STIGQter: STIG Summary: Juniper SRX Services Gateway ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Juniper SRX Services Gateway Firewall must configure ICMP to meet DoD requirements.

DISA Rule

SV-214536r557389_rule

Vulnerability Number

V-214536

Group Title

SRG-NET-000273-ALG-000129

Rule Version

JUSX-AG-000132

Severity

CAT II

CCI(s)

CCI-001312 - The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Weight

Fix Recommendation

Configure ICMP to meet DoD requirements. The following is an example which uses the filter name "protect_re" as the filter name with pre-configured address books (source-prefix-lists).

[edit]
set firewall family inet filter protect_re term permit-icmp from source-prefix-list ssh-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list bgp-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list loopback-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list local-addresses
set firewall family inet filter protect_re term permit-icmp from source-prefix-list ixiav4
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-request
set firewall family inet filter protect_re term permit-icmp from icmp-type echo-reply
set firewall family inet filter protect_re term permit-icmp then log
set firewall family inet filter protect_re term permit-icmp then syslog
set firewall family inet filter protect_re term permit-icmp then accept
set firewall family inet6 filter protect_re-v6 term permit-ar from icmp-type neighboradvertisement
set firewall family inet6 filter protect_re-v6 term permit-ar from icmp-type neighborsolicit
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type neighboradvertisement
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type neighborsolicit
set firewall family inet6 filter ingress-v6 term permit-ar from icmp-type 134
set firewall family inet6 filter ingress-v6 term permit-ar then accept
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type neighboradvertisement
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type neighbor-solicit
set firewall family inet6 filter egress-v6 term permit-lr from icmp-type 134
set firewall family inet6 filter egress-v6 term permit-lr then accept

Check Contents

Verify ICMP messages are configured to meet DoD requirements.

[edit]
show firewall family inet

If ICMP messages are not configured in compliance with DoD requirements, this is a finding.

Vulnerability Number

V-214536

Documentable

False

Rule Version

JUSX-AG-000132

Severity Override Guidance

Verify ICMP messages are configured to meet DoD requirements.

[edit]
show firewall family inet

If ICMP messages are not configured in compliance with DoD requirements, this is a finding.

Check Content Reference

Target Key

4004

The Juniper SRX Services Gateway Firewall must configure ICMP to meet DoD requirements.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments