The NSX Tier-0 Gateway router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces.

Overview

Finding ID: V-265442
Version: NT0R-4X-000065
Rule ID: SV-265442r999916_rule
IA Controls: CCI-002385
Severity: medium
Description
ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. ICMP Address Mask Reply messages (ICMPv4 type 18, sent in answer to a type 17 Address Mask Request) disclose the subnet mask of an interface and are commonly used by attackers for network mapping and diagnosis.
STIG: VMware NSX 4.x Tier-0 Gateway Router Security Technical Implementation Guide
Date: 2024-12-13

Details

Check Text (C-265442r999916_chk)

If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down menu. Review each Tier-0 Gateway Firewall rule to verify one exists to drop ICMP mask replies. If a rule does not exist to drop ICMP mask replies, this is a finding.

Fix Text (F-69267r999916_fix)

To configure a shared rule to drop ICMP mask replies, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed). Under "Services", select the custom service that identifies ICMP mask replies, and then click "Apply". Enable logging, under the "Applied To" field select the target Tier-0 gateways' external interfaces, and then select "Publish" to enforce the new rule.

Note: A rule can also be created under Gateway Specific Rules to meet this requirement.

Note: A pre-created service for ICMP mask replies does not exist by default and may need to be created.
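The check above is done by hand in the NSX Manager UI; the following is an added example (not part of the STIG or of VMware's tooling) that performs the same audit over JSON as returned by the NSX Policy API, so it can be scripted across many Tier-0 gateways. The field names (service_entries, ICMPTypeServiceEntry, icmp_type, action, logged, scope) are assumed to match the Policy API; the service and rule ids and the sample records are constructed for this example.

```python
"""Audit NSX Policy API JSON for a gateway rule that drops ICMP mask replies (STIG NT0R-4X-000065)."""
import json

ICMP_ADDRESS_MASK_REPLY = 18  # ICMPv4 type 18 (RFC 950); type 17 is the Address Mask Request

# Constructed sample of what GET .../infra/services and .../gateway-policies/<id>/rules
# return. Field names are an assumption about the NSX Policy API; ids are made up.
SERVICES = json.loads(json.dumps({"results": [
    {"id": "ICMP-Mask-Reply", "path": "/infra/services/ICMP-Mask-Reply",
     "service_entries": [{"resource_type": "ICMPTypeServiceEntry",
                          "protocol": "ICMPv4", "icmp_type": 18}]},
    {"id": "ICMP-Echo-Reply", "path": "/infra/services/ICMP-Echo-Reply",
     "service_entries": [{"resource_type": "ICMPTypeServiceEntry",
                          "protocol": "ICMPv4", "icmp_type": 0}]},
]}))["results"]
RULES = json.loads(json.dumps({"results": [
    {"id": "allow-icmp", "action": "ALLOW", "logged": False,
     "services": ["/infra/services/ICMP-Echo-Reply"], "scope": ["ANY"]},
    {"id": "drop-mask-reply", "action": "DROP", "logged": True,
     "services": ["/infra/services/ICMP-Mask-Reply"],
     "scope": ["/infra/tier-0s/T0-Edge/locale-services/default/interfaces/uplink-1"]},
]}))["results"]


def mask_reply_service_paths(services):
    """Paths of every service whose entries include ICMPv4 type 18 (the custom service the STIG asks for)."""
    return {s["path"] for s in services
            if any(e.get("resource_type") == "ICMPTypeServiceEntry"
                   and e.get("protocol") == "ICMPv4"
                   and e.get("icmp_type") == ICMP_ADDRESS_MASK_REPLY
                   for e in s.get("service_entries", []))}


def audit_mask_reply_rule(services, rules):
    """Return (compliant, findings): compliant when a DROP/REJECT rule references a mask-reply service."""
    mask_paths = mask_reply_service_paths(services)
    findings = []
    if not mask_paths:
        findings.append("no custom service defines ICMPv4 type 18; create one before adding the rule")
    drop_rules = [r for r in rules if r.get("action") in ("DROP", "REJECT")
                  and set(r.get("services", [])) & mask_paths]
    if not drop_rules:
        findings.append("no gateway firewall rule drops ICMP mask replies: this is a finding")
    for r in drop_rules:  # the fix text requires logging on the rule; flag it if it is off
        if not r.get("logged"):
            findings.append(f"rule {r['id']} drops mask replies but logging is disabled")
    return bool(drop_rules), findings


if __name__ == "__main__":
    print(audit_mask_reply_rule(SERVICES, RULES))
```

Run the check once per Tier-0 gateway policy, and skip gateways deployed in Active/Active HA mode, for which the requirement is Not Applicable.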