STIGQter: STIG Summary: Juniper SRX SG ALG Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 26 Jul 2019: The Juniper SRX Services Gateway Firewall must continuously monitor all inbound communications traffic for unusual/unauthorized activities or conditions.

DISA Rule

SV-80829r1_rule

Vulnerability Number

V-66339

Group Title

SRG-NET-000390-ALG-000139

Rule Version

JUSX-AG-000144

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure a security policy or screen for each inbound zone to implement continuous monitoring. The following commands configure a security zone called “untrust” that can be used to apply security policy to inbound interfaces connected to untrusted networks. This example assumes that interfaces ge-0/0/1 and ge-0/0/2 are connected to the untrusted and trusted network segments, respectively.

Apply policy or screen to a zone example:

set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny then deny
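The check below reduces to a simple question per zone: does it have a screen attached, or is it the from-zone of at least one security policy? An added example (not part of the STIG text or of any Juniper tooling) that answers that question offline by parsing set-style configuration of the kind shown above, as Junos prints it with `show configuration | display set`. The sample configuration is constructed for the example; the assumption that every zone with a bound interface receives inbound traffic is mine, as is the treatment of a zone with neither a screen nor a from-zone policy as unmonitored.

```python
import re
from collections import defaultdict

# Constructed sample of set-style Junos configuration (the format of
# `show configuration | display set`). The "dmz" zone is deliberately
# left with neither a screen nor a from-zone policy.
SAMPLE_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/3.0
set security zones security-zone untrust screen untrust-screen
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out then permit
"""

# Zone lines: "set security zones security-zone <name> [<key> [<value>]] ..."
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: (\S+)(?: (\S+))?)?")
# Policy lines: "set security policies from-zone <a> to-zone <b> policy <p> ..."
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)")


def parse_set_config(text):
    """Return (zones, policies) extracted from set-style configuration text.

    zones:    zone name -> {"interfaces": set of logical interfaces, "screen": name or None}
    policies: from-zone name -> set of to-zone names that have at least one policy
    """
    zones = {}
    policies = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            name, key, value = m.group(1), m.group(2), m.group(3)
            zone = zones.setdefault(name, {"interfaces": set(), "screen": None})
            if key == "interfaces" and value:
                zone["interfaces"].add(value)
            elif key == "screen" and value:
                zone["screen"] = value
            # other zone children (host-inbound-traffic, ...) are irrelevant here
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)].add(m.group(2))
    return zones, policies


def unmonitored_zones(text):
    """List zones that carry traffic (have an interface) but have neither a
    screen nor any security policy in which they are the from-zone."""
    zones, policies = parse_set_config(text)
    findings = []
    for name, zone in sorted(zones.items()):
        if not zone["interfaces"]:
            continue  # assumption: a zone bound to no interface sees no inbound traffic
        if zone["screen"] is None and not policies.get(name):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in unmonitored_zones(SAMPLE_CONFIG):
        print(f"zone {name}: no screen and no from-zone security policy")
```

To run it against a real device, replace `SAMPLE_CONFIG` with the saved output of `show configuration | display set`; an empty result means every interface-bound zone has at least one of the two controls the check asks for, which is the condition the STIG check verifies by hand with `show security zones` and `show security policies`.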

Check Contents

For each inbound zone, verify a firewall screen or security policy is configured.

[edit]
show security zone
show security policies

If communications traffic for each inbound zone is not configured with a firewall screen and/or security policy, this is not a finding.

Severity Override Guidance

Check Content Reference

M

Target Key

3035

Comments