The NSX-T Tier-0 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251742	T0FW-3X-000030	SV-251742r856691_rule		Medium

Description
Unrestricted traffic to the trusted networks may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Firewall filters control the flow of network traffic, ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated.

Description

Unrestricted traffic to the trusted networks may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Firewall filters control the flow of network traffic, ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated.

STIG	Date
VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide	2022-09-01

Details

Check Text ( C-55179r810091_chk )
If the Tier-0 Gateway is deployed in an Active/Active HA mode and no stateless rules exist, this is Not Applicable. From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. Choose each T0-Gateway in the drop-down and review the firewall rules "Applied To" field to verify no rules are selectively applied to interfaces instead of the Gateway Firewall entity. If any Gateway Firewall rules are applied to individual interfaces, this is a finding.

Check Text ( C-55179r810091_chk )

If the Tier-0 Gateway is deployed in an Active/Active HA mode and no stateless rules exist, this is Not Applicable.

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. Choose each T0-Gateway in the drop-down and review the firewall rules "Applied To" field to verify no rules are selectively applied to interfaces instead of the Gateway Firewall entity.

If any Gateway Firewall rules are applied to individual interfaces, this is a finding.

Fix Text (F-55133r810092_fix)
From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and choose the target Tier-0 Gateway from the drop-down. For any rules that have individual interfaces specified in the "Applied To" field, click "Edit" in the "Applied To" column and remove the interfaces selected, leaving only the Tier-0 Gateway object type checked. Click "Publish" to save any rule changes.

Fix Text (F-55133r810092_fix)

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and choose the target Tier-0 Gateway from the drop-down.

For any rules that have individual interfaces specified in the "Applied To" field, click "Edit" in the "Applied To" column and remove the interfaces selected, leaving only the Tier-0 Gateway object type checked.

Click "Publish" to save any rule changes.