Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the list of authorized applications, endpoints, services, and protocols that has been added to the PPSM database. Identify which traffic flows are authorized. Go to Objects >> Security Profiles >> Antivirus If there are no Antivirus Profiles configured other than the default, this is a finding. Go to Objects >> Security Profiles >> Anti-Spyware View the configured Anti-Spyware Profiles. If none are configured, this is a finding. Go to Objects >> Security Profiles >> Vulnerability Protection View the configured Vulnerability Protection Profiles. If none are configured, this is a finding. Review each of the configured security policies in turn. For any Security Policy that allows traffic between Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.
Configure an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile in turn. Use these Profiles in the Security Policy or Policies that allows authorized traffic. To create an Antivirus Profile: Go to Objects >> Security Profiles >> Antivirus Select "Add". In the "Antivirus Profile" window, complete the required fields. Complete the "Name" and "Description" fields. In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the Action to "drop" or "reset-both". Select "OK". To create a Vulnerability Protection Profile: Go to Objects >> Security Profiles >> Vulnerability Protection Select "Add". In the "Vulnerability Protection Profile" window, complete the required fields. In the "Name" field, enter the name of the Vulnerability Protection Profile. In the "Description" field, enter the description of the Vulnerability Protection Profile. In the "Rules" tab, select "Add". In the "Vulnerability Protection Rule" window, In the "Rule Name" field, enter the Rule name, In the "Threat Name" field, select "any", In the "Action" field, select "drop" or "reset-both". In the "Host type" field, select "any", Select the checkboxes above the "CVE" and "Vendor ID" boxes. In the "Severity" section, select the "critical", "high", and "medium" check boxes. Select "OK". In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK". To configure an Anti-Spyware Profile: Go to Objects >> Security Profiles >> Anti-Spyware Select the name of a configured Anti-Spyware Profile or select "Add" to create a new one. In the "Anti-Spyware Profile" window, complete the required fields in all tabs. In the "Rules" tab, select the name of a configured Anti-Spyware Rule or select "Add" to create a new one. Complete the required fields. For the Category field, select "any". For the Action field, select "Drop" or "reset-both". For the Severity field, select "All" or configured multiple rules, one for each Severity. Select "OK". Select "OK" again. Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. In the "Actions" tab in the "Profile Setting" section; in the "Anti-spyware" field, select the configured or "Strict Anti-spyware" Profile. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Device >> Setup >> Management In the "General Settings" window, if the "hostname" field does not contain a unique identifier, this is a finding. Go to Device >> Setup >> Management In the "Logging and Reporting Settings" pane, if the "Send Hostname in Syslog" does not show either "ipv4-address" or "ipv6-address", this is a finding.
Set a unique hostname. Go to Device >> Setup >> Management In the "General Settings" window, select the "Edit" icon (the gear symbol in the upper-right corner of the pane). In the "General Settings" window, in the "hostname" field; enter a unique hostname. Select "OK". Configure the device to send either the ipv4-address, or ipv6-address with all log messages. Device >> Setup >> Management Click the "Edit" icon in the "Logging and Reporting Settings" section. Select the "Log Export and Reporting" tab. Select one of the following options from the "Send Hostname" in the "Syslog" drop-down list: ipv4-address —Uses the IPv4 address of the interface used to send logs on the device. By default, this is the management interface of the device. ipv6-address —Uses the IPv6 address of the interface used to send logs on the device. By default, this is the management interface of the device. Note that the addresses must be consistent with the IP address used by the management interface. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Objects >> Security Profiles >> Antivirus View the configured Antivirus Profiles. If the Packet Capture check box is not checked, this is a finding. Go to Objects >> Security Profiles >> Anti-Spyware View the configured Anti-Spyware Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding. Go to Objects >> Security Profiles >> Vulnerability Protection View the configured Vulnerability Protection Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding. Go to Policies >> Security Review each of the configured security policies in turn. For any Security Policy that affects traffic between Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.
