STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Palo Alto Networks security platform must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

DISA Rule

SV-228845r557387_rule

Vulnerability Number

V-228845

Group Title

SRG-NET-000202-ALG-000124

Rule Version

PANW-AG-000051

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Do not configure any policies or rules that violate a deny-all, permit-by-exception policy.
Configure policies that allow traffic through the device based only on the mission and system requirements.

Check Contents

Go to Policies >> Security.
Review each of the configured security policies in turn.
Select each policy in turn; in the "Security Policy Rule" window, if "Source Address" is set to "Any", "Destination Address" is set to "Any", "Application" is set to "Any", and the "Action" setting is "Allow", this is a finding.

If any Security Policy is too broad (allowing all traffic either inbound or outbound), this is also a finding.
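The check above can be applied to an exported PAN-OS configuration instead of clicking through each rule in the GUI. The script below is an added example for this page, not STIGQter or Palo Alto Networks code; it assumes the rulebase layout of a PAN-OS XML configuration export (rulebase/security/rules/entry with source, destination and application members and an action element), and the sample configuration embedded in it is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration: three rules, one of which is the
# any/any/any/allow condition the STIG check calls a finding. The final
# any/any/any/deny cleanup rule is not a finding (it enforces deny-all).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="allow-web-to-dmz">
        <source><member>corp-users</member></source>
        <destination><member>dmz-web</member></destination>
        <application><member>ssl</member><member>web-browsing</member></application>
        <action>allow</action>
      </entry>
      <entry name="catch-all-allow">
        <source><member>any</member></source>
        <destination><member>any</member></destination>
        <application><member>any</member></application>
        <action>allow</action>
      </entry>
      <entry name="cleanup-deny">
        <source><member>any</member></source>
        <destination><member>any</member></destination>
        <application><member>any</member></application>
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def _members(entry, field):
    """Return the lower-cased member values of a rule field (e.g. source/member)."""
    return {m.text.strip().lower() for m in entry.findall(f"{field}/member") if m.text}


def find_broad_allow_rules(config_xml):
    """Return the names of security rules that allow any source, any destination
    and any application, i.e. rules that violate deny-all, permit-by-exception."""
    root = ET.fromstring(config_xml)
    findings = []
    # Assumed path of security rules in a PAN-OS configuration export.
    for entry in root.findall(".//rulebase/security/rules/entry"):
        action = (entry.findtext("action") or "").strip().lower()
        if (action == "allow"
                and "any" in _members(entry, "source")
                and "any" in _members(entry, "destination")
                and "any" in _members(entry, "application")):
            findings.append(entry.get("name"))
    return findings


if __name__ == "__main__":
    for name in find_broad_allow_rules(SAMPLE_CONFIG):
        print(f"FINDING: rule {name!r} allows any source, destination and application")
```

Rules that are merely "too broad" without matching all three "Any" fields (for example, any source and any destination but a single application) still require the manual review the check describes.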

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4233

Comments