STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.

DISA Rule

SV-214696r385498_rule

Vulnerability Number

V-214696

Group Title

SRG-NET-000147

Rule Version

JUSX-VN-000031

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove the no-anti-replay Internet Key Exchange (IKE) option from the VPN configuration. By default, the SRX uses a replay window of 64 or 32, depending on the platform, so anti-replay protection is active unless it has been explicitly disabled.

Example:
[edit]
delete security vpn name ike no-anti-replay

Check Contents

Verify anti-replay service is enabled.

[edit]
show security ipsec security-associations index 16384 detail

If anti-replay service is not enabled, this is a finding.
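The following is an added compliance-check example, not part of the STIG text: it parses a constructed sample of the `show security ipsec security-associations detail` output, reports every VPN with an SA direction whose anti-replay service is off, and generates the corresponding delete statement. The output labels ("Anti-replay service: ...") and the `security ipsec vpn <name> ike no-anti-replay` hierarchy are assumed from Junos conventions.

```python
import re

# Constructed sample output: vpn-siteA keeps the default replay window,
# vpn-siteB had no-anti-replay set, so its SAs report "disabled".
SAMPLE_OUTPUT = """\
  ID: 131073 Virtual-system: root, VPN Name: vpn-siteA
    Direction: inbound, SPI: 3e5f9a12, AUX-SPI: 0
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 9c0d4b77, AUX-SPI: 0
    Anti-replay service: counter-based enabled, Replay window size: 64
  ID: 131074 Virtual-system: root, VPN Name: vpn-siteB
    Direction: inbound, SPI: 1a2b3c4d, AUX-SPI: 0
    Anti-replay service: disabled
    Direction: outbound, SPI: 5e6f7a8b, AUX-SPI: 0
    Anti-replay service: disabled
"""

def parse_anti_replay(output):
    """One record per SA direction: vpn, direction, enabled, window."""
    records, vpn, direction = [], None, None
    for line in output.splitlines():
        if m := re.match(r"\s*ID:\s*\d+.*VPN Name:\s*(\S+)", line):
            vpn = m.group(1)
        elif m := re.match(r"\s*Direction:\s*(\w+)", line):
            direction = m.group(1)
        elif m := re.match(r"\s*Anti-replay service:\s*(.+)", line):
            status = m.group(1)
            win = re.search(r"Replay window size:\s*(\d+)", status)
            records.append({"vpn": vpn, "direction": direction,
                            "enabled": not status.startswith("disabled"),
                            "window": int(win.group(1)) if win else None})
    return records

def findings(output):
    """VPN names with any SA direction lacking anti-replay: each is a finding."""
    return sorted({r["vpn"] for r in parse_anti_replay(output) if not r["enabled"]})

def remediation(output):
    """Junos statements to clear each finding. Assumed hierarchy (not from
    the STIG text): security ipsec vpn <name> ike no-anti-replay."""
    return [f"delete security ipsec vpn {v} ike no-anti-replay" for v in findings(output)]

if __name__ == "__main__":
    for r in parse_anti_replay(SAMPLE_OUTPUT):
        print(r)
    print("findings:", findings(SAMPLE_OUTPUT))
    print("\n".join(remediation(SAMPLE_OUTPUT)))
```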

Vulnerability Number

V-214696

Documentable

False

Rule Version

JUSX-VN-000031

Severity Override Guidance

Verify anti-replay service is enabled.

[edit]
show security ipsec security-associations index 16384 detail

If anti-replay service is not enabled, this is a finding.

Check Content Reference

M

Target Key

4009

Comments