UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The NSX-T Distributed Firewall must verify time-based firewall rules.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251733 TDFW-3X-000042 SV-251733r810053_rule Medium
Description
With time windows, security administrators can restrict traffic from a source or to a destination, for a specific time period. Time windows apply to a firewall policy section, and all the rules in it. Each firewall policy section can have one time window. The same time window can be applied to more than one policy section. If you want the same rule applied on different days or different times for different sites, you must create more than one policy section. Time-based rules are available for distributed and gateway firewalls on both ESXi and KVM hosts. If time windows are not verified and periodically checked, a malicious actor could create time windows to effectively disable rules while not being obvious to firewall administrators.
STIG Date
VMware NSX-T Distributed Firewall Security Technical Implementation Guide 2023-06-23

Details

Check Text ( C-55170r810051_chk )
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules.

For each category, verify each Policy has no time windows configured or any existing time windows are expected. This can be viewed by clicking on the clock icon in each Policy section.

If there are unexpected or misconfigured time windows, this is a finding.
Fix Text (F-55124r810052_fix)
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules.

Navigate to the offending Category and Policy section, click on the clock icon, then delete or modify the time window for that Policy. Click "Apply".

After all changes are made click "Publish".