13:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Juniper SRX SG ALG Security Technical Implementation Guide"}],["$","span",null,{"className":"bg-badge-archived-bg text-badge-archived-text rounded-full px-3 py-1 text-xs font-medium","children":"Archived"}],["$","$L1d",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","4"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Jun 28, 2019"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"Juniper_SRX_SG_ALG_STIG","children":"Juniper_SRX_SG_ALG_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":24}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","network",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"network"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",4]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",20]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20ALG%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20ALG%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Juniper%20SRX%20SG%20ALG%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],false]}]]}],["$","$L1e",null,{"checks":[{"id":"7e1fbbe6-d9a4-4c48-a5c8-b6b2912903e6","vulnId":"V-66003","severity":"medium","ruleTitle":"For User Role Firewalls, the Juniper SRX Services Gateway Firewall must employ user attribute-based security policies to enforce approved authorizations for logical access to information and system resources.","description":"$1f","checkContent":"If user-based firewall policies are not used, this is not applicable.\n\nTo verify the existence of user-based firewall policies, view a summary of all policies configured on the firewall.\n\n[edit]\nshow security policies\n\nIf the source identity is not specified in any policy for a particular zone pair, this is a finding.","fixText":"$20"},{"id":"fe651060-846f-4362-abb6-90069ab663a8","vulnId":"V-66303","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway must generate log records when firewall filters, security screens and security policies are invoked and the traffic is denied or restricted.","description":"Without generating log records that log usage of objects by subjects and other objects, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nSecurity objects are data objects which are controlled by security policy and bound to security attributes.\n\nBy default, the Juniper SRX will not forward traffic unless it is explicitly permitted via security policy. Logging for Firewall security-related sources such as screens and security policies must be configured separately. To ensure firewall filters, security screens and security policies send events to a Syslog server and local logs, security logging must be configured one each firewall term.","checkContent":"To verify what is logged in the Syslog, view the Syslog server (Syslog server configuration is out of scope for this STIG); however, the reviewer must also verify that packets are being logged to the local log using the following commands.\n\nFrom operational mode, enter the following command.\n\nshow firewall log\n\nView the Action column; the configured action of the term matches the action taken on the packet: A (accept), D (discard).\n\nIf events in the log do not reflect the action taken on the packet, this is a finding.","fixText":"Include the log and/or syslog action in all term to log packets matching each firewall term to ensure the term results are recorded in the firewall log and Syslog. To get traffic logs from permitted sessions, add \"then log session-close\" to each policy. To get traffic logs from denied sessions, add \"then log session-init\" to the policy.\n\nFirewall filter:\n[edit]\nset firewall family filter term then log\n\nExamples: \nset firewall family inet filter protect_re term tcp-connection then syslog\nset firewall family inet filter protect_re term tcp-connection then log\nset firewall family inet filter ingress-filter-v4 term deny-dscp then log\nset firewall family inet filter ingress-filter-v4 term deny-dscp then syslog\n\nSecurity policy and security screens:\nset security policies from-zone to-zone policy then log\n\nExample:\nset security policies from-zone untrust to-zone trust policy default-deny then log"},{"id":"779b0420-3fab-4762-b654-3c74ad2de079","vulnId":"V-66305","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must generate audit records when unsuccessful attempts to access security zones occur.","description":"Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.\n\nAccess for different security levels maintains separation between resources (particularly stored data) of different security domains.\n\nThe Juniper SRX Firewall implements security zones which are configured with different security policies based on risk and trust levels.","checkContent":"To verify what is logged in the Syslog, view the Syslog server (Syslog server configuration is out of scope for this STIG); however, the reviewer must also verify that packets are being logged to the local log using the following commands.\n\nFrom operational mode, enter the following command.\n\nshow firewall log\n\nView the Action column; the configured action of the term matches the action taken on the packet: A (accept), D (discard).\n\nIf events in the log do not reflect the action taken on the packet, this is a finding.","fixText":"Include the log and/or syslog action in all zone configurations to log attempts to access zones. To get traffic logs from permitted sessions, add \"then log session-close\" to the policy. To get traffic logs from denied sessions, add \"then log session-init\" to the policy.