STIGQter: STIG Summary: Juniper SRX Services Gateway ALG Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Oct 2020

The Juniper SRX Services Gateway Firewall must terminate all communications sessions associated with user traffic after 15 minutes or less of inactivity.

DISA Rule

SV-214528r557389_rule

Vulnerability Number

V-214528

Group Title

SRG-NET-000213-ALG-000107

Rule Version

JUSX-AG-000105

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Add or update the session inactivity timeout for communications sessions to 900 seconds or less.

Examples:
[edit]
set applications application <application-name> term 1 protocol udp inactivity-timeout 900
set applications application junos-http inactivity-timeout 900

Or

Create a service that matches any TCP/UDP:
[edit]
set applications application TCP-ALL source-port 1-65535 destination-port 1-65535 protocol tcp inactivity-timeout 900

Note: When pre-defined applications are used in firewall policies, the timeout value must be set in the policy stanza.

Check Contents

Check both the applications and protocols to ensure session inactivity timeout for communications sessions is set to 900 seconds or less.

First get a list of security policies, then enter the show details command for each policy-name found.

[edit]
show security policies
show security policy <policy-name> details

Example:
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0

Verify an inactivity timeout is configured for either the "any" application or, at a minimum, the pre-defined applications (i.e., application names starting with junos-).

To verify locally created applications, first get a list of the configured applications, then enter the show command for each application-name found.

[edit]
show applications
show applications application <application-name>

If an inactivity timeout value of 900 seconds or less is not set for each locally created application and pre-defined applications, this is a finding.
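As an added illustration (not part of the STIG text), the following Python script parses output shaped like the "show security policy <policy-name> details" excerpt above and reports each policy/application pair whose inactivity timeout is 0 (not configured, as in the "Application: any" example) or above 900 seconds. The device output below is constructed for the example, not captured from a real SRX.

```python
import re

# Constructed sample modelled on the check text's excerpt; not real device output.
POLICY_DETAILS = """\
Policy: allow-web, action-type: permit, State: enabled, Index: 4
  Application: junos-http
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
Policy: allow-dns, action-type: permit, State: enabled, Index: 5
  Application: junos-dns-udp
    IP protocol: udp, ALG: 0, Inactivity timeout: 60
"""

MAX_TIMEOUT = 900  # seconds, the ceiling required by JUSX-AG-000105

POLICY_RE = re.compile(r"^Policy:\s*(\S+),")
APP_RE = re.compile(r"^\s*Application:\s*(\S+)")
TIMEOUT_RE = re.compile(r"Inactivity timeout:\s*(\d+)")


def audit_policy_details(text, max_timeout=MAX_TIMEOUT):
    """Return (policy, application, timeout, reason) tuples for each finding."""
    findings = []
    policy = app = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = APP_RE.match(line)
        if m:
            app = m.group(1)
            continue
        m = TIMEOUT_RE.search(line)
        if m and policy and app:
            timeout = int(m.group(1))
            # 0 is treated as "no timeout configured", following the check's example.
            if timeout == 0:
                findings.append((policy, app, timeout, "no inactivity timeout configured"))
            elif timeout > max_timeout:
                findings.append((policy, app, timeout, f"exceeds {max_timeout} seconds"))
    return findings


if __name__ == "__main__":
    for policy, app, timeout, reason in audit_policy_details(POLICY_DETAILS):
        print(f"FINDING: policy {policy}, application {app}: timeout {timeout} ({reason})")
```

Paste real "show security policy <policy-name> details" output into POLICY_DETAILS (or read it from a file) to audit a device; an empty result list means every listed application meets the 900-second requirement.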

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4004