STIGQter: STIG Summary: Juniper SRX Services Gateway ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The Juniper SRX Services Gateway Firewall must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.

DISA Rule

SV-214538r557389_rule

Vulnerability Number

V-214538

Group Title

SRG-NET-000391-ALG-000140

Rule Version

JUSX-AG-000145

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure a security policy or screen on each outbound zone to implement continuous monitoring. The following commands define a screen with two IDS options, create security zones called "untrust" and "trust", attach the screen to the untrust zone, and apply a deny policy that logs matching sessions to traffic leaving the trust zone toward the untrust zone. This example assumes that interface ge-0/0/1 is connected to an untrusted network segment and ge-0/0/2 to a trusted one. Source-address, destination-address and application are all mandatory match conditions in a Junos security policy, so all three are given.

Apply policy or screen to a zone example:

set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen tcp land
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security policies from-zone trust to-zone untrust policy default-deny match source-address any
set security policies from-zone trust to-zone untrust policy default-deny match destination-address any
set security policies from-zone trust to-zone untrust policy default-deny match application any
set security policies from-zone trust to-zone untrust policy default-deny then deny
set security policies from-zone trust to-zone untrust policy default-deny then log session-init

Check Contents

For each outbound zone, verify a firewall screen or security policy is configured.

[edit]
show security zones
show security policies

If communications traffic for each outbound zone is not configured with a firewall screen or security policy, this is a finding.
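The check above is done by reading the zone and policy configuration by hand. The following script is an added example, not part of the STIG or of Juniper's software, that performs the same review over the output of "show configuration security | display set". It treats a zone as monitored when it either has a screen attached or is the from-zone of at least one security policy, and additionally flags policies that have no "then log" statement, since a policy that never logs does not contribute to continuous monitoring. The zone and policy names, the interface assignments and the configuration text itself are constructed sample data; the interpretation of "outbound zone" as "from-zone of a policy" is an assumption made here.

```python
"""Audit a Junos SRX configuration (display-set form) for JUSX-AG-000145.

Added example; not part of the STIG text or of any Juniper tool.
Assumptions made here: a zone is "monitored" when it has a screen or is
the from-zone of at least one policy; a policy is "logged" when it has
at least one 'then log ...' statement.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'show configuration security | display set' output.
# The zone 'mgmt' has neither a screen nor any policy; 'dmz-out' and
# 'default-deny' have no log statement.
SAMPLE_CONFIG = """
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen tcp land
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/3.0
set security zones security-zone mgmt interfaces ge-0/0/4.0
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy default-deny match source-address any
set security policies from-zone trust to-zone untrust policy default-deny match destination-address any
set security policies from-zone trust to-zone untrust policy default-deny match application any
set security policies from-zone trust to-zone untrust policy default-deny then deny
set security policies from-zone dmz to-zone untrust policy dmz-out match source-address any
set security policies from-zone dmz to-zone untrust policy dmz-out match destination-address any
set security policies from-zone dmz to-zone untrust policy dmz-out match application any
set security policies from-zone dmz to-zone untrust policy dmz-out then permit
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?:\s+(.*))?$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)(?:\s+(.*))?$"
)

PolicyKey = Tuple[str, str, str]  # (from-zone, to-zone, policy name)


@dataclass
class Zone:
    name: str
    screen: Optional[str] = None
    interfaces: List[str] = field(default_factory=list)
    outbound_policies: int = 0  # number of policies with this zone as from-zone


def parse_config(text: str) -> Tuple[Dict[str, Zone], Dict[PolicyKey, List[str]]]:
    """Return zones by name and, per policy, the list of its 'then' actions."""
    zones: Dict[str, Zone] = {}
    policies: Dict[PolicyKey, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            zone = zones.setdefault(m.group(1), Zone(m.group(1)))
            parts = (m.group(2) or "").split()
            if len(parts) >= 2 and parts[0] == "screen":
                zone.screen = parts[1]
            elif len(parts) >= 2 and parts[0] == "interfaces":
                zone.interfaces.append(parts[1])
            continue
        m = POLICY_RE.match(line)
        if m:
            src, dst, name = m.group(1), m.group(2), m.group(3)
            actions = policies.setdefault((src, dst, name), [])
            parts = (m.group(4) or "").split()
            if parts and parts[0] == "then":
                actions.append(" ".join(parts[1:]))
            # Zones referenced only by policies still count as zones.
            zones.setdefault(src, Zone(src))
            zones.setdefault(dst, Zone(dst))
    for src, _dst, _name in policies:
        zones[src].outbound_policies += 1
    return zones, policies


def unmonitored_zones(text: str) -> List[str]:
    """Zones with neither a screen nor any policy leaving them: a finding."""
    zones, _ = parse_config(text)
    return sorted(z.name for z in zones.values()
                  if z.screen is None and z.outbound_policies == 0)


def unlogged_policies(text: str) -> List[PolicyKey]:
    """Policies whose 'then' actions never include a log statement."""
    _, policies = parse_config(text)
    return sorted(key for key, actions in policies.items()
                  if not any(a.startswith("log") for a in actions))


if __name__ == "__main__":
    for zone in unmonitored_zones(SAMPLE_CONFIG):
        print(f"FINDING: zone {zone} has no screen and no outbound policy")
    for src, dst, name in unlogged_policies(SAMPLE_CONFIG):
        print(f"WARNING: policy {name} ({src} -> {dst}) does not log")
```

Run it against a saved copy of the real "display set" output instead of SAMPLE_CONFIG; any zone reported as a finding needs a screen or a policy before the check passes, and the unlogged-policy list shows where "then log session-init" or "session-close" is missing.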

Vulnerability Number

V-214538

Documentable

False

Rule Version

JUSX-AG-000145

Severity Override Guidance

For each outbound zone, verify a firewall screen or security policy is configured.

[edit]
show security zones
show security policies

If communications traffic for each outbound zone is not configured with a firewall screen or security policy, this is a finding.

Check Content Reference

M

Target Key

4004

Comments