This procedure will only capture the first packet. See the vendor documentation for further information. Go to Objects >> Security Profiles >> Antivirus Select the name of a configured Antivirus Profile or select "Add" to create a new one. In the "Antivirus Profile" window, complete the required fields. In the "Antivirus" tab, select the "Packet Capture" check box. Select "OK". Configure an Anti-Spyware Profile to capture detected malicious traffic. Go to Objects >> Security Profiles >> Anti-Spyware Select the name of a configured Anti-Spyware Profile or select "Add" to create a new one. In the "Anti-Spyware Profile" window, complete the required fields in all tabs. In the "Rules" tab, select the name of a configured Anti-Spyware Rule or select "Add" to create a new one. In the "Anti-Spyware Rule" window, in the "Packet Capture" field, select "extended-capture". Select "OK". Select "OK" again. Configure a Vulnerability Protection Profile to capture detected malicious traffic. Go to Objects >> Security Profiles >> Vulnerability Protection Select the name of a configured Vulnerability Protection Profile or select "Add" to create a new one. In the "Vulnerability Protection Profile" window, complete the required fields. In the "Rules" tab, select the name of a configured Vulnerability Protection Rule or select "Add" to create a new one. In the "Vulnerability Protection Rule" window, in the "Packet Capture" field, select "extended-capture". Select "OK". Select "OK" again. Use the Antivirus Profile, Anti-Spyware Profile, and Vulnerability Protection Profile in a Security Policy. Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions tab in the Profile Setting section: In the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Antivirus" field, select the configured Antivirus Profile. In the "Anti-Spyware" field, select the configured Anti-Spyware Profile. In the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Note: overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform. Go to Device >> Setup In the "Logging and Reporting Settings" pane, if the "Stop Traffic when LogDb Full" checkbox is selected, this is a finding.
Note: Overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform. Go to Device >> Setup In the "Logging and Reporting Settings" pane, select the "Edit" icon in the upper-right corner. In the "Logging and Reporting Settings" window, in the "Log Export and Reporting" tab, deselect (uncheck) the "Stop Traffic when LogDb Full" checkbox. If it is already not selected, do not change it. Switch back to the "Log Storage" tab. Select "OK". If no changes were made, it is not necessary or possible to commit a change. If a change was made, commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Objects >> Security Profiles >> DoS Protection If there are no DoS Protection Profiles configured, this is a finding. There may be more than one configured DoS Protection Profile; ask the Administrator which DoS Protection Profile is intended to protect outside networks from internally-originated DoS attacks. If there is no such DoS Protection Profile, this is a finding.
Go to Objects >> Security Profiles >> DoS Protection Select "Add" to create a new profile. In the "DoS Protection Profile" window, complete the required fields. For the Type, select "Classified". In the "Flood Protection" tab, "Syn Flood" tab, select the "Syn Flood" check box and select either "Random Early Drop" (preferred in this case) or "SYN Cookie". In the "Flood Protection" tab, "UDP Flood" tab, select the "UDP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMP Flood" tab, select the "ICMP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMPv6 Flood" tab, select the "ICMPv6 Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "Other IP Flood" tab, select the "Other IP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Resources Protection" tab, leave the "Maximum Concurrent Sessions" check box unselected. Select "OK". Go to Policies >> DoS Protection Select "Add" to create a new policy. In the "DoS Rule" Window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. In the "Source" tab, for "Zone", select the "Internal zone", for "Source Address", select "Any". In the "Destination" tab, "Zone", select "External zone", for "Destination Address", select "Any". In the "Option/Protection" tab: For "Service", select "Any". For "Action", select "Protect". Select the "Classified" check box. In the "Profile" field, select the configured DoS Protection profile for outbound traffic. In the "Address field", select "source-ip-only". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Objects >> Security Profiles >> Antivirus. If no Antivirus Profiles are configured other than the default, this is a finding. View the configured Antivirus Profiles for each protocol decoder (SMTP, IMAP, POP3, FTP, HTTP, SMB). If the "Action" is anything other than "drop" or "reset-both", this is a finding. Go to Policies >> Security. Review each of the configured security policies in turn. For any Security Policy that affects traffic from an outside (untrusted) zone, view the "Profile" column. If the "Profile" column does not display the “Antivirus Profile” symbol, this is a finding.
