STIGQter: STIG Summary: A10 Networks ADC ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The A10 Networks ADC must send an alert to, at a minimum, the ISSO and SCA when connectivity to the Syslog servers is lost.

DISA Rule

SV-237034r639549_rule

Vulnerability Number

V-237034

Group Title

SRG-NET-000088-ALG-000054

Rule Version

AADC-AG-000026

Severity

CAT III

CCI(s)

• CCI-000139 - The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.

Weight

10

Fix Recommendation

The following command enables the device to send an SNMP trap when the health monitor shows the connection to the server is down:
snmp-server enable traps slb server-down

The following command enables the device to send an SNMP trap when the health monitor shows the connection to the server is up:
snmp enable traps slb server-up

The following command creates a health monitor for UDP 514 (the Syslog port):
health monitor [monitor name]
method udp port 514

The following command creates a Server Load Balancing instance and assigns a health monitor to it:
slb server server-name [ipaddr | hostname]
health-check [monitor]

Check Contents

Review the device configuration.

The following command shows the configured Server Load Balancing instances:
show run | sec slb

If no Server Load Balancing instance is configured with a health check to the Syslog server, this is a finding.

The following command shows the device configuration and filters the output on the string "snmp":
show run | inc snmp

This will include which SNMP traps the device is configured to send.

If the output does not include "snmp-server enable traps slb server-down", this is a finding.

Vulnerability Number

V-237034

Documentable

False

Rule Version

AADC-AG-000026

Severity Override Guidance

Review the device configuration.

The following command shows the configured Server Load Balancing instances:
show run | sec slb

If no Server Load Balancing instance is configured with a health check to the Syslog server, this is a finding.

The following command shows the device configuration and filters the output on the string "snmp":
show run | inc snmp

This will include which SNMP traps the device is configured to send.

If the output does not include "snmp-server enable traps slb server-down", this is a finding.

Check Content Reference

M

Target Key

5285

Comments