DISA STIG Cisco ASA FW v2r1

Audit Details

Name: DISA STIG Cisco ASA FW v2r1

Updated: 8/28/2024

Authority: DISA STIG

Plugin: Cisco

Revision: 1.0

Estimated Item Count: 57

File Details

Filename: DISA_STIG_Cisco_ASA_FW_v2r1.audit

Size: 163 kB

MD5: f054903faee7f308058dd2a2f4182808
SHA256: 59ca5cc0f4ed7c43c173dfaa0eafd7b194b5ac72cea3717e46cd10b2d933fac2

Audit Items

DescriptionCategories
CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services - ACL Applied

ACCESS CONTROL

CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services - ingress ACL

ACCESS CONTROL

CASA-FW-000020 - The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.

ACCESS CONTROL

CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules - VPN Group Policy

ACCESS CONTROL

CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules - VPN Rules

ACCESS CONTROL

CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred - Log Parameters

AUDIT AND ACCOUNTABILITY

CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred - Logging Enabled

AUDIT AND ACCOUNTABILITY

CASA-FW-000050 - The Cisco ASA must be configured to generate traffic log entries containing information to establish when (date and time) the events occurred.

AUDIT AND ACCOUNTABILITY

CASA-FW-000090 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - Buffer Enabled

AUDIT AND ACCOUNTABILITY

CASA-FW-000090 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - Queue

AUDIT AND ACCOUNTABILITY

CASA-FW-000100 - The Cisco ASA must be configured to use TCP when sending log records to the central audit server - Logging Host

CONFIGURATION MANAGEMENT

CASA-FW-000100 - The Cisco ASA must be configured to use TCP when sending log records to the central audit server - Logging Permit-hostdown

CONFIGURATION MANAGEMENT

CASA-FW-000130 - The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture - HTTP

CONFIGURATION MANAGEMENT

CASA-FW-000130 - The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture - Telnet

CONFIGURATION MANAGEMENT

CASA-FW-000150 - The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000170 - The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments - ACL

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000170 - The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments - Interface

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000200 - The Cisco ASA must be configured to send log data of denied traffic to a central audit server for analysis - Logging Host

CONFIGURATION MANAGEMENT

CASA-FW-000200 - The Cisco ASA must be configured to send log data of denied traffic to a central audit server for analysis - Trap Notification

CONFIGURATION MANAGEMENT

CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - From-address

AUDIT AND ACCOUNTABILITY

CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Logging Errors

AUDIT AND ACCOUNTABILITY

CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Recipient-address

AUDIT AND ACCOUNTABILITY

CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Severity

AUDIT AND ACCOUNTABILITY

CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - smtp

AUDIT AND ACCOUNTABILITY

CASA-FW-000220 - The Cisco ASA must be configured to implement scanning threat detection.

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - ACL

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - Interface

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces - ACL

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces - Interface

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic - ACL

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic - Interface

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - ACL

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - authentication

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - crypto ipsec

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - encryption

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - group

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - hash sha

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - inside interface

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - lifetime

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - match address

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - outside interface

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - set ikev1

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - set lifetime

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - set peer

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - tunnel-group

SYSTEM AND COMMUNICATIONS PROTECTION

CASA-FW-000270 - The Cisco ASA must be configured to inspect all inbound and outbound traffic at the application layer.

CONFIGURATION MANAGEMENT

CASA-FW-000280 - The Cisco ASA must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.

CONFIGURATION MANAGEMENT

CASA-FW-000290 - The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF) - ACL

CONFIGURATION MANAGEMENT

CASA-FW-000290 - The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF) - network-object

CONFIGURATION MANAGEMENT

CASA-FW-000290 - The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF) - URF

CONFIGURATION MANAGEMENT