STIGQter: STIG Summary: Palo Alto Networks IDPS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Palo Alto Networks security platform must capture traffic of detected/dropped malicious code.

DISA Rule

SV-207690r559743_rule

Vulnerability Number

V-207690

Group Title

SRG-NET-000078-IDPS-00063

Rule Version

PANW-IP-000008

Severity

CAT II

CCI(s)

CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.

Weight

Fix Recommendation

This procedure will only capture the first packet. See the vendor documentation for further information.

Go to Objects >> Security Profiles >> Antivirus
Select the name of a configured Antivirus Profile or select "Add" to create a new one.
In the "Antivirus Profile" window, complete the required fields.
In the "Antivirus" tab, select the "Packet Capture" check box.
Select "OK".

Configure an Anti-Spyware Profile to capture detected malicious traffic.
Go to Objects >> Security Profiles >> Anti-Spyware
Select the name of a configured Anti-Spyware Profile or select "Add" to create a new one.
In the "Anti-Spyware Profile" window, complete the required fields in all tabs.
In the "Rules" tab, select the name of a configured Anti-Spyware Rule or select "Add" to create a new one.
In the "Anti-Spyware Rule" window, in the "Packet Capture" field, select "extended-capture".
Select "OK".
Select "OK" again.

Configure a Vulnerability Protection Profile to capture detected malicious traffic.
Go to Objects >> Security Profiles >> Vulnerability Protection
Select the name of a configured Vulnerability Protection Profile or select "Add" to create a new one.
In the "Vulnerability Protection Profile" window, complete the required fields.
In the "Rules" tab, select the name of a configured Vulnerability Protection Rule or select "Add" to create a new one.
In the "Vulnerability Protection Rule" window, in the "Packet Capture" field, select "extended-capture".
Select "OK".
Select "OK" again.

Use the Antivirus Profile, Anti-Spyware Profile, and Vulnerability Protection Profile in a Security Policy.
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions tab in the Profile Setting section:
In the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Antivirus" field, select the configured Antivirus Profile.
In the "Anti-Spyware" field, select the configured Anti-Spyware Profile.
In the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Check Contents

Go to Objects >> Security Profiles >> Antivirus
View the configured Antivirus Profiles. If the Packet Capture check box is not checked, this is a finding.

Go to Objects >> Security Profiles >> Anti-Spyware
View the configured Anti-Spyware Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding.

Go to Objects >> Security Profiles >> Vulnerability Protection
View the configured Vulnerability Protection Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding.

Go to Policies >> Security
Review each of the configured security policies in turn. For any Security Policy that affects traffic between Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.

The Palo Alto Networks security platform must capture traffic of detected/dropped malicious code.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments