Administrator which interface is being monitored; there may be more than one. Go to Network >> Interfaces >> Ethernet Select the interface that is being monitored. If the "NetFlow Profile" field is "None", this is a finding.

Fix: F-7959r358449_fix

To create a NetFlow Server Profile: Go to Device >> Server Profiles >> NetFlow Select Add. In the "NetFlow Server Profile" window, complete the required fields. In the "Name" field, enter the name of the NetFlow Server Profile. In the "Minutes" field, enter the number of minutes after which the NetFlow template is refreshed. In the "Packets" field, enter the number of packets after which the NetFlow template is refreshed. In the "Active Timeout" field, enter the frequency (in minutes) the device exports records. Select the "PAN-OS Field Types" check box to export "App-ID" and "User-ID" fields. Select "Add" to add a NetFlow collector. In the "Name" field, enter the name of the server. In the "NetFlow Server" field, enter the hostname or IP address of the server. In the "Port" field enter the port used by the NetFlow collector (default 2055). Select "OK". Assign the NetFlow server profile to the interfaces that carry the traffic to be analyzed. These steps assume that it is one of the Ethernet interfaces. The configuration is the same for Ethernet, VLAN, Loopback and Tunnel interfaces. Go to Network >> Interfaces >> Ethernet Select the interface that the traffic traverses. In the "Ethernet Interface" window, in the "NetFlow Profile" field, select the configured NetFlow Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum.

SI-4 - Medium - CCI-002683 - V-207706 - SV-207706r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002683

Version

PANW-IP-000046

Vuln IDs

V-207706
V-62683

Rule IDs

SV-207706r557390_rule
SV-77173

Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Examples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing. To comply with this requirement, the IDPS may be configured to detect services either directly or indirectly (i.e., by detecting traffic associated with a service).

Checks: C-7960r358451_chk

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic. If there is no list of unauthorized network services, this is a finding. If there are no configured security policies that specifically match the list of unauthorized network services, this is a finding. If the security policies do not deny the traffic associated with the unauthorized network services, this is a finding.

Fix: F-7960r358452_fix

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that denies traffic associated with it and logs the denied traffic. To create or edit a Security Policy: Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must generate a log record when unauthorized network services are detected.

SI-4 - Medium - CCI-002684 - V-207707 - SV-207707r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002684

Version

PANW-IP-000047

Vuln IDs

V-207707
V-62685

Rule IDs

SV-207707r557390_rule
SV-77175

Checks: C-7961r358454_chk

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic. To verify if a Security Policy logs denied traffic: Go to Policies >> Security Select the name of the security policy to view it. In the "Actions" tab, in the "Log Setting" section, if neither the "Log at Session Start" nor the "Log at Session End" check boxes are checked, this is a finding.

Fix: F-7961r358455_fix

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that denies traffic associated with it and logs the denied traffic. To configure a Security Policy to log denied traffic: Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select the Log forwarding profile and select "Log at Session End". "Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must generate an alert to the ISSO and ISSM, at a minimum, when unauthorized network services are detected.

SI-4 - Medium - CCI-002684 - V-207708 - SV-207708r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002684

Version

PANW-IP-000048

Vuln IDs

V-207708
V-62687

Rule IDs

SV-207708r557390_rule
SV-77177

Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Automated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via electronic mail, via text message, or via websites). The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.

Checks: C-7962r358457_chk

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic. Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to block unauthorized network services. Go to Policies >> Security Select the name of the security policy to view it. In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile. If there is no Log Forwarding Profile, this is a finding.

Fix: F-7962r358458_fix

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that generates an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected. Configure a Server Profile for use with Log Forwarding Profile(s); if email is used, the ISSO and ISSM must be recipients. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the Email Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information: In the "Name" field, enter the name of the Email server In the "Email Display Name" field, enter the name shown in the "From" field of the email. In the "From" field, enter the From email address. In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select the Log forwarding profile and select "Log at Session End". "Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.

SI-4 - Medium - CCI-002661 - V-207709 - SV-207709r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002661

Version

PANW-IP-000049

Vuln IDs

V-207709
V-62689

Rule IDs

SV-207709r557390_rule
SV-77179

If inbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against. Although some of the components in the site's content scanning solution may be used for periodic scanning assessment, the IDPS sensors and other components must provide continuous, 24 hours a day, 7 days a week monitoring. Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, use of unusual protocols and ports, and communications with suspected or known malicious external entities.

