STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The Palo Alto Networks security platform must deny outbound IP packets that contain an illegitimate address in the source address field.

DISA Rule

SV-228844r557387_rule

Vulnerability Number

V-228844

Group Title

SRG-NET-000192-ALG-000121

Rule Version

PANW-AG-000050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create an anti-spoofing policy for each outgoing zone that drops any traffic when the source IP does not match the list of allowed IP ranges for each outgoing zone.

Navigate to the “Zone Protection Profile” configuration screen.

Select the “Packet-Based Attack Protection” tab.

Select the “IP Drop” tab.

Check the “Spoofed IP Address” box.

Check Contents

Verify an anti-spoofing policy is configured for each outgoing zone that drops any traffic when the source IP does not match the list of allowed IP ranges for each outgoing zone.

Navigate to the “Zone Protection Profile” configuration screen.

Select the “Packet-Based Attack Protection” tab.

Select the “IP Drop” tab.

If the “Spoofed IP Address” box is not checked for each outgoing zone, this is a finding.
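The fix and check above describe the policy in GUI terms: for each outgoing zone, drop any packet whose source IP is outside that zone's allowed ranges, and treat a zone whose profile lacks the “Spoofed IP Address” drop as a finding. The following Python model, added here as an illustration and not taken from the STIG or from Palo Alto Networks' own code, implements both halves so the intended behaviour can be reasoned about and tested. The zone names, allowed ranges, profile states and packets are constructed sample data, not values from the STIG.

```python
"""Reference model of the PANW-AG-000050 anti-spoofing policy (added example).

Two checks are modelled:
  1. enforcement: an outbound packet is dropped unless its source IP falls
     inside one of the allowed ranges configured for its outgoing zone;
  2. audit: any outgoing zone whose Zone Protection Profile does not have
     the "Spoofed IP Address" drop enabled is reported as a finding.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: allowed source ranges per outgoing zone (assumption, not STIG data).
ZONE_ALLOWED_SOURCES = {
    "trust": ["10.10.0.0/16", "192.168.50.0/24", "fd00:10::/32"],
    "dmz": ["172.16.20.0/24"],
    "untrust": [],  # nothing should originate inside this zone, so every source is illegitimate
}

# Constructed sample: state of the "Spoofed IP Address" box in each zone's profile.
ZONE_SPOOF_DROP_ENABLED = {"trust": True, "dmz": False, "untrust": True}


@dataclass(frozen=True)
class Packet:
    zone: str    # outgoing zone the packet originates from
    src_ip: str  # source address as it appears in the IP header
    dst_ip: str


def _allowed_networks(zone, allowed):
    """Parse the zone's allowed ranges; strict=False tolerates host bits in the prefix."""
    return [ipaddress.ip_network(n, strict=False) for n in allowed.get(zone, [])]


def is_legitimate_source(zone, src_ip, allowed=ZONE_ALLOWED_SOURCES):
    """True only if src_ip parses and lies inside a range allowed for this zone.

    An unparsable address can never match a configured range, so it is
    treated as illegitimate rather than raising.  IPv4/IPv6 mismatches are
    handled by ipaddress: a v6 address is never "in" a v4 network.
    """
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(ip in net for net in _allowed_networks(zone, allowed))


def enforce(packets, allowed=ZONE_ALLOWED_SOURCES):
    """Split packets into the ones the policy allows and the ones it drops."""
    verdicts = {"allow": [], "drop": []}
    for pkt in packets:
        action = "allow" if is_legitimate_source(pkt.zone, pkt.src_ip, allowed) else "drop"
        verdicts[action].append(pkt)
    return verdicts


def audit_zone_profiles(spoof_drop_enabled=ZONE_SPOOF_DROP_ENABLED):
    """Return the zones that would be a finding: spoofed-IP drop not enabled."""
    return sorted(zone for zone, enabled in spoof_drop_enabled.items() if not enabled)


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("trust", "10.10.5.5", "203.0.113.10"),       # inside trust's allowed range
    Packet("trust", "172.16.20.9", "203.0.113.10"),     # dmz address leaving via trust: spoofed
    Packet("dmz", "172.16.20.9", "203.0.113.10"),       # legitimate dmz source
    Packet("untrust", "10.10.5.5", "203.0.113.10"),     # internal address claimed from untrust
    Packet("trust", "not-an-ip", "203.0.113.10"),       # malformed source field
    Packet("trust", "fd00:10::1", "2001:db8::1"),       # IPv6 source within trust's v6 range
]

if __name__ == "__main__":
    result = enforce(SAMPLE_PACKETS)
    for pkt in result["drop"]:
        print(f"DROP  zone={pkt.zone:8} src={pkt.src_ip}")
    for pkt in result["allow"]:
        print(f"ALLOW zone={pkt.zone:8} src={pkt.src_ip}")
    print("Finding zones (Spoofed IP Address drop not enabled):", audit_zone_profiles())
```

The audit half deliberately reports a zone with the box unchecked even if its allowed ranges are fully populated, because the STIG check is on the profile setting itself, not on the resulting traffic.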

Vulnerability Number

V-228844

Documentable

False

Rule Version

PANW-AG-000050

Severity Override Guidance

Verify an anti-spoofing policy is configured for each outgoing zone that drops any traffic when the source IP does not match the list of allowed IP ranges for each outgoing zone.

Navigate to the “Zone Protection Profile” configuration screen.

Select the “Packet-Based Attack Protection” tab.

Select the “IP Drop” tab.

If the “Spoofed IP Address” box is not checked for each outgoing zone, this is a finding.

Check Content Reference

M

Target Key

4233

Comments