The NSX-T Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251729	TDFW-3X-000021	SV-251729r810041_rule		Low

Description
To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA). Satisfies: SRG-NET-000202-FW-000039, SRG-NET-000236-FW-000027, SRG-NET-000235-FW-000133

Description

To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA). Satisfies: SRG-NET-000202-FW-000039, SRG-NET-000236-FW-000027, SRG-NET-000235-FW-000133

STIG	Date
VMware NSX-T Distributed Firewall Security Technical Implementation Guide	2022-09-01

Details

Check Text ( C-55166r810039_chk )
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules >> APPLICATION >> Default Layer3 Section >> Default Layer3 Rule >> Action. If the Default Layer3 Rule is set to "ALLOW", this is a finding.

Fix Text (F-55120r810040_fix)
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules >> APPLICATION >> Default Layer3 Section >> Default Layer3 Rule and change action to "Drop" or "Reject". After all changes are made, click "Publish". Note: Before enabling, ensure the necessary rules to whitelist approved traffic are created and published or this change may result in loss of communication for workloads.

Fix Text (F-55120r810040_fix)

From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules >> APPLICATION >> Default Layer3 Section >> Default Layer3 Rule and change action to "Drop" or "Reject".

After all changes are made, click "Publish".

Note: Before enabling, ensure the necessary rules to whitelist approved traffic are created and published or this change may result in loss of communication for workloads.