STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Palo Alto Networks security platform must block traceroutes and ICMP probes originating from untrusted networks (e.g., ISP and other non-DoD networks).

DISA Rule

SV-228875r557387_rule

Vulnerability Number

V-228875

Group Title

SRG-NET-000402-ALG-000130

Rule Version

PANW-AG-000127

Severity

CAT II

CCI(s)

• CCI-001314 - The information system reveals error messages only to organization-defined personnel or roles.

Weight

10

Fix Recommendation

Although the default inter-zone Security Policy will deny this traffic, a specific Security Policy should be used.

To configure the security policy:
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
For the "Source Zone" field, select "external".
For the "Source Address" field, select "any".
In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields.
For the "Destination Zone" field, select the internal and DMZ zones. Note: The exact number and name of zones are specific to the network.
For the "Destination Address" field, select "any".
In the "Applications" tab, select "icmp", "ipv6-icmp", "traceroute".
In the "Actions tab", select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.

Check Contents

Ask the Administrator which Security Policy blocks traceroutes and ICMP probes.

Go to Policies >> Security
View the identified Security Policy.

If the "Source Zone" field is not external and the "Source Address" field is not any, this is a finding.

If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not any, this is a finding.

Note: The exact number and name of zones is specific to the network.

If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding.

If the "Actions" field does not show "Deny" as the resulting action, this is a finding.

Vulnerability Number

V-228875

Documentable

False

Rule Version

PANW-AG-000127

Severity Override Guidance

Ask the Administrator which Security Policy blocks traceroutes and ICMP probes.

Go to Policies >> Security
View the identified Security Policy.

If the "Source Zone" field is not external and the "Source Address" field is not any, this is a finding.

If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not any, this is a finding.

Note: The exact number and name of zones is specific to the network.

If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding.

If the "Actions" field does not show "Deny" as the resulting action, this is a finding.

Check Content Reference

M

Target Key

4233

Comments