STIGQter: STIG Summary: Palo Alto Networks IDPS Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Palo Alto Networks security platform must block malicious ICMP packets.

DISA Rule

SV-207699r557390_rule

Vulnerability Number

V-207699

Group Title

SRG-NET-000273-IDPS-00204

Rule Version

PANW-IP-000031

Severity

CAT II

CCI(s)

• CCI-001312 - The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Weight

10

Fix Recommendation

To configure the security policy:
Go to Policies >> Security
Select "Add".
In the "Security Policy Rule" window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
For the "Source Zone" field, select "external".
For the "Source Address" field, select "any".
In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields.
For the "Destination Zone" field, select the internal and DMZ zones.
Note: the exact number and name of zones is specific to the network.

For the "Destination Address" field, select "any".
In the "Applications" tab, select "icmp", "ipv6-icmp", "traceroute".
In the "Actions" tab, select "Deny" as the resulting action. Select the required Log Setting and Profile Settings as necessary.
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.

Check Contents

Ask the Administrator which Security Policy blocks traceroutes and ICMP probes.
Go to Policies >> Security
View the identified Security Policy.

If the "Source Zone" field is not external and the "Source Address" field is not any, this is a finding.

If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not "any", this is a finding.
Note: the exact number and name of zones is specific to the network.

If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding.

If the "Actions" field does not show "Deny" as the resulting action, this is a finding.

Vulnerability Number

V-207699

Documentable

False

Rule Version

PANW-IP-000031

Severity Override Guidance

Ask the Administrator which Security Policy blocks traceroutes and ICMP probes.
Go to Policies >> Security
View the identified Security Policy.

If the "Source Zone" field is not external and the "Source Address" field is not any, this is a finding.

If the "Destination Zone" fields do not include the internal and DMZ zones and the "Destination Address" field is not "any", this is a finding.
Note: the exact number and name of zones is specific to the network.

If the "Application" fields do not include "icmp", "ipv6-icmp", and "traceroute", this is a finding.

If the "Actions" field does not show "Deny" as the resulting action, this is a finding.

Check Content Reference

M

Target Key

2927

Comments