UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper SRX Services Gateway Firewall must terminate all communications sessions associated with user traffic after 15 minutes or less of inactivity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-214528 JUSX-AG-000105 SV-214528r971530_rule Medium
Description
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. This control does not imply that the device terminates all sessions or network access; it only ends the inactive session. Since many of the inactivity timeouts pre-defined by Junos OS are set to 1800 seconds, an explicit custom setting of 900 must be set for each application used by the DoD implementation. Since a timeout cannot be set directly on the predefined applications, the timeout must be set on the any firewall rule that uses a pre-defined application (i.e., an application that begins with junos-), otherwise the default pre-defined timeout will be used.
STIG Date
Juniper SRX Services Gateway ALG Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-15734r297268_chk )
Check both the applications and protocols to ensure session inactivity timeout for communications sessions is set to 900 seconds or less.

First get a list of security policies, then enter the show details command for each policy-name found.

[edit]
show security policies
show security policy details

Example:
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0

Verify an activity timeout is configured for either "any" application or, at a minimum, the pre-defined applications (i.e., application names starting with junos-).

To verify locally created applications, first get a list of security policies, then enter the show details command for each policy-name found.

[edit]
Show applications
show applications application

If an inactivity timeout value of 900 seconds or less is not set for each locally created application and pre-defined applications, this is a finding.
Fix Text (F-15732r297269_fix)
Add or update the session inactivity timeout for communications sessions to 900 seconds or less.

Examples:
[edit]
set applications application term 1 protocol udp inactivity-timeout 900
set applications application junos-http inactivity-timeout 900

Or

Create a service that matches any TCP/UDP:
[edit]
set applications application TCP-ALL source-port 1-65535 destination-port 1-65535 protocol tcp inactivity-timeout 900

Note: When pre-defined applications are used in firewall policies, the timeout value must be set in the policy stanza.