UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment.


Overview

Finding ID Version Rule ID IA Controls Severity
V-233332 FORE-NC-000270 SV-233332r611394_rule Medium
Description
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
STIG Date
Forescout Network Access Control Security Technical Implementation Guide 2020-12-11

Details

Check Text ( C-36527r605699_chk )
Verify Forescout is configured to a list of DoD-approved certificate types and CAs.

Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate.

For TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding.
Fix Text (F-36492r605700_fix)
Log on to the Forescout UI.

1. Select Tools >> Options >> Certificates.
2. Check that in the Ongoing TLS Sessions section, view the Re-verify TLS Sessions.
3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click "Apply".
4. Next select the HPS Inspection Engine >> SecureConnector.
5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2.