\n\nset security policies from-zone to-zone policy then log\n\nExample:\nset security policies from-zone untrust to-zone trust policy default-deny then log"},{"id":"0611b4d7-719e-4dc0-a33d-1ad7c6af25c1","vulnId":"V-66307","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must be configured to support centralized management and configuration of the audit log.","description":"$21","checkContent":"To verify that traffic logs are being sent to the syslog server, check the syslog server files. \n\nIf traffic logs are not being sent to the syslog server, this is a finding.","fixText":"$22"},{"id":"8e101a9a-f04c-4d73-8007-63b323dea133","vulnId":"V-66309","severity":"medium","ruleTitle":"In the event that communications with the Syslog server is lost, the Juniper SRX Services Gateway must continue to queue traffic log records locally.","description":"$23","checkContent":"Verify logging has been enabled and configured.\n\n[edit] \nshow log match \"RT_FLOW_SESSION\"\n\nIf a local log file or files is not configured to capture \"RT_FLOW_SESSION\" events, this is a finding.","fixText":"The following example commands configure local backup files to capture DoD-defined auditable events. \n\n[edit]\nset system syslog file any info\nset system syslog file match \"RT_FLOW_SESSION \"\n\nExample:\nset system syslog file match \"RT_FLOW_SESSION \""},{"id":"afe84b55-70cb-4fd2-b49b-f1958d233502","vulnId":"V-66311","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.","description":"$24","checkContent":"Review the documentation and architecture for the device.\n\n \nshow system license\n\nIf unneeded services and functions are installed on the device, but are not part of the documented role of the device, this is a finding.","fixText":"Remove unnecessary services and functions. From operational mode, display the licenses available to be deleted; enter the following commands.\n\nrequest system license delete license-identifier-list ?\nrequest system license delete \n\nNote: Only remove unauthorized services. This control is not intended to restrict the use of Juniper SRX devices with multiple authorized roles."},{"id":"fc7bf772-e11e-465d-9af8-e6d2ab3a71a4","vulnId":"V-66313","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must not be configured as an NTP server since providing this network service is unrelated to the role as a firewall.","description":"$25","checkContent":"Check both the zones and the interface stanza to ensure NTP is not configured as a service option.\n\n[edit]\nshow security zones\n\nand, for each interface used, enter:\n\nshow security zones interface \n\nIf NTP is included in any of the zone or interface stanzas, this is a finding.","fixText":"Delete NTP options from zones and interface commands. Re-enter the set security zone command without the \"ntp\" attribute. The exact command entered depends how the zone is configured with the authorized attributes, services, and options.\n\nExamples: \n\n[edit]\nset security zones security-zone interfaces host-inbound-traffic"},{"id":"79556823-f468-4999-93b7-1ce2d13132bb","vulnId":"V-66315","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must not be configured as a DNS proxy since providing this network service is unrelated to the role as a Firewall.","description":"$26","checkContent":"Check both the zones and the interface stanza to ensure DNS proxy server services are not configured.\n\n[edit}\nshow system services dns\n\nIf a stanza exists for DNS (e.g., forwarders option), this is a finding.","fixText":"First, remove the DNS stanza. Then re-enter the set security zones and interfaces command without the \"dns\" attribute. The exact command entered depends how the zone is configured with the authorized attributes, services, and options.\n\nExamples: \n\n[edit]\ndelete system services dns\nset security zones security-zone interfaces host-inbound-traffic"},{"id":"f2965529-1d08-431e-97ee-a7115109cefb","vulnId":"V-66317","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must not be configured as a DHCP server since providing this network service is unrelated to the role as a Firewall.","description":"$27","checkContent":"Check both the zones and the interface stanza to ensure DHCP proxy server services are not configured.\n\n[edit]\nshow system services dhcp\n\nIf a stanza exists for DHCP (e.g., forwarders option), this is a finding.","fixText":"First, remove the DHCP stanza. Then re-enter the set security zones and interfaces command without the \"dhcp\" attribute. The exact command entered depends how the zone is configured with the authorized attributes, services, and options.\n\nExamples: \n\n[edit]\ndelete system services dhcp\nset security zones security-zone interfaces host-inbound-traffic"},{"id":"88f4abf8-c0e3-4a62-86fb-4ca8134c64c1","vulnId":"V-66319","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must be configured to prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services, as defined in the PPSM CAL, vulnerability assessments.","description":"$28","checkContent":"Entering the following commands from the configuration level of the hierarchy.