STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← SC-7 (11) — Boundary Protection

CCI-002403

Definition

Only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Parent Control

SC-7 (11)Boundary ProtectionSystem and Communications Protection

Linked STIG Checks (200)

V-237052CAT IIThe A10 Networks ADC, when used to load balance web applications, must examine incoming user requests against the URI White Lists.A10 Networks ADC ALG Security Technical Implementation Guide V-76455CAT IIKona Site Defender must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide V-205008CAT IIThe ALG must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.Application Layer Gateway Security Requirements Guide V-217501CAT IIThe Arista Multilayer Switch must only allow incoming communications from authorized sources to be routed to authorized destinations.Arista MLS DCS-7000 Series RTR Security Technical Implementation Guide V-256040CAT IIThe Arista perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256041CAT IIThe Arista perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256042CAT IIIThe Arista perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256043CAT IIThe Arista perimeter router must be configured to have Proxy ARP disabled on all external interfaces.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256045CAT IIIThe Arista multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256046CAT IIThe Arista multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256047CAT IIThe Arista Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256060CAT IIThe perimeter router must be configured to block all packets with any IP options.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256061CAT IIThe PE router must be configured to ignore or block all packets with any IP options.Arista MLS EOS 4.2x Router Security Technical Implementation Guide V-256040CAT IIThe Arista perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256041CAT IIThe Arista perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256042CAT IIIThe Arista perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256043CAT IIThe Arista perimeter router must be configured to have Proxy ARP disabled on all external interfaces.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256045CAT IIIThe Arista multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256046CAT IIThe Arista multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256047CAT IIThe Arista Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256060CAT IIThe perimeter router must be configured to block all packets with any IP options.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-256061CAT IIThe PE router must be configured to ignore or block all packets with any IP options.Arista MLS EOS 4.X Router Security Technical Implementation Guide V-237401CAT IIThe CA API Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.CA API Gateway ALG Security Technical Implementation Guide V-272076CAT IIThe Cisco ACI must not be configured to have any feature enabled that calls home to the vendor.Cisco ACI Router Security Technical Implementation Guide V-272095CAT IIIThe Cisco ACI multicast must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups and only from sources that have been approved by the organization.Cisco ACI Router Security Technical Implementation Guide V-239865CAT IIThe Cisco ASA must be configured to filter inbound traffic on all external interfaces.Cisco ASA Firewall Security Technical Implementation Guide V-239866CAT IIThe Cisco ASA must be configured to filter outbound traffic on all internal interfaces.Cisco ASA Firewall Security Technical Implementation Guide V-239867CAT IIThe Cisco ASA perimeter firewall must be configured to block all outbound management traffic.Cisco ASA Firewall Security Technical Implementation Guide V-239868CAT IIThe Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel.Cisco ASA Firewall Security Technical Implementation Guide V-216574CAT IIThe Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Cisco IOS Router RTR Security Technical Implementation Guide V-216575CAT IIThe Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.Cisco IOS Router RTR Security Technical Implementation Guide V-216584CAT IIIThe Cisco perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.Cisco IOS Router RTR Security Technical Implementation Guide V-216585CAT IIIThe Cisco perimeter router must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.Cisco IOS Router RTR Security Technical Implementation Guide V-216586CAT IIThe Cisco perimeter router must be configured to have Proxy ARP disabled on all external interfaces.Cisco IOS Router RTR Security Technical Implementation Guide V-216629CAT IIIThe Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Cisco IOS Router RTR Security Technical Implementation Guide V-216630CAT IIThe Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Cisco IOS Router RTR Security Technical Implementation Guide V-216633CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.Cisco IOS Router RTR Security Technical Implementation Guide V-216990CAT IIThe Cisco perimeter router must be configured to block all packets with any IP options.Cisco IOS Router RTR Security Technical Implementation Guide V-216993CAT IIThe Cisco PE router must be configured to drop all packets with any IP options.Cisco IOS Router RTR Security Technical Implementation Guide V-230047CAT IIThe Cisco perimeter router must be configured to drop IPv6 undetermined transport packets.Cisco IOS Router RTR Security Technical Implementation Guide V-230050CAT IIThe Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3–255.Cisco IOS Router RTR Security Technical Implementation Guide V-230145CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.Cisco