STIGQter: STIG Summary: Juniper SRX Services Gateway ALG Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Oct 2020

The Juniper SRX Services Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

DISA Rule

SV-214535r557389_rule

Vulnerability Number

V-214535

Group Title

SRG-NET-000202-ALG-000124

Rule Version

JUSX-AG-000128

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

By default, the SRX device will not forward traffic unless it is explicitly permitted by a security policy. If the default-policy has been changed, it must be corrected using the set security policies default-policy command.

Check Contents

Verify the default-policy has not been changed and is set to deny all traffic.

[edit]
show security policies default-policy

If the default-policy is not set to deny-all, this is a finding.
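The check above can be automated when the output of "show security policies default-policy" has been captured from many devices. The following Python script is an added example written for this page, not part of the STIG or of STIGQter. It assumes (Junos behaviour as the author of this example understands it) that the command prints nothing when the default-policy stanza has never been configured, because the factory default is deny-all, and prints "deny-all;" or "permit-all;" when it has been set explicitly. The sample outputs, the device prompt and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample outputs of `show security policies default-policy`
# run in Junos configuration mode ([edit]). Assumption: nothing is printed
# when default-policy was never set (factory default is deny-all); an
# explicit setting prints "deny-all;" or "permit-all;".
SAMPLE_UNSET = ""
SAMPLE_DENY = "deny-all;\n"
SAMPLE_PERMIT = "permit-all;\n"
SAMPLE_WITH_PROMPT = (
    "[edit]\n"
    "user@srx# show security policies default-policy\n"
    "permit-all;\n"
)

VALID_VALUES = ("deny-all", "permit-all")


@dataclass
class CheckResult:
    default_policy: str  # effective value: "deny-all" or "permit-all"
    finding: bool        # True when the rule (JUSX-AG-000128) is violated
    detail: str


def parse_default_policy(output: str) -> str:
    """Return the effective default-policy value from the command output.

    Prompt and echoed-command lines are ignored; the first line that is
    exactly "deny-all;" or "permit-all;" (with or without the trailing
    semicolon) wins. An empty or value-less output means the stanza is not
    configured, so the factory default (deny-all) applies.
    """
    for line in output.splitlines():
        token = line.strip().rstrip(";").strip()
        if token in VALID_VALUES:
            return token
    return "deny-all"  # assumption: factory default when unconfigured


def check_jusx_ag_000128(output: str) -> CheckResult:
    """Evaluate the STIG check: deny all by default, permit by exception."""
    value = parse_default_policy(output)
    if value == "deny-all":
        return CheckResult(value, False,
                           "default-policy is deny-all: not a finding")
    return CheckResult(
        value, True,
        "default-policy is %s: finding. Remediate with "
        "'set security policies default-policy deny-all' and commit." % value,
    )


if __name__ == "__main__":
    for name, sample in (("unset", SAMPLE_UNSET), ("deny", SAMPLE_DENY),
                         ("permit", SAMPLE_PERMIT),
                         ("with-prompt", SAMPLE_WITH_PROMPT)):
        r = check_jusx_ag_000128(sample)
        print(f"{name:12s} finding={r.finding!s:5s} {r.detail}")
```

The parser deliberately treats an empty output as compliant only because of the stated assumption about the factory default; if a reviewer cannot confirm that behaviour for the Junos release in use, the safer reading is to require an explicit "deny-all;" line and report anything else for manual review.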

Vulnerability Number

V-214535

Documentable

False

Rule Version

JUSX-AG-000128

Severity Override Guidance

Verify the default-policy has not been changed and is set to deny all traffic.

[edit]
show security policies default-policy

If the default-policy is not set to deny-all, this is a finding.

Check Content Reference

M

Target Key

4004

Comments