STIGQter: STIG Summary: Palo Alto Networks NDM Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 24 Jan 2020:

The Palo Alto Networks security platform must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

DISA Rule

SV-77207r1_rule

Vulnerability Number

V-62717

Group Title

SRG-APP-000142-NDM-000245

Rule Version

PANW-NM-000046

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Go to Device >> Setup >> Services
In the "Services" window, select the "Edit" icon (the gear symbol in the upper-right corner of the pane).
Note: DNS can be either "Server" or "Proxy"; both are allowed unless local policy declares otherwise.
Note: The Palo Alto Networks security platform cannot be a DNS server, only a client or proxy.

NTP is a necessary service.
Note: The Palo Alto Networks security platform cannot be an NTP server, only a client.

Go to Device >> Setup >> Management
In the "Management Interface Settings" window, select the "Edit" icon (the gear symbol in the upper-right corner of the pane).
In the "Management Interface Settings" window, select only those of HTTP OCSP, HTTPS, SSH, SNMP, User-ID, User-ID Syslog Listener-SSL, and User-ID Syslog Listener-UDP that will actually be used.
Select "OK".
Note: SNMP Versions 1 and 2 are not considered secure; use SNMP Version 3.

Go to Device >> Setup >> Operations tab >> Miscellaneous
Select SNMP Setup.
In the "SNMP Setup" window, select V3.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.

Check Contents

Go to Device >> Setup >> Services
In the "Services" window, view which services are configured.
Note: DNS can be either "Server" or "Proxy"; both are allowed unless local policy declares otherwise.
Note: The Palo Alto Networks security platform cannot be a DNS server, only a client or proxy.

NTP is a necessary service.
Note: The Palo Alto Networks security platform cannot be an NTP server, only a client.

Go to Device >> Setup >> Management
In the "Management Interface Settings" window, view the enabled services.
Note which management services are enabled; HTTPS, SSH, ping, and SNMP are normally allowed.

If User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP, or HTTP OCSP is present, verify with the ISSO that this has been authorized.
Go to Device >> Setup >> Operations tab >> Miscellaneous
Select SNMP Setup.
In the "SNMP Setup" window, check if SNMP V3 is selected.
If unauthorized services are configured, this is a finding.
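The same check can be run against an exported PAN-OS XML configuration instead of clicking through the GUI. This is an added example, not part of the STIG or of STIGQter: the element names and paths (deviceconfig/system/service/disable-*, snmp-setting/access-setting/version/v3) are my reading of the PAN-OS export format and are assumptions, and the sample configuration is constructed.

```python
"""Audit an exported PAN-OS XML configuration against this rule's check text.
Added example, not from the STIG or STIGQter. The element layout (deviceconfig/
system/service/disable-*, snmp-setting/access-setting/version/v3) is my reading
of the PAN-OS export format and is an assumption; confirm against a real export."""
import xml.etree.ElementTree as ET
# Service names as used in the disable-<name> flags (assumed names).
KNOWN_SERVICES = ("http", "https", "ssh", "telnet", "icmp", "snmp", "http-ocsp",
                  "userid-service", "userid-syslog-listener-ssl",
                  "userid-syslog-listener-udp")
NEVER_ALLOWED = {"http", "telnet"}  # not among the services the fix allows selecting
NEEDS_AUTHORIZATION = {"http-ocsp", "userid-service",  # require ISSO authorization
                       "userid-syslog-listener-ssl", "userid-syslog-listener-udp"}
SYSTEM = "./devices/entry/deviceconfig/system"

def enabled_services(root):
    """A service counts as enabled unless its disable-<name> flag is present and 'yes'."""
    svc = root.find(SYSTEM + "/service")
    enabled = set()
    for name in KNOWN_SERVICES:
        flag = None if svc is None else svc.find("disable-" + name)
        if flag is None or (flag.text or "").strip().lower() != "yes":
            enabled.add(name)
    return enabled

def audit(config_xml, authorized=frozenset()):
    """Return finding strings for config_xml; an empty list means the check passes."""
    root = ET.fromstring(config_xml)
    enabled = enabled_services(root)
    findings = [f"{n} is enabled on the management interface"
                for n in sorted(enabled & NEVER_ALLOWED)]
    findings += [f"{n} is enabled without ISSO authorization"
                 for n in sorted((enabled & NEEDS_AUTHORIZATION) - set(authorized))]
    if "snmp" in enabled and root.find(SYSTEM + "/snmp-setting/access-setting/version/v3") is None:
        findings.append("SNMP is enabled but not set to version 3")
    return findings

# Constructed sample export: Telnet, HTTP and User-ID off, HTTP OCSP left on, SNMP v2c.
SAMPLE_CONFIG = """<config version="9.1.0"><devices><entry name="localhost.localdomain">
<deviceconfig><system><service>
  <disable-telnet>yes</disable-telnet><disable-http>yes</disable-http>
  <disable-userid-service>yes</disable-userid-service>
  <disable-userid-syslog-listener-ssl>yes</disable-userid-syslog-listener-ssl>
  <disable-userid-syslog-listener-udp>yes</disable-userid-syslog-listener-udp>
</service><snmp-setting><access-setting><version>
  <v2c><snmp-community-string>public</snmp-community-string></v2c>
</version></access-setting></snmp-setting></system></deviceconfig></entry></devices></config>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Pass the set of services the ISSO has authorized as `authorized`; anything in that set is then treated like HTTPS or SSH rather than reported.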

Vulnerability Number

V-62717

Documentable

False

Rule Version

PANW-NM-000046

Severity Override Guidance

Check Content Reference

M

Target Key

2811

Comments