STIGQter: STIG Summary: Juniper SRX Services Gateway ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The Juniper SRX Services Gateway Firewall must not be configured as a DHCP server since providing this network service is unrelated to the role as a Firewall.

DISA Rule

SV-214526r557389_rule

Vulnerability Number

V-214526

Group Title

SRG-NET-000131-ALG-000086

Rule Version

JUSX-AG-000086

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

First, remove the DHCP stanza. Then re-enter the set security zones and interfaces command without the "dhcp" attribute. The exact command entered depends on how the zone is configured with the authorized attributes, services, and options.

Examples:

[edit]
delete system services dhcp
set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic

Check Contents

Check both the zones and the interface stanza to ensure DHCP proxy server services are not configured.

[edit]
show system services dhcp

If a stanza exists for DHCP (e.g., forwarders option), this is a finding.
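
The check above can be run offline against saved configuration. The following is an added example, not part of the STIG or of Juniper's tooling: it scans "show configuration | display set" output for the DHCP stanza and for zones or zone interfaces that list dhcp under host-inbound-traffic. The function name and the sample configuration are constructed for illustration, and the "system-services dhcp" form of the attribute is an assumption, since the page's example command stops at host-inbound-traffic.

```python
# Constructed sample of `show configuration | display set` output (not from a real device).
SAMPLE_CONFIG = """\
set system host-name srx-lab
set system services ssh
set system services dhcp pool 192.0.2.0/24 address-range low 192.0.2.10
set system services dhcp pool 192.0.2.0/24 address-range high 192.0.2.50
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
"""


def find_dhcp_findings(display_set_text):
    """Return (location, reason) tuples for each DHCP item the check calls a finding."""
    findings = []
    stanza_reported = False
    for raw in display_set_text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        # Any statement under `system services dhcp` means the stanza exists.
        # Exact token match: only the hierarchy named in the check is covered.
        if tok[1:4] == ["system", "services", "dhcp"]:
            if not stanza_reported:
                findings.append(("system services dhcp", "DHCP stanza present"))
                stanza_reported = True
            continue
        if tok[1:4] != ["security", "zones", "security-zone"] or len(tok) < 5:
            continue
        zone, rest, iface = tok[4], tok[5:], None
        # Interface-level statements carry `interfaces <name>` before the attribute.
        if rest[:1] == ["interfaces"] and len(rest) >= 2:
            iface, rest = rest[1], rest[2:]
        # Assumed Junos form of the "dhcp" attribute the fix text refers to.
        if rest == ["host-inbound-traffic", "system-services", "dhcp"]:
            where = f"zone {zone}" + (f" interface {iface}" if iface else "")
            findings.append((where, "dhcp allowed in host-inbound-traffic"))
    return findings


if __name__ == "__main__":
    for location, reason in find_dhcp_findings(SAMPLE_CONFIG):
        print(f"FINDING: {location}: {reason}")
```
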

Documentable

False

Severity Override Guidance

Check both the zones and the interface stanza to ensure DHCP proxy server services are not configured.

[edit]
show system services dhcp

If a stanza exists for DHCP (e.g., forwarders option), this is a finding.

Check Content Reference

M

Target Key

4004
