AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-266992 | SRG-NET-000019-VPN-000040 | ARBA-VN-000040 | SV-266992r1040904_rule | 2024-10-29 | 1 |
| Description |
|---|
| Unrestricted traffic may contain malicious traffic, which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. VPN traffic received from another enclave with different security policy or level of trust must not bypass being inspected by the firewall before being forwarded to the private network. |
| ℹ️ Check |
|---|
| Verify the AOS configuration with the following command: show running-config | begin "interface gigabit" Note the configured IP access-group session ACL for each active interface. For each configured ACL: show ip access-list <ACL name> If each ACL does not end in an "any any deny log" for both IPv4 and IPv6, this is a finding. |
| ✔️ Fix |
|---|
| Configure AOS with the following commands: configure terminal ip access-list session <name> network <A.B.C.D> <netmask A.B.C.D> any any permit any any any deny log ipv6 network <X:X:X:X::X/<0-128> any any permit ipv6 any any any deny log exit write memory interface gigabit <#/#/#> ip access-group session <ACL name> exit write mem |