Checks: C-7963r358460_chk

Obtain the network architecture diagrams and identify where traffic crosses from one internal zone to another and review the configuration of the Palo Alto Networks security platform. The specific security policy is based on the authorized endpoints, applications, and protocols. If it does not filter traffic passing between zones, this is a finding.

Fix: F-7963r358461_fix

The network architecture diagrams must identify where traffic crosses from one internal zone to another. The specific security policy is based on the authorized endpoints, applications, and protocols. To create or edit a Security Policy: Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.

SI-4 - Medium - CCI-002662 - V-207710 - SV-207710r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002662

Version

PANW-IP-000050

Vuln IDs

V-207710
V-62691

Rule IDs

SV-207710r557390_rule
SV-77181

If outbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against. Although some of the components in the site's content scanning solution may be used for periodic scanning assessment, the IDPS sensors and other components must provide continuous, 24 hours a day, 7 days a week monitoring. Unusual/unauthorized activities or conditions related to information system outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, use of unusual protocols and ports, and communications with suspected or known malicious external entities.

Checks: C-7964r358463_chk

Obtain the network architecture diagrams and identify where traffic crosses from one internal zone to another and review the configuration of the Palo Alto Networks security platform. If it does not filter traffic passing between zones, this is a finding.

Fix: F-7964r358464_fix

The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when intrusion detection events are detected which indicate a compromise or potential for compromise.

SI-4 - Medium - CCI-002664 - V-207711 - SV-207711r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002664

Version

PANW-IP-000051

Vuln IDs

V-207711
V-62693

Rule IDs

SV-207711r557390_rule
SV-77183

Without an alert, security personnel may be unaware of intrusion detection incidents that require immediate action and this delay may result in the loss or compromise of information. An Intrusion Detection and Prevention System must generate an alert when detection events from real-time monitoring occur. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. For each violation of a security policy, an alert to, at a minimum, the ISSO and ISSM, must be sent.

Checks: C-7965r358466_chk

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile. If there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to block unauthorized network services. Go to Policies >> Security Select the name of the security policy to view it. In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile. If there is no Log Forwarding Profile, this is a finding.

Fix: F-7965r358467_fix

Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the Email Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. In the "Name" field, enter the name of the Email server. In the "Email Display" Name field, enter the name shown in the "From" field of the email. In the "From" field, enter the From email address. In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select the Log forwarding profile and select "Log at Session End". "Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.

SI-4 - Medium - CCI-002664 - V-207712 - SV-207712r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002664

Version

PANW-IP-000052

Vuln IDs

V-207712
V-62695

Rule IDs

SV-207712r557390_rule
SV-77185

Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. Each Security Policy created in response to an IAVM or CTO must log violations of that particular Security Policy. For each violation of a security policy, an alert to, at a minimum, the ISSO and ISSM, must be sent.

Checks: C-7966r358469_chk

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to enforce policies issued by authoritative sources. Go to Policies >> Security Select the name of the security policy to view it. In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile. If there is no Log Forwarding Profile, this is a finding.

Fix: F-7966r358470_fix

Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the Email Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information: In the "Name" field, enter the name of the Email server. In the "Email Display Name" field, enter the name shown in the "From" field of the email. In the "From" field, enter the From email address. In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select the Log forwarding profile and select "Log at Session End". "Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must generate an alert to, at a minimum, the ISSO and ISSM when rootkits or other malicious software which allows unauthorized privileged or non-privileged access is detected.

SI-4 - Medium - CCI-002664 - V-207713 - SV-207713r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002664

Version

PANW-IP-000053

Vuln IDs

V-207713
V-62697

Rule IDs

SV-207713r557390_rule
SV-77187

Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information. CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category I, II, IV, and VII detection events) will require an alert when an event is detected. Alert messages must include a severity level indicator or code as an indicator of the criticality of the incident. Since these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The Palo Alto Networks security platform must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.

