The Palo Alto Networks security platform must enforce the limit of three consecutive invalid logon attempts.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-228639	SRG-APP-000065-NDM-000214	PANW-NM-000015	SV-228639r1082941_rule	2025-03-12	3

Description
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.

ℹ️ Check
Go to Device >> Authentication Profile. Check the authentication profile used for the local account used for the account of last resort. If the "Failed Attempts (#)" field is not set to "3", this is a finding.

✔️ Fix
Configure the authentication profile associated with the account of last resort with lockout settings of three failed attempts, which is the only local login account. 1. Go to Device >> Authentication Profile. 2. Select the configured authentication profile or select "Add" (in the bottom-left corner of the pane) to create a new one. 3. In the "Authentication Profile" field, enter the name of the authentication profile that will be used to control each person's authentication process. 4. The "Lockout Time (min)" field is the lockout duration; this must be set to "15". 5. In the "Failed Attempts" field, enter "3". 6. Select "OK".

✔️ Fix

Configure the authentication profile associated with the account of last resort with lockout settings of three failed attempts, which is the only local login account. 1. Go to Device >> Authentication Profile. 2. Select the configured authentication profile or select "Add" (in the bottom-left corner of the pane) to create a new one. 3. In the "Authentication Profile" field, enter the name of the authentication profile that will be used to control each person's authentication process. 4. The "Lockout Time (min)" field is the lockout duration; this must be set to "15". 5. In the "Failed Attempts" field, enter "3". 6. Select "OK".