STIGQter: STIG Summary: Palo Alto Networks IDPS Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Palo Alto Networks security platform must send an immediate (within seconds) alert to, at a minimum, the SA when malicious code is detected.

DISA Rule

SV-207696r557390_rule

Vulnerability Number

V-207696

Group Title

SRG-NET-000249-IDPS-00222

Rule Version

PANW-IP-000028

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The following is an example of how to configure the device to send messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to configure that function.

To create an email server profile:
Go to Device >> Server Profiles >> Email
Select "Add".
In the "Email Server Profile" field, enter the name of the profile.
Select "Add".
In the "Servers" tab, enter the required information.
In the "Name" field, enter the name of the Email server.
In the "Email Display Name" field, enter the name shown in the "From" field of the email.
In the "From" field, enter the "From email address".
In the "To" field, enter the email address of the recipient.
In the "Additional Recipient" field, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.
In the "Gateway" field, enter the IP address or host name of the Simple Mail Transport Protocol (SMTP) server used to send the email.
Select "OK".

After you create the Server Profiles that define where to send your logs, you must enable log forwarding.
Threat Logs—Enable forwarding of Threat logs by creating a Log Forwarding Profile (Objects >> Log Forwarding) that specifies which severity levels you want to forward and then adding it to the security policies for which you want to trigger the log forwarding. A Threat log entry will only be created (and therefore forwarded) if the associated traffic matches a Security Profile (Antivirus, Anti-spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection).

Configure the log forwarding profile to select the logs to be forwarded to the Email server.
Go to Objects >> Log forwarding
The "Log Forwarding Profile" window appears. Note that it has five columns.
In the "Name" Field, enter the name of the Log Forwarding Profile.
In the "Threat Settings Section" in the "Email" column, select the Email server profile for forwarding threat logs to the configured server(s).
Select "OK".

When the "Log Forwarding Profile" window disappears, the screen will show the configured log-forwarding profile.
For Threat Logs, use the log forwarding profile in the security rules.
Go to Policies >> Security Rule
Select the rule to which the log forwarding needs to be applied, which in this case is the Security Policy used to detect malicious code (the "Profile" column displays the Antivirus Profile symbol). Apply the log forwarding profile to the rule.
In the "Actions" tab, in the "Log Setting" section, select the log forwarding profile from the "Log Forwarding" drop-down list. Note that the "Log Forwarding" field can only hold one profile.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Check Contents

The following is an example of how to check if the device is sending messages to e-mail; this is one option that meets the requirement. If sending messages to an SNMP server or Syslog servers is used, follow the vendor guidance on how to verify that function.
Go to Device >> Server Profiles >> Email
If there is no Email Server Profile configured, this is a finding.

Go to Objects >> Log forwarding
If there is no Email Forwarding Profile configured, this is a finding.

Go to Policies >> Security
View the Security Policy that is used to detect malicious code (the "Profile" column displays the Antivirus Profile symbol); in the "Options" column, if the Email Forwarding Profile is not used, this is a finding.
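The three checks above can be run against an exported PAN-OS configuration instead of clicking through the GUI. This is an added example, not part of the STIG or STIGQter; the XML element paths and the sample configuration are assumptions modelled on a PAN-OS config export, so confirm them against your own exported configuration.

```python
"""Automated form of this STIG's three checks against an exported PAN-OS config.
Added example, not from the STIG or STIGQter; the XML paths are an assumption
modelled on a PAN-OS config export, so confirm them against your own export."""
import xml.etree.ElementTree as ET

# Constructed sample config: one email server profile, one log forwarding profile
# sending threat logs to it, and two antivirus rules, only one of which uses it.
SAMPLE_CONFIG = """<config>
 <shared><log-settings>
  <email><entry name="stig-email"><server><entry name="smtp1">
    <gateway>10.0.0.25</gateway><to>soc@example.test</to></entry></server></entry></email>
  <profiles><entry name="fwd-threat"><match-list><entry name="threat-all">
    <log-type>threat</log-type><send-email><member>stig-email</member></send-email>
  </entry></match-list></entry></profiles>
 </log-settings></shared>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
   <entry name="allow-web"><log-setting>fwd-threat</log-setting><profile-setting>
     <profiles><virus><member>default</member></virus></profiles></profile-setting></entry>
   <entry name="allow-dns"><profile-setting>
     <profiles><virus><member>default</member></virus></profiles></profile-setting></entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>"""

def check_panw_ip_000028(config_xml: str) -> list:
    """Return the list of findings; an empty list means this check passes."""
    root = ET.fromstring(config_xml)
    findings = []
    # Check 1: an Email Server Profile exists (Device >> Server Profiles >> Email).
    email_profiles = {e.get("name") for e in root.findall("./shared/log-settings/email/entry")}
    if not email_profiles:
        findings.append("No Email Server Profile configured")
    # Check 2: a Log Forwarding Profile forwards Threat logs to one of those profiles.
    threat_fwd = set()
    for prof in root.findall("./shared/log-settings/profiles/entry"):
        for match in prof.findall("./match-list/entry"):
            members = [m.text for m in match.findall("./send-email/member")]
            if match.findtext("log-type") == "threat" and email_profiles.intersection(members):
                threat_fwd.add(prof.get("name"))
    if not threat_fwd:
        findings.append("No Log Forwarding Profile forwards Threat logs to an Email profile")
    # Check 3: every rule carrying an Antivirus profile must use one of those forwarding
    # profiles (rules using security profile groups are not inspected by this example).
    for rule in root.findall(".//rulebase/security/rules/entry"):
        if rule.find("./profile-setting/profiles/virus") is None:
            continue
        if rule.findtext("log-setting") not in threat_fwd:
            findings.append(f"Rule '{rule.get('name')}' detects malicious code without email log forwarding")
    return findings
```

Each finding string corresponds to one "this is a finding" sentence in the Check Contents, so an empty list means the device passes this rule as far as the exported configuration shows.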

Vulnerability Number

V-207696

Documentable

False

Rule Version

PANW-IP-000028

Severity Override Guidance


Check Content Reference

M

Target Key

2927

Comments