Checks: C-7967r358472_chk

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to filter traffic into the Internal or DMZ zones. If the "Profile" column does not display the Antivirus Profile symbol, this is a finding. If the "Profile" column does not display the Vulnerability Protection Profile symbol, this is a finding. If the "Profile" column does not display the Anti-spyware symbol, this is a finding. If the "Options" column does not display the Log Forwarding Profile symbol, this is a finding.

Fix: F-7967r358473_fix

This requires the use of an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile. Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Configure an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile in turn. Note: A custom Anti-spyware Profile or the Strict Anti-spyware Profile must be used instead of the Default Anti-spyware Profile. The selected Anti-spyware Profile must use the block action at the critical, high, and medium severity threat levels. Use the Antivirus Profile, Anti-spyware Profile, and the Vulnerability Protection Profile in a Security Policy that filters traffic to Internal and DMZ zones: Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. In the "Actions" tab in the "Profile Setting" section; in the "Anti-spyware" field, select the configured or "Strict Anti-spyware" Profile. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. In the "Actions" tab in the "Log Setting" section, select "Log At Session End". This generates a traffic log entry for the end of a session and logs drop and deny entries. In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from drop-down list. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must send an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected.

SI-4 - Medium - CCI-002664 - V-207714 - SV-207714r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002664

Version

PANW-IP-000055

Vuln IDs

V-207714
V-62699

Rule IDs

SV-207714r557390_rule
SV-77189

Checks: C-7968r358475_chk

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. Go to Policies >> DoS Protection If there are no DoS Protection Policies, this is a finding. There may be more than one configured DoS Protection Policy. If there is no such DoS Protection Policy, this is a finding. In the "Log Forwarding" field, if there is no configured Log Forwarding Profile, this is a finding.

Fix: F-7968r358476_fix

Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Go to Policies >> DoS Protection Select "Add" to create a new policy or select the Name of the Policy to edit it. In the "DoS Rule" window, complete the required fields. In the "Option/Protection" tab, in the "Log Forwarding" field, select the configured Log Forwarding Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected.

SI-4 - Medium - CCI-002664 - V-207715 - SV-207715r557390_rule

RMF Control

SI-4

Severity

CCI

CCI-002664

Version

PANW-IP-000056

Vuln IDs

V-207715
V-62701

Rule IDs

SV-207715r557390_rule
SV-77191

Checks: C-7969r358478_chk

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to filter traffic between zones or subnets. If the "Profile" column does not display the Antivirus Profile symbol, this is a finding. If the "Options" column does not display the Log Forwarding Profile symbol, this is a finding.

Fix: F-7969r358479_fix

Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Go to Objects >> Security Profiles >> Antivirus Select "Add" to create a new Antivirus Profile or select the name of the profile to edit it. Use the Antivirus Profile in a Security Policy. Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. Select "OK". In the "Actions" tab in the "Log Setting" section, select "Log At Session End". In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from drop-down list. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

The Palo Alto Networks security platform must off-load log records to a centralized log server in real-time.

AU-4 - Low - CCI-001851 - V-207716 - SV-207716r557390_rule

RMF Control

AU-4

Severity

CCI

CCI-001851

Version

PANW-IP-000058

Vuln IDs

V-207716
V-62703

Rule IDs

SV-207716r557390_rule
SV-77193

Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised. Off-loading is a common process in information systems with limited audit storage capacity. The audit storage on the device is used only in a transitory fashion until the system can communicate with the centralized log server designated for storing the audit records, at which point the information is transferred. However, DoD requires that the log be transferred in real-time which indicates that the time from event detection to off-loading is seconds or less. This does not apply to audit logs generated on behalf of the device itself (management).

Checks: C-7970r358481_chk

To view a syslog server profile: Go to Device >> Server Profiles >> Syslog If there are no Syslog Server Profiles present, this is a finding. Select each Syslog Server Profile; if no server is configured, this is a finding. View the log-forwarding profile to determine which logs are forwarded to the syslog server. Go to Objects >> Log forwarding If no Log Forwarding Profile is present, this is a finding. The Log Forwarding Profile window has five columns. If there are no Syslog Server Profiles present in the "Syslog" column for the Traffic Log Type, this is a finding. If there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding. Go to Device >> Log Settings >> System Logs The list of Severity levels is displayed. If any of the Severity levels does not have a configured Syslog Profile, this is a finding. Go to Device >> Log Settings >> Config Logs. If the "Syslog" field is blank, this is a finding.

