STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide

V-251738

CAT II (Medium)

The NSX-T Tier-0 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure communications with the central audit server.

Rule ID

SV-251738r919225_rule

STIG

VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-000140CCI-000162CCI-001844

Discussion

It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure. Collected log data be secured and access restricted to authorized personnel. Methods of protection may include encryption or logical separation. In accordance with DOD policy, the traffic log must be sent to a central audit server. Ensure at least primary and secondary syslog servers are configured on the firewall. If the product inherently has the ability to store log records locally, the local log must also be secured. However, this requirement is not met since it calls for a use of a central audit server. This does not apply to traffic logs generated on behalf of the device itself (management). Some devices store traffic logs separately from the system logs. Satisfies: SRG-NET-000089-FW-000019, SRG-NET-000098-FW-000021, SRG-NET-000333-FW-000014

Check Content

From an NSX-T Edge Node shell hosting the Tier-0 Gateway, run the following command(s):

> get logging-servers

If any configured logging-servers are not configured with protocol of "li-tls" or "tls" and level of "info", this is a finding.

If no logging-servers are configured, this is a finding.

Note: This check must be run from each NSX-T Edge Node hosting the Tier-0 Gateway, as they are configured individually.

Fix Text

(Optional) From an NSX-T Edge Gateway shell, run the following command(s) to clear any existing incorrect logging-servers:

> clear logging-servers

From an NSX-T Edge Node shell, run the following command(s) to configure a primary and backup tls syslog server:

> set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem

From an NSX-T Edge Node shell, run the following command(s) to configure a li-tls syslog server:

> set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt

Note: If using the protocols TLS or LI-TLS to configure a secure connection to a log server, the server and client certificates must be stored in /var/vmware/nsx/file-store/ on each NSX-T Edge Gateway appliance.

Note: Configure the syslog or SNMP server to send an alert if the events server is unable to receive events from the NSX-T and also if DoS incidents are detected. This is true if the events server is STIG compliant.