| JUSX-VN-000001 - The Juniper SRX Services Gateway VPN must limit the number of concurrent sessions for user accounts to one (1) and administrative accounts to three (3), or set to an organization-defined number. | ACCESS CONTROL |
| JUSX-VN-000002 - The Juniper SRX Services Gateway VPN must renegotiate the IPsec security association after 8 hours or less. | ACCESS CONTROL |
| JUSX-VN-000003 - The Juniper SRX Services Gateway VPN must renegotiate the IKE security association after 24 hours or less. | ACCESS CONTROL |
| JUSX-VN-000004 - The Juniper SRX Services Gateway VPN device also fulfills the role of IDPS in the architecture, the device must inspect the VPN traffic in compliance with DoD IDPS requirements. | ACCESS CONTROL |
| JUSX-VN-000005 - The Juniper SRX Services Gateway VPN must use AES encryption for the IPsec proposal to protect the confidentiality of remote access sessions. | ACCESS CONTROL |
| JUSX-VN-000006 - The Juniper SRX Services Gateway VPN must use AES encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. | ACCESS CONTROL |
| JUSX-VN-000007 - The Juniper SRX Services Gateway VPN must implement a FIPS-140-2 validated Diffie-Hellman (DH) group. | ACCESS CONTROL |
| JUSX-VN-000008 - The Juniper SRX Services Gateway VPN must be configured to use IPsec with SHA1 or greater to negotiate hashing to protect the integrity of remote access sessions. | ACCESS CONTROL |
| JUSX-VN-000009 - The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | ACCESS CONTROL |
| JUSX-VN-000010 - The Juniper SRX Services Gateway VPN must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). | CONFIGURATION MANAGEMENT |
| JUSX-VN-000011 - If IDPS inspection is performed separately from the Juniper SRX Services Gateway VPN device, the VPN must route sessions to an IDPS for inspection. | CONFIGURATION MANAGEMENT |
| JUSX-VN-000012 - The Juniper SRX Services Gateway VPN must not accept certificates that have been revoked when using PKI for authentication. | CONFIGURATION MANAGEMENT |
| JUSX-VN-000013 - The Juniper SRX Services Gateway VPN must specify Perfect Forward Secrecy (PFS). | CONFIGURATION MANAGEMENT |
| JUSX-VN-000014 - The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode. | CONFIGURATION MANAGEMENT |
| JUSX-VN-000015 - The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. | CONFIGURATION MANAGEMENT |
| JUSX-VN-000016 - The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations. | CONFIGURATION MANAGEMENT |
| JUSX-VN-000017 - The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | CONFIGURATION MANAGEMENT |
| JUSX-VN-000018 - The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | IDENTIFICATION AND AUTHENTICATION |
| JUSX-VN-000019 - The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts. | IDENTIFICATION AND AUTHENTICATION |
| JUSX-VN-000020 - The Juniper SRX Services Gateway VPN must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module. | IDENTIFICATION AND AUTHENTICATION |
| JUSX-VN-000021 - The Juniper SRX Services Gateway VPN must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | IDENTIFICATION AND AUTHENTICATION |
| JUSX-VN-000022 - The Juniper SRX Services Gateway VPN must terminate all network connections associated with a communications session at the end of the session. | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUSX-VN-000023 - The Juniper SRX Services Gateway VPN Internet Key Exchange (IKE) must use cryptography that is compliant with Suite B parameters when transporting classified traffic across an unclassified network. | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUSX-VN-000024 - The Juniper SRX Services Gateway VPN IKE must use NIST FIPS-validated cryptography to implement encryption services for unclassified VPN traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUSX-VN-000025 - The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions. | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUSX-VN-000026 - The Juniper SRX Services Gateway VPN must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUSX-VN-000027 - The Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations. | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUSX-VN-000028 - The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs. | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUSX-VN-000031 - The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations. | IDENTIFICATION AND AUTHENTICATION |