Fix: F-7970r358482_fix

To create a syslog server profile: Go to Device >> Server Profiles >> Syslog Select "Add". In the Syslog Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. Name: Name of the syslog server Server: Server IP address where the logs will be forwarded to Port: Default port 514 Facility: Select from the drop-down list. Select "OK. After you create the Server Profiles that define where to send your logs, you must enable log forwarding. The way you enable forwarding depends on the log type: Traffic Logs—You enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded. Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding. The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s). Select "OK. When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. Threat Logs—You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection). Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. System Logs—You enable forwarding of System logs by specifying a Server Profile in the log settings configuration. Go to Device >> Log Settings >> System Logs The list of severity levels is displayed. You must select a Server Profile for each severity level you want to forward. Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear. In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured Server Profile. Select "OK. Config Logs—You enable forwarding of Config logs by specifying a Server Profile in the log settings configuration. Go to Device >> Log Settings >> Config Logs Select the "Edit" icon (the gear symbol in the upper-right corner of the pane). In the "Log Settings Config" window, in the "Syslog" drop-down box, select the configured Server Profile. Select "OK. For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules. Go to Policies >> Security Rule Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule. Go to Actions >> Log forwarding Select the log forwarding profile from drop-down list. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Added rules 29

Removed rules 29

Checks: C-7942r358397_chk

Fix: F-7942r358398_fix

Generate Mitigation Statement:

Checks: C-7943r358400_chk

Fix: F-7943r358401_fix

Generate Mitigation Statement:

Checks: C-7944r358403_chk

Fix: F-7944r559742_fix

Generate Mitigation Statement:

Checks: C-7945r358406_chk

Fix: F-7945r358407_fix

Generate Mitigation Statement:

Checks: C-7946r358409_chk

Fix: F-7946r358410_fix

Generate Mitigation Statement:

Checks: C-7947r358412_chk

Fix: F-7947r358413_fix

Generate Mitigation Statement:

Checks: C-7948r358415_chk

Fix: F-7948r358416_fix

Generate Mitigation Statement:

Checks: C-7949r358418_chk

Fix: F-7949r358419_fix

Generate Mitigation Statement:

Checks: C-7950r358421_chk

Fix: F-7950r358422_fix

Generate Mitigation Statement:

Checks: C-7951r358424_chk

Fix: F-7951r358425_fix

Generate Mitigation Statement:

Checks: C-7952r358427_chk

Fix: F-7952r358428_fix

Generate Mitigation Statement:

Checks: C-7953r358430_chk

Fix: F-7953r358431_fix

Generate Mitigation Statement:

Checks: C-7954r358433_chk

Fix: F-7954r358434_fix

Generate Mitigation Statement:

Checks: C-7955r358436_chk

Fix: F-7955r358437_fix

Generate Mitigation Statement:

Checks: C-7956r358439_chk

Fix: F-7956r358440_fix

Generate Mitigation Statement:

Checks: C-7957r358442_chk

Fix: F-7957r358443_fix

Generate Mitigation Statement:

Checks: C-7958r358445_chk

Fix: F-7958r358446_fix

Generate Mitigation Statement:

Checks: C-7959r358448_chk

Fix: F-7959r358449_fix

Generate Mitigation Statement:

Checks: C-7960r358451_chk

Fix: F-7960r358452_fix

Generate Mitigation Statement:

Checks: C-7961r358454_chk

Fix: F-7961r358455_fix

Generate Mitigation Statement:

Checks: C-7962r358457_chk

Fix: F-7962r358458_fix

Generate Mitigation Statement:

Checks: C-7963r358460_chk

Fix: F-7963r358461_fix

Generate Mitigation Statement:

Checks: C-7964r358463_chk

Fix: F-7964r358464_fix

Generate Mitigation Statement:

Checks: C-7965r358466_chk

Fix: F-7965r358467_fix

Generate Mitigation Statement:

Checks: C-7966r358469_chk

Fix: F-7966r358470_fix

Generate Mitigation Statement:

Checks: C-7967r358472_chk

Fix: F-7967r358473_fix

Generate Mitigation Statement: