UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The NSX-T Tier-1 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).


Overview

Finding ID Version Rule ID IA Controls Severity
V-251740 T0FW-3X-000021 SV-251740r810087_rule Medium
Description
To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. This configuration, which is in the Manager function of the NSX-T implementation, helps prevent the firewall instance from failing to a state that may cause unauthorized access to make changes to the firewall filtering functions. As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The configured filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA). Satisfies: SRG-NET-000202-FW-000039, SRG-NET-000235-FW-000133, SRG-NET-000236-FW-000027, SRG-NET-000205-FW-000040
STIG Date
VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide 2023-06-22

Details

Check Text ( C-55177r810085_chk )
From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. Choose each Tier-1 Gateway in drop-down, then select Policy_Default_Infra Section >> Action.

If the default_rule is set to "Allow", this is a finding.
Fix Text (F-55131r810086_fix)
From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. Choose each Tier-1 Gateway in drop-down, then select Policy_Default_Infra Section >> Action. Change the Action to "Drop" or "Reject", and then click "Publish".