The Palo Alto Networks security platform must enforce the limit of three consecutive invalid logon attempts.

Quick Actions

We are continuing to improve Stigviewer and we are planning on rolling out new services in the near future. Would you like to be part of the conversation on what those features should be? If so, click here.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-228639	PANW-NM-000015	SV-228639r1082941_rule		Medium

Description

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

STIG	Date
Palo Alto Networks NDM Security Technical Implementation Guide	2025-03-12

Details

Check Text (C-30874r1082939_chk)

Go to Device >> Authentication Profile.
Check the authentication profile used for the local account used for the account of last resort.

If the "Failed Attempts (#)" field is not set to "3", this is a finding.

Fix Text (F-30851r1082940_fix)

Configure the authentication profile associated with the account of last resort with lockout settings of three failed attempts, which is the only local login account.

1. Go to Device >> Authentication Profile.
2. Select the configured authentication profile or select "Add" (in the bottom-left corner of the pane) to create a new one.
3. In the "Authentication Profile" field, enter the name of the authentication profile that will be used to control each person's authentication process.
4. The "Lockout Time (min)" field is the lockout duration; this must be set to "15".
5. In the "Failed Attempts" field, enter "3".
6. Select "OK".

STIG VIEWER