STIGQter: STIG Summary: A10 Networks ADC ALG Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.

DISA Rule

SV-237057r639618_rule

Vulnerability Number

V-237057

Group Title

SRG-NET-000401-ALG-000127

Rule Version

AADC-AG-000122

Severity

CAT II

CCI(s)

• CCI-001310 - The information system checks the validity of organization-defined inputs.

Weight

10

Fix Recommendation

The following commands configure the ADC to restrict the HTTP methods:
slb template waf [template-name]
allowed-http-methods GET POST HEAD PUT DELETE CONNECT PURGE

Note: GET and POST are the default values and are the safest choices. Restricting the methods to GET and POST is recommended.

Check Contents

If the ADC is not used to load balance web servers, this is not applicable. Interview the device administrator to determine which WAF template is used for web servers.

Review the device configuration.

The following command displays the configuration and filters the output on the WAF template section:
show run | sec slb template waf

If there is no WAF template, this is a finding.

If the WAF template allows the HTTP TRACE method, this is a finding.

Vulnerability Number

V-237057

Documentable

False

Rule Version

AADC-AG-000122

Severity Override Guidance

If the ADC is not used to load balance web servers, this is not applicable. Interview the device administrator to determine which WAF template is used for web servers.

Review the device configuration.

The following command displays the configuration and filters the output on the WAF template section:
show run | sec slb template waf

If there is no WAF template, this is a finding.

If the WAF template allows the HTTP TRACE method, this is a finding.

Check Content Reference

M

Target Key

5285

Comments