
The NSX-T Tier-0 Gateway Firewall must not have any unpublished firewall policies or rules.


Overview

Finding ID: V-251736
Version: T0FW-3X-000002
Rule ID: SV-251736r810075_rule
IA Controls: (none listed)
Severity: High
Description
Unpublished firewall rules may be enabled inadvertently, causing unintended filtering or introducing unvetted or unauthorized traffic flows.
STIG Date
VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide 2022-09-01

Details

Check Text (C-55173r810073_chk)
If the Tier-0 Gateway is deployed in an Active/Active HA mode and no stateless rules exist, this is Not Applicable.

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules.

For each Tier-0 Gateway, ensure there are no Unpublished changes.

If there is a message for Total Unpublished Changes and Publish is not greyed out, this is a finding.
Fix Text (F-55127r810074_fix)
From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules.

For each Tier-0 Gateway with Unpublished changes, review any unpublished changes and click either "Revert" or "Publish".