Warning! Audit Deprecated
Information
Logging should be enabled for all firewall policies including the default implicit deny policy.
Rationale:
Firewall policies should log for all traffic (both allow and deny policies). This enables SOC or security analyst to do further investigations on security incidents especially on threat hunting or incident response activities. Although there are many data sources that can provide DNS query logs (AD or EDR), this option should be enabled out of best practice and with assumption that no other data sources are available.
Impact:
By default, when creating firewall policies, a logging option is not enabled. Also, the default implicit deny policy is not logged. This creates a data gap in threat hunting or incident response activities.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Review firewall policies and ensure that:
For allowed policies, 'Log Allowed Traffic' is set on 'All Sessions' option.
For denied policies, 'Log Violation Traffic' is enabled.
Default Value:
Logging is disabled.