\n\n[edit]\nshow security services\n\nIf functions, ports, protocols, and services identified on the PPSM CAL are not disabled, this is a finding.","fixText":"Ensure functions, ports, protocols, and services identified on the PPSM CAL are not used for system services configuration.\n\n[edit]\nshow security services\n\nCompare the services which are enabled, including the port, services, protocols and functions.\n\nConsult the Juniper knowledge base and configuration guides to determine the commands for disabling each port, protocol, service or function that is not in compliance with the PPSM CAL and vulnerability assessments."},{"id":"a586488c-2a98-4d01-92f9-0934277518bc","vulnId":"V-66321","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must terminate all communications sessions associated with user traffic after 15 minutes or less of inactivity.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n\nThis control does not imply that the device terminates all sessions or network access; it only ends the inactive session.\n\nSince many of the inactivity timeouts pre-defined by Junos OS are set to 1800 seconds, an explicit custom setting of 900 must be set for each application used by the DoD implementation. Since a timeout cannot be set directly on the predefined applications, the timeout must be set on the any firewall rule that uses a pre-defined application (i.e., an application that begins with junos-), otherwise the default pre-defined timeout will be used.","checkContent":"Check both the applications and protocols to ensure session inactivity timeout for communications sessions is set to 900 seconds or less.\n\nFirst get a list of security policies, then enter the show details command for each policy-name found.\n\n[edit]\nshow security policies\nshow security policy details\n\nExample:\nApplication: any\n IP protocol: 0, ALG: 0, Inactivity timeout: 0\n\nVerify an activity timeout is configured for either \"any\" application or, at a minimum, the pre-defined applications (i.e., application names starting with junos-).\n\nTo verify locally created applications, first get a list of security policies, then enter the show details command for each policy-name found.\n\n[edit]\nShow applications \nshow applications application \n\nIf an inactivity timeout value of 900 seconds or less is not set for each locally created application and pre-defined applications, this is a finding.","fixText":"Add or update the session inactivity timeout for communications sessions to 900 seconds or less.\n\nExamples: \n[edit]\nset applications application term 1 protocol udp inactivity-timeout 900\nset applications application junos-http inactivity-timeout 900\n\nOr\n\nCreate a service that matches any TCP/UDP:\n[edit]\nset applications application TCP-ALL source-port 1-65535 destination-port 1-65535 protocol tcp inactivity-timeout 900\n\nNote: When pre-defined applications are used in firewall policies, the timeout value must be set in the policy stanza."},{"id":"a16ba86d-cfc2-4046-8eb3-598fa1a2a39a","vulnId":"V-66323","severity":"high","ruleTitle":"The Juniper SRX Services Gateway Firewall providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by implementing statistics-based screens.","description":"If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.\n \nJuniper SRX Firewall DoS protections can be configured by either using a Screen or within the global flow options. Screens, also known as IDS-options, block various layer 3 and 4 attacks. Screen objects are configured with various screen-specific options and then assigned to a zone. The Juniper SRX can be configured with Screens to protect against the following statistics-based DoS attacks: IP sweeps, port scans, and flood attacks.","checkContent":"Run the following command to see the screen options currently configured:\n\n[edit]\nshow security screen ids-option\nshow security zone match \"screen\"\n\nIf security screens are not configured or if the security zone is not configured with screen options, this is a finding.","fixText":"$29"},{"id":"736482ca-b66e-4efd-bf70-4c3ffd951c02","vulnId":"V-66325","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must implement load balancing on the perimeter firewall, at a minimum, to limit the effects of known and unknown types of Denial of Service (DoS) attacks on the network.","description":"If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redundancy, which reduces the susceptibility of the ALG to many DoS attacks.\n\nThis requirement applies to the network traffic functionality of the device as it pertains to handling network traffic. Some types of attacks may be specialized to certain network technologies, functions, or services. For each technology, known and potential DoS attacks must be identified and solutions for each type implemented.\n\nThe Juniper SRX provides a number of methods for load balancing the traffic flow. The device can be configured for filter based forwarding, per flow load balancing, per-packet load balancing, or High Availability (HA) using additional hardware. Since the firewall is considered a critical security system, it is imperative that perimeter firewalls, at a minimum, be safeguarded with redundancy measures such as HA.","checkContent":"Since load balancing is a highly complex configuration that can be implemented using a wide variety of configurations, ask the site representative to demonstrate the method used and the configuration.