| V-251761 | | The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish what type of events occurred. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or... |
| V-251763 | | Each NSX-T Edge Node configured to host a Tier-1 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure traffic log records. | It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure, secur... |
| V-251764 | | The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. | DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performanc... |
| V-251765 | | The NSX-T Tier-1 Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such ... |
| V-251766 | | The NSX-T Tier-1 Gateway Firewall must be configured to send traffic log entries to a central audit server for management and configuration of the traffic log entries. | Without the ability to centrally manage the content captured in the traffic log entries, identification, troubleshooting, and correlation of suspiciou... |
| V-251767 | | The NSX-T Tier-1 Gateway Firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning. | Not configuring a key boundary security protection device, such as the firewall, against commonly known attacks is an immediate threat to the protected... |
| V-251768 | | The NSX-T Tier-1 Gateway Firewall must apply ingress filters to traffic that is inbound to the network through any active external interface. | Unrestricted traffic to the trusted networks may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additiona... |
| V-251769 | | The NSX-T Tier-1 Gateway Firewall must configure SpoofGuard to block outbound IP packets that contain illegitimate packet attributes. | If outbound communications traffic is not filtered, hostile activity intended to harm other networks may not be detected and prevented.... |
| V-251762 | | The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish the details of the event. | Without sufficient information to analyze the event, it would be difficult to establish, correlate, and investigate the events leading up to an outage... |