The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-65123	SRG-APP-000296-NDM-000280	WSDP-NM-000082	SV-79613r2_rule	2017-10-05	1

Description
If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.

ℹ️ Check
Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less. Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

✔️ Fix
Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication. For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.

✔️ Fix

Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication. For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.