SV-214518r557389_rule
V-214518
SRG-NET-000015-ALG-000016
JUSX-AG-000019
CAT II
10
Configure attribute-based security policies to enforce approved authorizations for logical access to information and system resources using the following commands.
To configure redirection from the SRX Series device to the Access Control Service, from configuration mode, configure the UAC profile for the captive portal <acs-device>.
[edit]
set services unified-access-control captive-portal <acs-device-name> redirect-traffic unauthenticated
Configure the redirection URL for the Access Control Service or a default URL for the captive portal.
[edit]
set services unified-access-control captive-portal acs-device redirect-url https://%ic-url%/?target=%dest-url%&enforcer=%enforcer-id%
This policy specifies the default target and enforcer variables to be used by the Access Control Service to direct the user back after authentication. This ensures that changes to system specifications will not affect configuration results.
Configure a user role firewall policy that redirects HTTP traffic from zone trust to zone untrust if the source-identity is unauthenticated-user. The captive portal profile name is specified as the action to be taken for traffic matching this policy. The following is an example only, since the actual policy depends on the architecture of the organization's network.
[edit]
set security policies from-zone trust to-zone untrust policy user-role-fw1 match source-address any
set security policies from-zone trust to-zone untrust policy user-role-fw1 match destination-address any
set security policies from-zone trust to-zone untrust policy user-role-fw1 match application http
set security policies from-zone trust to-zone untrust policy user-role-fw1 match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy user-role-fw1 then permit app
If user-based firewall policies are not used, this is not applicable.
To verify the existence of user-based firewall policies, view a summary of all policies configured on the firewall.
[edit]
show security policies
If the source identity is not specified in any policy for a particular zone pair, this is a finding.
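As an added example (not part of the STIG text), the script below automates the check above against policy configuration captured with `show configuration security policies | display set`; the sample configuration it parses is constructed here, and the zone and policy names in it are placeholders.

```python
import re

# Constructed sample of "display set" output for the security policies
# hierarchy. Zone pair trust->untrust carries a source-identity match;
# zone pair trust->dmz does not and should be reported as a finding.
SAMPLE_CONFIG = """\
set security policies from-zone trust to-zone untrust policy user-role-fw1 match source-address any
set security policies from-zone trust to-zone untrust policy user-role-fw1 match destination-address any
set security policies from-zone trust to-zone untrust policy user-role-fw1 match application http
set security policies from-zone trust to-zone untrust policy user-role-fw1 match source-identity unauthenticated-user
set security policies from-zone trust to-zone dmz policy web-allow match source-address any
set security policies from-zone trust to-zone dmz policy web-allow match application http
set security policies from-zone trust to-zone dmz policy web-allow then permit
"""

# One "set security policies ..." line: from-zone, to-zone, policy name, remainder.
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.*)$"
)


def zone_pairs_missing_source_identity(config_text):
    """Return the sorted list of (from_zone, to_zone) pairs in which no
    policy has a 'match source-identity' term. Each pair returned is a
    finding under the check text above."""
    has_identity = {}  # (from_zone, to_zone) -> True once any policy matches source-identity
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # not a policy line (e.g. default-policy or global options)
        from_zone, to_zone, _policy, remainder = m.groups()
        pair = (from_zone, to_zone)
        has_identity.setdefault(pair, False)
        if remainder.startswith("match source-identity "):
            has_identity[pair] = True
    return sorted(pair for pair, ok in has_identity.items() if not ok)


if __name__ == "__main__":
    for from_zone, to_zone in zone_pairs_missing_source_identity(SAMPLE_CONFIG):
        print(f"FINDING: no source-identity match in zone pair {from_zone} -> {to_zone}")
```

Zone pairs with no policies at all do not appear in the output; a policy that redirects to the captive portal with `permit` but without `source-identity` is still reported, which is what the check text requires.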