To create an Antivirus Profile: Go to Objects >> Security Profiles >> Antivirus. Select "Add". In the "Antivirus Profile" window, complete the required fields. Complete the "Name" and "Description" fields. In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the “Action” to "deny", or “reset-both”. Select "OK". Use the Profile in a Security Policy: Go to Policies >> Security. Select an existing policy rule or select "Add" to create a new one. In the "Actions” tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. Select "OK". Use the Antivirus Profile in a Security Policy applied to traffic from an outside (untrusted) zone. Go to Policies >> Security. Select an existing policy rule or select "Add" to create a new one. In the "Actions” tab in the Profile Setting section: In the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Antivirus" field, select the configured Antivirus Profile. In the "Anti-Spyware" field, select the configured Anti-Spyware Profile. In the "Vulnerability Protection" field, select the configured “Vulnerability Protection Profile”. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Since some networks cannot connect to the vendor site for automatic updates, a manual process can be used. To verify that the Palo Alto Networks security platform is using the current Applications and Threats database should be checked by viewing the Dashboard and the version and date compared to the latest release. Go to Dashboard; in the General Information pane, view the Threat Version and Antivirus Version. If they are not the most current version as listed on the Palo Alto Networks support site, this is a finding. The following check applies if the network is authorized to connect to the Vendor site for automatic updates. To verify that automatic updates are configured, Go to Device >> Dynamic Updates If no entries for "Applications and Threats" are present, this is a finding. If the "Applications and Threats" entry states "Download Only", this is a finding.
Go to Device >> Dynamic Updates Select "Check Now" at the bottom of the page to retrieve the latest signatures. To schedule automatic signature updates. Note: the steps provided below do not account for local change management policies. Go to Device >> Dynamic Updates Select the text to the right of "Schedule". In the "Applications and Threat Updates Schedule" window; complete the required information. In the "Recurrence" field, select "Daily". In the "Time" field, enter the time at which you want the device to check for updates. For the "Action", select "Download and Install". Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears. If manual updates are used, an Administrator must obtain updates from the Palo Alto Networks support site and upload them from a workstation or server to the Palo Alto Networks security platform. Go to Device >> Dynamic Updates Select "Upload" (at the bottom of the pane). In the "Select Package Type for the Upload" window in the "Package Type" field, select "anti-virus". Browse to and select the appropriate file. Select "OK". Select "Install From File" (at the bottom of the pane). In the "Select Package Type for Installation" window, select "antivirus". Select "OK". In the "Install Application and Threats From File" window, select the previously uploaded file. Select "OK".
Go to Objects >> Security Profiles >> Antivirus. If there are no Antivirus Profiles configured other than the default, this is a finding. View the configured Antivirus Profiles; for each protocol decoder (SMTP, IMAP, POP3, FTP, HTTP, SMB). If the "Action" is anything other than "drop" or "reset-both", this is a finding. Go to Policies >> Security. Review each of the configured security policies in turn. For any Security Policy that affects traffic between internal Zones (interzone), view the "Profile" column. If the "Profile" column does not display the “Antivirus Profile” symbol, this is a finding.
To create an Antivirus Profile: Go to Objects >> Security Profiles >> Antivirus. Select "Add". In the "Antivirus Profile" window, complete the required fields. Complete the "Name" and "Description" fields. In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the "Action" to "drop" or "reset-both". Select "OK". Use the Antivirus Profile in a Security Policy: Go to Policies >> Security. Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears. Use the Antivirus Profile in a Security Policy applied to traffic between internal zones. Go to Policies >> Security. Select an existing policy rule or select "Add" to create a new one. In the "Actions” tab in the “Profile Setting” section;: Iin the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Antivirus" field, select the configured Antivirus Profile. In the "Anti-Spyware" field, select the configured “Anti-Spyware” Profile. In the "Vulnerability Protection" field, select the configured “Vulnerability Protection Profile”. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears
The following is an example of how to check if the device is sending messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to verify that function. Go to Device >> Server Profiles >> Email If there is no Email Server Profile configured, this is a finding. Go to Objects >> Log forwarding If there is no Email Forwarding Profile configured, this is a finding. Go to Policies >> Security View the Security Policy that is used to detect malicious code (the "Profile" column does display the Antivirus Profile symbol); in the "Options" column, if the Email Forwarding Profile is not used, this is a finding.