\n\nIf load balancing is not implemented on the perimeter firewall, this is a finding.","fixText":"Consult vendor configuration guides and knowledge base. Implement one or more methods of load balance (e.g., filter based forwarding, per flow load balancing, per-packet load balancing, or High Availability [HA])."},{"id":"5b7149f3-39e9-4f49-a039-990835ac4735","vulnId":"V-66327","severity":"high","ruleTitle":"The Juniper SRX Services Gateway Firewall must protect against known types of Denial of Service (DoS) attacks by implementing signature-based screens.","description":"If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks.\n\nJuniper SRX Firewall DoS protections can be configured by either using a Screen or within the global flow options. Screens, also known as IDS-options, block various layer 3 and 4 attacks. Screen objects are configured with various screen-specific options and then assigned to a zone. The Juniper SRX can be configured with Screens to protect against the following signature-based DoS attacks: ICMP based attacks such as ping of death, IP based attacks such as IP spoofing and teardrop, and TCP based attacks such as TCP headers and land.","checkContent":"Run the following command to see the screen options currently configured:\n\n[edit]\nshow security screen ids-option\nshow security zone match \"screen\"\n\nIf security screens are not configured or if the security zone is not configured with screen options, this is a finding.","fixText":"$2a"},{"id":"f8df408e-7421-435f-93a8-ece52980a5de","vulnId":"V-66329","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown DoS attacks to protect against the use of internal information systems to launch any Denial of Service (DoS) attacks against other networks or endpoints.","description":"$2b","checkContent":"Obtain and review the list of outbound interfaces and zones. This is usually part of the System Design Specification or Accreditation Package.\n\nReview each of the configured outbound interfaces and zones. Verify zones that communicate outbound have been configured with DoS screens.\n\n[edit]\nshow security zones \n\nIf the zone for the security screen has not been applied to all outbound interfaces, this is a finding.","fixText":"To enable screen protection, the screen profile must be associated with individual security zones using the following command. Recommend assigning \"untrust-screen\" profile name.\n\nApply screen to each outbound interface example:\n\nset security zones security-zone untrust interfaces \nset security zones security-zone trust screen untrust-screen"},{"id":"94e134b7-8f1e-4668-a433-6d004fd62057","vulnId":"V-66331","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must only allow inbound communications from organization-defined authorized sources routed to organization-defined authorized destinations.","description":"Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nTraffic enters the Juniper SRX by way of interfaces. Security zones are configured for one or more interfaces with the same security requirements for filtering data packets. A security zone implements a security policy for one or multiple network segments. These policies must be applied to inbound traffic as it crosses the network perimeter and as it crosses internal security domain boundaries.","checkContent":"Obtain and review the list of authorized sources and destinations. This is usually part of the System Design Specification or Accreditation Package.\n\nReview each of the configured security policies in turn.\n\n[edit]\nshow security policies \n\nIf any existing policies allow traffic that is not part of the authorized sources and destinations list, this is a finding.","fixText":"Configure a security policy or screen to each outbound zone to implement continuous monitoring. The following commands configure a security zone called “untrust” that can be used to apply security policy for inbound interfaces that are connected to untrusted networks. This example assumes that interfaces ge-0/0/1 and ge-0/0/2 are connected to untrusted and trusted network segments.\n\nApply security policy a zone example:\n\nset security zones security-zone untrust interfaces ge-0/0/1.0\nset security zones security-zone trust interfaces ge-0/0/2.0\nset security policies from-zone trust to-zone untrust policy default-deny match destination-address any\nset security policies from-zone trust to-zone untrust policy default-deny then deny"},{"id":"a8d4f282-8b2a-4bd3-a3d9-69cea7ebbae5","vulnId":"V-66333","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must be configured to fail securely in the event of an operational failure of the firewall filtering or boundary protection function.","description":"If a boundary protection device fails in an unsecure manner (open), information external to the boundary protection device may enter, or the device may permit unauthorized information release.\n\nSecure failure ensures when a boundary control device fails, all traffic will be subsequently denied.\n\nFail secure is a condition achieved by employing information system mechanisms to ensure in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold.","checkContent":"Request documentation of the architecture and Juniper SRX configuration. Verify the site has configured the SRX to fail closed, thus preventing traffic from flowing through without filtering and inspection.