STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Palo Alto Networks security platform must terminate communications sessions after 15 minutes of inactivity.

DISA Rule

SV-228846r557387_rule

Vulnerability Number

V-228846

Group Title

SRG-NET-000213-ALG-000107

Rule Version

PANW-AG-000052

Severity

CAT II

CCI(s)

• CCI-001133 - The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

Weight

10

Fix Recommendation

To configure the global values:
Go to Device >> Setup >> Session
In the "Session Timeouts" pane, select the "Edit" icon (the gear symbol in the upper-right corner of the pane).
In the "TCP" field, enter "900".
Select "OK".

To configure application-specific values:
Go to Objects >> Applications
Select an application name to view additional details about the application.
To search for a specific application, enter the "application name" or "description" in the "Search" field.
In the "Application" window, in the "Options" pane, in the "TCP Timeout" field, select "Customize".
In the Application specific window, in the "TCP" and "UDP Timeout" fields, enter "900" if the existing value is greater than "900". Many applications will not have one of these two fields.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.

Check Contents

To check global values:
Go to Device >> Setup >> Session
In the "Session Timeouts" pane, if the TCP field has a value of greater than "900", this is a finding.

Obtain the list of authorized applications for the system or network.
To check application-specific values:
Go to Objects >> Applications
Select, in turn, each authorized application.
In the "Application" window, in the "Options" pane, view the "TCP" and "UDP Timeout" fields, if the value is greater than "900", this is a finding.

Many applications will not have one of these two fields.

Vulnerability Number

V-228846

Documentable

False

Rule Version

PANW-AG-000052

Severity Override Guidance

To check global values:
Go to Device >> Setup >> Session
In the "Session Timeouts" pane, if the TCP field has a value of greater than "900", this is a finding.

Obtain the list of authorized applications for the system or network.
To check application-specific values:
Go to Objects >> Applications
Select, in turn, each authorized application.
In the "Application" window, in the "Options" pane, view the "TCP" and "UDP Timeout" fields, if the value is greater than "900", this is a finding.

Many applications will not have one of these two fields.

Check Content Reference

M

Target Key

4233

Comments