The Cisco ASA must be configured to inspect all inbound and outbound traffic at the application layer.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239869	CASA-FW-000270	SV-239869r665893_rule		Medium

Description
Application inspection enables the firewall to control traffic based on different parameters that exist within the packets such as enforcing application-specific message and field length. Inspection provides improved protection against application-based attacks by restricting the types of commands allowed for the applications. Application inspection all enforces conformance against published RFCs. Some applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the firewall. Enabling application inspection for a service that embeds IP addresses, the firewall translates embedded addresses and updates any checksum or other fields that are affected by the translation. Enabling application inspection for a service that uses dynamically assigned ports, the firewall monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.

Description

Application inspection enables the firewall to control traffic based on different parameters that exist within the packets such as enforcing application-specific message and field length. Inspection provides improved protection against application-based attacks by restricting the types of commands allowed for the applications. Application inspection all enforces conformance against published RFCs. Some applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the firewall. Enabling application inspection for a service that embeds IP addresses, the firewall translates embedded addresses and updates any checksum or other fields that are affected by the translation. Enabling application inspection for a service that uses dynamically assigned ports, the firewall monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.

STIG	Date
Cisco ASA Firewall Security Technical Implementation Guide	2024-06-06

Details

Check Text ( C-43102r665891_chk )
Review the firewall configuration to verify that inspection for applications deployed within the network is being performed on all interfaces. The following command should be configured: service-policy global_policy global If the firewall is not configured to inspect all inbound and outbound traffic at the application layer, this is a finding.

Fix Text (F-43061r665892_fix)
Configure the firewall to inspect all inbound and outbound traffic at the application layer. ASA(config)# service-policy global_policy global ASA(config)# end