IOS Router RTR Security Technical Implementation Guide V-230149CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.Cisco IOS Router RTR Security Technical Implementation Guide V-230152CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.Cisco IOS Router RTR Security Technical Implementation Guide V-230155CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.Cisco IOS Router RTR Security Technical Implementation Guide V-230158CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.Cisco IOS Router RTR Security Technical Implementation Guide V-220442CAT IIThe Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Cisco IOS Switch RTR Security Technical Implementation Guide V-220443CAT IIThe Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes.Cisco IOS Switch RTR Security Technical Implementation Guide V-220449CAT IIIThe Cisco perimeter switch must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.Cisco IOS Switch RTR Security Technical Implementation Guide V-220450CAT IIIThe Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.Cisco IOS Switch RTR Security Technical Implementation Guide V-220451CAT IIThe Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.Cisco IOS Switch RTR Security Technical Implementation Guide V-220464CAT IIIThe Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Cisco IOS Switch RTR Security Technical Implementation Guide V-220465CAT IIThe Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Cisco IOS Switch RTR Security Technical Implementation Guide V-220472CAT IIThe Cisco perimeter switch must be configured to block all packets with any IP options.Cisco IOS Switch RTR Security Technical Implementation Guide V-220473CAT IIThe Cisco PE switch must be configured to ignore or drop all packets with any IP options.Cisco IOS Switch RTR Security Technical Implementation Guide V-237761CAT IIThe Cisco perimeter switch must be configured to drop IPv6 undetermined transport packets.Cisco IOS Switch RTR Security Technical Implementation Guide V-237763CAT IIThe Cisco perimeter switch must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255.Cisco IOS Switch RTR Security Technical Implementation Guide V-237765CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.Cisco IOS Switch RTR Security Technical Implementation Guide V-237771CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.Cisco IOS Switch RTR Security Technical Implementation Guide V-237773CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.Cisco IOS Switch RTR Security Technical Implementation Guide V-237775CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.Cisco IOS Switch RTR Security Technical Implementation Guide V-237777CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.Cisco IOS Switch RTR Security Technical Implementation Guide V-216664CAT IIThe Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216665CAT IIThe Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216674CAT IIIThe Cisco perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216675CAT IIIThe Cisco perimeter router must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216676CAT IIThe Cisco perimeter router must be configured to have Proxy ARP disabled on all external interfaces.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216724CAT IIIThe Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216725CAT IIThe Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216728CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.Cisco IOS XE Router RTR Security Technical Implementation Guide V-216998CAT IIThe Cisco perimeter router must be configured to block all packets with any IP options.Cisco IOS XE Router RTR Security Technical Implementation Guide V-217001CAT IIThe Cisco PE router must be configured to ignore or drop all packets with any IP options.Cisco IOS XE Router RTR Security Technical Implementation Guide V-230048CAT IIThe Cisco perimeter router must be configured to drop IPv6 undetermined transport packets.Cisco IOS XE Router RTR Security Technical Implementation Guide V-230051CAT IIThe Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3–255.Cisco IOS XE Router RTR Security Technical Implementation Guide V-230146CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.Cisco IOS XE Router RTR Security Technical Implementation Guide V-230150CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.Cisco IOS XE Router RTR Security Technical Implementation Guide V-230153CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.Cisco IOS XE Router RTR Security Technical Implementation Guide V-230156CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.Cisco IOS XE Router RTR Security Technical Implementation Guide V-230159CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.Cisco IOS XE Router RTR Security Technical Implementation Guide V-221009CAT IIThe Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221010CAT IIThe Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221015CAT IIThe Cisco perimeter switch must be configured to block all packets with any IP options.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221016CAT IIIThe Cisco perimeter switch must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221017CAT IIIThe Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221018CAT IIThe Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221049CAT IIThe Cisco PE switch must be configured to ignore or drop all packets with any IP options.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221060CAT IIIThe Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221061CAT IIThe Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-221064CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to only accept MSDP packets from known MSDP peers.