UCF STIG Viewer Logo

The NSX-T Tier-0 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure communications with the central audit server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251738 T0FW-3X-000011 SV-251738r856689_rule Medium
Description
It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure. Collected log data be secured and access restricted to authorized personnel. Methods of protection may include encryption or logical separation. In accordance with DoD policy, the traffic log must be sent to a central audit server. Ensure at least primary and secondary syslog servers are configured on the firewall. If the product inherently has the ability to store log records locally, the local log must also be secured. However, this requirement is not met since it calls for a use of a central audit server. This does not apply to traffic logs generated on behalf of the device itself (management). Some devices store traffic logs separately from the system logs. Satisfies: SRG-NET-000089-FW-000019, SRG-NET-000098-FW-000021, SRG-NET-000333-FW-000014
STIG Date
VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide 2022-09-01

Details

Check Text ( C-55175r810079_chk )
From an NSX-T Edge Node shell hosting the Tier-1 Gateway, run the following command(s):

> get logging-servers

If any configured logging-servers are not configured with protocol of "li-tls" or "tls", this is a finding.

If primary and secondary logging-servers are not configured to use "li-tls" or "tls", this is a finding.

Note: This check must be run from each NSX-T Edge Node hosting the Tier-0 Gateway, as they are configured individually.
Fix Text (F-55129r810080_fix)
(Optional) From an NSX-T Edge Gateway shell, run the following command(s) to clear any existing incorrect logging-servers:

> clear logging-servers

From an NSX-T Edge Node shell, run the following command(s) to configure a primary and backup tls syslog server:

> set logging-server proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem

From an NSX-T Edge Node shell, run the following command(s) to configure a li-tls syslog server:

> set logging-server proto li-tls level info serverca root-ca.crt

Note: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX-T Edge Gateway appliance.

Note: Configure the syslog or SNMP server to send an alert if the events server is unable to receive events from the NSX-T and also if DoS incidents are detected. This is true if the events server is STIG compliant.