The following is an example of how to configure the device to send messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to configure that function. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the "Email Server Profile" field, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. In the "Name" field, enter the name of the Email server. In the "Email Display" Name field, enter the name shown in the "From" field of the email. In the "From" field, enter the "From email address". In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". After you create the Server Profiles that define where to send your logs, you must enable log forwarding. Threat Logs—Enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection). Configure the log-forwarding profile to select the logs to be forwarded to Email server. Go to Objects >> Log forwarding The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Name" Field, enter the name of the Log Forwarding Profile. In the "Threat Settings Section" in the "Email" column, select the Email server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. For Threat Logs, use the log forwarding profile in the security rules. Go to Policies >> Security Rule Select the rule for which the log forwarding needs to be applied, which in this case is the Security Policy that is used to detect malicious code (the "Profile column" does display the Antivirus Profile symbol). Apply the log forwarding profile to the rule. In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from drop-down list. Note that the "Log Forwarding" field can only have one profile. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
To verify that automatic updates are configured: Go to Device >> Dynamic Updates If no entries for "Applications and Threats" are present, this is a finding. If the "Applications and Threats" entry states "Download Only", this is a finding.
Go to Device >> Dynamic Updates Select "Check Now" at the bottom of the page to retrieve the latest signatures. To schedule automatic signature updates. Note: the steps provided below do not account for local change management policies. Go to Device >> Dynamic Updates Select the text to the right of "Schedule". In the "Applications and Threat Updates Schedule" Window; complete the required information. In the "Recurrence" field, select "Daily". In the "Time" field, enter the time at which you want the device to check for updates. For the "Action", select "Download and Install". Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Ask the Administrator if any security policy allows ICMP from an internal zone or DMZ to an outside zone. If there is none, this is not a finding. If there is a security policy that allows ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. Go to Objects >> Applications; if there are not three custom Applications to identify ICMP Type 3, 5, and 18, this is a finding. Go to Policies >> Security; if there is no Security Policy using these three custom Applications with the resulting action of "deny", this is a finding. This Security Policy must appear above any Security Policy that allows ICMP from an internal zone or DMZ to an outside zone; if it does not, this is a finding.
Note: The interzone-default rule action is deny, so unless ICMP is specifically allowed by a policy, it will be denied. If there is an explicit security policy configured allowing ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages. Create three custom Applications to identify ICMP Type 3, 5, and 18: Go to Objects >> Applications Select "Add". In the Application window; complete the required fields In the Configuration tab, in the General section, complete the Name and Description Fields. In the Configuration tab, in the Properties section, for Category, select networking, for Subcategory, select infrastructure, and for Technology, select network-protocol. In the Advanced tab, in the Defaults section, select ICMP Type Enter "3" since ICMP Destination Unreachable is Type 3 Select OK Repeat this procedure two more times, using the values for ICMP Type are 5 and 18 since respectively since ICMP Redirect is Type 5 and ICMP Address Mask Reply is Type 18. Use these three Application filters in a Security Policy. To configure the security policy: Go to Policies >> Security Select "Add". In the "Security Policy Rule" window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. Select "interzone" for the Rule Type. In the "Source" tab, complete the "Source Zone" and "Source Address" fields. For the "Source Zone" field, select "internal". For the "Source Address" field, select "any". In the "Destination" tab, for the "Destination Address" field, select "any". Note: The "Destination Zone" window will be grayed out (unable to enter parameters). In the "Applications" tab, select the three application filters configured above. In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Ask the Administrator which Security Policy blocks traceroutes and ICMP probes. Go to Policies >> Security View the identified Security Policy. If the "Source Zone" field is not external and the "Source Address" field is not any, this is a finding. If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not "any", this is a finding. Note: the exact number and name of zones is specific to the network. If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding. If the "Actions" field does not show "Deny" as the resulting action, this is a finding.
To configure the security policy: Go to Policies >> Security Select "Add". In the "Security Policy Rule" window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. In the "Source" tab, complete the "Source Zone" and "Source Address" fields. For the "Source Zone" field, select "external". For the "Source Address" field, select "any". In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields. For the "Destination Zone" field, select the internal and DMZ zones. Note: the exact number and name of zones is specific to the network. For the "Destination Address" field, select "any". In the "Applications" tab, select "icmp", "ipv6-icmp", "traceroute". In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Objects >> Security Profiles >> Vulnerability Protection If there are no Vulnerability Protection Profiles configured, this is a finding. Ask the Administrator which Vulnerability Protection Profile is used to protect database assets by blocking and alerting on attacks. View the configured Vulnerability Protection Profile; check the "Severity" and "Action" columns. If the Vulnerability Protection Profile used for database protection does not block all critical, high, and medium threats, this is a finding. If the Vulnerability Protection Profile used for database protection does not alert on low and informational threats, this is a finding. Ask the Administrator which Security Policy is used to protect database assets. Go to Policies >> Security View the configured Security Policy; view the "Profile" column. If the "Profile" column does not display the Vulnerability Protection Profile symbol, this is a finding. Moving the cursor over the symbol will list the exact Vulnerability Protection Profiles applied. If the specific Vulnerability Protection Profile is not listed, this is a finding.
