STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Palo Alto Networks security platform must be configured to integrate with a system-wide intrusion detection system.

DISA Rule

SV-228864r557387_rule

Vulnerability Number

V-228864

Group Title

SRG-NET-000383-ALG-000135

Rule Version

PANW-AG-000111

Severity

CAT III

CCI(s)

• CCI-002656 - The organization configures individual intrusion detection tools into an information system-wide intrusion detection system.

Weight

10

Fix Recommendation

To create a NetFlow Server Profile:
Go to Device >> Server Profiles >> NetFlow
Select "Add".
In the "NetFlow Server Profile" window, complete the required fields.
In the "Name" field, enter the name of the NetFlow Server Profile.
In the "Minutes" field, enter the number of minutes after which the NetFlow template is refreshed.
In the "Packets" field, enter the number of packets after which the NetFlow template is refreshed.
In the "Active Timeout" field, enter the frequency (in minutes) the device exports records.
Select the "PAN-OS Field Types" check box to export "App-ID" and "User-ID" fields.
Select "Add" to add a NetFlow collector.
In the "Name" field, enter the name of the server.
In the "NetFlow Server" field, enter the hostname or IP address of the server.
In the "Port" field enter the port used by the NetFlow collector (default 2055).
Select "OK".

Assign the NetFlow server profile to the interfaces that carry the traffic to be analyzed. These steps assume that it is one of the Ethernet interfaces. The configuration is the same for Ethernet, VLAN, Loopback, and Tunnel interfaces.
Go to Network >> Interfaces >> Ethernet
Select the interface that the traffic traverses.
In the "Ethernet Interface" window, in the "Netflow Profile" field, select the configured Netflow Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.

Check Contents

Go to Device >> Server Profiles >> NetFlow
If no NetFlow Server Profiles are configured, this is a finding.

This step assumes that it is one of the Ethernet interfaces that is being monitored.
The verification is the same for Ethernet, VLAN, Loopback and Tunnel interfaces.
Ask the administrator which interface is being monitored; there may be more than one.
Go to Network >> Interfaces >> Ethernet
Select the interface that is being monitored.
If the "Netflow Profile" field is "None", this is a finding.

Vulnerability Number

V-228864

Documentable

False

Rule Version

PANW-AG-000111

Severity Override Guidance

Go to Device >> Server Profiles >> NetFlow
If no NetFlow Server Profiles are configured, this is a finding.

This step assumes that it is one of the Ethernet interfaces that is being monitored.
The verification is the same for Ethernet, VLAN, Loopback and Tunnel interfaces.
Ask the administrator which interface is being monitored; there may be more than one.
Go to Network >> Interfaces >> Ethernet
Select the interface that is being monitored.
If the "Netflow Profile" field is "None", this is a finding.

Check Content Reference

M

Target Key

4233

Comments