The NSX Tier-1 Gateway firewall must deny network communications traffic by default and allow network communications traffic by exception.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-265494	NT1F-4X-000016	SV-265494r994851_rule		Medium

Description

To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA). Satisfies: SRG-NET-000202-FW-000039, SRG-NET-000205-FW-000040, SRG-NET-000235-FW-000133, SRG-NET-000364-FW-000031, SRG-NET-000364-FW-000032

STIG	Date
VMware NSX 4.x Tier-1 Gateway Firewall Security Technical Implementation Guide	2024-12-20

Details

Check Text (C-69411r994849_chk)

From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules >> Choose each Tier-1 Gateway in drop-down >> Policy_Default_Infra Section >> Action.

If the default_rule is set to Allow, this is a finding.

Fix Text (F-69319r994850_fix)

From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules >> Choose each Tier-1 Gateway in drop-down >> Policy_Default_Infra Section >> Action >> change the Action to Drop or Reject and click "Publish".