topic Re: CLI commands for Palo Alto configuration in General Topics

CLI commands for Palo Alto configuration

Arti_K — Thu, 01 Feb 2018 11:25:24 GMT

Hi,

Are there any CLI commands which we can use to assess all the checks listed in the CIS Palo Alto Firewall 7 Benchmark?

For Example:

Check : Ensure 'Minimum Password Complexity' is enabled

Navigate to Device > Setup > Management > Minimum Password Complexity.

Verify Enabled is checked.

Is there any CLI command on Palo Alto Firewall device for getting configuration such kind of configuration?

Re: CLI commands for Palo Alto configuration

rmfalconer — Thu, 01 Feb 2018 16:08:02 GMT

As long as you know the syntax of the command you are searching for, you can find it pretty easily.

I prefer to use the set-based output on the CLI:

fw> set cli config-output-format set

Then just do a match on the string you're trying to find:

fw# show | match complexity
set mgt-config password-complexity enabled yes
set mgt-config password-complexity minimum-length 8
set mgt-config password-complexity minimum-lowercase-letters 1
set mgt-config password-complexity minimum-numeric-letters 1
set mgt-config password-complexity minimum-special-characters 1
set mgt-config password-complexity minimum-uppercase-letters 1
set mgt-config password-complexity block-repeated-characters 3
set mgt-config password-complexity block-username-inclusion yes

Re: CLI commands for Palo Alto configuration

BrianRa — Thu, 01 Feb 2018 16:23:09 GMT

If you are using Panorama to push configs you would need to log into that instead and run.

Panorama> set cli config-output-format set
Panorama> configure
Panorama# show device-group MY_FIREWALL | match complexity

This is the same result but if you push from Panorama the local firewall does not show those configs. You would have to view them in the view not config mode and there is no output format option so it is all xml.

Brian

Re: CLI commands for Palo Alto configuration

Arti_K — Mon, 05 Feb 2018 08:37:07 GMT

Thanks for the quick response. That's helpful.

We need to do configuration assessment for palo alto firewall device as per the CIS benchmark

recommendations.

Can anyone let me know if there are any CLI commands to set and get the following configurations:

Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured

Ensure 'V3' is selected for SNMP polling

Ensure 'Verify Update Server Identity' is enabled

Ensure that User-ID is only enabled for internal trusted interfaces

Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring

Ensure 'Passive Link State' and 'Preemptive' are configured appropriately

Ensure 'Antivirus Update Schedule' is set to download and install updates hourly

Ensure 'Applications and Threats Update Schedule' is set to download and install updates daily

Ensure that WildFire file size upload limits are maximized

Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles

Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows

Ensure forwarding of decrypted content to WildFire is enabled

Ensure all WildFire session information settings are enabled

Ensure alerts are enabled for malicious files detected by WildFire

Ensure 'WildFire Update Schedule' is set to download and install updates every 15 minutes

Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'

Ensure a secure antivirus profile is applied to all relevant security policies

Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats

Ensure DNS sinkholing is configured on all anti-spyware profiles in use

Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use

Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet

Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities

Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic

Ensure that PAN-DB URL Filtering is used

Ensure that URL Filtering uses the action of “block” or “override” on the <enterprise approved value> URL categories

Ensure that access to every URL is logged

Ensure all HTTP Header Logging options are enabled

Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet

Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled

Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet

Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones

Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions

Ensure all zones have Zone Protection Profiles that drop specially crafted packets

Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone

Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist

Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured

Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS

Re: CLI commands for Palo Alto configuration

rmfalconer — Mon, 05 Feb 2018 16:54:02 GMT

You should be able to get everything you need from CLI commands using ' | match'. You'll probably just have to figure out the exact syntax for each item you want, like 'show | match snmp' or 'show | match download'.

Re: CLI commands for Palo Alto configuration

BPry — Mon, 05 Feb 2018 22:04:06 GMT

@Arti_K,

SOme of these that you have listed won't be answered by using the 'match' command without quite a bit of CLI knowledge to ensure nothing get's overlooked. I highly recommend that you actually review the configuration to ensure each recommendation is acutally being followed by physically looking over the configuration.