\n\nIf the site has not configured the SRX to fail closed, this is a finding.","fixText":"Implement and configure the Juniper SRX to fail closed, thus preventing traffic from flowing through without filtering and inspection. In case of failure, document a process for the Juniper SRX to be configured to fail closed. Redundancy should be implemented if failing closed has a mission impact."},{"id":"c7c709d1-962f-4671-8bad-86e8e3f979a8","vulnId":"V-66335","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).","description":"A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.\n\nAs a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. A deny all, permit by exception network communications traffic policy ensures that only those connections which are essential and approved, are allowed.\n\nBy default, Junos denies all traffic through an SRX Series device using an implicit default security policy exists that denies all packets. Organizations must configure security policies that permits or redirects traffic in compliance with DoD policies and best practices. Sites must not change the factory-default security policies.","checkContent":"Verify the default-policy has not been changed and is set to deny all traffic.\n\n[edit]\nshow security policies default-policy\n\nIf the default-policy is not set to deny-all, this is a finding.","fixText":"By default, the SRX device will not forward traffic unless it is explicitly permitted via security policy. If the default-policy has been changed, then this must be corrected using the set security policies default-policy command."},{"id":"7f3354f7-b002-43cf-beee-183c1e199bd1","vulnId":"V-66337","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must configure ICMP to meet DoD requirements.","description":"Providing too much information in error messages risks compromising the data and security of the application and system.\n\nOrganizations carefully consider the structure/content of error messages. The required information within error messages will vary based on the protocol and error condition. Information that could be exploited by adversaries includes ICMP messages that reveal the use of firewalls or access-control lists.","checkContent":"Verify ICMP messages are configured to meet DoD requirements.\n\n[edit]\nshow firewall family inet\n\nIf ICMP messages are not configured in compliance with DoD requirements, this is a finding.","fixText":"$2c"},{"id":"ab408c85-b50b-4921-bb0c-ef140bc84441","vulnId":"V-66339","severity":"high","ruleTitle":"The Juniper SRX Services Gateway Firewall must continuously monitor all inbound communications traffic for unusual/unauthorized activities or conditions.","description":"If inbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs.\n\nThe Juniper SRX is a highly scalable system which, by default, provides stateful or stateless continuous monitoring when placed in the architecture at either the perimeter or internal boundaries. \n\nUnusual/unauthorized activities or conditions may include unusual use of unusual protocols or ports and attempted communications from trusted zones to external addresses. \n\nInterfaces with identical security requirements can be grouped together into a single security zone. By default, once a security policy is applied to a zone, the Juniper SRX continuously monitors the associated zone for unusual/unauthorized activities or conditions based on the firewall filter or screen associated with that zone.","checkContent":"For each inbound zone, verify a firewall screen or security policy is configured.\n\n[edit]\nshow security zone\nshow security policies\n\nIf communications traffic for each inbound zone is not configured with a firewall screen and/or security policy, this is not a finding.","fixText":"Configure a security policy or screen to each inbound zone to implement continuous monitoring. The following commands configure a security zone called “untrust” that can be used to apply security policy for inbound interfaces that are connected to untrusted networks. This example assumes that interfaces ge-0/0/1 and ge-0/0/2 are connected to untrusted and trusted network segments.\n\nApply policy or screen to a zone example:\n\nset security zones security-zone untrust interfaces ge-0/0/1.0\nset security zones security-zone trust interfaces ge-0/0/2.0\nset security zones security-zone untrust screen untrust-screen\nset security policies from-zone untrust to-zone trust policy default-deny match destination-address any\nset security policies from-zone untrust to-zone trust policy default-deny then deny"},{"id":"f0aabc3a-1ab0-4227-9dec-1c8ab5494061","vulnId":"V-66341","severity":"high","ruleTitle":"The Juniper SRX Services Gateway Firewall must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.","description":"If outbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs.\n\nThe Juniper SRX is a highly scalable system which can provide stateful or stateless continuous monitoring when placed in the architecture at either the perimeter or internal boundaries. Unusual/unauthorized activities or conditions may include unusual use of unusual protocols or ports and attempted communications from trusted zones to external addresses.","checkContent":"For each outbound zone, verify a firewall screen or security policy is configured.