STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection.

DISA Rule

SV-214678r385561_rule

Vulnerability Number

V-214678

Group Title

SRG-NET-000512

Rule Version

JUSX-VN-000011

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Allow IKE as a host-inbound service within the security zone associated with the IKE gateway’s external interface configuration. Assuming the use of ge-0/0/0, which is associated with the “untrust” zone, the following is an example of zone configuration.

[edit]
set security zones security-zone untrust host-inbound-traffic system-services ike

Check Contents

Verify a security zone is configured for the VPN Internet Key Exchange (IKE) service.

[edit]
show security zones

If a security zone is not configured for the IKE traffic, this is a finding.
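As an added compliance check that is not part of the STIG or of STIGQter: the script below assumes the zone and IKE gateway configuration has been exported in Junos "display set" form (the check above runs show security zones at the [edit] prompt; the set-style lines are an assumption) and walks each IKE gateway's external interface to its zone, reporting gateways whose interface will not accept IKE as a host-inbound system service. The configuration sample is constructed, not captured from a device.

```python
import re

# Constructed Junos "display set" sample (not from a real device): gw-branch sits
# in a zone that allows ike; gw-lab's interface has its own interface-level list.
SAMPLE_CONFIG = """
set security ike gateway gw-branch external-interface ge-0/0/0.0
set security ike gateway gw-lab external-interface ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services ike
set security zones security-zone dmz interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
"""

GATEWAY_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")
ZONE_SVC_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)"
                        r"(?: host-inbound-traffic system-services (\S+))?$")

def parse(config):
    """Collect IKE gateways, interface->zone bindings and host-inbound service lists."""
    gateways, zone_of_if, zone_svcs, if_svcs = {}, {}, {}, {}
    for line in config.strip().splitlines():
        if m := GATEWAY_RE.match(line.strip()):
            gateways[m.group(1)] = m.group(2)
        elif m := ZONE_SVC_RE.match(line.strip()):
            zone_svcs.setdefault(m.group(1), set()).add(m.group(2))
        elif m := ZONE_IF_RE.match(line.strip()):
            zone, ifname, svc = m.groups()
            zone_of_if[ifname] = zone
            if svc:
                if_svcs.setdefault(ifname, set()).add(svc)
    return gateways, zone_of_if, zone_svcs, if_svcs

def ike_findings(config):
    """Return {gateway: reason} for each IKE gateway whose external interface
    will not accept IKE (UDP 500/4500) as a host-inbound system service."""
    gateways, zone_of_if, zone_svcs, if_svcs = parse(config)
    findings = {}
    for gw, ifname in gateways.items():
        zone = zone_of_if.get(ifname)
        if zone is None:
            findings[gw] = f"{ifname} is not bound to any security zone"
            continue
        # An interface-level host-inbound-traffic list replaces the zone-level
        # list for that interface, so it takes precedence when present.
        allowed = if_svcs.get(ifname) or zone_svcs.get(zone, set())
        if not allowed & {"ike", "all"}:
            findings[gw] = f"zone {zone} / {ifname} does not allow ike"
    return findings
```

Any gateway listed in the result is a finding under this rule; an empty result means every IKE gateway's external interface accepts IKE.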

Documentable

False

Severity Override Guidance

Verify a security zone is configured for the VPN Internet Key Exchange (IKE) service.

[edit]
show security zones

If a security zone is not configured for the IKE traffic, this is a finding.

Check Content Reference

M

Target Key

4009

Comments