STIGQter: STIG Summary: Palo Alto Networks IDPS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Palo Alto Networks security platform must have a DoS Protection Profile for outbound traffic applied to a policy for traffic originating from the internal zone going to the external zone.

DISA Rule

SV-207692r557390_rule

Vulnerability Number

V-207692

Group Title

SRG-NET-000192-IDPS-00140

Rule Version

PANW-IP-000018

Severity

CAT II

CCI(s)

• CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

Weight

10

Fix Recommendation

Go to Objects >> Security Profiles >> DoS Protection
Select "Add" to create a new profile.
In the "DoS Protection Profile" window, complete the required fields.
For the Type, select "Classified".
In the "Flood Protection" tab, "Syn Flood" tab, select the "Syn Flood" check box and select either "Random Early Drop" (preferred in this case) or "SYN Cookie".
In the "Flood Protection" tab, "UDP Flood" tab, select the "UDP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "ICMP Flood" tab, select the "ICMP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "ICMPv6 Flood" tab, select the "ICMPv6 Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Flood Protection" tab, "Other IP Flood" tab, select the "Other IP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields.
In the "Resources Protection" tab, leave the "Maximum Concurrent Sessions" check box unselected.
Select "OK".

Go to Policies >> DoS Protection
Select "Add" to create a new policy.
In the "DoS Rule" Window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields.
In the "Source" tab, for "Zone", select the "Internal zone", for "Source Address", select "Any".
In the "Destination" tab, "Zone", select "External zone", for "Destination Address", select "Any".
In the "Option/Protection" tab:
For "Service", select "Any".
For "Action", select "Protect".
Select the "Classified" check box.
In the "Profile" field, select the configured DoS Protection profile for outbound traffic.
In the "Address field", select "source-ip-only".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Check Contents

Go to Objects >> Security Profiles >> DoS Protection
If there are no DoS Protection Profiles configured, this is a finding.

There may be more than one configured DoS Protection Profile; ask the Administrator which DoS Protection Profile is intended to protect outside networks from internally-originated DoS attacks.
If there is no such DoS Protection Profile, this is a finding.

Vulnerability Number

V-207692

Documentable

False

Rule Version

PANW-IP-000018

Severity Override Guidance

Go to Objects >> Security Profiles >> DoS Protection
If there are no DoS Protection Profiles configured, this is a finding.

There may be more than one configured DoS Protection Profile; ask the Administrator which DoS Protection Profile is intended to protect outside networks from internally-originated DoS attacks.
If there is no such DoS Protection Profile, this is a finding.

Check Content Reference

M

Target Key

2927

Comments