Plain-text management Telnet enabled for Interface Management Profile in Palo Alto Networks devices
Description
This policy detects whether plain-text management Telnet is enabled for Interface Management Profiles on Palo Alto Networks devices. Telnet carries management sessions in clear text, so enabling it on a management interface significantly increases the risk of eavesdropping and man-in-the-middle attacks.
Code Example

```yaml
- name: Example
  tasks:
    - name: Example
      paloaltonetworks.panos.panos_management_profile:
        provider: '{{ provider }}'
        name: 'Test profile'
        telnet: true # telnet set to true, which fails this check
```

Remediation
Palo Alto Networks
- Resource: panos_management_profile
- Attribute: telnet

To mitigate this risk, ensure that the telnet attribute of your panos_management_profile resource is disabled, either by explicitly setting it to 'false' or by omitting it entirely, so that management access relies on secure communication protocols instead.

Secure Code Example:

```yaml
- name: Example
  tasks:
    - name: Example
      paloaltonetworks.panos.panos_management_profile:
        provider: '{{ provider }}'
        name: 'Test profile'
        telnet: false # telnet set to false (or omitted), which passes this check
```
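The following is an added example, not Checkov's or Palo Alto Networks' own code, showing how a check like CKV_PAN_3 can be run over an Ansible playbook. It takes the playbook as the Python structures a YAML loader would produce (so it runs without PyYAML), matches the module under both its short name and its FQCN, descends into block/rescue/always sections, treats an omitted telnet attribute as compliant per the remediation above, and also flags string values such as "yes" that YAML 1.1 reads as true. The sample playbook, the task names and the `check_playbook`/`telnet_enabled` helper names are constructed for this example.

```python
"""Checkov-style check for CKV_PAN_3 (added example, not Checkov's or
Palo Alto Networks' own code): flag panos_management_profile tasks in an
Ansible playbook that enable plain-text Telnet.  The playbook is handed
over as already-parsed Python structures (what yaml.safe_load returns),
so the example runs without PyYAML."""

MODULE = "panos_management_profile"
# Values Ansible/YAML 1.1 treat as "true" when the attribute is a string.
TRUTHY = {"true", "yes", "on", "1"}


def telnet_enabled(value):
    """Return True only when the telnet attribute is explicitly enabled.
    An omitted attribute (None) passes, matching the remediation guidance."""
    if value is None:
        return False
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUTHY


def management_profile_key(task):
    """Return the task key that invokes the module, matching both the
    short name and the FQCN (paloaltonetworks.panos.panos_management_profile)."""
    for key in task:
        if key == MODULE or key.endswith("." + MODULE):
            return key
    return None


def iter_tasks(tasks):
    """Yield every leaf task, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = False
        for section in ("block", "rescue", "always"):
            if section in task:
                nested = True
                yield from iter_tasks(task[section])
        if not nested:
            yield task


def check_playbook(plays):
    """Return findings as (play name, task name, telnet value) for every
    management profile task that enables Telnet."""
    findings = []
    for play in plays:
        for section in ("pre_tasks", "tasks", "post_tasks"):
            for task in iter_tasks(play.get(section)):
                key = management_profile_key(task)
                if key is None:
                    continue
                params = task.get(key) or {}
                if not isinstance(params, dict):
                    continue
                value = params.get("telnet")
                if telnet_enabled(value):
                    findings.append((play.get("name", "<unnamed play>"),
                                     task.get("name", "<unnamed task>"),
                                     value))
    return findings


# Constructed sample playbook (parsed form of the YAML above plus variants):
# one failing task, one string-valued failing task inside a block, one
# compliant task and one that omits telnet entirely.
SAMPLE_PLAYBOOK = [
    {
        "name": "Example",
        "tasks": [
            {"name": "Telnet enabled",
             "paloaltonetworks.panos.panos_management_profile": {
                 "provider": "{{ provider }}", "name": "Test profile",
                 "telnet": True}},
            {"block": [
                {"name": "Telnet enabled as string",
                 "panos_management_profile": {
                     "provider": "{{ provider }}", "name": "Legacy profile",
                     "telnet": "yes"}}]},
            {"name": "Telnet disabled",
             "paloaltonetworks.panos.panos_management_profile": {
                 "provider": "{{ provider }}", "name": "Hardened profile",
                 "telnet": False, "ssh": True}},
            {"name": "Telnet omitted",
             "paloaltonetworks.panos.panos_management_profile": {
                 "provider": "{{ provider }}", "name": "Default profile",
                 "ssh": True}},
        ],
    }
]

if __name__ == "__main__":
    for play, task, value in check_playbook(SAMPLE_PLAYBOOK):
        print(f"CKV_PAN_3 FAILED: play '{play}', task '{task}': telnet={value!r}")
```

Running the block reports the two failing tasks and stays silent on the profile that sets telnet to false and on the one that omits the attribute, which is exactly the distinction the remediation guidance draws.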
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1285 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_3 |