PAN Best Practices
- Check if anti-spyware actions for low- and informational-severity threat signatures follow best practices.
- Check if GlobalProtect update recurrence is set to hourly.
- Warn if the captive portal SSL/TLS service profile uses a TLS version lower than 1.2.
- Check if the update schedule for Application and Threats follows best practices.
- Warn unless the decryption profile min version is set to TLSv1.2 and the max version is set to “Max” (Decryption profile).
- Warn if LDAP communication is insecure; “Require SSL/TLS secured connection” should be enabled for LDAP.
- Check if all anti-spyware profiles have DNS sinkholing enabled.
- Check that failed login attempts is not set to 0 (default) or greater than 5. It is best practice to set the maximum failed attempts to no more than 5.
- Check if AV update recurrence is set to hourly and update action is set to download-and-install.
BlueCoat Proxy SG
- Added Hardware EOL and Software EOS notification
- Identify if device has high uptime. Very long uptime may be a sign that the device has not been upgraded in a while.
- Identify if certificate in use for SSL is due to expire soon
- Compliance check: Ensure core dumping is enabled
IKP-1564 Hardware EOL and Software EOS notification
IKP-2281 Identify if device has high uptime
IKP-2282 Identify if certificate in use for SSL is due to expire soon
IKP-1397 Compliance check: Core dumping enabled
IKP-2259 Best Practice: anti-spyware threat signatures for low and informational severity
IKP-2251 Best Practice: Ensure GlobalProtect update recurrence is set to hourly
IKP-2252 Best Practice: Ensure captive portal SSL/TLS service profile min version is set to TLSv1.2
IKP-2254 Best Practice: Ensure apps and threats are correctly configured for content updates
IKP-2255 Best Practice: Ensure min version is set to TLSv1.2 and max version is set to “Max” (Decryption profile)
IKP-2262 Best Practice: Ensure “Require SSL/TLS secured connection” is enabled for LDAP
IKP-2256 Best Practice: Check all anti-spyware profiles have DNS sinkholing enabled
IKP-2257 Best Practice: Ensure failed attempts is set to a value lower than or equal to 5
IKP-2258 Best Practice: Ensure AV update recurrence is set to hourly and update action is set to download-and-install
Knowledge Bug Fixes/Improvements
IKP-2448 Fixed cpstat-mg-mds.ind. Removed from exclude list
IKP-2117 Fixed Static routing table does not match across cluster
IKP-2114 Fixed Critical process(es) “down” triggering on “unknown” processes
IKP-1641 Fixed Critical configuration files mismatch across cluster members
IKP-1748 Fixed cphaprob_list/cphaprob_list-vsx issues not resolving in a timely fashion
IKP-2209 Improved performance of fw-ctl-pstat-vsx ind script
IKP-1786 Fixed FP for chkp-fw-ctl-affinity-l-m for Gaia R77.30 and R80.20
IKP-2402 Fixed chkp-cphaprob_state_monitor vsx/novsx failing when the cluster IP has the maximum amount of digits
IKP-2090 Fixed FP due to CMA “Active status: standby”
IKP-2241 Improved performance on show-interfaces-all-vsx.ind, policy-fingerprint-vsx.ind, fw-tab-stats-vsx.ind
IKP-2247 Fixed process-state utilizing incorrect tag value, preventing issue from triggering
IKP-2275 Fixed backup output should be in XML
IKP-2416 Fixed failed to parse results of command panos-show-neighbor-all
IKP-2337 Fixed os.version hard coded in interrogation script