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-237762CAT IIThe Cisco perimeter switch must be configured to drop IPv6 undetermined transport packets.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-237764CAT IIThe Cisco perimeter switch must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-237766CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-237772CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-237774CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-237776CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-237778CAT IIThe Cisco perimeter switch must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.Cisco IOS XE Switch RTR Security Technical Implementation Guide V-216754CAT IIThe Cisco perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216755CAT IIThe Cisco perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216764CAT IIIThe Cisco perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216765CAT IIIThe Cisco perimeter router must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216766CAT IIThe Cisco perimeter router must be configured to have Proxy ARP disabled on all external interfaces.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216814CAT IIIThe Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216815CAT IIThe Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Cisco IOS XR Router RTR Security Technical Implementation Guide V-216818CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.Cisco IOS XR Router RTR Security Technical Implementation Guide V-217006CAT IIThe Cisco perimeter router must be configured to block all packets with any IP options.Cisco IOS XR Router RTR Security Technical Implementation Guide V-217009CAT IIThe Cisco PE router must be configured to ignore or block all packets with any IP options.Cisco IOS XR Router RTR Security Technical Implementation Guide V-230049CAT IIThe Cisco perimeter router must be configured to drop IPv6 undetermined transport packets.Cisco IOS XR Router RTR Security Technical Implementation Guide V-230052CAT IIThe Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3–255.Cisco IOS XR Router RTR Security Technical Implementation Guide V-230147CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.Cisco IOS XR Router RTR Security Technical Implementation Guide V-230151CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.Cisco IOS XR Router RTR Security Technical Implementation Guide V-230154CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.Cisco IOS XR Router RTR Security Technical Implementation Guide V-230157CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.Cisco IOS XR Router RTR Security Technical Implementation Guide V-230160CAT IIThe Cisco perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.Cisco IOS XR Router RTR Security Technical Implementation Guide V-221078CAT IIThe Cisco switch must not be configured to have any feature enabled that calls home to the vendor.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221089CAT IIThe Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221090CAT IIThe Cisco perimeter switch must be configured to block inbound packets with source Bogon IP address prefixes.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221095CAT IIThe Cisco perimeter switch must be configured to block all packets with any IP options.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221096CAT IIIThe Cisco perimeter switch must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221097CAT IIIThe Cisco perimeter switch must be configured to have Cisco Discovery Protocol (CDP) disabled on all external interfaces.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221098CAT IIThe Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221128CAT IIThe Cisco PE switch must be configured to ignore or drop all packets with any IP options.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221138CAT IIIThe Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221139CAT IIThe Cisco multicast Designated switch (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Cisco NX OS Switch RTR Security Technical Implementation Guide V-221142CAT IIThe Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to only accept MSDP packets from known MSDP peers.Cisco NX OS Switch RTR Security Technical Implementation Guide V-269898CAT IIIThe Dell OS10 multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Dell OS10 Switch Router Security Technical Implementation Guide V-269899CAT IIThe Dell OS10 multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Dell OS10 Switch Router Security Technical Implementation Guide V-269927CAT IIThe Dell OS10 Router must not be configured to have any feature enabled that calls home to the vendor.Dell OS10 Switch Router Security Technical Implementation Guide V-214501CAT IIThe BIG-IP AFM module must be configured to only allow incoming communications from authorized sources routed to authorized destinations.F5 BIG-IP Advanced Firewall Manager Security Technical Implementation Guide V-215794CAT IIThe BIG-IP Core implementation must be configured to only allow incoming communications from authorized sources routed to authorized destinations.F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide V-266264CAT IIThe F5 BIG-IP appliance must be configured to filter inbound traffic on all external interfaces.F5 BIG-IP TMOS Firewall Security Technical Implementation Guide V-266265CAT IIThe F5 BIG-IP appliance must be configured to filter outbound traffic on all internal interfaces.F5 BIG-IP TMOS Firewall Security Technical Implementation Guide V-266266CAT IIThe F5 BIG-IP appliance must be configured to block all outbound management traffic.F5 BIG-IP TMOS Firewall Security Technical Implementation Guide V-206703CAT IIThe firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.Firewall