The Edge SWG must be configured to remove or disable unrelated or unneeded application proxy services.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-279180 | SYME-00-005100 | SV-279180r1170629_rule | CCI-000381 | medium |
| Description | ||||
| Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies can be installed on many ALGs. However, proxy types must be limited to related functions. At a minimum, the web and email gateway represent different security domains/trust levels. Organizations should also consider separation of gateways that service the DMZ and the trusted network. Satisfies: SRG-NET-000131-ALG-000086, SRG-NET-000384-ALG-000136 | ||||
| STIG | Date | |||
| Symantec Edge SWG ALG Security Technical Implementation Guide | 2025-12-16 | |||
Details
Check Text (C-279180r1170629_chk)
1. In the Edge SWG Web UI, navigate to Configuration.
2. Go to "Services and Proxy Services".
Under "Proxy Services", if there are more than HTTP, HTTPS, CAC-Mc-Notify, and any other required reverse proxy (e.g. HTTP/2 reverse proxy like H2-Console), this is a finding.
Fix Text (F-83633r1170628_fix)
1. In the Edge SWG Web UI, navigate to Configuration.
2. Go to "Services and Proxy Services".
3. Under "Proxy Services", remove all services like FTP, etc., other than HTTP, HTTPS, CAC-Mc-Notify, and any other required reverse proxy (e.g., HTTP/2 reverse proxy like H2-Console).
4. Only authorized proxy service must be configured for Intercept, and any service not in use must be removed, not just set to Bypass.