UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper SRX Services Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).


Overview

Finding ID Version Rule ID IA Controls Severity
V-214535 JUSX-AG-000128 SV-214535r557389_rule Medium
Description
A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. As a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. A deny all, permit by exception network communications traffic policy ensures that only those connections which are essential and approved, are allowed. By default, Junos denies all traffic through an SRX Series device using an implicit default security policy exists that denies all packets. Organizations must configure security policies that permits or redirects traffic in compliance with DoD policies and best practices. Sites must not change the factory-default security policies.
STIG Date
Juniper SRX Services Gateway ALG Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-15741r297289_chk )
Verify the default-policy has not been changed and is set to deny all traffic.

[edit]
show security policies default-policy

If the default-policy is not set to deny-all, this is a finding.
Fix Text (F-15739r297290_fix)
By default, the SRX device will not forward traffic unless it is explicitly permitted via security policy. If the default-policy has been changed, then this must be corrected using the set security policies default-policy command.