The NSX-T Tier-1 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-251768 | SRG-NET-000364-FW-000031 | T1FW-3X-000030 | SV-251768r856687_rule | 2023-06-22 | 1 |
| Description |
|---|
| Unrestricted traffic to the trusted networks may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. Firewall filters control the flow of network traffic and ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated. |
| ℹ️ Check |
|---|
| From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. Choose each Tier-1 Gateway in the drop-down and review the firewall rules "Applied To" field to verify no rules are selectively applied to interfaces instead of the Gateway Firewall entity. If any Gateway Firewall rules are applied to individual interfaces, this is a finding. |
| ✔️ Fix |
|---|
| From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and choose the target Tier-1 Gateway from the drop-down. For any rules that have individual interfaces specified in the "Applied To" field, click "Edit" on the "Applied To" column and remove the interfaces selected, leaving only the Tier-1 Gateway object type checked. Click "Publish" to save any rule changes. |