Palo Alto Networks IDPS Security Technical Implementation Guide

V1R2 2019-01-04       U_Palo_Alto_Networks_IDPS_STIG_V1R2_Manual-xccdf.xml
V1R1 2015-11-17       U_Palo_Alto_Networks_IDPS_STIG_V1R1_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Comparison
All 29
No Change 27
Updated 2
Added 0
Removed 0
V-62647 No Change
Findings ID: PANW-IP-000001 Rule ID: SV-77137r1_rule Severity: medium CCI: CCI-001368

Discussion

The flow of all communications traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data.

Restricting the flow of communications traffic, also known as information flow control, regulates where information is allowed to travel, as opposed to who is allowed to access the information, and without explicit regard to subsequent accesses to that information.

Traffic that is prohibited by the PPSM and Vulnerability Assessments must be denied by the policies configured in the Palo Alto Networks security platform; this is addressed in a separate requirement. Traffic that is allowed by the PPSM and Vulnerability Assessments must still be inspected by the IDPS capabilities of the Palo Alto Networks security platform known as Content-ID. Content-ID is enabled on a per rule basis using individual or group profiles to facilitate policy-based control over content traversing the network.

Checks

Review the list of authorized applications, endpoints, services, and protocols that has been added to the PPSM database. Identify which traffic flows are authorized.

Go to Objects >> Security Profiles >> Antivirus
If there are no Antivirus Profiles configured other than the default, this is a finding.

Go to Objects >> Security Profiles >> Anti-Spyware
View the configured Anti-Spyware Profiles. If none are configured, this is a finding.

Go to Objects >> Security Profiles >> Vulnerability Protection
View the configured Vulnerability Protection Profiles. If none are configured, this is a finding.

Review each of the configured security policies in turn. For any Security Policy that allows traffic between Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding. If the policy applies a Security Profile Group rather than individual profiles, the column shows a single group symbol; open the group and confirm that it contains all three profile types.

Fix

Configure an Antivirus Profile, an Anti-Spyware Profile, and a Vulnerability Protection Profile in turn. Use these Profiles in the Security Policy or Policies that allow authorized traffic.
To create an Antivirus Profile:
Go to Objects >> Security Profiles >> Antivirus
Select "Add".
In the "Antivirus Profile" window, complete the required fields.
Complete the "Name" and "Description" fields.
In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the Action to "block".
Select "OK".

To create a Vulnerability Protection Profile:
Go to Objects >> Security Profiles >> Vulnerability Protection
Select "Add".
In the "Vulnerability Protection Profile" window, complete the required fields.
In the "Name" field, enter the name of the Vulnerability Protection Profile.
In the "Description" field, enter the description of the Vulnerability Protection Profile.
In the "Rules" tab, select "Add".
In the "Vulnerability Protection Rule" window:
In the "Rule Name" field, enter the rule name.
In the "Threat Name" field, select "any".
In the "Action" field, select "block".
In the "Host Type" field, select "any".
Select the check boxes above the "CVE" and "Vendor ID" boxes.
In the "Severity" section, select the "critical", "high", and "medium" check boxes.
Select "OK".

In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK".
To configure an Anti-Spyware Profile:
Go to Objects >> Security Profiles >> Anti-Spyware
Select the name of a configured Anti-Spyware Profile or select "Add" to create a new one.
In the "Anti-Spyware Profile" window, complete the required fields in all tabs.
In the "Rules" tab, select the name of a configured Anti-Spyware Rule or select "Add" to create a new one.
Complete the required fields.
For the Category field, select "any".
For the Action field, select "Block".
For the Severity field, select "All", or configure multiple rules, one for each Severity.
Select "OK".
Select "OK" again.

Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile.
In the "Actions" tab in the "Profile Setting" section; in the "Anti-spyware" field, select the configured or "Strict Anti-spyware" Profile.
In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
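The Checks above are done by eye in the GUI Profile column; the same test can be run against a configuration export (Device >> Setup >> Operations, "Export named configuration snapshot", or "show config running" over the XML API). The script below is an added example written for this page, not DISA's or Palo Alto Networks' code. It assumes the element layout of a PAN-OS running configuration (vsys/entry/rulebase/security/rules, profile-setting/profiles or profile-setting/group, profile-group/entry); those paths are assumptions to compare against a real export. The embedded configuration is constructed. The script also expands Security Profile Groups, which the GUI shows as a single icon, so a group that carries only an Antivirus Profile is reported the same way as a rule with only an Antivirus Profile.

```python
"""Added example: audit interzone allow rules for PANW-IP-000001.

Element paths mirror a PAN-OS running configuration; treat them as
assumptions and compare against a real 'show config running' export.
"""
import xml.etree.ElementTree as ET

REQUIRED = ("virus", "spyware", "vulnerability")   # AV, Anti-Spyware, Vuln Protection
VSYS_PATH = "./devices/entry/vsys/entry"

# Constructed sample configuration (not from a real device). Predefined
# profiles such as the built-in "default" are not stored in the config
# tree, so every entry under <profiles> is an administrator-created one.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <profiles>
  <virus><entry name="av-stig"/></virus>
  <spyware><entry name="as-stig"/></spyware>
  <vulnerability><entry name="vp-stig"/></vulnerability>
 </profiles>
 <profile-group>
  <entry name="pg-stig">
   <virus><member>av-stig</member></virus>
   <spyware><member>as-stig</member></spyware>
   <vulnerability><member>vp-stig</member></vulnerability>
  </entry>
  <entry name="pg-partial"><virus><member>av-stig</member></virus></entry>
 </profile-group>
 <rulebase><security><rules>
  <entry name="trust-to-untrust"><from><member>trust</member></from><to><member>untrust</member></to><action>allow</action>
   <profile-setting><group><member>pg-stig</member></group></profile-setting></entry>
  <entry name="dmz-to-untrust"><from><member>dmz</member></from><to><member>untrust</member></to><action>allow</action>
   <profile-setting><profiles><virus><member>av-stig</member></virus></profiles></profile-setting></entry>
  <entry name="trust-to-dmz"><from><member>trust</member></from><to><member>dmz</member></to><action>allow</action>
   <profile-setting><group><member>pg-partial</member></group></profile-setting></entry>
  <entry name="trust-intrazone"><from><member>trust</member></from><to><member>trust</member></to><action>allow</action></entry>
  <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to><action>deny</action></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def custom_profiles(config_xml):
    """Names of administrator-created AV/AS/VP profiles, per kind (checks 1-3)."""
    root = ET.fromstring(config_xml)
    return {kind: sorted(e.get("name") for e in root.iterfind(f"{VSYS_PATH}/profiles/{kind}/entry"))
            for kind in REQUIRED}


def attached_kinds(rule, groups):
    """Profile kinds a rule applies, directly or through a Security Profile
    Group. The GUI Profile column shows one icon for a group, so the group's
    members must be expanded to know what is really inspected."""
    setting = rule.find("profile-setting")
    if setting is None:
        return set()
    found = {k for k in REQUIRED if setting.find(f"profiles/{k}/member") is not None}
    for ref in setting.iterfind("group/member"):
        group = groups.get(ref.text)
        if group is not None:
            found |= {k for k in REQUIRED if group.find(f"{k}/member") is not None}
    return found


def audit_interzone_rules(config_xml):
    """Return [(rule name, [missing kinds])] for allow rules that cross zones
    without all three Content-ID profile types (check 4)."""
    root = ET.fromstring(config_xml)
    findings = []
    for vsys in root.iterfind(VSYS_PATH):
        groups = {g.get("name"): g for g in vsys.iterfind("profile-group/entry")}
        for rule in vsys.iterfind("rulebase/security/rules/entry"):
            if rule.findtext("action") != "allow":
                continue                      # denied traffic is not inspected
            src = {m.text for m in rule.iterfind("from/member")}
            dst = {m.text for m in rule.iterfind("to/member")}
            if src == dst and "any" not in src:
                continue                      # intrazone: outside this requirement
            missing = sorted(set(REQUIRED) - attached_kinds(rule, groups))
            if missing:
                findings.append((rule.get("name"), missing))
    return findings


if __name__ == "__main__":
    print(custom_profiles(SAMPLE_CONFIG))
    for name, missing in audit_interzone_rules(SAMPLE_CONFIG):
        print(f"FINDING: rule {name!r} lacks {', '.join(missing)}")
```

Against the sample, "trust-to-untrust" passes because its group carries all three profiles, while "dmz-to-untrust" (only an Antivirus Profile attached directly) and "trust-to-dmz" (a group with only an Antivirus Profile) are reported; the intrazone rule and the deny rule are skipped. A rule whose zones are "any" is treated as interzone, since it can match cross-zone traffic.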
V-62649 No Change
Findings ID: PANW-IP-000007 Rule ID: SV-77139r1_rule Severity: medium CCI: CCI-000133

Discussion

Associating the source of the event with detected events in the logs provides a means of investigating an attack or suspected attack.

While auditing and logging are closely related, they are not the same. Logging is recording data about events that take place in a system, while auditing is the use of log records to identify security-relevant information such as system or user accesses. In short, log records are audited to establish an accurate history. Without logging, it would be impossible to establish an audit trail.

The Palo Alto Networks security platform has four options for identifying the source of log records: "FQDN", "hostname", "ipv4-address", and "ipv6-address". This requirement only allows "ipv4-address" and "ipv6-address".

Checks

Go to Device >> Setup >> Management
In the "General Settings" window, if the "hostname" field does not contain a unique identifier, this is a finding.

Go to Device >> Setup >> Management
In the "Logging and Reporting Settings" pane, if the "Send Hostname in Syslog" does not show either "ipv4-address" or "ipv6-address", this is a finding.

Fix

Set a unique hostname.
Go to Device >> Setup >> Management
In the "General Settings" window, select the "Edit" icon (the gear symbol in the upper-right corner of the pane).
In the "General Settings" window, in the "hostname" field; enter a unique hostname.
Select "OK".

Configure the device to send either the ipv4-address or the ipv6-address with log messages.
Go to Device >> Setup >> Management
Select the "Edit" icon in the "Logging and Reporting Settings" section.
Select the "Log Export and Reporting" tab.
Select one of the following options from the "Send Hostname in Syslog" drop-down list:
ipv4-address: uses the IPv4 address of the interface used to send logs from the device. By default, this is the management interface.
ipv6-address: uses the IPv6 address of the interface used to send logs from the device. By default, this is the management interface.
Note that the selection must match the address family configured on the interface that sends the logs (by default, the management interface).
Select "OK".

Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
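The setting above only changes the HOST field of the syslog header; the collector is where you confirm that an IP address actually arrives. The parser below is an added example written for this page (not DISA's or Palo Alto Networks' code). It reads BSD-format syslog lines (RFC 3164, the default format of a PAN-OS Syslog Server Profile), classifies the header host the way the PAN-OS option names it, and flags anything that is not an IPv4 or IPv6 literal. The five log lines are constructed and their CSV payloads are abbreviated.

```python
"""Added example: check the HOST field of received PAN-OS syslog messages.

PAN-OS sends BSD-format syslog (RFC 3164): <PRI>Mmm dd hh:mm:ss HOST MSG.
The "Send Hostname in Syslog" setting decides what HOST contains.
"""
import ipaddress
import re

_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

ALLOWED = ("ipv4-address", "ipv6-address")

# Constructed lines; the CSV payloads are abbreviated with "...".
SAMPLE_LINES = [
    "<14>Jan  4 09:15:01 10.20.30.4 1,2019/01/04 09:15:01,001801012345,THREAT,virus,...",
    "<14>Jan  4 09:15:02 2001:db8::a 1,2019/01/04 09:15:02,001801012345,THREAT,spyware,...",
    "<14>Jan  4 09:15:03 pa-edge-01 1,2019/01/04 09:15:03,001801012345,TRAFFIC,end,...",
    "<14>Jan  4 09:15:04 pa-edge-01.example.mil 1,2019/01/04 09:15:04,001801012345,SYSTEM,general,...",
    "garbage line that is not syslog",
]


def source_kind(host):
    """Classify HOST using the four names the PAN-OS option uses."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "FQDN" if "." in host else "hostname"
    return "ipv4-address" if addr.version == 4 else "ipv6-address"


def check_lines(lines, allowed=ALLOWED):
    """Split lines into (host, kind) pairs that satisfy the requirement and
    those that do not; unparsable lines are reported with their raw text."""
    ok, bad = [], []
    for line in lines:
        m = _HEADER.match(line)
        if m is None:
            bad.append((line, "unparsable header"))
            continue
        kind = source_kind(m.group("host"))
        (ok if kind in allowed else bad).append((m.group("host"), kind))
    return ok, bad


if __name__ == "__main__":
    ok, bad = check_lines(SAMPLE_LINES)
    print(f"{len(ok)} compliant, {len(bad)} non-compliant")
    for host, kind in bad:
        print(f"FINDING: {host!r} identifies the sender by {kind}")
```

Run this over a sample from the collector after the commit, not before: a relay that rewrites the header, or a Syslog Server Profile set to the IETF (RFC 5424) format, where the host is the fourth space-separated field, will change what arrives, and the regular expression above only understands the BSD form.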
V-62651 No Change
Findings ID: PANW-IP-000008 Rule ID: SV-77141r1_rule Severity: medium CCI: CCI-000134

Discussion

Associating event outcome with detected events in the log provides a means of investigating an attack or suspected attack.

The logs should identify what servers, destination addresses, applications, or databases were potentially attacked by logging communications traffic between the target and the attacker. All commands that were entered by the attacker (such as account creations, changes in permissions, files accessed, etc.) during the session should also be logged.

Packet captures of attack traffic can be used by forensic tools for analysis for example, to determine if an alert is real or a false alarm or for forensics for threat intelligence.

Checks

Go to Objects >> Security Profiles >> Antivirus
View the configured Antivirus Profiles. If the "Packet Capture" check box is not selected, this is a finding.

Go to Objects >> Security Profiles >> Anti-Spyware
View the configured Anti-Spyware Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding.

Go to Objects >> Security Profiles >> Vulnerability Protection
View the configured Vulnerability Protection Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding.

Go to Policies >> Security
Review each of the configured security policies in turn. For any Security Policy that affects traffic between Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.

Fix

Go to Objects >> Security Profiles >> Antivirus
Select the name of a configured Antivirus Profile or select "Add" to create a new one.
In the "Antivirus Profile" window, complete the required fields.
In the "Antivirus" tab, select the "Packet Capture" check box.
Select "OK".

Configure an Anti-Spyware Profile to capture detected malicious traffic.
Go to Objects >> Security Profiles >> Anti-Spyware
Select the name of a configured Anti-Spyware Profile or select "Add" to create a new one.
In the "Anti-Spyware Profile" window, complete the required fields in all tabs.
In the "Rules" tab, select the name of a configured Anti-Spyware Rule or select "Add" to create a new one.
In the "Anti-Spyware Rule" window, in the "Packet Capture" field, select "extended-capture".
Select "OK".
Select "OK" again.

Configure a Vulnerability Protection Profile to capture detected malicious traffic.
Go to Objects >> Security Profiles >> Vulnerability Protection
Select the name of a configured Vulnerability Protection Profile or select "Add" to create a new one.
In the "Vulnerability Protection Profile" window, complete the required fields.
In the "Rules" tab, select the name of a configured Vulnerability Protection Rule or select "Add" to create a new one.
In the "Vulnerability Protection Rule" window, in the "Packet Capture" field, select "extended-capture".
Select "OK".
Select "OK" again.

Use the Antivirus Profile, Anti-Spyware Profile, and Vulnerability Protection Profile in a Security Policy.
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions" tab, in the "Profile Setting" section:
In the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Antivirus" field, select the configured Antivirus Profile.
In the "Anti-Spyware" field, select the configured Anti-Spyware Profile.
In the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
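Opening every profile to read its packet-capture setting does not scale past a handful of profiles. The following added example (written for this page; not DISA's or Palo Alto Networks' code) reads the same settings from a configuration export. It assumes the profile layout of a PAN-OS running configuration (profiles/virus/entry/packet-capture as a yes/no flag; profiles/spyware and profiles/vulnerability with a packet-capture value of disable, single-packet or extended-capture on each rule); the element names are assumptions and the sample configuration is constructed.

```python
"""Added example: verify packet-capture settings for PANW-IP-000008.

Element paths mirror a PAN-OS running configuration and are assumptions;
compare them against a real 'show config running' export.
"""
import xml.etree.ElementTree as ET

# Constructed sample with one compliant and one non-compliant profile of each kind.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><profiles>
 <virus>
  <entry name="av-stig"><packet-capture>yes</packet-capture></entry>
  <entry name="av-nocap"><packet-capture>no</packet-capture></entry>
 </virus>
 <spyware>
  <entry name="as-stig"><rules>
   <entry name="crit-high"><packet-capture>extended-capture</packet-capture></entry>
   <entry name="medium"><packet-capture>single-packet</packet-capture></entry>
  </rules></entry>
  <entry name="as-empty"/>
 </spyware>
 <vulnerability>
  <entry name="vp-stig"><rules>
   <entry name="block-all"><packet-capture>extended-capture</packet-capture></entry>
  </rules></entry>
  <entry name="vp-nocap"><rules>
   <entry name="block-all"><packet-capture>disable</packet-capture></entry>
  </rules></entry>
 </vulnerability>
</profiles></entry></vsys></entry></devices></config>"""

PROFILES = "./devices/entry/vsys/entry/profiles"


def audit_packet_capture(config_xml):
    """Return (kind, profile, rule, actual) for every profile or rule whose
    packet-capture setting does not meet the requirement.

    Antivirus profiles carry a single yes/no flag; Anti-Spyware and
    Vulnerability Protection profiles set it per rule, where the allowed
    values are disable, single-packet and extended-capture.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for prof in root.iterfind(f"{PROFILES}/virus/entry"):
        flag = prof.findtext("packet-capture", "no")   # absent element means off
        if flag != "yes":
            findings.append(("virus", prof.get("name"), None, flag))
    for kind in ("spyware", "vulnerability"):
        for prof in root.iterfind(f"{PROFILES}/{kind}/entry"):
            rules = prof.findall("rules/entry")
            if not rules:        # nothing to match, so nothing to capture
                findings.append((kind, prof.get("name"), None, "no rules"))
            for rule in rules:
                cap = rule.findtext("packet-capture", "disable")
                if cap != "extended-capture":
                    findings.append((kind, prof.get("name"), rule.get("name"), cap))
    return findings


if __name__ == "__main__":
    for kind, prof, rule, actual in audit_packet_capture(SAMPLE_CONFIG):
        where = f"{kind}/{prof}" + (f"/{rule}" if rule else "")
        print(f"FINDING: {where}: packet capture is {actual}")
```

A profile with no rules is reported as well, because a profile that matches nothing captures nothing even if it is attached to a policy. Note also that extended-capture stores a fixed number of packets per event, set device-wide under Device >> Setup >> Content-ID; the default is only a few packets, so raise it if the captures are meant to feed the forensic analysis the Discussion describes.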
V-62653 No Change
Findings ID: PANW-IP-000010 Rule ID: SV-77143r1_rule Severity: medium CCI: CCI-000140

Discussion

It is critical that when the Palo Alto Networks security platform is at risk of failing to process audit logs as required, it takes action to mitigate the failure.

The Palo Alto Networks security platform performs a critical security function, so its continued operation is imperative. Since availability of the Palo Alto Networks security platform is an overriding concern, shutting down the system in the event of an audit failure should be avoided, except as a last resort.

Checks

Note: overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform.

Go to Device >> Setup >> Management
In the "Logging and Reporting Settings" pane, if the "Stop Traffic when LogDb Full" checkbox is selected, this is a finding.

Fix

Note: Overwriting the oldest audit records in a first-in-first-out manner is the default setting of the Palo Alto Networks security platform.

Go to Device >> Setup >> Management
In the "Logging and Reporting Settings" pane, select the "Edit" icon in the upper-right corner.
In the "Logging and Reporting Settings" window, in the "Log Export and Reporting" tab, deselect (uncheck) the "Stop Traffic when LogDb Full" checkbox. If it is already not selected, do not change it.
Switch back to the "Log Storage" tab.
Select "OK".

If no changes were made, it is not necessary or possible to commit a change. If a change was made, commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62655 No Change
Findings ID: PANW-IP-000018 Rule ID: SV-77145r1_rule Severity: medium CCI: CCI-001095

Discussion

The Palo Alto Networks security platform must include protection against DoS attacks that originate from inside the enclave which can affect either internal or external systems. These attacks may use legitimate or rogue endpoints from inside the enclave.

Installation of Palo Alto Networks security platform detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.

To comply with this requirement, the Palo Alto Networks security platform must inspect outbound traffic for indications of known and unknown DoS attacks. Sensor log capacity management along with techniques which prevent the logging of redundant information during an attack also guard against DoS attacks. This requirement is used in conjunction with other requirements which require configuration of security policies, signatures, rules, and anomaly detection techniques and are applicable to both inbound and outbound traffic.

Checks

Go to Objects >> Security Profiles >> DoS Protection
If there are no DoS Protection Profiles configured, this is a finding.

There may be more than one configured DoS Protection Profile; ask the Administrator which DoS Protection Profile is intended to protect outside networks from internally-originated DoS attacks.
If there is no such DoS Protection Profile, this is a finding.

Fix

Go to Objects >> Security Profiles >> DoS Protection
Select "Add" to create a new profile.
In the "DoS Protection Profile" window, complete the required fields.
For the Type, select "Classified".
In the "Flood Protection" tab, "SYN Flood" tab, select the "SYN Flood" check box and select either "Random Early Drop" (preferred in this case) or "SYN Cookie".
In the "Flood Protection" tab, "UDP Flood" tab, select the "UDP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "ICMP Flood" tab, select the "ICMP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "ICMPv6 Flood" tab, select the "ICMPv6 Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "Other IP Flood" tab, select the "Other IP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Resources Protection" tab, leave the "Maximum Concurrent Sessions" check box unselected.
Select "OK".

Go to Policies >> DoS Protection
Select "Add" to create a new policy.
In the "DoS Rule" Window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields.
In the "Source" tab, for "Zone", select the internal zone; for "Source Address", select "Any".
In the "Destination" tab, for "Zone", select the external zone; for "Destination Address", select "Any".
In the "Option/Protection" tab:
For "Service", select "Any".
For "Action", select "Protect".
Select the "Classified" check box.
In the "Profile" field, select the configured DoS Protection profile for outbound traffic.
In the "Address" field, select "source-ip-only".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
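A DoS policy only protects the outbound direction if the rule's zones, its classification and its profile all agree. The added example below (written for this page; not DISA's or Palo Alto Networks' code) audits a configuration export for the pieces the Fix creates: at least one DoS Protection Profile, a rule from the internal zone(s) to the external zone(s) with action "Protect", classification by source IP, and all five flood protections enabled with thresholds in the referenced classified profile. The element names (profiles/dos-protection, flood/<type>/red or syn-cookies, rulebase/dos/rules, protection/classified) follow a PAN-OS running configuration and are assumptions; the sample configuration and its rate values are constructed.

```python
"""Added example: audit outbound DoS protection for PANW-IP-000018.

Element paths (profiles/dos-protection, flood/<type>/red, rulebase/dos/rules,
protection/classified) mirror a PAN-OS running configuration and are
assumptions; compare them against a real 'show config running' export.
"""
import xml.etree.ElementTree as ET

FLOODS = ("tcp-syn", "udp", "icmp", "icmpv6", "other-ip")
RATES = ("alarm-rate", "activate-rate", "maximal-rate")
VSYS_PATH = "./devices/entry/vsys/entry"


def _flood(tag, enable="yes", alarm=100, activate=200, maximal=500, duration=300):
    """One flood-protection element with Random Early Drop thresholds (sample only)."""
    return (f"<{tag}><enable>{enable}</enable><red>"
            f"<alarm-rate>{alarm}</alarm-rate><activate-rate>{activate}</activate-rate>"
            f"<maximal-rate>{maximal}</maximal-rate><block><duration>{duration}</duration></block>"
            f"</red></{tag}>")


# Constructed sample: one compliant rule/profile pair and one weak pair.
SAMPLE_CONFIG = f"""<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <profiles><dos-protection>
  <entry name="dos-outbound"><type>classified</type>
   <flood>{''.join(_flood(t) for t in FLOODS)}</flood></entry>
  <entry name="dos-weak"><type>classified</type>
   <flood>{_flood('tcp-syn')}{_flood('udp')}{_flood('icmp', enable='no')}</flood></entry>
 </dos-protection></profiles>
 <rulebase><dos><rules>
  <entry name="protect-outbound">
   <from><zone><member>trust</member></zone></from><to><zone><member>untrust</member></zone></to>
   <action><protect/></action>
   <protection><classified><profile>dos-outbound</profile>
    <classification-criteria><address>source-ip-only</address></classification-criteria>
   </classified></protection>
  </entry>
  <entry name="protect-dmz-outbound">
   <from><zone><member>dmz</member></zone></from><to><zone><member>untrust</member></zone></to>
   <action><protect/></action>
   <protection><classified><profile>dos-weak</profile>
    <classification-criteria><address>destination-ip-only</address></classification-criteria>
   </classified></protection>
  </entry>
 </rules></dos></rulebase>
</entry></vsys></entry></devices></config>"""


def profile_problems(profile):
    """Problems with one DoS Protection profile measured against the Fix."""
    problems = []
    if profile.findtext("type") != "classified":
        problems.append("type is not classified")
    for flood in FLOODS:
        node = profile.find(f"flood/{flood}")
        if node is None or node.findtext("enable") != "yes":
            problems.append(f"{flood} flood protection disabled")
            continue
        mech = node.find("red")
        if mech is None:
            mech = node.find("syn-cookies")   # SYN flood may use cookies instead of RED
        if mech is None:
            problems.append(f"{flood}: no thresholds configured")
            continue
        missing = [r for r in RATES if not mech.findtext(r)]
        if missing:
            problems.append(f"{flood}: missing {', '.join(missing)}")
        if mech.tag == "red" and int(mech.findtext("block/duration") or "0") <= 0:
            problems.append(f"{flood}: block duration not set")
    return problems


def audit_outbound_dos(config_xml, internal_zones, external_zones):
    """Findings for the internal -> external DoS rule(s) and their profiles."""
    root = ET.fromstring(config_xml)
    vsys = root.find(VSYS_PATH)
    profiles = {e.get("name"): e for e in vsys.iterfind("profiles/dos-protection/entry")}
    findings = [] if profiles else ["no DoS Protection Profiles configured"]
    covered = False
    for rule in vsys.iterfind("rulebase/dos/rules/entry"):
        src = {m.text for m in rule.iterfind("from/zone/member")}
        dst = {m.text for m in rule.iterfind("to/zone/member")}
        if not (src & internal_zones and dst & external_zones):
            continue
        covered, name = True, rule.get("name")
        if rule.find("action/protect") is None:
            findings.append(f"{name}: action is not protect")
        classified = rule.find("protection/classified")
        if classified is None:
            findings.append(f"{name}: not a classified rule")
            continue
        if classified.findtext("classification-criteria/address") != "source-ip-only":
            findings.append(f"{name}: classification address is not source-ip-only")
        profile = profiles.get(classified.findtext("profile"))
        if profile is None:
            findings.append(f"{name}: references an unknown profile")
            continue
        findings += [f"{name}/{profile.get('name')}: {p}" for p in profile_problems(profile)]
    if not covered:
        findings.append("no DoS rule covers internal -> external traffic")
    return findings


if __name__ == "__main__":
    for f in audit_outbound_dos(SAMPLE_CONFIG, {"trust", "dmz"}, {"untrust"}):
        print("FINDING:", f)
```

The thresholds in a classified profile are evaluated per classified address, here per source IP, so rates sized for aggregate traffic will never trip for one misbehaving host; size them for what a single internal endpoint should legitimately send, and watch the alarm rate in the Threat log for a while before relying on the block.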
V-62657 Updated
Findings ID: PANW-IP-000020 Rule ID: SV-77147r2_rule Severity: medium CCI: CCI-001662

Discussion

Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScript, VBScript, Java applets, ActiveX controls, Flash animations, Shockwave videos, and macros embedded within Microsoft Office documents. Mobile code can be exploited to attack a host. It can be sent as an e-mail attachment or embedded in other file formats not traditionally associated with executable code.

While the IDPS cannot replace the anti-virus and host-based IDS (HIDS) protection installed on the network's endpoints, vendor or locally created sensor rules can be implemented, which provide preemptive defense against both known and zero-day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and rules or blacklist updates are distributed by anti-virus or malicious code solution vendors.

Checks

Go to Objects >> Security Profiles >> Antivirus
If there are no Antivirus Profiles configured other than the default, this is a finding.

View the configured Antivirus Profiles; for each protocol decoder (SMTP, IMAP, POP3, FTP, HTTP, SMB), if the "Action" is anything other than "block", this is a finding.

Go to Policies >> Security
Review each of the configured security policies in turn. For any Security Policy that affects traffic from an outside (untrusted) zone, view the "Profile" column. If the "Profile" column does not display the Antivirus Profile symbol, this is a finding.

Fix

To create an Antivirus Profile:
Go to Objects >> Security Profiles >> Antivirus
Select "Add".
In the "Antivirus Profile" window, complete the required fields.
Complete the "Name" and "Description" fields.
In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the "Action" to "block".
Select "OK".

Use the Antivirus Profile in each Security Policy applied to traffic from an outside (untrusted) zone:
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions" tab, in the "Profile Setting" section, in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Antivirus" field, select the configured Antivirus Profile.
In the "Anti-Spyware" field, select the configured Anti-Spyware Profile.
In the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62659 No Change
Findings ID: PANW-IP-000024 Rule ID: SV-77149r1_rule Severity: medium CCI: CCI-001240

Discussion

Failing to update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs.

The IDPS is a key malicious code protection mechanism in the enclave infrastructure. To ensure this protection is responsive to changes in malicious code threats, IDPS components must be updated, including application software files, anti-virus signatures, detection heuristics, vendor-provided rules, and vendor-provided signatures.

Updates must be installed in accordance with the CCB procedures for the local organization. However, at a minimum:
Updates designated as critical security updates by the vendor must be installed immediately.
Updates for signature definitions, detection heuristics, and vendor-provided rules must be installed immediately.
Updates for application software are installed in accordance with the CCB procedures.
Prior to automatically installing updates, either manual or automated integrity and authentication checking is required, at a minimum, for application software updates.

Checks

Since some networks cannot connect to the vendor site for automatic updates, a manual process can be used.

To verify that the Palo Alto Networks security platform is using the current Applications and Threats database, view the Dashboard and compare the version and date with the latest release.
Go to Dashboard; in the General Information pane, view the Threat Version and Antivirus Version. If they are not the most current version as listed on the Palo Alto Networks support site, this is a finding.

The following check applies if the network is authorized to connect to the Vendor site for automatic updates.
To verify that automatic updates are configured,
Go to Device >> Dynamic Updates
If no entries for "Applications and Threats" are present, this is a finding.
If the "Applications and Threats" entry states "Download Only", this is a finding.

Fix

Go to Device >> Dynamic Updates
Select "Check Now" at the bottom of the page to retrieve the latest signatures.
To schedule automatic signature updates:
Note: the steps provided below do not account for local change management policies.

Go to Device >> Dynamic Updates
Select the text to the right of "Schedule".
In the "Applications and Threat Updates Schedule" window; complete the required information.
In the "Recurrence" field, select "Daily".
In the "Time" field, enter the time at which you want the device to check for updates.
For the "Action", select "Download and Install".
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
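The schedule check above, which is repeated under PANW-IP-000029 (V-62665), can be scripted against a configuration export, and the Dashboard version comparison can be made exact. The added example below (written for this page; not DISA's or Palo Alto Networks' code) assumes the update-schedule layout of a PAN-OS running configuration (deviceconfig/system/update-schedule/threats and anti-virus, each with a recurring/daily, weekly, hourly or every-30-mins element holding the action) and the NNNN-NNNN form of the content version strings shown on the Dashboard; those paths and the sample configuration are assumptions and constructed data. The "latest" version cannot be fetched offline, so it is passed in from whatever the support site currently lists.

```python
"""Added example: audit dynamic-update settings for PANW-IP-000024 / -000029.

Element paths mirror deviceconfig/system/update-schedule in a PAN-OS running
configuration and are assumptions; content versions are compared as the
NNNN-NNNN strings shown on the Dashboard.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: Applications and Threats daily with install,
# Antivirus hourly but download-only.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><deviceconfig><system>
 <update-schedule>
  <threats><recurring><daily><at>02:00</at><action>download-and-install</action></daily></recurring></threats>
  <anti-virus><recurring><hourly><at>15</at><action>download-only</action></hourly></recurring></anti-virus>
 </update-schedule>
</system></deviceconfig></entry></devices></config>"""

RECURRENCE_HOURS = {"every-30-mins": 0.5, "hourly": 1, "daily": 24, "weekly": 168}
_VERSION = re.compile(r"^(\d+)-(\d+)$")


def audit_update_schedule(config_xml, packages=("threats", "anti-virus")):
    """Findings per content package: no schedule, an action other than
    download-and-install, or a recurrence slower than the daily one the Fix
    prescribes."""
    root = ET.fromstring(config_xml)
    schedule = root.find(".//deviceconfig/system/update-schedule")
    findings = []
    for pkg in packages:
        recurring = schedule.find(f"{pkg}/recurring") if schedule is not None else None
        rec = None
        if recurring is not None:
            rec = next((c for c in recurring if c.tag in RECURRENCE_HOURS), None)
        if rec is None:
            findings.append(f"{pkg}: no automatic update schedule")
            continue
        action = rec.findtext("action")
        if action != "download-and-install":
            findings.append(f"{pkg}: action is {action!r}, not download-and-install")
        if RECURRENCE_HOURS[rec.tag] > 24:
            findings.append(f"{pkg}: recurrence {rec.tag} is slower than daily")
    return findings


def version_key(version):
    """Turn a content version such as '8101-5173' into a comparable tuple."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised content version {version!r}")
    return tuple(int(part) for part in m.groups())


def is_current(installed, latest):
    """True when the installed version is the latest one (or newer)."""
    return version_key(installed) >= version_key(latest)


if __name__ == "__main__":
    for f in audit_update_schedule(SAMPLE_CONFIG):
        print("FINDING:", f)
    # 'latest' comes from the support site; both values here are constructed.
    print("threat content current:", is_current("8099-5150", "8101-5173"))
```

The Antivirus schedule is checked alongside Applications and Threats because the Discussion requires signature updates to be installed immediately, even though the Check text names only the Applications and Threats entry; drop "anti-virus" from packages if the local procedure delivers antivirus content by the manual upload described below.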

If manual updates are used, an Administrator must obtain updates from the Palo Alto Networks support site and upload them from a workstation or server to the Palo Alto Networks security platform.
Go to Device >> Dynamic Updates
Select "Upload" (at the bottom of the pane).
In the "Select Package Type for the Upload" window in the "Package Type" field, select "anti-virus".
Browse to and select the appropriate file.
Select "OK".

Select "Install From File" (at the bottom of the pane).
In the "Select Package Type for Installation" window, select "antivirus".
Select "OK".

In the "Install Application and Threats From File" window, select the previously uploaded file.
Select "OK".
V-62661 Updated
Findings ID: PANW-IP-000026 Rule ID: SV-77151r2_rule Severity: medium CCI: CCI-001243

Discussion

Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Examples of mobile code include JavaScript, VBScript, Java applets, ActiveX controls, Flash animations, Shockwave videos, and macros embedded within Microsoft Office documents. Mobile code can be exploited to attack a host. It can be sent as an e-mail attachment or embedded in other file formats not traditionally associated with executable code.

While the IDPS cannot replace the anti-virus and host-based IDS (HIDS) protection installed on the network's endpoints, vendor or locally created sensor rules can be implemented, which provide preemptive defense against both known and zero-day vulnerabilities. Many of the protections may provide defenses before vulnerabilities are discovered and rules or blacklist updates are distributed by anti-virus or malicious code solution vendors.

The Palo Alto Networks security platform allows customized profiles to be used to perform antivirus inspection for traffic between zones.
Antivirus, anti-spyware, and vulnerability protection features require a specific license. There is a default Antivirus Profile; it inspects all of the listed protocol decoders for viruses, generating alerts for the SMTP, IMAP, and POP3 protocols while blocking for the FTP, HTTP, and SMB protocols. These default actions cannot be edited, and the "alert" action for SMTP, IMAP, and POP3 does not meet the requirement, so customized profiles must be used.

Checks

Go to Objects >> Security Profiles >> Antivirus
If there are no Antivirus Profiles configured other than the default, this is a finding.

View the configured Antivirus Profiles; for each protocol decoder (SMTP, IMAP, POP3, FTP, HTTP, SMB), if the "Action" is anything other than "block", this is a finding.

Go to Policies >> Security
Review each of the configured security policies in turn. For any Security Policy that affects traffic between internal Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile symbol, this is a finding.

Fix

To create an Antivirus Profile:
Go to Objects >> Security Profiles >> Antivirus
Select "Add".
In the "Antivirus Profile" window, complete the required fields.
Complete the "Name" and "Description" fields.
In the "Antivirus" tab, for all Decoders (SMTP, IMAP, POP3, FTP, HTTP, SMB protocols), set the "Action" to "block".
Select "OK".

Use the Antivirus Profile in each Security Policy applied to traffic between internal zones:
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions" tab, in the "Profile Setting" section, in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Antivirus" field, select the configured Antivirus Profile.
In the "Anti-Spyware" field, select the configured Anti-Spyware Profile.
In the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
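The checks for PANW-IP-000020 (traffic from an untrusted zone) and PANW-IP-000026 (traffic between internal zones) differ only in which rules are in scope; both come down to the decoder actions in the Antivirus Profile each rule references. The added example below (written for this page; not DISA's or Palo Alto Networks' code) performs both from a configuration export. It assumes the PAN-OS layout profiles/virus/entry/decoder/entry/action and rules that attach profiles directly (profile-setting/profiles/virus), and the sample configuration is constructed. The required action is a constant: this STIG writes "block", while PAN-OS 8.0 and later renamed the antivirus actions (drop, reset-client, reset-server, reset-both), so set REQUIRED_ACTION to the value your platform offers.

```python
"""Added example: audit Antivirus decoder actions for PANW-IP-000020 and
PANW-IP-000026.

Element paths mirror a PAN-OS running configuration and are assumptions.
REQUIRED_ACTION is 'block' as this STIG writes it; PAN-OS 8.0 and later
renamed the antivirus actions (drop, reset-client, reset-server, reset-both),
so set it to the value your platform offers.
"""
import xml.etree.ElementTree as ET

DECODERS = ("smtp", "imap", "pop3", "ftp", "http", "smb")
REQUIRED_ACTION = "block"
VSYS_PATH = "./devices/entry/vsys/entry"

# Constructed sample: two inbound rules, two internal rules, three AV profiles.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <profiles><virus>
  <entry name="av-block-all"><decoder>
   <entry name="smtp"><action>block</action></entry><entry name="imap"><action>block</action></entry>
   <entry name="pop3"><action>block</action></entry><entry name="ftp"><action>block</action></entry>
   <entry name="http"><action>block</action></entry><entry name="smb"><action>block</action></entry>
  </decoder></entry>
  <entry name="av-mail-alert"><decoder>
   <entry name="smtp"><action>alert</action></entry><entry name="imap"><action>alert</action></entry>
   <entry name="pop3"><action>alert</action></entry><entry name="ftp"><action>block</action></entry>
   <entry name="http"><action>block</action></entry><entry name="smb"><action>block</action></entry>
  </decoder></entry>
  <entry name="av-untouched"/>
 </virus></profiles>
 <rulebase><security><rules>
  <entry name="inbound-web"><from><member>untrust</member></from><to><member>dmz</member></to>
   <action>allow</action>
   <profile-setting><profiles><virus><member>av-block-all</member></virus></profiles></profile-setting></entry>
  <entry name="inbound-mail"><from><member>untrust</member></from><to><member>dmz</member></to>
   <action>allow</action>
   <profile-setting><profiles><virus><member>av-mail-alert</member></virus></profiles></profile-setting></entry>
  <entry name="trust-to-dmz"><from><member>trust</member></from><to><member>dmz</member></to>
   <action>allow</action>
   <profile-setting><profiles><virus><member>av-untouched</member></virus></profiles></profile-setting></entry>
  <entry name="dmz-to-trust"><from><member>dmz</member></from><to><member>trust</member></to>
   <action>allow</action></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def decoder_actions(profile):
    """Action per decoder; a decoder with no entry is left at PAN-OS 'default'."""
    actions = {d: "default" for d in DECODERS}
    for dec in profile.iterfind("decoder/entry"):
        actions[dec.get("name")] = dec.findtext("action", "default")
    return actions


def noncompliant_decoders(profile):
    return sorted(d for d, a in decoder_actions(profile).items() if a != REQUIRED_ACTION)


def audit_antivirus(config_xml, untrusted_zones, internal_zones):
    """Return (rule, requirement, detail) for in-scope allow rules whose
    Antivirus Profile is missing or does not block on every decoder.
    Rules that attach profiles through a Security Profile Group are not
    expanded here."""
    root = ET.fromstring(config_xml)
    vsys = root.find(VSYS_PATH)
    profiles = {e.get("name"): e for e in vsys.iterfind("profiles/virus/entry")}
    findings = []
    for rule in vsys.iterfind("rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        src = {m.text for m in rule.iterfind("from/member")}
        dst = {m.text for m in rule.iterfind("to/member")}
        if src & untrusted_zones:
            scope = "PANW-IP-000020 (from untrusted zone)"
        elif src <= internal_zones and dst <= internal_zones and src != dst:
            scope = "PANW-IP-000026 (between internal zones)"
        else:
            continue
        names = [m.text for m in rule.iterfind("profile-setting/profiles/virus/member")]
        if not names:
            findings.append((rule.get("name"), scope, "no Antivirus Profile attached"))
            continue
        for name in names:
            profile = profiles.get(name)
            if profile is None:   # predefined 'default' is not in the config tree
                findings.append((rule.get("name"), scope, f"{name}: not a custom profile"))
                continue
            bad = noncompliant_decoders(profile)
            if bad:
                findings.append((rule.get("name"), scope,
                                 f"{name}: decoders not set to {REQUIRED_ACTION}: {bad}"))
    return findings


if __name__ == "__main__":
    for rule, scope, detail in audit_antivirus(SAMPLE_CONFIG, {"untrust"}, {"trust", "dmz"}):
        print(f"FINDING [{scope}] rule {rule!r}: {detail}")
```

A decoder the administrator never touched is reported as "default" rather than as the action the default profile would apply, because the default actions are exactly what the Discussion says do not meet the requirement; the profile "av-untouched" in the sample shows that case.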
V-62663 No Change
Findings ID: PANW-IP-000028 Rule ID: SV-77153r1_rule Severity: medium CCI: CCI-001243

Discussion

Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.

The IDPS generates an immediate (within seconds) alert which notifies designated personnel of the incident. Sending a message to an unattended log or console does not meet this requirement since that will not be seen immediately. These messages should include a severity level indicator or code as an indicator of the criticality of the incident.

When the Palo Alto Networks security platform blocks malicious code, it also generates a record in the threat log. This message has a medium severity.

Checks

The following is an example of how to check if the device is sending messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to verify that function.
Go to Device >> Server Profiles >> Email
If there is no Email Server Profile configured, this is a finding.

Go to Objects >> Log forwarding
If there is no Email Forwarding Profile configured, this is a finding.

Go to Policies >> Security
View the Security Policy that is used to detect malicious code (the "Profile" column displays the Antivirus Profile symbol); in the "Options" column, if the Log Forwarding Profile that forwards to email is not used, this is a finding.

Fix

The following is an example of how to configure the device to send messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to configure that function.

To create an email server profile:
Go to Device >> Server Profiles >> Email
Select "Add".
In the "Name" field, enter the name of the Email Server Profile.
In the "Servers" tab, select "Add" and enter the required information.
In the "Name" field, enter the name of the Email server.
In the "Email Display" Name field, enter the name shown in the "From" field of the email.
In the "From" field, enter the "From email address".
In the "To" field, enter the email address of the recipient.
In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.
In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.
Select "OK".

After you create the Server Profiles that define where to send your logs, you must enable log forwarding.
Threat Logs—Enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection).

Configure the log-forwarding profile to select the logs to be forwarded to Email server.
Go to Objects >> Log forwarding
The "Log Forwarding Profile" window appears. Note that it has five columns.
In the "Name" Field, enter the name of the Log Forwarding Profile.
In the "Threat Settings Section" in the "Email" column, select the Email server profile for forwarding threat logs to the configured server(s).
Select "OK".

When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile.
For Threat Logs, use the log forwarding profile in the security rules.
Go to Policies >> Security
Select the rule to which log forwarding needs to be applied, which in this case is the Security Policy used to detect malicious code (the "Profile" column displays the Antivirus Profile symbol). Apply the log forwarding profile to the rule.
In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from drop-down list. Note that the "Log Forwarding" field can only have one profile.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62665 No Change
Findings ID: PANW-IP-000029 Rule ID: SV-77155r1_rule Severity: medium CCI: CCI-001247

Discussion

Failing to automatically update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploitation by recently developed attack methods and programs. An automatic update process ensures this important task is performed without the need for SCA intervention.

The IDPS is a key malicious code protection mechanism in the enclave infrastructure. To ensure this protection is responsive to changes in malicious code threats, IDPS components must be automatically updated, including anti-virus signatures, detection heuristics, vendor-provided rules, and vendor-provided signatures.

If a DoD patch management server or update repository having the tested/verified updates is available for the device component, the components must be configured to automatically check this server/site for updates and install new updates.

If a DoD server/site is not available, the component must be configured to automatically check a trusted vendor site for updates. A trusted vendor is either commonly used by DoD, specifically approved by DoD, the vendor from which the equipment was purchased, or approved by the local program's CCB.

Checks

To verify that automatic updates are configured:
Go to Device >> Dynamic Updates

If no entries for "Applications and Threats" are present, this is a finding.

If the "Applications and Threats" entry states "Download Only", this is a finding.

Fix

Go to Device >> Dynamic Updates
Select "Check Now" at the bottom of the page to retrieve the latest signatures.
To schedule automatic signature updates:
Note: the steps provided below do not account for local change management policies.

Go to Device >> Dynamic Updates
Select the text to the right of "Schedule".
In the "Applications and Threat Updates Schedule" window, complete the required information.
In the "Recurrence" field, select "Daily".
In the "Time" field, enter the time at which you want the device to check for updates.
For the "Action", select "Download and Install".
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62667 No Change
Findings ID: PANW-IP-000030 Rule ID: SV-77157r1_rule Severity: medium CCI: CCI-001312

Discussion

Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messages can also provide host information and network topology that may be exploited by an attacker.

Three ICMP messages are commonly used by attackers for network mapping: Destination Unreachable, Redirect, and Address Mask Reply. These responses must be blocked on external interfaces; however, blocking the Destination Unreachable response will prevent Path Maximum Transmission Unit Discovery (PMTUD), which relies on the response "ICMP Destination Unreachable--Fragmentation Needed but DF Bit Set". PMTUD is a useful function and should only be "broken" after careful consideration.

An acceptable alternative to blocking all Destination Unreachable responses is to filter Destination Unreachable messages generated by the IDPS to allow ICMP Destination Unreachable-Fragmentation Needed but DF Bit Set (Type 3, Code 4) and apply this filter to the external interfaces.

Checks

Ask the Administrator if any security policy allows ICMP from an internal zone or DMZ to an outside zone. If there is none, this is not a finding.

If there is a security policy that allows ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.

Go to Objects >> Applications; if there are not three custom Applications to identify ICMP Type 3, 5, and 18, this is a finding.

Go to Policies >> Security; if there is no Security Policy using these three custom Applications with the resulting action of "deny", this is a finding.

This Security Policy must appear above any Security Policy that allows ICMP from an internal zone or DMZ to an outside zone; if it does not, this is a finding.

Fix

Note: The interzone-default rule action is deny, so unless ICMP is specifically allowed by a policy, it will be denied. If there is an explicit security policy configured allowing ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.

Create three custom Applications to identify ICMP Type 3, 5, and 18:
Go to Objects >> Applications
Select "Add".
In the "Application" window, complete the required fields.
In the "Configuration" tab, in the "General" section, complete the "Name" and "Description" fields.
In the Configuration tab, in the Properties section, for Category, select networking, for Subcategory, select infrastructure, and for Technology, select network-protocol.
In the "Advanced" tab, in the "Defaults" section, select "ICMP Type" and enter "3", since ICMP Destination Unreachable is Type 3.
Select "OK".
Repeat this procedure two more times, using ICMP Type values of 5 and 18, since ICMP Redirect is Type 5 and ICMP Address Mask Reply is Type 18.
Use these three Application filters in a Security Policy.

To configure the security policy:
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields. Select "interzone" for the Rule Type.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
For the "Source Zone" field, select "internal".
For the "Source Address" field, select "any".
In the "Destination" tab, for the "Destination Address" field, select "any".
Note: The "Destination Zone" window will be grayed out (unable to enter parameters).

In the "Applications" tab, select the three application filters configured above.
In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
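The ordering condition in the V-62667 check (the deny rule for ICMP Types 3, 5 and 18 must sit above any rule that allows ICMP outbound) and the PMTUD alternative from the Discussion, modelled as a first-match rulebase. This is an added example, not part of the STIG or of PAN-OS; the zone names "internal" and "external", the rule names and the packets are constructed for illustration.

```python
# Added example, not part of the STIG or of PAN-OS: a first-match model of
# the V-62667 rule ordering. Zone names ("internal", "external"), rule names
# and the packets are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# ICMP message types the STIG requires to be denied outbound
ICMP_DEST_UNREACHABLE = 3
ICMP_REDIRECT = 5
ICMP_ADDRESS_MASK_REPLY = 18
FRAG_NEEDED_CODE = 4  # Type 3 / Code 4 is the message PMTUD depends on


@dataclass(frozen=True)
class IcmpPacket:
    src_zone: str
    dst_zone: str
    icmp_type: int
    icmp_code: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset              # empty means any zone (an interzone rule)
    icmp_match: Optional[frozenset]  # {(type, code-or-None)}; None = built-in "icmp", any type
    action: str                      # "allow" or "deny"


def rule_matches(rule: Rule, pkt: IcmpPacket) -> bool:
    if pkt.src_zone not in rule.from_zones:
        return False
    if rule.to_zones and pkt.dst_zone not in rule.to_zones:
        return False
    if rule.icmp_match is None:
        return True
    return any(t == pkt.icmp_type and c in (None, pkt.icmp_code)
               for t, c in rule.icmp_match)


def evaluate(rulebase, pkt: IcmpPacket):
    """First matching rule wins; unmatched interzone traffic falls through
    to the implicit interzone-default rule, whose action is deny."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "interzone-default", "deny"


def audit_icmp_mapping(rulebase, src_zone="internal", dst_zone="external"):
    """Return the mapping-message types the rulebase would still allow
    outbound as (type, rule name) pairs; an empty list means the V-62667
    ordering condition holds."""
    leaks = []
    for icmp_type in (ICMP_DEST_UNREACHABLE, ICMP_REDIRECT, ICMP_ADDRESS_MASK_REPLY):
        name, action = evaluate(rulebase, IcmpPacket(src_zone, dst_zone, icmp_type))
        if action == "allow":
            leaks.append((icmp_type, name))
    return leaks


# The three custom Applications from the Fix, combined in one interzone deny rule
DENY_MAPPING = Rule("deny-icmp-mapping", frozenset({"internal"}), frozenset(),
                    frozenset({(3, None), (5, None), (18, None)}), "deny")
# An explicit rule allowing ICMP outbound, the situation the check asks about
ALLOW_ICMP = Rule("allow-outbound-icmp", frozenset({"internal"}),
                  frozenset({"external"}), None, "allow")
# The Discussion's alternative: let Type 3 / Code 4 through so PMTUD keeps working
ALLOW_FRAG_NEEDED = Rule("allow-frag-needed", frozenset({"internal"}), frozenset(),
                         frozenset({(ICMP_DEST_UNREACHABLE, FRAG_NEEDED_CODE)}), "allow")

COMPLIANT = [DENY_MAPPING, ALLOW_ICMP]      # deny sits above the allow
NONCOMPLIANT = [ALLOW_ICMP, DENY_MAPPING]   # allow shadows the deny: a finding
PMTUD_SAFE = [ALLOW_FRAG_NEEDED, DENY_MAPPING, ALLOW_ICMP]

if __name__ == "__main__":
    for label, rb in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT),
                      ("pmtud-safe", PMTUD_SAFE)):
        print(label, audit_icmp_mapping(rb))
```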
V-62669 No Change
Findings ID: PANW-IP-000031 Rule ID: SV-77159r1_rule Severity: medium CCI: CCI-001312

Discussion

Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, ICMP can be misused to provide a covert channel. ICMP tunneling is when an attacker injects arbitrary data into an echo packet and sends it to a remote computer. The remote computer injects an answer into another ICMP packet and sends it back. This creates a covert channel where an attacker can hide commands sent to a compromised host or a compromised host can exfiltrate data.

Checks

Ask the Administrator which Security Policy blocks traceroutes and ICMP probes.
Go to Policies >> Security
View the identified Security Policy.

If the "Source Zone" field is not external and the "Source Address" field is not any, this is a finding.

If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not "any", this is a finding.
Note: the exact number and name of zones is specific to the network.

If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding.

If the "Actions" field does not show "Deny" as the resulting action, this is a finding.

Fix

To configure the security policy:
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
For the "Source Zone" field, select "external".
For the "Source Address" field, select "any".
In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields.
For the "Destination Zone" field, select the internal and DMZ zones.
Note: the exact number and name of zones is specific to the network.

For the "Destination Address" field, select "any".
In the "Applications" tab, select "icmp", "ipv6-icmp", "traceroute".
In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62671 No Change
Findings ID: PANW-IP-000032 Rule ID: SV-77161r1_rule Severity: medium CCI: CCI-002346

Discussion

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack databases may result in the compromise of information.

Injection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections.

IDPS component(s) with the capability to prevent code injections must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.

Checks

Go to Objects >> Security Profiles >> Vulnerability Protection
If there are no Vulnerability Protection Profiles configured, this is a finding.

Ask the Administrator which Vulnerability Protection Profile is used to protect database assets by blocking and alerting on attacks.
View the configured Vulnerability Protection Profile; check the "Severity" and "Action" columns.

If the Vulnerability Protection Profile used for database protection does not block all critical, high, and medium threats, this is a finding.

If the Vulnerability Protection Profile used for database protection does not alert on low and informational threats, this is a finding.

Ask the Administrator which Security Policy is used to protect database assets.
Go to Policies >> Security
View the configured Security Policy; view the "Profile" column.

If the "Profile" column does not display the Vulnerability Protection Profile symbol, this is a finding.

Moving the cursor over the symbol will list the exact Vulnerability Protection Profiles applied.

If the specific Vulnerability Protection Profile is not listed, this is a finding.

Fix

Create and apply a Vulnerability Protection Profile to protect database assets by blocking and alerting on attacks. This profile has two rules; the first blocks critical, high, and medium threats, and the second alerts on low and informational threats.
Go to Objects >> Security Profiles >> Vulnerability Protection
Select "Add".
In the "Vulnerability Protection Profile" window, complete the required fields.
In the "Name" field, enter the name of the Vulnerability Protection Profile.
In the "Description" field, enter the description of the Vulnerability Protection Profile.
In the "Rules" tab, select "Add".
In the "Vulnerability Protection Rule" window, complete the required fields.
In the "Rule Name" field, enter the Rule name.
In the "Threat Name" field, select "any".
In the "Action" field, select "block".
In the "Host type" field, select "server".
Select the checkboxes above the "CVE" and "Vendor ID" boxes.
In the "Severity" section, select the "critical", "high", and "medium" check boxes.
Select "OK".

In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK".
Add a second rule that alerts on low and informational threats.

Apply the Vulnerability Protection Profile to the Security Policy Rules permitting traffic to the databases.
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62673 No Change
Findings ID: PANW-IP-000033 Rule ID: SV-77163r1_rule Severity: medium CCI: CCI-002346

Discussion

Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack applications may result in the compromise of information.

Injection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.

IDPS component(s) with the capability to prevent code injections must be included in the IDPS implementation to protect against unauthorized data mining. These components must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses.

Checks

Go to Objects >> Security Profiles >> Vulnerability Protection

If there are no Vulnerability Protection Profiles configured, this is a finding.

Ask the Administrator which Vulnerability Protection Profile is used to protect application assets by blocking and alerting on attacks.
View the configured Vulnerability Protection Profile; check the "Severity" and "Action" columns.

If the Vulnerability Protection Profile used for database protection does not block all critical, high, and medium threats, this is a finding.

If the Vulnerability Protection Profile used for database protection does not alert on low and informational threats, this is a finding.

Ask the Administrator which Security Policy is used to protect application assets.
Go to Policies >> Security
View the configured Security Policy; view the "Profile" column.

If the "Profile" column does not display the Vulnerability Protection Profile symbol, this is a finding.

Moving the cursor over the symbol will list the exact Vulnerability Protection Profiles applied.

If the specific Vulnerability Protection Profile is not listed, this is a finding.

Fix

Set a unique hostname.
Go to Device >> Setup >> Management
In the "General Settings" window, select the "Edit" icon (the gear symbol in the upper-right corner of the pane).
In the "General Settings" window, in the "hostname" field; enter a unique hostname.
V-62675 No Change
Findings ID: PANW-IP-000039 Rule ID: SV-77165r1_rule Severity: low CCI: CCI-001851

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised.

This also prevents the log records from being lost if the logs stored locally are accidentally or intentionally deleted, altered, or corrupted.

Checks

To view a syslog server profile:
Go to Device >> Server Profiles >> Syslog

If there are no Syslog Server Profiles present, this is a finding.

Select each Syslog Server Profile; if no server is configured, this is a finding.

View the log-forwarding profile to determine which logs are forwarded to the syslog server.
Go to Objects >> Log forwarding

If no Log Forwarding Profile is present, this is a finding.

The "Log Forwarding Profile" window has five columns.

If there are no Syslog Server Profiles present in the "Syslog" column for the Traffic Log Type, this is a finding.

If there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding.

Go to Device >> Log Settings >> System Logs
The list of Severity levels is displayed.

If any of the Severity levels does not have a configured Syslog Profile, this is a finding.

Go to Device >> Log Settings >> Config Logs

If the "Syslog" field is blank, this is a finding.

Fix

To create a syslog server profile:
Go to Device >> Server Profiles >> Syslog
Select "Add".
In the Syslog Server Profile, enter the name of the profile.
Select "Add".
In the "Servers" tab, enter the required information.
Name: Name of the syslog server
Server: Server IP address where the logs will be forwarded to
Port: Default port 514
Facility: Select from the drop-down list
Select "OK".

After you create the Server Profiles that define where to send your logs, you must enable log forwarding.
The way to enable forwarding depends on the log type:
Traffic Logs—Enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded.
Configure the log-forwarding profile to select the logs to be forwarded to the syslog server.
Go to Objects >> Log forwarding
The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s).
Select "OK".

When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile.
Threat Logs—You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection).
Configure the log-forwarding profile to select the logs to be forwarded to the syslog server.
Go to Objects >> Log forwarding
The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s).
Select "OK".

When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile.
System Logs—You enable forwarding of System logs by specifying a Server Profile in the log settings configuration.
Go to Device >> Log Settings >> System Logs
The list of severity levels is displayed.

Select a Server Profile for each severity level to forward.
Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear.
In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured Server Profile.
Select "OK".

Config Logs—You enable forwarding of Config logs by specifying a Server Profile in the log settings configuration.
Go to Device >> Log Settings >> Config Logs
Select the "Edit" icon (the gear symbol in the upper-right corner of the pane).
In the "Log Settings Config" window, in the "Syslog" drop-down box, select the configured Server Profile.
Select "OK".

For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules.
Go to Policies >> Security Rule
Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.
Go to Actions >> Log forwarding
Select the log forwarding profile from the drop-down list.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62677 No Change
Findings ID: PANW-IP-000041 Rule ID: SV-77167r1_rule Severity: medium CCI: CCI-002385

Discussion

If the network does not provide safeguards against DoS attack, network resources will be unavailable to users.

Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.

Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks which are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components.

This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

Checks

Go to Objects >> Security Profiles >> DoS Protection
If there are no DoS Protection Profiles configured, this is a finding.

Go to Policies >> DoS Protection
If there are no DoS Protection Policies, this is a finding.

There may be more than one configured DoS Protection Policy; ask the Administrator which DoS Protection Policy is intended to protect internal networks and DMZ networks from externally-originated DoS attacks.

If there is no such DoS Protection Policy, this is a finding.

If the DoS Protection Policy has no DoS Protection Profile, this is a finding.

Fix

Go to Objects >> Security Profiles >> DoS Protection
Select "Add" to create a new profile.
In the "DoS Protection Profile" window, complete the required fields.
For the "Type", select "Classified".
In the "Flood Protection" tab, "Syn Flood" tab, select the "Syn Flood" check box and select "SYN Cookie".
In the "Flood Protection" tab, "UDP Flood" tab, select the "UDP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "ICMP Flood" tab, select the "ICMP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "ICMPv6 Flood" tab, select the "ICMPv6 Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "Other IP Flood" tab, select the "Other IP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Resources Protection" tab, select the "Maximum Concurrent Sessions" check box.
In the "Resources Protection" tab, complete the "Max Concurrent Sessions" field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied. If the DoS profile type is classified, this limit applies to the entire traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS rule on which the DoS profile is applied.
Select "OK".

Go to Policies >> DoS Protection
Select "Add" to create a new policy.
In the "DoS Rule" Window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields.
In the "Source" tab, for "Zone", select the internal zone; for "Source Address", select "Any".
In the "Destination" tab, for "Zone", select the external zone; for "Destination Address", select "Any".
In the "Option/Protection" tab,
For "Service", select "Any".
For "Action", select "Protect".
Select the "Classified" check box.
In the "Profile" field, select the configured DoS Protection profile for inbound traffic.
In the "Address" field, select "destination-ip-only".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
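The "Alarm Rate", "Activate Rate", "Max Rate" and "Block Duration" fields of the V-62677 DoS Protection Profile, applied on a classified (destination-ip-only) basis, worked through as a per-second rate model. This is an added example, not part of the STIG or of PAN-OS's own algorithm (it drops deterministically where a real sensor uses random early drop); the thresholds, addresses and timestamps are constructed.

```python
# Added example, not part of the STIG or of PAN-OS: a simplified per-second
# model of the classified (destination-ip-only) flood thresholds that the
# V-62677 DoS Protection Profile asks for. The threshold values, the
# destination addresses and the packet timestamps are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodThresholds:
    alarm_rate: int      # packets/second at which an alarm is logged
    activate_rate: int   # packets/second above which the sensor starts dropping
    max_rate: int        # packets/second above which the key is blocked outright
    block_duration: int  # seconds the key stays blocked once max_rate is exceeded


@dataclass
class KeyState:
    window: int = -1        # the one-second window being counted
    count: int = 0          # packets seen in that window
    blocked_until: int = 0  # first second at which the key is unblocked again
    alarmed: bool = False   # alarm already raised for this window


class ClassifiedFloodGuard:
    """Counts packets per classification key (here the destination IP) and
    applies the thresholds in order: alarm, then drop, then block. Real
    sensors use random early drop between activate and max rate; this model
    drops deterministically so the outcome is reproducible."""

    def __init__(self, thresholds: FloodThresholds):
        self.th = thresholds
        self.state = defaultdict(KeyState)
        self.alarms = []  # (second, key) pairs: what the Alarm Rate would log

    def handle(self, dst_ip: str, ts: float) -> str:
        """Return "forward", "drop" or "blocked" for one packet to dst_ip."""
        sec = int(ts)
        s = self.state[dst_ip]
        if sec < s.blocked_until:
            return "blocked"
        if sec != s.window:  # new one-second window: reset the counter
            s.window, s.count, s.alarmed = sec, 0, False
        s.count += 1
        if s.count >= self.th.alarm_rate and not s.alarmed:
            s.alarmed = True
            self.alarms.append((sec, dst_ip))
        if s.count > self.th.max_rate:
            s.blocked_until = sec + 1 + self.th.block_duration
            return "blocked"
        if s.count > self.th.activate_rate:
            return "drop"
        return "forward"


def simulate(thresholds: FloodThresholds, packets):
    """Run a constructed packet stream [(dst_ip, timestamp), ...] through the
    guard and return per-verdict counts plus the alarms raised."""
    guard = ClassifiedFloodGuard(thresholds)
    counts = {"forward": 0, "drop": 0, "blocked": 0}
    for dst_ip, ts in packets:
        counts[guard.handle(dst_ip, ts)] += 1
    return counts, guard.alarms


# Constructed scenario: 200 packets to one host inside a single second (a
# flood), a few packets to a second host, then one probe of the flooded host
# during its block window and one after the window has expired.
THRESHOLDS = FloodThresholds(alarm_rate=50, activate_rate=100, max_rate=150, block_duration=5)
FLOOD = [("10.0.0.5", 100 + i / 1000) for i in range(200)]
BACKGROUND = [("10.0.0.6", 100 + i / 10) for i in range(3)]
PROBES = [("10.0.0.5", 103.0), ("10.0.0.5", 106.0)]

if __name__ == "__main__":
    print(simulate(THRESHOLDS, FLOOD + BACKGROUND + PROBES))
```

Because the classification key is the destination IP, the second host is unaffected by the flood against the first, which is the point of "destination-ip-only" classification.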
V-62679 No Change
Findings ID: PANW-IP-000043 Rule ID: SV-77169r1_rule Severity: medium CCI: CCI-002385

Discussion

If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users.

Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage.

Detection components that use signatures can detect known attacks by using known attack signatures. Signatures are usually obtained from and updated by the IDPS component vendor. These attacks include SYN-flood, ICMP-flood, and Land Attacks.

This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

Checks

Go to Objects >> Security Profiles >> Vulnerability Protection
If there are no Vulnerability Protection Profiles configured, this is a finding.

Ask the Administrator which Vulnerability Protection Profile is used for interzone traffic.
View the configured Vulnerability Protection Profiles; check the "Severity" and "Action" columns.
If the Vulnerability Protection Profile used for interzone traffic does not block all critical, high, and medium threats, this is a finding.

Go to Policies >> Security
Review each of the configured security policies in turn.
For any Security Policy that affects traffic between Zones (interzone), view the Profile column. If the Profile column does not display the Vulnerability Protection Profile symbol, this is a finding.

Fix

To create a Vulnerability Protection Profile:
Go to Objects >> Security Profiles >> Vulnerability Protection
Select "Add".
In the "Vulnerability Protection Profile" window, complete the required fields.
In the "Name" field, enter the name of the Vulnerability Protection Profile.
In the "Description" field, enter the description of the Vulnerability Protection Profile.
In the "Rules" tab, select "Add".
In the "Vulnerability Protection Rule" window, complete the required fields.
In the "Rule Name" field, enter the Rule name.
In the "Threat Name" field, select "any".
In the "Action" field, select "block".
In the "Host type" field, select "any".
Select the checkboxes above the "CVE" and "Vendor ID" boxes.
In the "Severity" section, select the "critical", "high", and "medium" check boxes.
Select "OK".

In the "Vulnerability Protection Profile" window, select the configured rule, then select "OK".
Use the Profile in a Security Policy;
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
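The two-rule profile from the V-62671 Fix and the block-only interzone profile from the V-62679 Fix, modelled as ordered rule lists and audited against the conditions their checks state (critical, high and medium blocked; low and informational alerted on). This is an added example, not part of the STIG or of PAN-OS; the rule names and profiles are constructed, and the "host type" handling is a simplification of how the profile scopes a rule to the server or client side.

```python
# Added example, not part of the STIG or of PAN-OS: a Vulnerability
# Protection Profile modelled as an ordered rule list, with an audit of the
# conditions that the V-62671 and V-62679 checks state. Rule names and the
# profiles are constructed.
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low", "informational")
MUST_BLOCK = frozenset({"critical", "high", "medium"})
MUST_ALERT = frozenset({"low", "informational"})


@dataclass(frozen=True)
class VulnRule:
    name: str
    severities: frozenset   # the Severity check boxes selected in the rule
    action: str             # "block", "alert", "allow" or "default"
    host_type: str = "any"  # "any", "server" or "client"


@dataclass(frozen=True)
class Threat:
    severity: str
    host_type: str          # which side of the session the signature protects


def resolve_action(rules, threat: Threat) -> str:
    """The first rule whose severity and host type match decides; a threat
    that matches no rule is left to the signature's vendor default."""
    for rule in rules:
        if threat.severity in rule.severities and rule.host_type in ("any", threat.host_type):
            return rule.action
    return "default"


def audit_profile(rules, host_type="server", require_alerts=True):
    """Return the findings the check would raise for threats against the
    given host type. V-62671 requires both the block and the alert
    condition; V-62679 states only the block condition (require_alerts=False)."""
    findings = []
    for severity in SEVERITIES:
        action = resolve_action(rules, Threat(severity, host_type))
        if severity in MUST_BLOCK and action != "block":
            findings.append(f"{severity} threats are '{action}', not blocked")
        elif require_alerts and severity in MUST_ALERT and action != "alert":
            findings.append(f"{severity} threats are '{action}', not alerted on")
    return findings


# The V-62671 profile: rule 1 blocks critical/high/medium on servers,
# rule 2 alerts on low/informational.
DATABASE_PROFILE = [
    VulnRule("block-serious", MUST_BLOCK, "block", host_type="server"),
    VulnRule("alert-minor", MUST_ALERT, "alert", host_type="server"),
]
# The V-62679 interzone profile uses host type "any" and only blocks.
INTERZONE_PROFILE = [VulnRule("block-serious", MUST_BLOCK, "block")]
# A misordered profile: a catch-all alert rule placed first shadows the block rule.
SHADOWED_PROFILE = [
    VulnRule("alert-all", frozenset(SEVERITIES), "alert"),
    VulnRule("block-serious", MUST_BLOCK, "block"),
]

if __name__ == "__main__":
    print("database/server:", audit_profile(DATABASE_PROFILE))
    print("database/client:", audit_profile(DATABASE_PROFILE, host_type="client"))
    print("interzone:", audit_profile(INTERZONE_PROFILE, require_alerts=False))
    print("shadowed:", audit_profile(SHADOWED_PROFILE))
```

Auditing the V-62671 profile with host_type="client" shows the caveat of scoping both rules to "server": client-side threats fall through to the vendor default and the audit reports every severity.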
V-62681 No Change
Findings ID: PANW-IP-000045 Rule ID: SV-77171r1_rule Severity: medium CCI: CCI-002656

Discussion

An integrated, network-wide intrusion detection capability increases the ability to detect and prevent sophisticated distributed attacks based on access patterns and characteristics of access.

Integration is more than centralized logging and a centralized management console. The enclave's monitoring capability may include multiple sensors, IPS, sensor event databases, behavior-based monitoring devices, application-level content inspection systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Some tools may monitor external traffic while others monitor internal traffic at key boundaries.

These capabilities may be implemented using different devices and therefore can have different security policies and severity-level schema. This is valuable because content filtering, monitoring, and prevention can become a bottleneck on the network if not carefully configured.

Checks

Go to Device >> Server Profiles >> NetFlow
If no NetFlow Server Profiles are configured, this is a finding.

This step assumes that it is an Ethernet interface that is being monitored. The verification is the same for Ethernet, VLAN, Loopback and Tunnel interfaces. Ask the Administrator which interface is being monitored; there may be more than one.
Go to Network >> Interfaces >> Ethernet
Select the interface that is being monitored.
If the "NetFlow Profile" field is "None", this is a finding.

Fix

To create a NetFlow Server Profile:
Go to Device >> Server Profiles >> NetFlow
Select "Add".
In the "NetFlow Server Profile" window, complete the required fields.
In the "Name" field, enter the name of the NetFlow Server Profile.
In the "Minutes" field, enter the number of minutes after which the NetFlow template is refreshed.
In the "Packets" field, enter the number of packets after which the NetFlow template is refreshed.
In the "Active Timeout" field, enter the frequency (in minutes) the device exports records.
Select the "PAN-OS Field Types" check box to export "App-ID" and "User-ID" fields.
Select "Add" to add a NetFlow collector.
In the "Name" field, enter the name of the server.
In the "NetFlow Server" field, enter the hostname or IP address of the server.
In the "Port" field enter the port used by the NetFlow collector (default 2055).
Select "OK".

Assign the NetFlow server profile to the interfaces that carry the traffic to be analyzed. These steps assume that it is one of the Ethernet interfaces. The configuration is the same for Ethernet, VLAN, Loopback and Tunnel interfaces.
Go to Network >> Interfaces >> Ethernet
Select the interface that the traffic traverses.
In the "Ethernet Interface" window, in the "NetFlow Profile" field, select the configured NetFlow Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62683 No Change
Findings ID: PANW-IP-000046 Rule ID: SV-77173r1_rule Severity: medium CCI: CCI-002683

Discussion

Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.

Examples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing.

To comply with this requirement, the IDPS may be configured to detect services either directly or indirectly (i.e., by detecting traffic associated with a service).

Checks

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policy that denies traffic associated with it and logs the denied traffic.

If there is no list of unauthorized network services, this is a finding.

If there are no configured security policies that specifically match the list of unauthorized network services, this is a finding.

If the security policies do not deny the traffic associated with the unauthorized network services, this is a finding.

Fix

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that denies traffic associated with it and logs the denied traffic.

To create or edit a Security Policy:
Go to Policies >> Security
Select "Add" to create a new security policy or select the name of the security policy to edit it.
Configure the specific parameters of the policy by completing the required information in the fields of each tab.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62685 No Change
Findings ID: PANW-IP-000047 Rule ID: SV-77175r1_rule Severity: medium CCI: CCI-002684

Discussion

Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.

Examples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing.

Checks

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policies that deny traffic associated with it and log the denied traffic.

To verify if a Security Policy logs denied traffic:
Go to Policies >> Security
Select the name of the security policy to view it.

In the "Actions" tab, in the "Log Setting" section, if neither the "Log at Session Start" nor the "Log at Session End" check boxes are checked, this is a finding.

Fix

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that denies traffic associated with it and logs the denied traffic.

To configure a Security Policy to log denied traffic:
Go to Policies >> Security
Select "Add" to create a new security policy or select the name of the security policy to edit it.
Configure the specific parameters of the policy by completing the required information in the fields of each tab.
In the "Actions" tab, select the Log forwarding profile and select "Log at Session End".
"Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.
V-62687 No Change
Findings ID: PANW-IP-000048 Rule ID: SV-77177r1_rule Severity: medium CCI: CCI-002684

Discussion

Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.

Automated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via electronic mail, via text message, or via websites).

The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.

Checks

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, view the security policies that deny traffic associated with it and log the denied traffic.
Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).

View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.

View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile.
View the Security Policies that are used to block unauthorized network services.
Go to Policies >> Security
Select the name of the security policy to view it.
In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile.

If there is no Log Forwarding Profile, this is a finding.

Fix

Obtain the list of network services that have not been authorized or approved by the ISSM and ISSO. For each prohibited network service, configure a security policy that generates an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected.
Configure a Server Profile for use with Log Forwarding Profile(s); if email is used, the ISSO and ISSM must be recipients.

To create an email server profile:
Go to Device >> Server Profiles >> Email
Select "Add".
In the Email Server Profile, enter the name of the profile.
Select "Add".
In the "Servers" tab, enter the required information:
In the "Name" field, enter the name of the Email server
In the "Email Display Name" field, enter the name shown in the "From" field of the email.
In the "From" field, enter the From email address.
In the "To" field, enter the email address of the recipient.
In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.
In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.
Select "OK".

Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding.
Go to Policies >> Security
Select "Add" to create a new security policy or select the name of the security policy to edit it.
Configure the specific parameters of the policy by completing the required information in the fields of each tab.
In the "Actions" tab, select the Log forwarding profile and select "Log at Session End".
"Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.
V-62689 No Change
Findings ID: PANW-IP-000049 Rule ID: SV-77179r1_rule Severity: medium CCI: CCI-002661

Discussion

If inbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against.

Although some of the components in the site's content scanning solution may be used for periodic scanning assessment, the IDPS sensors and other components must provide continuous, 24 hours a day, 7 days a week monitoring.

Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, use of unusual protocols and ports, and communications with suspected or known malicious external entities.

Checks

Obtain the network architecture diagrams and identify where traffic crosses from one internal zone to another and review the configuration of the Palo Alto Networks security platform.
The specific security policy is based on the authorized endpoints, applications, and protocols.

If it does not filter traffic passing between zones, this is a finding.

Fix

The network architecture diagrams must identify where traffic crosses from one internal zone to another. The specific security policy is based on the authorized endpoints, applications, and protocols.

To create or edit a Security Policy:
Go to Policies >> Security
Select "Add" to create a new security policy or select the name of the security policy to edit it.
Configure the specific parameters of the policy by completing the required information in the fields of each tab.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62691 No Change
Findings ID: PANW-IP-000050 Rule ID: SV-77181r1_rule Severity: medium CCI: CCI-002662

Discussion

If outbound communications traffic is not continuously monitored for unusual/unauthorized activities or conditions, there will be times when hostile activity may not be noticed and defended against.

Although some of the components in the site's content scanning solution may be used for periodic scanning assessment, the IDPS sensors and other components must provide continuous, 24 hours a day, 7 days a week monitoring.

Unusual/unauthorized activities or conditions related to information system outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, use of unusual protocols and ports, and communications with suspected or known malicious external entities.

Checks

Obtain the network architecture diagrams and identify where traffic crosses from one internal zone to another and review the configuration of the Palo Alto Networks security platform.

If it does not filter traffic passing between zones, this is a finding.

Fix

The network architecture diagrams must identify where traffic crosses from one internal zone to another. The specific security policy is based on the authorized endpoints, applications, and protocols.

To create or edit a Security Policy:
Go to Policies >> Security
Select "Add" to create a new security policy or select the name of the security policy to edit it.
Configure the specific parameters of the policy by completing the required information in the fields of each tab.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62693 No Change
Findings ID: PANW-IP-000051 Rule ID: SV-77183r1_rule Severity: medium CCI: CCI-002664

Discussion

Without an alert, security personnel may be unaware of intrusion detection incidents that require immediate action and this delay may result in the loss or compromise of information.

An Intrusion Detection and Prevention System must generate an alert when detection events from real-time monitoring occur. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel. For each violation of a security policy, an alert to, at a minimum, the ISSO and ISSM, must be sent.

Checks

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).
View the configured Server Profile.

If there is no Server Profile for the method explained, this is a finding.

View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile.
View the Security Policies that are used to block unauthorized network services.
Go to Policies >> Security
Select the name of the security policy to view it.
In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile.

If there is no Log Forwarding Profile, this is a finding.

Fix

Configure a Server Profile for use with Log Forwarding Profile(s); if email is used, the ISSO and ISSM must be recipients.

To create an email server profile:
Go to Device >> Server Profiles >> Email
Select "Add".
In the Email Server Profile, enter the name of the profile.
Select "Add".
In the "Servers" tab, enter the required information.
In the "Name" field, enter the name of the Email server.
In the "Email Display Name" field, enter the name shown in the "From" field of the email.
In the "From" field, enter the From email address.
In the "To" field, enter the email address of the recipient.
In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.
In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.
Select "OK".

Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding.
Go to Policies >> Security
Select "Add" to create a new security policy or select the name of the security policy to edit it.
Configure the specific parameters of the policy by completing the required information in the fields of each tab.
In the "Actions" tab, select the Log forwarding profile and select "Log at Session End".
"Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.
V-62695 No Change
Findings ID: PANW-IP-000052 Rule ID: SV-77185r1_rule Severity: medium CCI: CCI-002664

Discussion

Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded.

Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The IDPS must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.

Each Security Policy created in response to an IAVM or CTO must log violations of that particular Security Policy. For each violation of a security policy, an alert to, at a minimum, the ISSO and ISSM, must be sent.

Checks

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).
View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.
View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile.
View the Security Policies that are used to enforce policies issued by authoritative sources.
Go to Policies >> Security
Select the name of the security policy to view it.
In the "Actions" tab, in the "Log Setting" section, view the Log Forwarding Profile. If there is no Log Forwarding Profile, this is a finding.

Fix

Configure a Server Profile for use with Log Forwarding Profile(s); if email is used, the ISSO and ISSM must be recipients.

To create an email server profile:
Go to Device >> Server Profiles >> Email
Select "Add".
In the Email Server Profile, enter the name of the profile.
Select "Add".
In the "Servers" tab, enter the required information:
In the "Name" field, enter the name of the Email server.
In the "Email Display Name" field, enter the name shown in the "From" field of the email.
In the "From" field, enter the From email address.
In the "To" field, enter the email address of the recipient.
In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.
In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.
Select "OK".

Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding.
Go to Policies >> Security
Select "Add" to create a new security policy or select the name of the security policy to edit it.
Configure the specific parameters of the policy by completing the required information in the fields of each tab.
In the "Actions" tab, select the Log forwarding profile and select "Log at Session End".
"Log at Session Start" may be selected under specific circumstances, but "Log at Session End" is preferred.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.
V-62697 No Change
Findings ID: PANW-IP-000053 Rule ID: SV-77187r1_rule Severity: medium CCI: CCI-002664

Discussion

Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.

CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category I, II, IV, and VII detection events) will require an alert when an event is detected.

Alert messages must include a severity level indicator or code as an indicator of the criticality of the incident. Since these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema.

Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The Palo Alto Networks security platform must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.

Checks

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).

View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.

View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile.
View the Security Policies that are used to filter traffic into the Internal or DMZ zones.

If the "Profile" column does not display the Antivirus Profile symbol, this is a finding.

If the "Profile" column does not display the Vulnerability Protection Profile symbol, this is a finding.

If the "Profile" column does not display the Anti-spyware symbol, this is a finding.

If the "Options" column does not display the Log Forwarding Profile symbol, this is a finding.

Fix

This requires the use of an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile.

Configure a Server Profile for use with Log Forwarding Profile(s); if email is used, the ISSO and ISSM must be recipients.
Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding.
Configure an Antivirus Profile, an Anti-spyware Profile, and a Vulnerability Protection Profile in turn.
Note: A custom Anti-spyware Profile or the Strict Anti-spyware Profile must be used instead of the Default Anti-spyware Profile. The selected Anti-spyware Profile must use the block action at the critical, high, and medium severity threat levels.

Use the Antivirus Profile, Anti-spyware Profile, and the Vulnerability Protection Profile in a Security Policy that filters traffic to Internal and DMZ zones:
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile.
In the "Actions" tab in the "Profile Setting" section; in the "Anti-spyware" field, select the configured or "Strict Anti-spyware" Profile.
In the "Actions" tab in the "Profile Setting" section; in the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
In the "Actions" tab in the "Log Setting" section, select "Log At Session End". This generates a traffic log entry for the end of a session and logs drop and deny entries.
In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from the drop-down list.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62699 No Change
Findings ID: PANW-IP-000055 Rule ID: SV-77189r1_rule Severity: medium CCI: CCI-002664

Discussion

Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.

CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category I, II, IV, and VII detection events) will require an alert when an event is detected.

Alert messages must include a severity level indicator or code as an indicator of the criticality of the incident. Since these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema.

Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The Palo Alto Networks security platform must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.

Checks

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).

View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.

View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile.
Go to Policies >> DoS Protection
If there are no DoS Protection Policies, this is a finding.

There may be more than one configured DoS Protection Policy.
If there is no such DoS Protection Policy, this is a finding.

In the "Log Forwarding" field, if there is no configured Log Forwarding Profile, this is a finding.

Fix

Configure a Server Profile for use with Log Forwarding Profile(s); if email is used, the ISSO and ISSM must be recipients.
Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding.
Go to Policies >> DoS Protection
Select "Add" to create a new policy or select the Name of the Policy to edit it.
In the "DoS Rule" window, complete the required fields.
In the "Option/Protection" tab, in the "Log Forwarding" field, select the configured Log Forwarding Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62701 No Change
Findings ID: PANW-IP-000056 Rule ID: SV-77191r1_rule Severity: medium CCI: CCI-002664

Discussion

Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss or compromise of information.

CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DoD has determined that categories identified by CJCSM 6510.01B Major Indicators (category I, II, IV, and VII detection events) will require an alert when an event is detected.

Alert messages must include a severity level indicator or code as an indicator of the criticality of the incident. Since these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema.

Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The Palo Alto Networks security platform must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.

Checks

Ask the Administrator how the ISSO and ISSM are receiving alerts (E-mail, SNMP Trap, or Syslog).
View the configured Server Profile; if there is no Server Profile for the method explained, this is a finding.

View the Log Forwarding Profiles; this is under Objects >> Log Forwarding. Determine which Server Profile is associated with each Log Forwarding Profile.
View the Security Policies that are used to filter traffic between zones or subnets.
If the "Profile" column does not display the Antivirus Profile symbol, this is a finding.

If the "Options" column does not display the Log Forwarding Profile symbol, this is a finding.

Fix

Configure a Server Profile for use with Log Forwarding Profile(s); if email is used, the ISSO and ISSM must be recipients.
Configure a Log Forwarding Profile; this is under Objects >> Log Forwarding.
Go to Objects >> Security Profiles >> Antivirus
Select "Add" to create a new Antivirus Profile or select the name of the profile to edit it.

Use the Antivirus Profile in a Security Policy.
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions" tab in the "Profile Setting" section; in the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Actions" tab in the "Profile Setting" section; in the "Antivirus" field, select the configured Antivirus Profile.
Select "OK".
In the "Actions" tab in the "Log Setting" section, select "Log At Session End".
In the "Actions" tab in the "Log Setting" section; in the "Log Forwarding" field, select the log forwarding profile from the drop-down list.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
V-62703 No Change
Findings ID: PANW-IP-000058 Rule ID: SV-77193r1_rule Severity: low CCI: CCI-001851

Discussion

Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised.

Off-loading is a common process in information systems with limited audit storage capacity. The audit storage on the device is used only in a transitory fashion until the system can communicate with the centralized log server designated for storing the audit records, at which point the information is transferred. However, DoD requires that the log be transferred in real-time which indicates that the time from event detection to off-loading is seconds or less.

This does not apply to audit logs generated on behalf of the device itself (management).

Checks

To view a syslog server profile:
Go to Device >> Server Profiles >> Syslog
If there are no Syslog Server Profiles present, this is a finding.

Select each Syslog Server Profile; if no server is configured, this is a finding.

View the log-forwarding profile to determine which logs are forwarded to the syslog server.
Go to Objects >> Log forwarding
If no Log Forwarding Profile is present, this is a finding.

The Log Forwarding Profile window has five columns. If there are no Syslog Server Profiles present in the "Syslog" column for the Traffic Log Type, this is a finding.

If there are no Syslog Server Profiles present for each of the severity levels of the Threat Log Type, this is a finding.

Go to Device >> Log Settings >> System Logs
The list of Severity levels is displayed.
If any of the Severity levels does not have a configured Syslog Profile, this is a finding.

Go to Device >> Log Settings >> Config Logs.
If the "Syslog" field is blank, this is a finding.

Fix

To create a syslog server profile:
Go to Device >> Server Profiles >> Syslog
Select "Add".
In the Syslog Server Profile, enter the name of the profile.
Select "Add".
In the "Servers" tab, enter the required information.
Name: Name of the syslog server
Server: Server IP address where the logs will be forwarded to
Port: Default port 514
Facility: Select from the drop-down list.
Select "OK".

After you create the Server Profiles that define where to send your logs, you must enable log forwarding.
The way you enable forwarding depends on the log type:
Traffic Logs—You enable forwarding of Traffic logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) and adding it to the security policies you want to trigger the log forwarding. Only traffic that matches a specific rule within the security policy will be logged and forwarded.
Configure the log-forwarding profile to select the logs to be forwarded to syslog server.
Go to Objects >> Log forwarding.
The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding traffic logs to the configured server(s).
Select "OK".

When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile.
Threat Logs—You enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection).
Configure the log-forwarding profile to select the logs to be forwarded to syslog server.
Go to Objects >> Log forwarding
The "Log Forwarding Profile" window appears. Note that it has five columns. In the "Syslog" column, select the syslog server profile for forwarding threat logs to the configured server(s).
Select "OK".

When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile.
System Logs—You enable forwarding of System logs by specifying a Server Profile in the log settings configuration.
Go to Device >> Log Settings >> System Logs
The list of severity levels is displayed.
You must select a Server Profile for each severity level you want to forward.
Select each severity level in turn; with each selection, the "Log Systems - Setting" window will appear.
In the "Log Systems - Setting" window, in the "Syslog" drop-down box, select the configured Server Profile.
Select "OK".

Config Logs—You enable forwarding of Config logs by specifying a Server Profile in the log settings configuration.
Go to Device >> Log Settings >> Config Logs
Select the "Edit" icon (the gear symbol in the upper-right corner of the pane).
In the "Log Settings Config" window, in the "Syslog" drop-down box, select the configured Server Profile.
Select "OK".

For Traffic Logs and Threat Logs, use the log forwarding profile in the security rules.
Go to Policies >> Security Rule
Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.
Go to Actions >> Log forwarding
Select the log forwarding profile from the drop-down list.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.
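An added example, not part of this STIG and not Palo Alto Networks tooling: a Python script that runs the V-62685/V-62687 rule-logging checks and the V-62703 off-loading checks above against an exported PAN-OS XML configuration snapshot instead of clicking through the GUI. The XML element paths (shared/server-profile/syslog, shared/log-settings/profiles with match-list entries, rulebase/security/rules) are assumed from the PAN-OS 8.x and later export layout and may need adjusting for other versions; the snapshot embedded at the bottom is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Rules with these actions deny or reset sessions; they are the rules the
# V-62685 / V-62687 logging checks examine.
DENY_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}


def audit_log_offload(root):
    """V-62703: a Syslog Server Profile with a server must exist and every Log
    Forwarding Profile must send Traffic and Threat logs to one.
    Returns (findings, names of Log Forwarding Profiles)."""
    findings = []
    syslog = {}  # syslog profile name -> configured server addresses
    for prof in root.findall("./shared/server-profile/syslog/entry"):
        servers = [s.findtext("server") for s in prof.findall("server/entry")]
        syslog[prof.get("name")] = [s for s in servers if s]
    if not syslog:
        findings.append("no Syslog Server Profile configured (V-62703)")
    for pname, servers in syslog.items():
        if not servers:
            findings.append(f"syslog profile '{pname}': no server configured (V-62703)")
    lfps = root.findall("./shared/log-settings/profiles/entry")
    if not lfps:
        findings.append("no Log Forwarding Profile configured (V-62703)")
    for lfp in lfps:
        lname = lfp.get("name")
        covered = {}  # log type -> filters of entries that reach an existing syslog profile
        for entry in lfp.findall("match-list/entry"):
            targets = [m.text.strip() for m in entry.findall("send-syslog/member") if m.text]
            if any(t in syslog for t in targets):
                covered.setdefault(entry.findtext("log-type"), []).append(
                    entry.findtext("filter", default=""))
        for log_type in ("traffic", "threat"):
            if log_type not in covered:
                findings.append(f"log forwarding profile '{lname}': {log_type} logs "
                                f"not sent to a syslog server (V-62703)")
            elif log_type == "threat" and "All Logs" not in covered["threat"]:
                # A filtered threat entry can omit severities; the check wants all of them.
                findings.append(f"log forwarding profile '{lname}': threat forwarding is "
                                f"filtered, confirm every severity is covered (V-62703)")
    return findings, {lfp.get("name") for lfp in lfps}


def audit_security_rules(root, forwarding_profiles):
    """V-62685 / V-62687: each deny rule must log the session and must name an
    existing Log Forwarding Profile so the denial reaches the ISSO and ISSM."""
    findings = []
    for rule in root.findall(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        if rule.findtext("action", default="allow") not in DENY_ACTIONS:
            continue
        # An absent log-end/log-start element is treated as unset (conservative for an audit).
        if not any(rule.findtext(t, default="no") == "yes" for t in ("log-end", "log-start")):
            findings.append(f"rule '{name}': denies traffic but neither Log at Session "
                            f"End nor Log at Session Start is set (V-62685)")
        lfp = rule.findtext("log-setting")
        if not lfp:
            findings.append(f"rule '{name}': no Log Forwarding Profile in Log Setting (V-62687)")
        elif lfp not in forwarding_profiles:
            findings.append(f"rule '{name}': Log Forwarding Profile '{lfp}' does not exist (V-62687)")
    return findings


def audit(xml_text):
    """Run both audits over a configuration snapshot; returns a list of findings."""
    root = ET.fromstring(xml_text)
    offload_findings, lfp_names = audit_log_offload(root)
    return offload_findings + audit_security_rules(root, lfp_names)


# Constructed sample snapshot (not a real export): one syslog profile, a complete
# and a partial Log Forwarding Profile, one compliant and one non-compliant deny rule.
SAMPLE_CONFIG = """<config version="9.1.0">
 <shared>
  <server-profile><syslog><entry name="siem">
   <server><entry name="siem-1"><server>192.0.2.10</server><port>514</port></entry></server>
  </entry></syslog></server-profile>
  <log-settings><profiles>
   <entry name="stig-forward"><match-list>
    <entry name="all-traffic"><log-type>traffic</log-type><filter>All Logs</filter>
     <send-syslog><member>siem</member></send-syslog></entry>
    <entry name="all-threat"><log-type>threat</log-type><filter>All Logs</filter>
     <send-syslog><member>siem</member></send-syslog></entry>
   </match-list></entry>
   <entry name="partial"><match-list>
    <entry name="traffic-only"><log-type>traffic</log-type><filter>All Logs</filter>
     <send-syslog><member>siem</member></send-syslog></entry>
   </match-list></entry>
  </profiles></log-settings>
 </shared>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
   <entry name="deny-telnet"><action>deny</action><log-end>yes</log-end>
    <log-setting>stig-forward</log-setting></entry>
   <entry name="deny-irc"><action>deny</action><log-end>no</log-end></entry>
   <entry name="allow-web"><action>allow</action><log-end>yes</log-end>
    <log-setting>stig-forward</log-setting></entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the embedded snapshot reports the "partial" profile that never forwards Threat logs and the "deny-irc" rule that neither logs nor forwards its denials; the compliant "deny-telnet" rule produces nothing.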