The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) unreachable notifications disabled on all external interfaces.

Severity: medium
Group ID: V-265441
Group Title: SRG-NET-000362-RTR-000113
Version: NT0R-4X-000064
Rule ID: SV-265441r999915_rule
Date: 2024-12-13
STIG Version: 1
Description
ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.
Check
If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP unreachable messages. If a rule does not exist to drop ICMP unreachable messages, this is a finding.
Fix
To configure a shared rule to drop ICMP unreachable messages, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first, if needed) and under "Services", select "ICMP Destination Unreachable" and "Apply". Enable logging and under the "Applied To" field select the target Tier-0 gateways and click "Publish" to enforce the new rule.
Note: A rule can also be created under Gateway Specific Rules to meet this requirement.
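The Check above can be automated against exported gateway firewall policy data. The following is an added example, not part of the STIG or any VMware tooling; it assumes the JSON field names of the NSX Policy API (Tier-0 `ha_mode`, gateway-policy `rules` with `action`, `services`, `scope`, `logged`, `disabled`, and the predefined service path `/infra/services/ICMP_Destination_Unreachable`), and the sample data is constructed.

```python
import json

# Constructed sample data shaped like NSX Policy API responses (field names assumed;
# verify against GET /policy/api/v1/infra/tier-0s and
# GET /policy/api/v1/infra/domains/default/gateway-policies on your NSX version).
TIER0S = json.loads('''{"results": [
  {"id": "T0-GW-01", "path": "/infra/tier-0s/T0-GW-01", "ha_mode": "ACTIVE_STANDBY"},
  {"id": "T0-GW-02", "path": "/infra/tier-0s/T0-GW-02", "ha_mode": "ACTIVE_STANDBY"},
  {"id": "T0-GW-03", "path": "/infra/tier-0s/T0-GW-03", "ha_mode": "ACTIVE_ACTIVE"}]}''')

POLICIES = json.loads('''{"results": [
  {"id": "shared-drop-icmp", "category": "SharedPreRules", "rules": [
    {"id": "drop-icmp-unreach", "action": "DROP", "logged": true, "disabled": false,
     "services": ["/infra/services/ICMP_Destination_Unreachable"],
     "scope": ["/infra/tier-0s/T0-GW-01"]}]},
  {"id": "t0-gw-02-local", "category": "LocalGatewayRules", "rules": [
    {"id": "allow-all", "action": "ALLOW", "logged": false, "disabled": false,
     "services": ["ANY"], "scope": ["/infra/tier-0s/T0-GW-02"]}]}]}''')

ICMP_UNREACH = "/infra/services/ICMP_Destination_Unreachable"  # assumed predefined service path

def drops_icmp_unreachable(rule, tier0_path):
    """True if an enabled DROP rule for ICMP Destination Unreachable applies to this gateway."""
    scope = rule.get("scope") or []
    return (rule.get("action") == "DROP"
            and not rule.get("disabled", False)
            and ICMP_UNREACH in rule.get("services", [])
            and (tier0_path in scope or "ANY" in scope))

def assess(tier0s, policies):
    """Map each Tier-0 id to 'not_applicable', 'compliant', 'compliant_no_logging' or 'finding'."""
    status = {}
    for gw in tier0s["results"]:
        if gw.get("ha_mode") == "ACTIVE_ACTIVE":      # check is Not Applicable for Active/Active HA
            status[gw["id"]] = "not_applicable"
            continue
        hits = [r for p in policies["results"] for r in p.get("rules", [])
                if drops_icmp_unreachable(r, gw["path"])]
        if not hits:
            status[gw["id"]] = "finding"                # no rule drops ICMP unreachable here
        elif not any(r.get("logged") for r in hits):
            status[gw["id"]] = "compliant_no_logging"   # rule exists but logging not enabled
        else:
            status[gw["id"]] = "compliant"
    return status

if __name__ == "__main__":
    for gw, result in assess(TIER0S, POLICIES).items():
        print(f"{gw}: {result}")
```

Both shared rules and Gateway Specific Rules are walked, since the page accepts either location for the rule.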