Security Requirements Guide V-206704CAT IIThe firewall must apply egress filters to traffic that is outbound from the network through any internal interface.Firewall Security Requirements Guide V-206707CAT IIThe premise firewall (located behind the premise router) must block all outbound management traffic.Firewall Security Requirements Guide V-206708CAT IIThe firewall must restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address.Firewall Security Requirements Guide V-234152CAT IIThe FortiGate firewall must apply ingress filters to traffic that is inbound to the network through any active external interface.Fortinet FortiGate Firewall Security Technical Implementation Guide V-234153CAT IIThe FortiGate firewall must apply egress filters to traffic outbound from the network through any internal interface.Fortinet FortiGate Firewall Security Technical Implementation Guide V-234154CAT IIWhen employed as a premise firewall, FortiGate must block all outbound management traffic.Fortinet FortiGate Firewall Security Technical Implementation Guide V-234155CAT IIThe FortiGate firewall must restrict traffic entering the VPN tunnels to the management network to only the authorized management packets based on destination address.Fortinet FortiGate Firewall Security Technical Implementation Guide V-66129CAT IIThe HP FlexFabric Switch must only allow incoming communications from authorized sources to be routed to authorized destinations.HP FlexFabric Switch RTR Security Technical Implementation Guide V-266705CAT IIAOS, when configured as a WLAN bridge, must not be configured to have any feature enabled that calls home to the vendor.HPE Aruba Networking AOS Wireless Security Technical Implementation Guide V-65279CAT IIThe DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.IBM DataPower ALG Security Technical Implementation Guide V-65317CAT IIThe DataPower Gateway must not use 0.0.0.0 as a listening IP address for any service.IBM DataPower ALG Security Technical Implementation Guide V-251034CAT IIThe Sentry must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide V-251034CAT IIThe Sentry must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.Ivanti Sentry 9.x ALG Security Technical Implementation Guide V-254000CAT IIThe Juniper router must not be configured to have any feature enabled that calls home to the vendor.Juniper EX Series Switches Router Security Technical Implementation Guide V-254023CAT IIThe Juniper perimeter router must be configured to block all packets with any IP options.Juniper EX Series Switches Router Security Technical Implementation Guide V-254024CAT IIThe Juniper PE router must be configured to ignore or block all packets with any IP options.Juniper EX Series Switches Router Security Technical Implementation Guide V-254045CAT IIThe Juniper perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Juniper EX Series Switches Router Security Technical Implementation Guide V-254046CAT IIThe Juniper perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.Juniper EX Series Switches Router Security Technical Implementation Guide V-254047CAT IIIThe Juniper perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.Juniper EX Series Switches Router Security Technical Implementation Guide V-254048CAT IIThe Juniper perimeter router must be configured to have Proxy ARP disabled on all external interfaces.Juniper EX Series Switches Router Security Technical Implementation Guide V-254050CAT IIIThe Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join only multicast groups that have been approved by the organization.Juniper EX Series Switches Router Security Technical Implementation Guide V-254051CAT IIThe Juniper multicast Designated Router (DR) must be configured to filter the IGMP and MLD Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Juniper EX Series Switches Router Security Technical Implementation Guide V-254052CAT IIThe Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.Juniper EX Series Switches Router Security Technical Implementation Guide V-254053CAT IIThe Juniper perimeter router must be configured to drop fragmented IPv6 packets where the first fragment does not include the entire IPv6 header chain.Juniper EX Series Switches Router Security Technical Implementation Guide V-254054CAT IIThe Juniper perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255.Juniper EX Series Switches Router Security Technical Implementation Guide V-254055CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.Juniper EX Series Switches Router Security Technical Implementation Guide V-254056CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.Juniper EX Series Switches Router Security Technical Implementation Guide V-254057CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.Juniper EX Series Switches Router Security Technical Implementation Guide V-254058CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.Juniper EX Series Switches Router Security Technical Implementation Guide V-254059CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.Juniper EX Series Switches Router Security Technical Implementation Guide V-217031CAT IIThe Juniper perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Juniper Router RTR Security Technical Implementation Guide V-217032CAT IIThe Juniper perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.Juniper Router RTR Security Technical Implementation Guide V-217040CAT IIThe Juniper perimeter router must be configured to block all packets with any IP options.Juniper Router RTR Security Technical Implementation Guide V-217041CAT IIIThe Juniper perimeter router must be configured to have Link Layer Discovery Protocol (LLDP) disabled on all external interfaces.Juniper Router RTR Security Technical Implementation Guide V-217042CAT