SV-207698r557390_rule
V-207698
SRG-NET-000273-IDPS-00198
PANW-IP-000030
CAT II
10
Note: The interzone-default rule action is deny, so unless ICMP is specifically allowed by a policy, it will be denied. If there is an explicit security policy configured allowing ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.
Create three custom Applications to identify ICMP Type 3, 5, and 18:
Go to Objects >> Applications
Select "Add".
In the Application window, complete the required fields. In the Configuration tab, in the General section, complete the Name and Description fields.
In the Configuration tab, in the Properties section, for Category, select networking, for Subcategory, select infrastructure, and for Technology, select network-protocol.
In the Advanced tab, in the Defaults section, select "ICMP Type" and enter "3", since ICMP Destination Unreachable is Type 3. Select "OK". Repeat this procedure two more times, using ICMP Type values of 5 and 18, since ICMP Redirect is Type 5 and ICMP Address Mask Reply is Type 18.
Use these three Application filters in a Security Policy.
To configure the security policy:
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields. Select "interzone" for the Rule Type.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
For the "Source Zone" field, select "internal".
For the "Source Address" field, select "any".
In the "Destination" tab, for the "Destination Address" field, select "any".
Note: The "Destination Zone" window will be grayed out (unable to enter parameters).
In the "Applications" tab, select the three application filters configured above.
In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Ask the Administrator if any security policy allows ICMP from an internal zone or DMZ to an outside zone. If there is none, this is not a finding.
If there is a security policy that allows ICMP from an internal zone or DMZ to an outside zone, then a policy must be configured to deny outbound ICMP Destination Unreachable, Redirect, and Address Mask reply messages.
Go to Objects >> Applications; if there are not three custom Applications to identify ICMP Type 3, 5, and 18, this is a finding.
Go to Policies >> Security; if there is no Security Policy using these three custom Applications with the resulting action of "deny", this is a finding.
This Security Policy must appear above any Security Policy that allows ICMP from an internal zone or DMZ to an outside zone; if it does not, this is a finding.
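As an added example (not part of this STIG or of Palo Alto Networks' tooling), the following Python check applies the check procedure above to an exported PAN-OS configuration: it confirms the three ICMP-type custom Applications from the fix procedure exist, that a deny rule uses all three from an internal zone, and that the deny rule is ordered above any rule allowing ICMP out of an internal zone. It assumes a simplified vsys XML layout, zone names "internal", "dmz" and "outside", and the predefined "icmp" and "ping" applications; the configuration fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET
REQUIRED_ICMP_TYPES = {"3", "5", "18"}  # Destination Unreachable, Redirect, Address Mask Reply
INSIDE_ZONES = {"internal", "dmz"}      # assumed zone names
OUTSIDE_ZONES = {"outside", "any"}      # assumed; a rule "to any" also reaches the outside zone
ICMP_APPS = {"icmp", "ping"}            # predefined PAN-OS applications that carry ICMP
# Constructed config fragments in a simplified vsys tree (not a real export).
APPS = "".join(f'<entry name="icmp-type-{t}"><default><ident-by-icmp-type><type>{t}</type>'
               '</ident-by-icmp-type></default></entry>' for t in ("3", "5", "18"))
DENY_RULE = ('<entry name="deny-icmp-errors-out"><rule-type>interzone</rule-type>'
             '<from><member>internal</member></from><to><member>any</member></to><application>'
             + "".join(f'<member>icmp-type-{t}</member>' for t in ("3", "5", "18"))
             + '</application><action>deny</action></entry>')
ALLOW_RULE = ('<entry name="allow-icmp-out"><from><member>internal</member></from>'
              '<to><member>outside</member></to><application><member>icmp</member>'
              '</application><action>allow</action></entry>')

def build_config(rules_xml, apps_xml=APPS):
    """Wrap fragments in the vsys skeleton; rule order in the XML is policy order."""
    return ('<config><devices><entry name="fw"><vsys><entry name="vsys1">'
            f'<application>{apps_xml}</application><rulebase><security><rules>'
            f'{rules_xml}</rules></security></rulebase></entry></vsys></entry></devices></config>')

def check_config(xml_text):
    """Return findings for PANW-IP-000030; an empty list means not a finding."""
    vsys = ET.fromstring(xml_text).find("devices/entry/vsys/entry")
    # custom Application name -> ICMP type, for Applications identified by ICMP type
    icmp_apps = {a.get("name"): a.findtext("default/ident-by-icmp-type/type")
                 for a in vsys.findall("application/entry")
                 if a.find("default/ident-by-icmp-type/type") is not None}
    deny_pos = allow_pos = None
    for pos, rule in enumerate(vsys.findall("rulebase/security/rules/entry")):
        frm = {m.text for m in rule.findall("from/member")}
        to = {m.text for m in rule.findall("to/member")}
        apps = {m.text for m in rule.findall("application/member")}
        types = {icmp_apps[a] for a in apps if a in icmp_apps}
        action = rule.findtext("action")
        if allow_pos is None and action == "allow" and apps & ICMP_APPS and frm & INSIDE_ZONES and to & OUTSIDE_ZONES:
            allow_pos = pos  # first rule that lets ICMP out of an internal zone
        if deny_pos is None and action == "deny" and types >= REQUIRED_ICMP_TYPES and frm & INSIDE_ZONES:
            deny_pos = pos   # first rule denying all three ICMP types from an internal zone
    if allow_pos is None:
        return []  # nothing allows ICMP outbound: not a finding
    findings = []
    missing = REQUIRED_ICMP_TYPES - set(icmp_apps.values())
    if missing:
        findings.append(f"no custom Application for ICMP type(s) {sorted(missing, key=int)}")
    if deny_pos is None:
        findings.append("no deny rule using the ICMP type 3/5/18 Applications")
    elif deny_pos > allow_pos:
        findings.append("deny rule is ordered below the rule allowing ICMP outbound")
    return findings
```

Running `check_config(build_config(DENY_RULE + ALLOW_RULE))` returns an empty list, while swapping the two rules reports the ordering finding.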
V-207698
False
PANW-IP-000030
M
2927