| Target | CPE Name |
|---|---|
| Palo Alto Networks Intrusion Detection and Prevention System | cpe:/o:paloaltonetworks:pan-os |
The Palo Alto Networks Security Technical Implementation Guide (STIG) provides the technical security policies, requirements, and implementation details for applying security concepts to the Palo Alto Networks platform (physical and virtual machine). This document is meant for use in conjunction with the Palo Alto Networks Network Device Management STIG and is required to be used for each deployment of the Palo Alto Networks security appliance.

The Palo Alto Networks security platform is a “third-generation” or “next-generation” firewall. These devices are capable of inspecting the entire packet, including the payload, and making a forwarding decision based on configured policies. Although they may have proxy capabilities, unlike a proxy, connections do not terminate on the device. Instead, the Palo Alto Networks security platform is a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks.

The use of the Palo Alto Networks security platform as either an Application Layer Gateway (ALG) or Intrusion Detection and Prevention System (IDPS) requires that specific capabilities be licensed. The Threat Prevention License provides antivirus, anti-spyware, and vulnerability protection. The Content-ID capability provides data filtering by type and by content inspection. This capability can be defined as both an IDPS and an ALG function. The Application-ID capability characterizes traffic to identify what applications are actually used in a data stream and is considered an ALG function.

The implementation of the Palo Alto Networks STIGs occurs in two parts. The Palo Alto Networks Network Device Management STIG is used for the configuration of the Palo Alto Networks device management functions, while either the Palo Alto Networks Application Layer Gateway STIG or the Palo Alto Networks Intrusion Detection and Prevention System STIG is used for the configuration of the device, depending on which role it will fulfill, as an enclave firewall/application layer gateway or as an intrusion detection and prevention system.
Parties within the DoD and Federal Government's computing environments can obtain the applicable STIG from the Information Assurance Support Environment (IASE) website. This site contains the latest copies of any STIGs, SRGs, and other related security information. The address for the IASE site is http://iase.disa.mil/.
DoDI 8500.01
All technical NIST SP 800-53 requirements were considered while developing this STIG. Requirements that are applicable and configurable will be included in the final STIG. A report marked For Official Use Only (FOUO) will be available for items that did not meet requirements. This report will be available to component Authorizing Official (AO) personnel for risk assessment purposes by request via email to: disa.stig_spt@mail.mil.
Corrected title for a reference link - 5/24/18
| Reference URL | Description |
|---|---|
| https://iasecontent.disa.mil/stigs/zip/U_Palo%20Alto_Networks_V1R1_Overview.zip | Palo Alto Networks STIG Overview, Version 1 |