STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Juniper SRX Services Gateway VPN Security Technical Implementation Guide

V-214674

CAT I (High)

The Juniper SRX Services Gateway VPN must be configured to use Diffie-Hellman (DH) group 15 or higher.

Rule ID

SV-214674r1056179_rule

STIG

Juniper SRX Services Gateway VPN Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000068, CCI-004891

Discussion

Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be. The DH group selected must have a minimum of a 3072-bit modulus to protect up to TOP SECRET.

Check Content

Verify all IKE proposals are set to use a FIPS-validated dh-group.

[edit]
show security ike <P1-PROPOSAL-NAME>

View the IKE options dh-group option.

If the IKE option is not set to a FIPS 140-2/140-3 validated dh-group, this is a finding.

Fix Text

The following command is an example of how to configure the IKE (phase 1) proposals. 

Example:
[edit]
set security ike proposal <P1-PROPOSAL-NAME> dh-group group19