Security zone on Palo Alto Networks devices does not have an associated Zone Protection Profile
Description
This policy checks that every security zone configured on Palo Alto Networks devices has an associated Zone Protection Profile. Zone Protection Profiles apply a set of countermeasures to traffic entering the zone: flood protection (SYN, UDP, ICMP and other IP floods), reconnaissance protection (port scans and host sweeps), and packet-based attack protection (malformed or spoofed packets). A zone without a profile receives none of these checks, so traffic ingressing it reaches the security policy unfiltered at the zone level. Enforcing a profile on every zone bolsters the overall security posture.
Remediation
Palo Alto Networks
- Resource: panos_zone
- Attribute: zone_profile
To mitigate this risk, ensure that each panos_zone task is configured with a non-empty zone_profile attribute naming an existing Zone Protection Profile on the firewall. An empty string or an omitted attribute leaves the zone unprotected. The profile must already exist on the device (for example the built-in 'strict' profile or one created with panos_zone_protection_profile); the module associates it with the zone but does not create it.
Secure Code Example:
```yaml
- name: Verify tests
  hosts: firewall              # assumed inventory group for the PAN-OS device
  connection: local
  tasks:
    - name: Zone
      paloaltonetworks.panos.panos_zone:
        provider: '{{ device }}'   # assumed variable holding ip_address/username/password
        zone: 'untrust'            # assumed zone name
        mode: 'layer3'
        zone_profile: 'strict'     # Zone Protection Profile specified, which is a pass
```
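The check described above can be reproduced outside Checkov with a short static scanner. The following is an added example and not Checkov's or Prisma Cloud's own implementation: it walks an already-parsed Ansible playbook (the structure yaml.safe_load returns), finds panos_zone tasks under both the fully qualified and the short module name, descends into block/rescue/always so nested tasks are not missed, and fails any task whose zone_profile is absent or an empty string. The sample playbook is constructed for the example; the decision to skip tasks with state: absent is a design choice of this example, not something the policy text states.

```python
"""Flag panos_zone tasks whose zone_profile is missing or empty.

Added example of the policy's detection logic, not Checkov's code. Operates on a
parsed playbook (list of plays), i.e. the output of yaml.safe_load(playbook_text).
"""
from typing import Any, Dict, Iterator, List, Optional

# Playbooks may use either the collection-qualified or the short module name.
PANOS_ZONE_MODULES = ("paloaltonetworks.panos.panos_zone", "panos_zone")
PLAY_TASK_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")
NESTED_TASK_KEYS = ("block", "rescue", "always")


def iter_tasks(items: List[Any]) -> Iterator[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always containers."""
    for item in items:
        if not isinstance(item, dict):
            continue
        nested = [k for k in NESTED_TASK_KEYS if isinstance(item.get(k), list)]
        if nested:
            for key in nested:
                yield from iter_tasks(item[key])
        else:
            yield item


def iter_playbook_tasks(playbook: List[Any]) -> Iterator[Dict[str, Any]]:
    """Yield every leaf task of every play, in playbook order."""
    for play in playbook:
        if not isinstance(play, dict):
            continue
        for key in PLAY_TASK_KEYS:
            if isinstance(play.get(key), list):
                yield from iter_tasks(play[key])


def check_zone_task(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a result for a panos_zone task, or None if the task is not one."""
    module = next((m for m in PANOS_ZONE_MODULES if m in task), None)
    if module is None:
        return None
    args = task[module]
    # Free-form string args ("panos_zone: zone=untrust") cannot be inspected: treat as failing.
    if not isinstance(args, dict):
        args = {}
    name = task.get("name", "<unnamed>")
    zone = args.get("zone")
    # Assumption of this example: a zone being deleted does not need a profile.
    if args.get("state") == "absent":
        return {"task": name, "zone": zone, "status": "SKIPPED"}
    profile = args.get("zone_profile")
    # A Jinja expression such as "{{ zp }}" counts as set; empty or whitespace does not.
    ok = isinstance(profile, str) and profile.strip() != ""
    return {"task": name, "zone": zone, "status": "PASSED" if ok else "FAILED"}


def check_playbook(playbook: List[Any]) -> List[Dict[str, Any]]:
    """Evaluate every panos_zone task in the playbook."""
    return [r for t in iter_playbook_tasks(playbook) if (r := check_zone_task(t)) is not None]


def failing_zones(playbook: List[Any]) -> List[str]:
    """Names of the tasks that would fail the policy."""
    return [r["task"] for r in check_playbook(playbook) if r["status"] == "FAILED"]


# Constructed sample playbook in parsed form (what yaml.safe_load would return).
SAMPLE_PLAYBOOK = [
    {
        "name": "Configure zones",
        "hosts": "firewall",
        "connection": "local",
        "tasks": [
            {"name": "untrust with profile",
             "paloaltonetworks.panos.panos_zone": {"zone": "untrust", "mode": "layer3", "zone_profile": "strict"}},
            {"name": "trust without profile",
             "panos_zone": {"zone": "trust", "mode": "layer3"}},
            {"name": "dmz with empty profile",
             "paloaltonetworks.panos.panos_zone": {"zone": "dmz", "zone_profile": ""}},
            {"name": "nested zones",
             "block": [
                 {"name": "guest nested in block",
                  "paloaltonetworks.panos.panos_zone": {"zone": "guest", "mode": "layer3"}},
             ]},
            {"name": "remove legacy zone",
             "paloaltonetworks.panos.panos_zone": {"zone": "legacy", "state": "absent"}},
            {"name": "unrelated task", "debug": {"msg": "not a zone"}},
        ],
    }
]

if __name__ == "__main__":
    for result in check_playbook(SAMPLE_PLAYBOOK):
        print(f"{result['status']:7} {str(result['zone']):10} {result['task']}")
```

Run it against the constructed playbook and it reports one PASSED, three FAILED (missing attribute, empty string, and the task hidden inside a block) and one SKIPPED deletion; the unrelated debug task is ignored. To scan a real file, feed `yaml.safe_load(open(path).read())` into `check_playbook`.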
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1296 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_14 |