Create and apply a Vulnerability Protection Profile to protect database assets by blocking and alerting on attacks. This profile has two rules; the first blocks critical, high, and medium threats, and the second alerts on low and informational threats. Go to Objects >> Security Profiles >> Vulnerability Protection Select "Add". In the "Vulnerability Protection Profile" window, complete the required fields. In the "Name" field, enter the name of the Vulnerability Protection Profile. In the "Description" field, enter the description of the Vulnerability Protection Profile. In the "Rules" tab, select "Add". In the "Vulnerability Protection Rule" window, In the "Rule Name" field, enter the Rule name, In the "Threat Name" field, select "any", In the "Action" field, select "block". In the "Host type" field, select "server", Select the checkboxes above the "CVE" and "Vendor ID" boxes. In the "Severity" section, select the "critical", "high", and "medium" check boxes. Select "OK". In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK". Add a second rule that alerts on low and informational threats. Apply the Vulnerability Protection Profile to the Security Policy Rules permitting traffic to the databases. Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Objects >> Security Profiles >> Vulnerability Protection. If there are no Vulnerability Protection Profiles configured, this is a finding.
Create and apply a Vulnerability Protection Profile to protect database assets by blocking and alerting on attacks. This example profile has two rules; the first blocks critical, high, and medium threats, and the second alerts on low and informational threats. Creating the Protection Profiles: 1. Go to Objects >> Security Profiles >> Vulnerability Protection and select "Add". 2. In the "Vulnerability Protection Profile" window, complete the following required fields: In the "Name" field, enter the name of the Vulnerability Protection Profile. In the "Description" field, enter the description of the Vulnerability Protection Profile. In the "Rules" tab, select "Add". 3. In the "Vulnerability Protection Rule" window, complete the required fields: In the "Rule Name" field, enter the Rule name. In the "Threat Name" field, select "any". In the "Action" field, select "block". In the "Host type" field, select "server". Select the checkboxes above the "CVE" and "Vendor ID" boxes. In the "Severity" section, select the "critical", "high", and "medium" check boxes. Select "OK". 4. In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK". 5. Add a second rule that alerts on low and informational threats. Apply the Vulnerability Protection Profile to the Security Policy Rules permitting traffic to the databases. 1. Go to Policies >> Security. 2. Select an existing policy rule. 3. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. 4. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. 5. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
To view a syslog server profile: Go to Device >> Server Profiles >> Syslog If there are no Syslog Server Profiles present, this is a finding. Select each Syslog Server Profile; if no server is configured, this is a finding. View the log-forwarding profile to determine which logs are forwarded to the syslog server. Go to Objects >> Log forwarding If no Log Forwarding Profile is present, this is a finding. The "Log Forwarding Profile" window has five columns. If there are no Syslog Server Profiles present in the "Syslog" column for the Traffic Log Type, this is a finding. If there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding. Go to Device >> Log Settings >> System Logs The list of Severity levels is displayed. If any of the Severity levels does not have a configured Syslog Profile, this is a finding. Go to Device >> Log Settings >> Config Logs If the "Syslog" field is blank, this is a finding.
