As part of the release of R81 Security Management Software, we have some new enhancements and bug fixes to the Compliance Blade.
16 new Security Best Practices/Checks have been added in R81 for the Firewall and, mostly, for Gaia OS:
| ID | Name | Description |
|---|---|---|
| FW205 | Check that no rules are configured with both: 'Services & Applications' set to 'Any' and 'Action' set to 'Accept' | The Service setting of Any should not be used for any policies that allow traffic. Create security policies specifying the desired ports. We highly recommend that you do not select 'Any' in the 'Services & Applications' column. In particular, do not allow any service when the Action is set to 'Accept'. |
| OS130 | Check that the password contains at least 12 characters | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. We recommend that your password contains at least 12 characters. |
| OS131 | Check that the password complexity requires four character types | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. We recommend that your password contains upper case letters, lower case letters, numbers and special characters. |
| OS132 | Check that the password expiration value is set to a maximum of 365 days | Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. We recommend that you set the password expiration value to a maximum of 365 days, depending on your environment. This way, an attacker has a limited amount of time to compromise a user's password and access your network resources. |
| OS133 | Check that the password history is enabled | The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute-force attacks. If users are required to change their password, but can still reuse an old one, the effectiveness of the policy is greatly reduced. |
| OS134 | Check that the password history prohibits password reuse for a minimum of 3 generations | The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute-force attacks. If users are required to change their password, but can still reuse an old one, the effectiveness of the policy is greatly reduced. We recommend prohibiting password reuse for a minimum of 3 generations. |
| OS135 | Check that the hashing algorithm for password storage is enabled | For security reasons, you should store passwords in hashed form. This guards against the possibility that someone who gains unauthorized access to the database can retrieve the passwords of every user in the system. We recommend that you use the most recent hashing algorithm. |
| OS150 | Check that a TACACS+ Server IP address and key are defined for authentication | TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. We recommend that you define the TACACS+ Server IP address and key for authentication. |
| OS155 | Check that only permitted IP addresses are allowed to access and manage the firewall via SSH and HTTPS | By default, the firewall for each service allows access from all IP addresses. To restrict traffic, change each service to allow traffic only from your management subnet. Allow only permitted IP addresses to access and manage the firewall via SSH and HTTPS. |
| OS160 | Check that SNMP agent usage is enabled | SNMP monitoring is useful for anyone who is responsible for servers and network devices such as hosts, routers, hubs and switches. It lets you keep an eye on network and bandwidth usage, and track important issues such as uptime and traffic levels. We recommend that you use SNMP Polling. |
| OS161 | Check that the SNMP agent version is set to v3 | SNMP v3 adds cryptographic security as well as new concepts, terminology, remote configuration enhancements, and textual conventions. We therefore recommend that you use SNMP v3 Polling. |
| OS162 | Check that SNMP traps are configured to generate SNMP traps for system, traffic, or threat logs | You can use logging and SNMP to monitor cluster units for failover. Both the primary and subordinate units can be configured to write log messages and send SNMP traps if a failover occurs. |
| OS163 | Check that the SNMP 'clusterXLFailover' trap is defined | You can use logging and SNMP to monitor cluster units for failover. Both the primary and subordinate units can be configured to write log messages and send SNMP traps if a failover occurs. We recommend that you enable the 'clusterXLFailover' trap. |
| OS164 | Check that the SNMP 'fanFailure' trap is defined | You can use logging and SNMP to monitor the fan status. If there are issues with the fan, you will be able to address them immediately. |
| OS165 | Check that the SNMP 'lowDiskSpace' trap is defined | You can use logging and SNMP to monitor the disk space status. If you have low disk space, you will be able to address it immediately. |
| OS170 | Check that Advanced Routing for OSPF is configured | OSPF (Open Shortest Path First) is a popular link-state routing protocol. Network devices exchange pieces of information in order to build a complete topology database. |
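As an added example (not code from the original post and not Check Point's own Compliance Blade logic), the script below shows how the password, SNMP and FW205 checks in the table can be expressed as an offline audit: it parses a Gaia `show configuration` dump and a rulebase export and reports pass/fail per check ID. The sample configuration lines and the rule list are constructed for the demonstration, and the exact `set ...` key names and trap names used as dictionary keys are assumptions modelled on Gaia clish syntax; verify them against your own `show configuration` output before relying on the mapping.

```python
"""Offline audit of a subset of the R81 Compliance checks (FW205, OS130-OS134,
OS160-OS165). Added example; not Check Point's implementation.
Assumes Gaia 'show configuration' emits lines of the form 'set <key words> <value>'."""
import re

# Constructed 'show configuration' excerpt; values are chosen so that
# some checks pass and some fail (key names are assumed Gaia syntax).
SAMPLE_CONFIG = """\
set password-controls min-password-length 8
set password-controls complexity 2
set password-controls password-expiration 365
set password-controls history-checking on
set password-controls history-length 10
set snmp agent on
set snmp agent-version v2
set snmp traps trap clusterXLFailover enable
set snmp traps trap fanFailure disable
"""

# Constructed rulebase export: name, 'Services & Applications' column, Action.
SAMPLE_RULES = [
    {"name": "Web-out", "service": "https", "action": "Accept"},
    {"name": "Allow-all-outbound", "service": "Any", "action": "Accept"},
    {"name": "Cleanup", "service": "Any", "action": "Drop"},
]


def parse_config(text):
    """Map 'set a b c value' lines to {'a b c': 'value'}; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^set\s+(.*)\s+(\S+)$", line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


# (check id, configuration key, predicate on the configured value)
CHECKS = [
    ("OS130", "password-controls min-password-length", lambda v: v.isdigit() and int(v) >= 12),
    ("OS131", "password-controls complexity", lambda v: v == "4"),
    ("OS132", "password-controls password-expiration", lambda v: v.isdigit() and int(v) <= 365),
    ("OS133", "password-controls history-checking", lambda v: v == "on"),
    ("OS134", "password-controls history-length", lambda v: v.isdigit() and int(v) >= 3),
    ("OS160", "snmp agent", lambda v: v == "on"),
    ("OS161", "snmp agent-version", lambda v: v.lower() == "v3-only"),
    ("OS163", "snmp traps trap clusterXLFailover", lambda v: v == "enable"),
    ("OS164", "snmp traps trap fanFailure", lambda v: v == "enable"),
    ("OS165", "snmp traps trap lowDiskSpace", lambda v: v == "enable"),
]


def audit(settings):
    """Return {check id: 'pass' | 'fail' | 'missing'}.
    A key that never appears in the dump is reported as 'missing', which a
    defender should treat as non-compliant rather than as unknown."""
    results = {}
    for check_id, key, ok in CHECKS:
        value = settings.get(key)
        if value is None:
            results[check_id] = "missing"
        else:
            results[check_id] = "pass" if ok(value) else "fail"
    return results


def fw205_violations(rules):
    """FW205: names of rules whose service column is 'Any' and action is 'Accept'."""
    return [r["name"] for r in rules
            if r["service"].lower() == "any" and r["action"].lower() == "accept"]


if __name__ == "__main__":
    for check_id, status in audit(parse_config(SAMPLE_CONFIG)).items():
        print(f"{check_id}: {status}")
    print("FW205 violations:", fw205_violations(SAMPLE_RULES))
```

Running the script on the constructed sample reports OS130, OS131, OS161 and OS164 as failing, OS165 as missing (the trap line is absent), and flags the `Allow-all-outbound` rule under FW205 while leaving the `Cleanup` drop rule alone, which mirrors the wording of the check: only Any-service rules that accept traffic are the problem.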
The following Compliance technical issues have been fixed in R81:

| Description |
|---|
| Fix for TM-504: Compliance blade results altered by cloud gateway. |
| Compliance showing a poor score despite the configuration being correct. |
| Deactivated compliance checks still showing up in the report. |
| Compliance blade Publish changes taking a long time. |
| Fix for using 'any' in the service column for a custom firewall best practice. |