IIThe Juniper perimeter router must be configured to have Proxy ARP disabled on all external interfaces.Juniper Router RTR Security Technical Implementation Guide V-217078CAT IIThe Juniper PE router must be configured to ignore or block all packets with any IP options.Juniper Router RTR Security Technical Implementation Guide V-217089CAT IIIThe Juniper multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.Juniper Router RTR Security Technical Implementation Guide V-217090CAT IIThe Juniper multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.Juniper Router RTR Security Technical Implementation Guide V-217093CAT IIThe Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to only accept MSDP packets from known MSDP peers.Juniper Router RTR Security Technical Implementation Guide V-233294CAT IIThe Juniper perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3255.Juniper Router RTR Security Technical Implementation Guide V-233295CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop header with invalid option type values.Juniper Router RTR Security Technical Implementation Guide V-233296CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing a Destination Option header with invalid option type values.Juniper Router RTR Security Technical Implementation Guide V-233297CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing an extension header with the Endpoint Identification option.Juniper Router RTR Security Technical Implementation Guide V-233298CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing the NSAP address option within Destination Option header.Juniper Router RTR Security Technical Implementation Guide V-233299CAT IIThe Juniper perimeter router must be configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type.Juniper Router RTR Security Technical Implementation Guide V-66675CAT IIThe Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.Juniper SRX SG VPN Security Technical Implementation Guide V-214533CAT IIThe Juniper SRX Services Gateway Firewall must only allow inbound communications from organization-defined authorized sources routed to organization-defined authorized destinations.Juniper SRX Services Gateway ALG Security Technical Implementation Guide V-214694CAT IIThe Juniper SRX Services Gateway VPN must only allow incoming VPN communications from organization-defined authorized sources routed to organization-defined authorized destinations.Juniper SRX Services Gateway VPN Security Technical Implementation Guide V-243460CAT IIThe Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.Microsoft Windows PAW Security Technical Implementation Guide V-243215CAT IIThe network device must not be configured to have any feature enabled that calls home to the vendor.Network WLAN AP-IG Platform Security Technical Implementation Guide V-243232CAT IIThe network device must not be configured to have any feature enabled that calls home to the vendor.Network WLAN Bridge Platform Security Technical Implementation Guide V-243238CAT IIThe network device must not be configured to have any feature enabled that calls home to the vendor.Network WLAN Controller Platform Security Technical Implementation Guide V-228862CAT IIThe Palo Alto Networks security platform must only allow incoming communications from organization-defined authorized sources forwarded to organization-defined authorized destinations.Palo Alto Networks ALG Security Technical Implementation Guide V-273596CAT IIThe RUCKUS ICX router must not be configured to have any feature enabled that calls home to the vendor.RUCKUS ICX Router Security Technical Implementation Guide V-273642CAT IIThe RUCKUS ICX perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.RUCKUS ICX Router Security Technical Implementation Guide V-273643CAT IIThe RUCKUS ICX perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.RUCKUS ICX Router Security Technical Implementation Guide V-273644CAT IIIThe RUCKUS ICX perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.RUCKUS ICX Router Security Technical Implementation Guide V-273645CAT IIThe RUCKUS ICX perimeter router must be configured to have Proxy ARP disabled on all external interfaces.RUCKUS ICX Router Security Technical Implementation Guide V-273646CAT IIThe RUCKUS ICX perimeter router must be configured to block all outbound management traffic.RUCKUS ICX Router Security Technical Implementation Guide V-273647CAT IIIThe RUCKUS ICX multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.RUCKUS ICX Router Security Technical Implementation Guide V-273648CAT IIThe RUCKUS ICX multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join a multicast group only from sources that have been approved by the organization.RUCKUS ICX Router Security Technical Implementation Guide V-273650CAT IIThe RUCKUS ICX perimeter router must be configured to drop IPv6 undetermined transport packets.RUCKUS ICX Router Security Technical Implementation Guide V-273651CAT IIThe RUCKUS ICX perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3-255.RUCKUS ICX Router Security Technical Implementation Guide V-273652CAT IIThe RUCKUS ICX perimeter router must be configured to drop IPv6 packets containing a hop-by-hop and destination options header with invalid or undefined option type values.RUCKUS ICX Router Security Technical Implementation Guide V-207163CAT IIThe perimeter router must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations.Router Security Requirements Guide V-207164CAT IIThe perimeter router must be configured to block inbound packets with source Bogon IP address prefixes.Router Security Requirements Guide V-207165CAT IIIThe perimeter router must be configured to have Link Layer Discovery Protocols (LLDPs) disabled on all external interfaces.Router Security Requirements Guide