To create a syslog server profile: Go to Device >> Server Profiles >> Syslog Select "Add". In the Syslog Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. Name: Name of the syslog server Server: Server IP address where the logs will be forwarded to Port: Default port 514 Facility: Select from the drop down list Select "OK". After you create the Server Profiles that define where to send your logs, you must enable log forwarding. The way to enable forwarding depends on the log type: Traffic Logs— Enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded. Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. Threat Logs—You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection). Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding. The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. System Logs—You enable forwarding of System logs by specifying a Server Profile in the log settings configuration. Go to Device >> Log Settings >> System Logs The list of severity levels is displayed. Select a Server Profile for each severity level to forward. Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear. In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured Server Profile. Select "OK". Config Logs—You enable forwarding of Config logs by specifying a Server Profile in the log settings configuration. Go to Device >> Log Settings >> Config Logs Select the "Edit" icon (the gear symbol in the upper-right corner of the pane). In the "Log Settings Config" window, in the "Syslog" drop-down box, select the configured Server Profile. Select "OK". For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules. Go to Policies >> Security Rule Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule. Go to Actions >> Log forwarding Select the log forwarding profile from drop-down list. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Objects >> Security Profiles >> DoS Protection If there are no DoS Protection Profiles configured, this is a finding. Go to Policies >> DoS Protection If there are no DoS Protection Policies, this is a finding. There may be more than one configured DoS Protection Policy; ask the Administrator which DoS Protection Policy is intended to protect internal networks and DMZ networks from externally-originated DoS attacks. If there is no such DoS Protection Policy, this is a finding. If the DoS Protection Policy has no DoS Protection Profile, this is a finding.
Go to Objects >> Security Profiles >> DoS Protection Select "Add" to create a new profile. In the "DoS Protection Profile" window, complete the required fields. For the "Type", select "Classified". In the "Flood Protection" tab, "Syn Flood" tab, select the "Syn Flood" check box and select "SYN Cookie". In the "Flood Protection" tab, "UDP Flood" tab, select the "UDP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMP Flood" tab, select the "ICMP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMPv6 Flood" tab, select the "ICMPv6 Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "Other IP Flood" tab, select the "Other IP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Resources Protection" tab, select the "Maximum Concurrent Sessions" check box. In the "Resources Protection" tab, complete the "Max Concurrent Sessions" field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied. If the DoS profile type is classified, this limit applies to the entire traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS rule on which the DoS profile is applied. Select "OK". Go to Policies >> DoS Protection Select "Add" to create a new policy. In the "DoS Rule" Window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. In the "Source" tab, for "Zone", select the "External zone, for Source Address", select "Any". In the "Destination" tab, "Zone", select "Internal zone, for Destination Address", select "Any". In the "Option/Protection" tab, For "Service", select "Any". For "Action", select "Protect". Select the "Classified" check box. In the "Profile" field, select the configured DoS Protection profile for inbound traffic. In the "Address" field, select "destination-ip-only". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Objects >> Security Profiles >> Vulnerability Protection If there are no Vulnerability Protection Profiles configured, this is a finding. Ask the Administrator which Vulnerability Protection Profile is used for interzone traffic. View the configured Vulnerability Protection Profiles; check the "Severity" and "Action" columns. If the Vulnerability Protection Profile used for interzone traffic does not block all critical, high, and medium threats, this is a finding. Go to Policies >> Security Review each of the configured security policies in turn. For any Security Policy that affects traffic between Zones (interzone), view the Profile column. If the Profile column does not display the Vulnerability Protection Profile symbol, this is a finding.
To create a Vulnerability Protection Profile: Go to Objects >> Security Profiles >> Vulnerability Protection Select "Add". In the "Vulnerability Protection Profile" window, complete the required fields. In the "Name" field, enter the name of the Vulnerability Protection Profile. In the "Description" field, enter the description of the Vulnerability Protection Profile. In the "Rules" tab, select "Add". In the "Vulnerability Protection Rule" window, In the "Rule Name" field, enter the Rule name, In the "Threat Name" field, select "any", In the "Action" field, select "block". In the "Host type" field, select "any", Select the checkboxes above the "CVE" and "Vendor ID" boxes. In the "Severity" section, select the "critical", "high", and "medium" check boxes. Select "OK". In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK". Use the Profile in a Security Policy; Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Go to Device >> Server Profiles >> NetFlow If no NetFlow Server Profiles are configured, this is a finding. This step assumes that it is an Ethernet interface that is being monitored. The verification is the same for Ethernet, VLAN, Loopback and Tunnel interfaces. Ask the Administrator which interface is being monitored; there may be more than one. Go to Network >> Interfaces >> Ethernet Select the interface that is being monitored. If the "NetFlow Profile" field is "None", this is a finding.
