- DISA_STIG_Palo_Alto_Networks_ALG_STIG_v2r2.audit from DISA Palo Alto Networks ALG v2r2 STIG
- PANW-AG-000017 - The Palo Alto Networks security platform that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
- PANW-AG-000020 - The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
- PANW-AG-000024 - The Palo Alto Networks security platform must log violations of security policies.
- PANW-AG-000035 - The Palo Alto Networks security platform must only enable User-ID on trusted zones.
- PANW-AG-000036 - The Palo Alto Networks security platform must disable WMI probing if it is not used.
- PANW-AG-000037 - The Palo Alto Networks security platform must not enable the DNS proxy.
- PANW-AG-000038 - The Palo Alto Networks security platform must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
- PANW-AG-000044 - The Palo Alto Networks security platform that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
- PANW-AG-000047 - The Palo Alto Networks security platform must protect against the use of internal systems from launching Denial of Service (DoS) attacks against other networks or endpoints.
- PANW-AG-000049 - The Palo Alto Networks security platform must block phone home traffic.
- PANW-AG-000050 - The Palo Alto Networks security platform must deny outbound IP packets that contain an illegitimate address in the source address field.
- PANW-AG-000051 - The Palo Alto Networks security platform must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
- PANW-AG-000052 - The Palo Alto Networks security platform must terminate communications sessions after 15 minutes of inactivity.
- PANW-AG-000060 - The Palo Alto Networks security platform must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.
- PANW-AG-000062 - The Palo Alto Networks security platform must drop malicious code upon detection - Antivirus Profiles.
- PANW-AG-000062 - The Palo Alto Networks security platform must drop malicious code upon detection - Antivirus Services.
- PANW-AG-000063 - The Palo Alto Networks security platform must delete or quarantine malicious code in response to malicious code detection - Antivirus Profiles.
- PANW-AG-000063 - The Palo Alto Networks security platform must delete or quarantine malicious code in response to malicious code detection - Antivirus Services.
- PANW-AG-000064 - The Palo Alto Networks security platform must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection - Email Log Forwarding.
- PANW-AG-000064 - The Palo Alto Networks security platform must send an immediate (within seconds) alert to the system administrator, at a minimum, in response to malicious code detection - Email Servers.
- PANW-AG-000065 - The Palo Alto Networks security platform must automatically update malicious code protection mechanisms - Download Action.
- PANW-AG-000065 - The Palo Alto Networks security platform must automatically update malicious code protection mechanisms - Schedule.
- PANW-AG-000073 - The Palo Alto Networks security platform must deny or restrict detected prohibited mobile code - Antivirus Actions.
- PANW-AG-000073 - The Palo Alto Networks security platform must deny or restrict detected prohibited mobile code - Antivirus Policies.
- PANW-AG-000074 - The Palo Alto Networks security platform must prevent the download of prohibited mobile code - Antivirus Profiles.
- PANW-AG-000074 - The Palo Alto Networks security platform must prevent the download of prohibited mobile code - Antivirus Protocols.
- PANW-AG-000078 - The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must control remote access methods (inspect and filter traffic).
- PANW-AG-000079 - The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must provide the capability to immediately disconnect or disable remote access to the information system.
- PANW-AG-000081 - To protect against data mining, the Palo Alto Networks security platform must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.