\n\n[edit]\nshow security zones\nshow security policies\n\nIf communications traffic for each outbound zone is not configured with a firewall screen or security policy, this is not a finding.","fixText":"Configure a security policy or screen to each outbound zone to implement continuous monitoring. The following commands configure a security zone called “untrust” that can be used to apply security policy for inbound interfaces that are connected to untrusted networks. This example assumes that interfaces ge-0/0/1 and ge-0/0/2 are connected to untrusted and trusted network segments.\n\nApply policy or screen to a zone example:\n\nset security zones security-zone untrust interfaces ge-0/0/1.0\nset security zones security-zone trust interfaces ge-0/0/2.0\nset security zones security-zone untrust screen untrust-screen\nset security policies from-zone trust to-zone untrust policy default-deny match destination-address any\nset security policies from-zone trust to-zone untrust policy default-deny then deny"},{"id":"8154eaaf-622e-435e-b270-18ecf8cf26aa","vulnId":"V-66343","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must generate an alert to, at a minimum, the ISSO and ISSM when unusual/unauthorized activities or conditions are detected during continuous monitoring of communications traffic as it traverses inbound or outbound across internal security boundaries.","description":"$2d","checkContent":"For each zone, verify a log event, SNMP trap, or SNMP notification is generated and sent to be forwarded to, at a minimum, the ISSO and ISSM when unusual/unauthorized activities or conditions are detected during continuous monitoring of communications traffic as it traverses inbound or outbound across internal security boundaries. \n\n[edit]\nshow security zones\nshow security polices\n\nIf each inbound and outbound zone policy does not generate an alert that can be forwarded to, at a minimum, the ISSO and ISSM when unusual/unauthorized activities or conditions are detected during continuous monitoring of communications traffic as it traverses inbound or outbound across internal security boundaries, this is a finding.","fixText":"Configure the Juniper SRX to generate and send a notification or log message immediately that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message.\n\nThe following example configures the zone security policy to include the log and/or syslog action in all terms to log packets matching each firewall term to ensure the term results are recorded in the firewall log and Syslog. To get traffic logs from permitted sessions, add \"then log session-close\" to each policy. To get traffic logs from denied sessions, add \"then log session-init\" to the policy.\n\nSecurity policy and security screens:\nset security policies from-zone to-zone policy then log\n\nExample:\nset security policies from-zone untrust to-zone trust policy default-deny then log session-init"},{"id":"93abb939-98e5-4b47-9f83-059f8bc8e807","vulnId":"V-66345","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must generate an alert that can be forwarded to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources are detected.","description":"$2e","checkContent":"Obtain the list of threats identified by authoritative sources from the ISSM or ISSO. For each threat, ensure a security policy, screen, or filter that denies or mitigates the threat includes the log or syslog option. Verify a log event, SNMP trap, or SNMP notification is generated and sent to be forwarded to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources are detected.\n\n[edit]\nshow security zones\nshow security polices\n\nIf an alert is not generated that can be forwarded to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources are detected, this is a finding.","fixText":"Configure the Juniper SRX to generate and send a notification or log message that can be forwarded via an event monitoring system (e.g., via Syslog configuration, SNMP trap, manned console message, or other events monitoring system). The NSM, Syslog, or SNMP server must then be configured to send the message.\n\nThe following example configures the zone security policy to include the log and/or syslog action in all terms to log packets matching each firewall term to ensure the term results are recorded in the firewall log and Syslog. To get traffic logs from permitted sessions, add \"then log session-close\" to each policy. To get traffic logs from denied sessions, add \"then log session-init\" to the policy.\n\nSecurity policy and security screens:\nset security policies from-zone to-zone policy then log\n\nExample:\nset security policies from-zone untrust to-zone trust policy default-deny then log session-init"},{"id":"ba210b27-fe9a-46b7-b75a-6fbbcbb4baa2","vulnId":"V-66347","severity":"medium","ruleTitle":"The Juniper SRX Services Gateway Firewall must generate an alert that can be forwarded to, at a minimum, the ISSO and ISSM when DoS incidents are detected.","description":"$2f","checkContent":"Verify a security policy with an associated screen that denies or mitigates the threat of DoS attacks includes the log or syslog option. Verify a log event, SNMP trap, or SNMP notification is generated and sent to be forwarded to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources are detected.\n\n[edit]\nshow security zones\nshow security polices\n\nIf an alert is not generated that can be forwarded to, at a minimum, the ISSO and ISSM when DoS incidents are detected, this is a finding.","fixText":"$30"}]}]]}]

Juniper SRX SG ALG Security Technical Implementation Guide

Checks (24)