| JUSX-DM-000001 - The Juniper SRX Services Gateway must limit the number of concurrent sessions to a maximum of 10 or less for remote access using SSH. | ACCESS CONTROL |
| JUSX-DM-000007 - The Juniper SRX Services Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| JUSX-DM-000015 - For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account creation events. | ACCESS CONTROL |
| JUSX-DM-000016 - For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account modification events. | ACCESS CONTROL |
| JUSX-DM-000017 - For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account disabling events. | ACCESS CONTROL |
| JUSX-DM-000018 - For local accounts created on the device, the Juniper SRX Services Gateway must automatically generate log records for account removal events. | ACCESS CONTROL |
| JUSX-DM-000019 - For local accounts, the Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when local accounts are created. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| JUSX-DM-000020 - The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are modified. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| JUSX-DM-000021 - The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| JUSX-DM-000022 - The Juniper SRX Services Gateway must generate alerts to the management console and generate a log record that can be forwarded to the ISSO and designated system administrators when the local accounts (i.e., the account of last resort or root account) are deleted. | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| JUSX-DM-000023 - The Juniper SRX Services Gateway must automatically generate a log event when accounts are enabled. | ACCESS CONTROL |
| JUSX-DM-000024 - The Juniper SRX Services Gateway must generate an immediate alert message to the management console for account enabling actions. | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| JUSX-DM-000025 - The Juniper SRX Services Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands by assigning a login class to all AAA-authenticated users. | ACCESS CONTROL |
| JUSX-DM-000029 - The Juniper SRX Services Gateway must generate a log event when privileged commands are executed. | ACCESS CONTROL |
| JUSX-DM-000030 - For local accounts created on the device, the Juniper SRX Services Gateway must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | ACCESS CONTROL |
| JUSX-DM-000032 - The Juniper SRX Services Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access. | ACCESS CONTROL |
| JUSX-DM-000039 - The Juniper SRX Services Gateway must allow only the information system security manager (ISSM) (or administrators/roles appointed by the ISSM) to select which auditable events are to be generated and forwarded to the syslog and/or local logs - or administrators/roles appointed by the ISSM to select which auditable events are to be generated and forwarded to the syslog and/or local logs. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| JUSX-DM-000040 - The Juniper SRX Services Gateway must generate log records when successful attempts to configure the device and use commands occur. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000041 - The Juniper SRX Services Gateway must generate log records when changes are made to administrator privileges. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000042 - The Juniper SRX Services Gateway must generate log records when administrator privileges are deleted. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000043 - The Juniper SRX Services Gateway must generate log records when logon events occur. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000044 - The Juniper SRX Services Gateway must generate log records when privileged commands are executed. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000046 - The Juniper SRX Services Gateway must generate log records when concurrent logons from different workstations occur. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000055 - The Juniper SRX Services Gateway must generate log records containing the full-text recording of privileged commands. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000056 - For local log files, the Juniper SRX Services Gateway must allocate log storage capacity in accordance with organization-defined log record storage requirements so that the log files do not grow to a size that causes operational issues. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000059 - The Juniper SRX Services Gateway must generate an immediate system alert message to the management console when a log processing failure is detected. | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000060 - For local logging, the Juniper SRX Services Gateway must generate a message to the system management console when a log processing failure occurs. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| JUSX-DM-000061 - In the event that communications with the events server is lost, the Juniper SRX Services Gateway must continue to queue log records locally. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| JUSX-DM-000065 - The Juniper SRX Services Gateway must record time stamps for log records using Coordinated Universal Time (UTC). | AUDIT AND ACCOUNTABILITY |
| JUSX-DM-000077 - The Juniper SRX Services Gateway must implement logon roles to ensure only authorized roles are allowed to install software and updates. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000084 - If the loopback interface is used, the Juniper SRX Services Gateway must protect the loopback interface with firewall filters for known attacks that may exploit this interface. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000087 - The Juniper SRX Services Gateway must have the number of rollbacks set to 5 or more. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000094 - The Juniper SRX Services Gateway must be configured to synchronize internal information system clocks with the primary and secondary NTP servers for the network. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000095 - The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000096 - The Juniper SRX Services Gateway must be configured to use an authentication server to centrally apply authentication and logon settings for remote and nonlocal access for device management. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| JUSX-DM-000097 - The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management. | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| JUSX-DM-000098 - The Juniper SRX Services Gateway must specify the order in which authentication servers are used. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000099 - The Juniper SRX Services Gateway must detect the addition of components and issue a priority 1 alert to the ISSM and SA, at a minimum. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000105 - The Juniper SRX Services Gateway must use DOD-approved PKI rather than proprietary or self-signed device certificates. | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| JUSX-DM-000106 - The Juniper SRX Services Gateway must generate an alarm or send an alert message to the management console when a component failure is detected. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000108 - The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000109 - For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000110 - The Juniper SRX Services Gateway must authenticate NTP servers before establishing a network connection using bidirectional authentication that is cryptographically based. | IDENTIFICATION AND AUTHENTICATION |
| JUSX-DM-000111 - If SNMP is enabled, the Juniper SRX Services Gateway must use and securely configure SNMPv3. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000112 - The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000113 - The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000114 - The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000115 - The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort. | CONFIGURATION MANAGEMENT |
| JUSX-DM-000124 - The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts. | IDENTIFICATION AND AUTHENTICATION |
| JUSX-DM-000128 - For local accounts using password authentication (i.e., the root account and the account of last resort), the Juniper SRX Services Gateway must enforce a minimum 15-character password length. | IDENTIFICATION AND AUTHENTICATION |
