The Palo Alto Networks security platform must employ centrally managed authentication server(s).
An XCCDF Rule
Description
<VulnDiscussion>The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Only the emergency administration account, also known as the account of last resort, can be locally configured on the device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-228673r856020_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
The device allows three different authentication protocols; RADIUS, LDAP, and Kerberos. In this explanation, LDAP is used.
To configure the Palo Alto Networks security platform to use an LDAP server, follow these steps:
Go to Device >> Server-Profiles >> LDAP
Select "Add" (lower left of window).
Populate the required fields.
Enter the name of the profile in the "Name" field.