UCF STIG Viewer Logo

The Palo Alto Networks security platform must capture traffic of detected/blocked malicious code.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62651 PANW-IP-000008 SV-77141r1_rule Medium
Description
Associating event outcome with detected events in the log provides a means of investigating an attack or suspected attack. The logs should identify what servers, destination addresses, applications, or databases were potentially attacked by logging communications traffic between the target and the attacker. All commands that were entered by the attacker (such as account creations, changes in permissions, files accessed, etc.) during the session should also be logged. Packet captures of attack traffic can be used by forensic tools for analysis for example, to determine if an alert is real or a false alarm or for forensics for threat intelligence.
STIG Date
Palo Alto Networks IDPS Security Technical Implementation Guide 2019-10-02

Details

Check Text ( C-63455r1_chk )
Go to Objects >> Security Profiles >> Antivirus
View the configured Antivirus Profiles. If the Packet Capture check box is not checked, this is a finding.

Go to Objects >> Security Profiles >> Anti-Spyware
View the configured Anti-Spyware Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding.

Go to Objects >> Security Profiles >> Vulnerability Protection
View the configured Vulnerability Protection Profiles. If the "Packet Capture" field does not show extended-capture, this is a finding.

Go to Policies >> Security
Review each of the configured security policies in turn. For any Security Policy that affects traffic between Zones (interzone), view the "Profile" column. If the "Profile" column does not display the Antivirus Profile, Anti-Spyware, and Vulnerability Protection symbols, this is a finding.
Fix Text (F-68571r1_fix)
Go to Objects >> Security Profiles >> Antivirus
Select the name of a configured Antivirus Profile or select "Add" to create a new one.
In the "Antivirus Profile" window, complete the required fields.
In the "Antivirus" tab, select the "Packet Capture" check box.
Select "OK".

Configure an Anti-Spyware Profile to capture detected malicious traffic.
Go to Objects >> Security Profiles >> Anti-Spyware
Select the name of a configured Anti-Spyware Profile or select "Add" to create a new one.
In the "Anti-Spyware Profile" window, complete the required fields in all tabs.
In the "Rules" tab, select the name of a configured Anti-Spyware Rule or select "Add" to create a new one.
In the "Anti-Spyware Rule" window, in the "Packet Capture" field, select "extended-capture".
Select "OK".
Select "OK" again.

Configure a Vulnerability Protection Profile to capture detected malicious traffic.
Go to Objects >> Security Profiles >> Vulnerability Protection
Select the name of a configured Vulnerability Protection Profile or select "Add" to create a new one.
In the "Vulnerability Protection Profile" window, complete the required fields.
In the "Rules" tab, select the name of a configured Vulnerability Protection Rule or select "Add" to create a new one.
In the "Vulnerability Protection Rule" window, in the "Packet Capture" field, select "extended-capture".
Select "OK".
Select "OK" again.

Use the Antivirus Profile, Anti-Spyware Profile, and Vulnerability Protection Profile in a Security Policy.
Go to Policies >> Security
Select an existing policy rule or select "Add" to create a new one.
In the "Actions tab in the Profile Setting section:
In the "Profile Type" field, select "Profiles". The window will change to display the different categories of Profiles.
In the "Antivirus" field, select the configured Antivirus Profile.
In the "Anti-Spyware" field, select the configured Anti-Spyware Profile.
In the "Vulnerability Protection" field, select the configured Vulnerability Protection Profile.
Select "OK".
Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.