The Center for Internet Security (CIS) is a non-profit organization that works with security experts to develop a set of best practice security standards designed to harden operating systems and applications. Organizations are adopting these best practices to improve their security and compliance programs and posture. To help organizations maintain all necessary security controls to keep their environment safe, we have implemented a subset of the CIS benchmarks for Palo Alto Firewall 9.x.
This blog post reviews the rules we have implemented by following the same structure as the CIS Palo Alto firewall benchmark document.
CIS Palo Alto Firewall Benchmark Rules
1. Device Setup
The Device Setup section of the CIS Palo Alto firewall benchmark covers requirements from several areas. We have coverage for logging, login banners, management interface settings, password requirements, authentication, and device services settings. For some services such as logging, we go beyond just ensuring that the service is configured. We continuously monitor the availability of the service to ensure that there is no loss of log data.
| Area | Rule | Recommendation |
|---|---|---|
| General Settings | 1.1.1 | Syslog logging should be configured |
| General Settings | 1.1.2 | Ensure 'Login Banner' is set |
| General Settings | 1.1.3 | Ensure 'Enable Log on High DP Load' is enabled |
| Management Interface | 1.2.1 | Ensure 'Permitted IP Addresses' is set to those necessary for device management |
| Management Interface | 1.2.2 | Ensure 'Permitted IP Addresses' is set for all Interface Management profiles where SSH, HTTPS, or SNMP is enabled |
| Management Interface | 1.2.3 | Ensure HTTP and Telnet options are disabled for the management interface |
| Minimum Password Requirements | 1.3.1 | Ensure 'Minimum Password Complexity' is on |
| Minimum Password Requirements | 1.3.2 | Ensure 'Minimum Length' is >= 12 |
| Minimum Password Requirements | 1.3.3 | Ensure 'Minimum Uppercase Letters' is >= 1 |
| Minimum Password Requirements | 1.3.4 | Ensure 'Minimum Lowercase Letters' is >= 1 |
| Minimum Password Requirements | 1.3.5 | Ensure 'Minimum Numeric Letters' is >= 1 |
| Minimum Password Requirements | 1.3.6 | Ensure 'Minimum Special Characters' is >= 1 |
| Minimum Password Requirements | 1.3.7 | Ensure 'Required Password Change Period' is <= 90 days |
| Minimum Password Requirements | 1.3.8 | Ensure 'New Password Differs by Characters' is >= 3 |
| Minimum Password Requirements | 1.3.9 | Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords |
| Authentication Settings | 1.4.2 | Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured |
| Device Services Settings | 1.6.2 | Ensure redundant NTP servers are configured appropriately |
| Device Services Settings | 1.6.3 | Ensure that the certificate securing remote access VPNs is valid |
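The checks in the table above can be reproduced offline against a PAN-OS configuration export, which is a useful way to audit a firewall before it is onboarded into continuous monitoring. The script below is an added example, not code from the original post or from Indeni. The XML is a constructed, trimmed sample shaped like the `<config>` tree that `show config running` (or the XML API) returns; the element names are assumed from the PAN-OS config layout and should be verified against a real export before you rely on them. Note the two places where a naive comparison would pass a bad setting: a password expiration period of 0 means "never expires" and must fail 1.3.7 even though 0 <= 90, and a permitted-IP entry of 0.0.0.0/0 is present but must fail 1.2.1.

```python
"""CIS Palo Alto 'Device Setup' checks run offline against a PAN-OS config export.

Added example, not Indeni's code. The XML is a constructed sample; element
names are assumed from the PAN-OS config layout and should be verified
against a real `show config running` export.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config version="9.1.0">
<devices><entry name="localhost.localdomain">
  <deviceconfig><system>
    <login-banner>Authorized access only. Activity is monitored.</login-banner>
    <permitted-ip><entry name="10.10.20.0/24"/><entry name="10.10.21.5"/></permitted-ip>
    <service><disable-http>yes</disable-http><disable-telnet>no</disable-telnet></service>
    <ntp-servers><primary-ntp-server>
      <ntp-server-address>10.10.1.10</ntp-server-address>
    </primary-ntp-server></ntp-servers>
  </system></deviceconfig>
  <mgt-config><password-complexity>
    <enabled>yes</enabled>
    <minimum-length>8</minimum-length>
    <minimum-uppercase-letters>1</minimum-uppercase-letters>
    <minimum-lowercase-letters>1</minimum-lowercase-letters>
    <minimum-numeric-letters>1</minimum-numeric-letters>
    <minimum-special-characters>1</minimum-special-characters>
    <new-password-differs-by-characters>3</new-password-differs-by-characters>
    <password-history-count>24</password-history-count>
    <password-change><expiration-period>90</expiration-period></password-change>
  </password-complexity></mgt-config>
</entry></devices>
</config>"""

SYS = "./devices/entry/deviceconfig/system"
PWD = "./devices/entry/mgt-config/password-complexity"


def _text(root, path):
    """Text of the first element at path, or '' when it is absent or empty."""
    el = root.find(path)
    return (el.text or "").strip() if el is not None else ""


def _int(root, path):
    """Integer at path; a missing or non-numeric value counts as 0, so it fails any >= check."""
    try:
        return int(_text(root, path))
    except ValueError:
        return 0


def _is_scoped(cidr):
    """True for a real host or subnet; False for a catch-all (/0) or an unparsable entry."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen > 0
    except ValueError:
        return False


def check_device_setup(xml_text):
    """Map CIS rule id -> True (pass) / False (fail) for the checks this script covers."""
    root = ET.fromstring(xml_text)
    r = {}
    r["1.1.2"] = _text(root, SYS + "/login-banner") != ""
    # 1.2.1: a permitted-IP list must exist, and no entry may be a catch-all like 0.0.0.0/0
    permitted = [e.get("name", "") for e in root.findall(SYS + "/permitted-ip/entry")]
    r["1.2.1"] = bool(permitted) and all(_is_scoped(p) for p in permitted)
    # 1.2.3: an absent disable-* element means the plaintext service is still enabled
    r["1.2.3"] = (_text(root, SYS + "/service/disable-http") == "yes"
                  and _text(root, SYS + "/service/disable-telnet") == "yes")
    r["1.3.1"] = _text(root, PWD + "/enabled") == "yes"
    r["1.3.2"] = _int(root, PWD + "/minimum-length") >= 12
    r["1.3.3"] = _int(root, PWD + "/minimum-uppercase-letters") >= 1
    r["1.3.4"] = _int(root, PWD + "/minimum-lowercase-letters") >= 1
    r["1.3.5"] = _int(root, PWD + "/minimum-numeric-letters") >= 1
    r["1.3.6"] = _int(root, PWD + "/minimum-special-characters") >= 1
    # 1.3.7: 0 / unset means passwords never expire, which fails even though 0 <= 90
    r["1.3.7"] = 0 < _int(root, PWD + "/password-change/expiration-period") <= 90
    r["1.3.8"] = _int(root, PWD + "/new-password-differs-by-characters") >= 3
    r["1.3.9"] = _int(root, PWD + "/password-history-count") >= 24
    # 1.6.2: two distinct NTP servers; a secondary equal to the primary is not redundancy
    ntp = [_text(root, SYS + "/ntp-servers/primary-ntp-server/ntp-server-address"),
           _text(root, SYS + "/ntp-servers/secondary-ntp-server/ntp-server-address")]
    r["1.6.2"] = all(ntp) and ntp[0] != ntp[1]
    return r


def failing(results):
    """Sorted list of rule ids that did not pass."""
    return sorted(k for k, ok in results.items() if not ok)


if __name__ == "__main__":
    res = check_device_setup(SAMPLE_CONFIG)
    for rule_id in sorted(res):
        print(f"{rule_id:6} {'PASS' if res[rule_id] else 'FAIL'}")
```

Run against the sample, the script reports 1.2.3 (Telnet still enabled), 1.3.2 (minimum length 8) and 1.6.2 (only one NTP server) as failing. Every other check treats a missing element as a failure rather than a pass, which is the safe default for a benchmark audit: a setting that is not in the configuration has not been hardened.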
2. User Identification
The User Identification section covers requirements for IP address-to-user mapping and User-ID functionality. Mapping user IDs to IP addresses lets the Palo Alto firewall write policy rules based on users and groups rather than IP addresses and subnets, and log events by user rather than by IP address or DNS name.
- 2.2 Ensure that WMI probing is disabled.
- 2.3 Ensure that User-ID is only enabled for internal trusted interfaces.
- 2.4 Ensure that ‘Include/Exclude Networks’ is used if User-ID is enabled.
- 2.8 Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones.
3. High Availability
This is a primary use case for Indeni, so we have coverage for all the High Availability peer synchronization and monitoring requirements. You can read more about our High Availability Auto-Detect Elements in this blog post. To ensure high availability of Palo Alto firewalls, we:
- 3.1 Ensure a fully-synchronized High Availability peer is configured.
- 3.2 Ensure ‘High Availability’ requires Link Monitoring and/or Path Monitoring.
- 3.3 Ensure ‘Passive Link state’ and ‘Preemptive’ are configured appropriately.
4. Dynamic Updates
It is important that the antivirus and the applications-and-threats content on Palo Alto firewalls is updated frequently. Beyond checking that a schedule exists, we also verify that each scheduled download and install actually completed successfully.
- 4.1 Ensure ‘Antivirus Update Schedule’ is set to download and install updates hourly.
- 4.2 Ensure ‘Applications and Threats Update Schedule’ is set to download and install updates at daily or shorter intervals.
5. WildFire
WildFire detects and blocks targeted and unknown malware, exploits and outbound command-and-control activity by observing malicious behavior in real time, rather than relying on pre-existing signatures. WildFire content updates carry the latest threat intelligence from cloud sandboxing and are sent to every firewall that has a WildFire subscription. With a short update interval, new protections reach the network within minutes of a verdict, before the threat spreads widely.
- 5.7 Ensure ‘WildFire Update Schedule’ is set to download and install updates every minute.
6. Security Profiles
The Security Profiles section covers requirements for several types of profiles, including antivirus, anti-spyware and Vulnerability Protection Profiles.
- 6.1 Ensure that antivirus profiles are set to block on all decoders except ‘imap’ and ‘pop3’.
- 6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats.
- 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use.
- 6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities.
7. Security Policies
The Security Policies section covers requirements for application- and service-based security policies. The recommendation is to allow only the specific applications and services that are actually needed, rather than leaving application or service set to 'any' in a rule that permits traffic.
- 7.1 Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone.
- 7.2 Ensure ‘Service setting of ANY’ in a security policy allowing traffic does not exist.
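Rules 7.1 and 7.2 are easy to state but easy to get wrong in an automated check: a deny rule with service 'any' is fine, and 'any' as a zone has to be read as the least trusted zone on the source side and the most trusted zone on the destination side. The script below is an added example, not code from the original post or from Indeni. The rulebase XML is a constructed sample shaped like the vsys rulebase in a PAN-OS config export; element names are assumed from the PAN-OS layout and should be verified against a real export, and the zone trust ranking is an assumption for the example that you must replace with your own zone design.

```python
"""CIS Palo Alto 'Security Policies' checks 7.1 and 7.2 run offline against a
PAN-OS rulebase export.

Added example, not Indeni's code. The XML is a constructed sample and the
ZONE_TRUST ranking is an assumption; both must be adapted to a real deployment.
"""
import xml.etree.ElementTree as ET

SAMPLE_RULEBASE = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="allow-web-in">
    <from><member>untrust</member></from><to><member>dmz</member></to>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="legacy-any">
    <from><member>untrust</member></from><to><member>trust</member></to>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="intranet-any-service">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-all">
    <from><member>any</member></from><to><member>any</member></to>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""

# Assumed trust ranking for the example: higher number = more trusted.
ZONE_TRUST = {"untrust": 0, "dmz": 1, "trust": 2}
RULES_PATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"


def _members(rule, tag):
    """Member values of a <from>/<to>/<application>/<service> list on a rule."""
    return [m.text.strip() for m in rule.findall(f"./{tag}/member") if m.text]


def zone_rank(zones, side):
    """Worst-case trust level of a zone list.

    'any' (or an unknown zone) on the 'from' side is as untrusted as the least
    trusted zone; on the 'to' side it reaches the most trusted zone.
    """
    lo, hi = min(ZONE_TRUST.values()), max(ZONE_TRUST.values())
    default = lo if side == "from" else hi
    ranks = [ZONE_TRUST.get(z, default) for z in zones] or [default]
    return min(ranks) if side == "from" else max(ranks)


def check_security_policies(xml_text):
    """Return {'7.1': [...], '7.2': [...]}: names of violating allow rules, in rulebase order."""
    root = ET.fromstring(xml_text)
    findings = {"7.1": [], "7.2": []}
    for rule in root.findall(RULES_PATH):
        if rule.findtext("action", "").strip() != "allow":
            continue  # deny/drop rules may legitimately say 'any'; only allow rules matter
        name = rule.get("name")
        # 7.1: traffic entering a more trusted zone must be allowed by application, not 'any'
        src = zone_rank(_members(rule, "from"), "from")
        dst = zone_rank(_members(rule, "to"), "to")
        if src < dst and "any" in _members(rule, "application"):
            findings["7.1"].append(name)
        # 7.2: no allow rule may leave the service set to 'any'
        if "any" in _members(rule, "service"):
            findings["7.2"].append(name)
    return findings


if __name__ == "__main__":
    for rule_id, names in check_security_policies(SAMPLE_RULEBASE).items():
        print(rule_id, "violated by:", names or "none")
```

On the sample, only `legacy-any` violates 7.1 (untrust into trust with application 'any'), while both `legacy-any` and `intranet-any-service` violate 7.2; `intranet-any-service` is not a 7.1 finding because it flows from the more trusted zone to the less trusted one, and `deny-all` is skipped entirely. A rule that uses `application-default` as its service, like `allow-web-in`, passes both checks.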
To retrieve the list of the CIS rules for Palo Alto firewalls, go to Knowledge Explorer, set the filter to Category, and select CenterForInternetSecurity. You can also use the remediation steps attached to each rule to help you stay in conformance.