Rule ID: SV-221003r622190_rule
Vuln ID: V-221003
SRG: SRG-NET-000078-RTR-000001
STIG ID: CISC-RT-000200
Severity: CAT III
Weight: 10
Fix Text:
Configure ACLs to log packets that are dropped, as shown in the example below:
SW1(config)#ip access-list extended INGRESS_FILTER
…
…
…
SW1(config-ext-nacl)#deny ip any any log
Check Text:
Review all ACLs used to filter traffic and verify that packets dropped at interfaces by an ACL are logged, as shown in the configuration below:
ip access-list extended INGRESS_FILTER
permit tcp any any established
permit tcp host x.11.1.1 eq bgp host x.11.1.2
permit tcp host x.11.1.1 host x.11.1.2 eq bgp
permit tcp any host x.11.1.5 eq www
permit icmp host x.11.1.1 host x.11.1.2 echo
permit icmp any any echo-reply
…
…
…
deny ip any any log
If packets being dropped are not logged, this is a finding.