STIGQter: STIG Summary: Juniper SRX Services Gateway ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Juniper SRX Services Gateway must generate log records when firewall filters, security screens and security policies are invoked and the traffic is denied or restricted.

DISA Rule

SV-214519r557389_rule

Vulnerability Number

V-214519

Group Title

SRG-NET-000492-ALG-000027

Rule Version

JUSX-AG-000036

Severity

CAT II

CCI(s)

• CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Weight

10

Fix Recommendation

Include the log and/or syslog action in all term to log packets matching each firewall term to ensure the term results are recorded in the firewall log and Syslog. To get traffic logs from permitted sessions, add "then log session-close" to each policy. To get traffic logs from denied sessions, add "then log session-init" to the policy.

Firewall filter:
[edit]
set firewall family <family name> filter <filter_name> term <term_name> then log

Examples:
set firewall family inet filter protect_re term tcp-connection then syslog
set firewall family inet filter protect_re term tcp-connection then log
set firewall family inet filter ingress-filter-v4 term deny-dscp then log
set firewall family inet filter ingress-filter-v4 term deny-dscp then syslog

Security policy and security screens:
set security policies from-zone <zone_name> to-zone <zone_name> policy <policy_name> then log

Example:
set security policies from-zone untrust to-zone trust policy default-deny then log

Check Contents

To verify what is logged in the Syslog, view the Syslog server (Syslog server configuration is out of scope for this STIG); however, the reviewer must also verify that packets are being logged to the local log using the following commands.

From operational mode, enter the following command.

show firewall log

View the Action column; the configured action of the term matches the action taken on the packet: A (accept), D (discard).

If events in the log do not reflect the action taken on the packet, this is a finding.

Vulnerability Number

V-214519

Documentable

False

Rule Version

JUSX-AG-000036

Severity Override Guidance

To verify what is logged in the Syslog, view the Syslog server (Syslog server configuration is out of scope for this STIG); however, the reviewer must also verify that packets are being logged to the local log using the following commands.

From operational mode, enter the following command.

show firewall log

View the Action column; the configured action of the term matches the action taken on the packet: A (accept), D (discard).

If events in the log do not reflect the action taken on the packet, this is a finding.

Check Content Reference

M

Target Key

4004

Comments