
The NSX-T Distributed Firewall must verify time-based firewall rules.


Overview

Finding ID: V-251733
Version: TDFW-3X-000042
Rule ID: SV-251733r810053_rule
IA Controls:
Severity: Medium
Description
With time windows, security administrators can restrict traffic from a source or to a destination for a specific time period. A time window applies to a firewall policy section and to all the rules in it. Each policy section can have one time window, and the same time window can be applied to more than one policy section. To apply the same rule on different days or at different times for different sites, you must create more than one policy section. Time-based rules are available for distributed and gateway firewalls on both ESXi and KVM hosts.

If time windows are not verified and periodically reviewed, a malicious actor could attach a time window to a policy section so that its rules are enforced only part of the time, effectively disabling them in a way that is not obvious to firewall administrators.
STIG: VMware NSX-T Distributed Firewall Security Technical Implementation Guide
Date: 2022-09-01

Details

Check Text (C-55170r810051_chk)
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules.

For each category, verify that each Policy either has no time window configured or that any existing time window is expected. Time windows can be viewed by clicking the clock icon in each Policy section.

If there are unexpected or misconfigured time windows, this is a finding.
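The check above is a manual review in the NSX-T Manager web interface. The following script is an added example, not part of the STIG or of VMware's tooling, showing how the same review can be performed against the NSX-T Policy API so that it can be repeated on a schedule. It assumes that GET /policy/api/v1/infra/domains/default/security-policies returns a "results" list of SecurityPolicy objects and that a policy with a time window carries a non-empty "scheduler_reference" field; the sample policies, the scheduler_reference values and the approved-window list are constructed for illustration. Confirm the field names against the API reference for your NSX-T release before relying on them.

```python
"""Audit NSX-T distributed firewall policies for time windows (TDFW-3X-000042).

Assumptions (not from the STIG text): the Policy API endpoint below returns a
"results" list of SecurityPolicy objects, and a policy that has a time window
carries a non-empty "scheduler_reference" string. Verify against the API
reference for your NSX-T release.
"""
import base64
import json
import ssl
import urllib.request

SECURITY_POLICIES_PATH = "/policy/api/v1/infra/domains/default/security-policies"


def fetch_security_policies(manager, username, password, verify_tls=True):
    """Live call: return the SecurityPolicy objects from an NSX-T Manager."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}{SECURITY_POLICIES_PATH}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["results"]


def audit_time_windows(policies, approved):
    """Return findings as (policy_id, category, scheduler_reference, reason).

    `approved` maps a policy id to the scheduler_reference that firewall
    administrators have documented as expected. A policy whose time window
    is not in `approved`, or differs from the approved value, is a finding.
    Policies with no time window are compliant and are skipped.
    """
    findings = []
    for policy in policies:
        sched = policy.get("scheduler_reference")
        if not sched:
            continue
        expected = approved.get(policy["id"])
        if expected is None:
            findings.append((policy["id"], policy.get("category"), sched,
                             "unexpected time window"))
        elif expected != sched:
            findings.append((policy["id"], policy.get("category"), sched,
                             f"misconfigured time window, expected {expected}"))
    return findings


# Constructed sample API results; the scheduler_reference values are invented.
SAMPLE_POLICIES = [
    {"id": "default-layer3-section", "category": "Application",
     "scheduler_reference": None},
    {"id": "backup-window-policy", "category": "Infrastructure",
     "scheduler_reference": "/infra/domains/default/time-windows/backup-hours"},
    {"id": "web-tier-policy", "category": "Environment",
     "scheduler_reference": "/infra/domains/default/time-windows/weekend-only"},
]

# Constructed allowlist of documented, approved time windows.
APPROVED_WINDOWS = {
    "backup-window-policy": "/infra/domains/default/time-windows/backup-hours",
}


if __name__ == "__main__":
    # Replace SAMPLE_POLICIES with fetch_security_policies(host, user, pw)
    # to audit a live manager.
    for policy_id, category, sched, reason in audit_time_windows(
            SAMPLE_POLICIES, APPROVED_WINDOWS):
        print(f"FINDING: {category}/{policy_id} -> {sched} ({reason})")
```

Running the script against the constructed sample reports a single finding for web-tier-policy, whose weekend-only window is not on the approved list; the backup-window-policy window matches its documented value and the policy with no time window is skipped. Any finding still needs to be resolved in the web interface as described in the Fix Text.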
Fix Text (F-55124r810052_fix)
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules.

Navigate to the offending Category and Policy section, click on the clock icon, then delete or modify the time window for that Policy. Click "Apply".

After all changes are made click "Publish".