STIGQter STIGQter: STIG Summary: Palo Alto Networks IDPS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

Palo Alto Networks security platform components, including sensors, event databases, and management consoles must integrate with a network-wide monitoring capability.

DISA Rule

SV-207705r557390_rule

Vulnerability Number

V-207705

Group Title

SRG-NET-000383-IDPS-00208

Rule Version

PANW-IP-000045

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To create a NetFlow Server Profile:
Go to Device >> Server Profiles >> NetFlow
Select Add.
In the "NetFlow Server Profile" window, complete the required fields.
In the "Name" field, enter the name of the NetFlow Server Profile.
In the "Minutes" field, enter the number of minutes after which the NetFlow template is refreshed.
In the "Packets" field, enter the number of packets after which the NetFlow template is refreshed.
In the "Active Timeout" field, enter the frequency (in minutes) the device exports records.
Select the "PAN-OS Field Types" check box to export "App-ID" and "User-ID" fields.
Select "Add" to add a NetFlow collector.
In the "Name" field, enter the name of the server.
In the "NetFlow Server" field, enter the hostname or IP address of the server.
In the "Port" field enter the port used by the NetFlow collector (default 2055).
Select "OK".

Assign the NetFlow server profile to the interfaces that carry the traffic to be analyzed. These steps assume that it is one of the Ethernet interfaces. The configuration is the same for Ethernet, VLAN, Loopback and Tunnel interfaces.
Go to Network >> Interfaces >> Ethernet
Select the interface that the traffic traverses.
In the "Ethernet Interface" window, in the "NetFlow Profile" field, select the configured NetFlow Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Check Contents

Go to Device >> Server Profiles >> NetFlow
If no NetFlow Server Profiles are configured, this is a finding.

This step assumes that it is an Ethernet interface that is being monitored. The verification is the same for Ethernet, VLAN, Loopback and Tunnel interfaces. Ask the Administrator which interface is being monitored; there may be more than one.
Go to Network >> Interfaces >> Ethernet
Select the interface that is being monitored.
If the "NetFlow Profile" field is "None", this is a finding.

Vulnerability Number

V-207705

Documentable

False

Rule Version

PANW-IP-000045

Severity Override Guidance

Go to Device >> Server Profiles >> NetFlow
If no NetFlow Server Profiles are configured, this is a finding.

This step assumes that it is an Ethernet interface that is being monitored. The verification is the same for Ethernet, VLAN, Loopback and Tunnel interfaces. Ask the Administrator which interface is being monitored; there may be more than one.
Go to Network >> Interfaces >> Ethernet
Select the interface that is being monitored.
If the "NetFlow Profile" field is "None", this is a finding.

Check Content Reference

M

Target Key

2927

Comments