To create a NetFlow Server Profile: Go to Device >> Server Profiles >> NetFlow Select Add. In the "NetFlow Server Profile" window, complete the required fields. In the "Name" field, enter the name of the NetFlow Server Profile. In the "Minutes" field, enter the number of minutes after which the NetFlow template is refreshed. In the "Packets" field, enter the number of packets after which the NetFlow template is refreshed. In the "Active Timeout" field, enter the frequency (in minutes) the device exports records. Select the "PAN-OS Field Types" check box to export "App-ID" and "User-ID" fields. Select "Add" to add a NetFlow collector. In the "Name" field, enter the name of the server. In the "NetFlow Server" field, enter the hostname or IP address of the server. In the "Port" field enter the port used by the NetFlow collector (default 2055). Select "OK". Assign the NetFlow server profile to the interfaces that carry the traffic to be analyzed. These steps assume that it is one of the Ethernet interfaces. The configuration is the same for Ethernet, VLAN, Loopback and Tunnel interfaces. Go to Network >> Interfaces >> Ethernet Select the interface that the traffic traverses. In the "Ethernet Interface" window, in the "NetFlow Profile" field, select the configured NetFlow Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic. If there is no list of unauthorized network services, this is a finding. If there are no configured security policies that specifically match the list of unauthorized network services, this is a finding. If the security policies do not deny the traffic associated with the unauthorized network services, this is a finding.
Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that denies traffic associated with it and logs the denied traffic. To create or edit a Security Policy: Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic. To verify if a Security Policy logs denied traffic: Go to Policies >> Security Select the name of the security policy to view it. In the "Actions" tab, in the "Log Setting" section, if neither the "Log at Session Start" nor the "Log at Session End" check boxes are checked, this is a finding.
Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that denies traffic associated with it and logs the denied traffic. To configure a Security Policy to log denied traffic: Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select the Log forwarding profile and select "Log at Session End". "Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policies that denies traffic associated with it and logs the denied traffic. Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to block unauthorized network services. Go to Policies >> Security Select the name of the security policy to view it. In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile. If there is no Log Forwarding Profile, this is a finding.
Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that generates an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected. Configure a Server Profile for use with Log Forwarding Profile(s); if email is used, the ISSO and ISSM must be recipients. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the Email Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information: In the "Name" field, enter the name of the Email server In the "Email Display Name" field, enter the name shown in the "From" field of the email. In the "From" field, enter the From email address. In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select the Log forwarding profile and select "Log at Session End". "Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Obtain the network architecture diagrams and identify where traffic crosses from one internal zone to another and review the configuration of the Palo Alto Networks security platform. The specific security policy is based on the authorized endpoints, applications, and protocols. If it does not filter traffic passing between zones, this is a finding.
The network architecture diagrams must identify where traffic crosses from one internal zone to another. The specific security policy is based on the authorized endpoints, applications, and protocols. To create or edit a Security Policy: Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Obtain the network architecture diagrams and identify where traffic crosses from one internal zone to another and review the configuration of the Palo Alto Networks security platform. If it does not filter traffic passing between zones, this is a finding.
The network architecture diagrams must identify where traffic crosses from one internal zone to another. The specific security policy is based on the authorized endpoints, applications, and protocols. To create or edit a Security Policy: Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile. If there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to block unauthorized network services. Go to Policies >> Security Select the name of the security policy to view it. In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile. If there is no Log Forwarding Profile, this is a finding.
Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the Email Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. In the "Name" field, enter the name of the Email server. In the "Email Display" Name field, enter the name shown in the "From" field of the email. In the "From" field, enter the From email address. In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select the Log forwarding profile and select "Log at Session End". "Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to enforce policies issued by authoritative sources. Go to Policies >> Security Select the name of the security policy to view it. In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile. If there is no Log Forwarding Profile, this is a finding.
Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. To create an email server profile: Go to Device >> Server Profiles >> Email Select "Add". In the Email Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information: In the "Name" field, enter the name of the Email server. In the "Email Display Name" field, enter the name shown in the "From" field of the email. In the "From" field, enter the From email address. In the "To" field, enter the email address of the recipient. In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list. In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email. Select "OK". Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Go to Policies >> Security Select "Add" to create a new security policy or select the name of the security policy to edit it. Configure the specific parameters of the policy by completing the required information in the fields of each tab. In the "Actions" tab, select the Log forwarding profile and select "Log at Session End". "Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to filter traffic into the Internal or DMZ zones. If the "Profile" column does not display the Antivirus Profile symbol, this is a finding. If the "Profile" column does not display the Vulnerability Protection Profile symbol, this is a finding. If the "Profile" column does not display the Anti-spyware symbol, this is a finding. If the "Options" column does not display the Log Forwarding Profile symbol, this is a finding.
