The NSX Manager must be configured to protect against denial-of-service (DoS) attacks by limiting the number of concurrent sessions to an organization-defined number.

Severity: medium
Group ID: V-265346
Group Title: SRG-APP-000435-NDM-000315
Version: NMGR-4X-000079
Rule ID: SV-265346r994261_rule
Date: 2024-12-13
STIG Version: 1
Description
DoS is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Limiting the number of concurrent open sessions helps limit the risk of DoS attacks. Organizations may define the maximum number of concurrent sessions for system accounts globally or by connection type. By default, the NSX Manager has a protection mechanism in place to prevent the API from being overloaded. This setting also addresses concurrent sessions for integrations into the NSX API that monitor or configure NSX.

Satisfies: SRG-APP-000435-NDM-000315, SRG-APP-000001-NDM-000200
Check
From an NSX Manager shell, run the following command:

> get service http | find limit

Expected result:

Client API concurrency limit: 40 connections
Global API concurrency limit: 199 connections

If the NSX does not limit the number of concurrent sessions to an organization-defined number, this is a finding.
Fix
From an NSX Manager shell, run the following commands:

> set service http client-api-concurrency-limit 40
> set service http global-api-concurrency-limit 199

Note: The limit numbers in this example, while not mandatory, are the vendor-recommended values. Setting the limits to lower numbers in a large, very busy environment may cause operational issues. Setting the limits higher may cause resource contention, so any change should be tested and monitored.