JUEX-RT-000260 - The Juniper router must be configured to log all packets that have been dropped.

Information

Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack or identify a configuration mistake on the device.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure interface firewall filters to log all deny statements.

All discarding firewall filter terms:
<filter terms and match conditions>
set firewall family inet filter <filter name> term <name> then log
set firewall family inet filter <filter name> term <name> then syslog <<< Minimally must be configured for all discarding filter terms.
set firewall family inet filter <filter name> term <name> then discard

<filter terms and match conditions>
set firewall family inet6 filter <filter name> term <name> then log
set firewall family inet6 filter <filter name> term <name> then syslog <<< Minimally must be configured for all discarding filter terms.
set firewall family inet6 filter <filter name> term <name> then discard

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CAT|III, CCI|CCI-000134, Rule-ID|SV-253998r844027_rule, STIG-ID|JUEX-RT-000260, Vuln-ID|V-253998

Plugin: Juniper

Control ID: b2e7e4a6f3a6d5d44441be8f3d5816de95b98020ed1db1afe0d0aa4b6ba96286