STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: Palo Alto Networks ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:SV-228863r557387_rule
V-228863
SRG-NET-000370-ALG-000125
PANW-AG-000109
CAT II
10
User-ID can integrate with the enclave's systems using different methods; therefore, the exact configuration is dependent on the method chosen.
Determine which method User-ID will use to integrate with the enclave's systems - Server Monitoring, Client Probing, Syslog User-ID Agent, Terminal Services Agent, or Captive Portal.
Configure how groups and users are retrieved from the directory and which users groups are to be included in policies.
Configure the Security Policies that controls traffic from client hosts in the trust zone to the untrust zone.
Go to Policies >> Security
Select "Add" to create a new policy or select the Name of the Policy to edit it.
In the "Security Policy Rule" window, complete the required fields.
In the "General" tab, complete the "Name" and "Description" fields.
In the "Source" tab, complete the "Source Zone" and "Source Address" fields.
In the "User" tab, select "any".
In the "Destination" tab, complete the "Destination Zone" and "Destination Address" fields.
In the "Applications" tab, select the authorized applications.
In the "Service/URL Category" tab, select "application-default".
To add a service, select the "Service" check box, select "Add" and select a listed service or add a new service or service group.
In the "Actions" tab, select either "Deny" or "Allow (as required)" as the resulting action.
Select the required Log Setting and Profile Settings as necessary.
Commit changes by selecting "Commit" in the upper-right corner of the screen.
Select "OK" when the confirmation dialog appears.
Log into device Command Line Interface.
Enter the command "show user ip-user-mapping all".
If the output is blank, this is a finding.
An alternate means to verify that User-ID is properly configured, view the URL Filtering and Traffic logs is to view the logs.
To view the URL Filtering logs:
Go to Monitor >> Logs >> URL Filtering
To view the Traffic logs:
Go to Monitor >> Logs >> Traffic
User traffic originating from a trusted zone contains a username in the "Source User" column.
If the "Source User" column is blank, this is a finding.
Alternatively, verify that usernames are displayed in reports.
Go to Monitor >> Reports
Select the "Denied Applications Report".
If the "Source User" fields are empty, this is a finding.
V-228863
False
PANW-AG-000109
Log into device Command Line Interface.
Enter the command "show user ip-user-mapping all".
If the output is blank, this is a finding.
An alternate means to verify that User-ID is properly configured, view the URL Filtering and Traffic logs is to view the logs.
To view the URL Filtering logs:
Go to Monitor >> Logs >> URL Filtering
To view the Traffic logs:
Go to Monitor >> Logs >> Traffic
User traffic originating from a trusted zone contains a username in the "Source User" column.
If the "Source User" column is blank, this is a finding.
Alternatively, verify that usernames are displayed in reports.
Go to Monitor >> Reports
Select the "Denied Applications Report".
If the "Source User" fields are empty, this is a finding.
M
4233