Each NSX-T Edge Node configured to host a Tier-1 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure traffic log records.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251763	T1FW-3X-000011	SV-251763r810184_rule		Medium

Description
It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure, secure collected log data, and restrict access to authorized personnel. Methods of protection may include encryption or logical separation. In accordance with DoD policy, the traffic log must be sent to a central audit server. This does not apply to traffic logs generated on behalf of the device itself (management). Some devices store traffic logs separately from the system logs. Satisfies: SRG-NET-000089-FW-000019, SRG-NET-000098-FW-000021

Description

It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure, secure collected log data, and restrict access to authorized personnel. Methods of protection may include encryption or logical separation. In accordance with DoD policy, the traffic log must be sent to a central audit server. This does not apply to traffic logs generated on behalf of the device itself (management). Some devices store traffic logs separately from the system logs. Satisfies: SRG-NET-000089-FW-000019, SRG-NET-000098-FW-000021

STIG	Date
VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide	2022-09-01

Details

Check Text ( C-55200r810182_chk )
From an NSX-T Edge Node shell hosting the Tier-1 Gateway, run the following command(s): > get logging-servers If any configured logging-servers are not configured with protocol of "li-tls" or "tls", this is a finding. If logging-servers are not configured to use "li-tls" or "tls", this is a finding. Note: This check must be run from each NSX-T Edge Node hosting the Tier-1 Gateway, as they are configured individually.

Check Text ( C-55200r810182_chk )

From an NSX-T Edge Node shell hosting the Tier-1 Gateway, run the following command(s):

> get logging-servers

If any configured logging-servers are not configured with protocol of "li-tls" or "tls", this is a finding.

If logging-servers are not configured to use "li-tls" or "tls", this is a finding.

Note: This check must be run from each NSX-T Edge Node hosting the Tier-1 Gateway, as they are configured individually.

Fix Text (F-55154r810183_fix)
(Optional) From an NSX-T Edge Gateway shell, run the following command(s) to clear any existing incorrect logging-servers: > clear logging-servers From an NSX-T Edge Node shell, run the following command(s) to configure a tls syslog server: > set logging-server proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem From an NSX-T Edge Node shell, run the following command(s) to configure a li-tls syslog server: > set logging-server proto li-tls level info serverca root-ca.crt Note: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX-T Edge Gateway appliance.

Fix Text (F-55154r810183_fix)

(Optional) From an NSX-T Edge Gateway shell, run the following command(s) to clear any existing incorrect logging-servers:

> clear logging-servers

From an NSX-T Edge Node shell, run the following command(s) to configure a tls syslog server:

> set logging-server proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem

From an NSX-T Edge Node shell, run the following command(s) to configure a li-tls syslog server:

> set logging-server proto li-tls level info serverca root-ca.crt

Note: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX-T Edge Gateway appliance.