02-01-2018 03:25 AM
Hi,
Are there any CLI commands which we can use to assess all the checks listed in the CIS Palo Alto Firewall 7 Benchmark?
For Example:
Check : Ensure 'Minimum Password Complexity' is enabled
Navigate to Device > Setup > Management > Minimum Password Complexity.
Verify Enabled is checked.
Is there any CLI command on Palo Alto Firewall device for getting configuration such kind of configuration?
02-01-2018 08:08 AM
As long as you know the syntax of the command you are searching for, you can find it pretty easily.
I prefer to use the set-based output on the CLI:
fw> set cli config-output-format set
Then just do a match on the string you're trying to find:
fw# show | match complexity
set mgt-config password-complexity enabled yes
set mgt-config password-complexity minimum-length 8
set mgt-config password-complexity minimum-lowercase-letters 1
set mgt-config password-complexity minimum-numeric-letters 1
set mgt-config password-complexity minimum-special-characters 1
set mgt-config password-complexity minimum-uppercase-letters 1
set mgt-config password-complexity block-repeated-characters 3
set mgt-config password-complexity block-username-inclusion yes
02-01-2018 08:23 AM
If you are using Panorama to push configs you would need to log into that instead and run.
Panorama> set cli config-output-format set
Panorama> configure
Panorama# show device-group MY_FIREWALL | match complexity
This is the same result but if you push from Panorama the local firewall does not show those configs. You would have to view them in the view not config mode and there is no output format option so it is all xml.
Brian
02-05-2018 12:37 AM
Thanks for the quick response. That's helpful.
We need to do configuration assessment for palo alto firewall device as per the CIS benchmark
recommendations.
Can anyone let me know if there are any CLI commands to set and get the following configurations:
| Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured |
| Ensure 'V3' is selected for SNMP polling |
| Ensure 'Verify Update Server Identity' is enabled |
Ensure that User-ID is only enabled for internal trusted interfaces |
| Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring |
| Ensure 'Passive Link State' and 'Preemptive' are configured appropriately |
| Ensure 'Antivirus Update Schedule' is set to download and install updates hourly |
| Ensure 'Applications and Threats Update Schedule' is set to download and install updates daily |
| Ensure that WildFire file size upload limits are maximized |
| Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles |
| Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows |
| Ensure forwarding of decrypted content to WildFire is enabled |
| Ensure all WildFire session information settings are enabled |
| Ensure alerts are enabled for malicious files detected by WildFire |
| Ensure 'WildFire Update Schedule' is set to download and install updates every 15 minutes |
| Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3' |
| Ensure a secure antivirus profile is applied to all relevant security policies |
| Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats |
| Ensure DNS sinkholing is configured on all anti-spyware profiles in use |
| Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use |
| Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet |
| Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low, and informational vulnerabilities |
| Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic |
| Ensure that PAN-DB URL Filtering is used |
| Ensure that URL Filtering uses the action of “block” or “override” on the <enterprise approved value> URL categories |
| Ensure that access to every URL is logged |
| Ensure all HTTP Header Logging options are enabled |
| Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet |
| Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled |
| Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet |
| Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones |
| Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions |
| Ensure all zones have Zone Protection Profiles that drop specially crafted packets |
| Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone |
| Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist |
| Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured |
| Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS |
02-05-2018 08:54 AM
You should be able to get everything you need from CLI commands using ' | match'. You'll probably just have to figure out the exact syntax for each item you want, like 'show | match snmp' or 'show | match download'.
02-05-2018 02:04 PM
SOme of these that you have listed won't be answered by using the 'match' command without quite a bit of CLI knowledge to ensure nothing get's overlooked. I highly recommend that you actually review the configuration to ensure each recommendation is acutally being followed by physically looking over the configuration.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
