| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-251755 | T0RT-3X-000066 | SV-251755r856696_rule | | Medium |
| Description |
|---|
| ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. ICMP redirect messages are commonly used by attackers for network mapping and diagnosis. |
| STIG | Date |
|---|---|
| VMware NSX-T Tier-0 Gateway RTR Security Technical Implementation Guide | 2022-09-01 |
| Check Text (C-55192r810147_chk) |
|---|
| If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway's firewall rules to verify that one exists to drop ICMP redirects. If a rule does not exist to drop ICMP redirects, this is a finding. |
| Fix Text (F-55146r810148_fix) |
|---|
| To configure a shared rule to drop ICMP redirect messages, do the following: From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed), under Services select "ICMP Redirect", and then click "Apply". Enable logging, under the "Applied To" field select the target Tier-0 Gateways, and then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement. |