This requires the use of an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile. Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Configure an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile in turn. Note: A custom Anti-spyware Profile or the Strict Anti-spyware Profile must be used instead of the Default Anti-spyware Profile. The selected Anti-spyware Profile must use the block action at the critical, high, and medium severity threat levels. Use the Antivirus Profile, Anti-spyware Profile, and the Vulnerability Protection Profile in a Security Policy that filters traffic to Internal and DMZ zones: Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. In the "Actions" tab in the "Profile Setting" section; in the "Anti-spyware" field, select the configured or "Strict Anti-spyware" Profile. In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile. In the "Actions" tab in the "Log Setting" section, select "Log At Session End". This generates a traffic log entry for the end of a session and logs drop and deny entries. In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from drop-down list. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. Go to Policies >> DoS Protection If there are no DoS Protection Policies, this is a finding. There may be more than one configured DoS Protection Policy. If there is no such DoS Protection Policy, this is a finding. In the "Log Forwarding" field, if there is no configured Log Forwarding Profile, this is a finding.
Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Go to Policies >> DoS Protection Select "Add" to create a new policy or select the Name of the Policy to edit it. In the "DoS Rule" window, complete the required fields. In the "Option/Protection" tab, in the "Log Forwarding" field, select the configured Log Forwarding Profile. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog). View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding. View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile. View the Security Policies that are used to filter traffic between zones or subnets. If the "Profile" column does not display the Antivirus Profile symbol, this is a finding. If the "Options" column does not display the Log Forwarding Profile symbol, this is a finding.
Configure a Server Profile for use with Log Forwarding Profile(s); If email is used, the ISSO and ISSM must be recipients. Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding. Go to Objects >> Security Profiles >> Antivirus Select "Add" to create a new Antivirus Profile or select the name of the profile to edit it. Use the Antivirus Profile in a Security Policy. Go to Policies >> Security Select an existing policy rule or select "Add" to create a new one. In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles. In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile. Select "OK". In the "Actions" tab in the "Log Setting" section, select "Log At Session End". In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from drop-down list. Select "OK". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
To view a syslog server profile: Go to Device >> Server Profiles >> Syslog If there are no Syslog Server Profiles present, this is a finding. Select each Syslog Server Profile; if no server is configured, this is a finding. View the log-forwarding profile to determine which logs are forwarded to the syslog server. Go to Objects >> Log forwarding If no Log Forwarding Profile is present, this is a finding. The Log Forwarding Profile window has five columns. If there are no Syslog Server Profiles present in the "Syslog" column for the Traffic Log Type, this is a finding. If there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding. Go to Device >> Log Settings >> System Logs The list of Severity levels is displayed. If any of the Severity levels does not have a configured Syslog Profile, this is a finding. Go to Device >> Log Settings >> Config Logs. If the "Syslog" field is blank, this is a finding.
To create a syslog server profile: Go to Device >> Server Profiles >> Syslog Select "Add". In the Syslog Server Profile, enter the name of the profile. Select "Add". In the "Servers" tab, enter the required information. Name: Name of the syslog server Server: Server IP address where the logs will be forwarded to Port: Default port 514 Facility: Select from the drop-down list. Select "OK. After you create the Server Profiles that define where to send your logs, you must enable log forwarding. The way you enable forwarding depends on the log type: Traffic Logs—You enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded. Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding. The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s). Select "OK. When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. Threat Logs—You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection). Configure the log-forwarding profile to select the logs to be forwarded to syslog server. Go to Objects >> Log forwarding The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s). Select "OK". When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile. System Logs—You enable forwarding of System logs by specifying a Server Profile in the log settings configuration. Go to Device >> Log Settings >> System Logs The list of severity levels is displayed. You must select a Server Profile for each severity level you want to forward. Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear. In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured Server Profile. Select "OK. Config Logs—You enable forwarding of Config logs by specifying a Server Profile in the log settings configuration. Go to Device >> Log Settings >> Config Logs Select the "Edit" icon (the gear symbol in the upper-right corner of the pane). In the "Log Settings Config" window, in the "Syslog" drop-down box, select the configured Server Profile. Select "OK. For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules. Go to Policies >> Security Rule Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule. Go to Actions >> Log forwarding Select the log forwarding profile from drop-down list. Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.