17:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Symantec ProxySG ALG Security Technical Implementation Guide"}],false,["$","$L21",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","3"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Mar 27, 2020"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"Symantec_ProxySG_ALG_STIG","children":"Symantec_ProxySG_ALG_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":66}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",9]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",57]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Symantec%20ProxySG%20ALG%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Symantec%20ProxySG%20ALG%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Symantec%20ProxySG%20ALG%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SYM_ProxySG_Y20M04_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L22",null,{"checks":[{"id":"70d2b63c-e066-406a-89f2-933565f3ff06","vulnId":"V-94217","severity":"medium","ruleTitle":"If Symantec ProxySG filters externally initiated traffic, reverse proxy services must be configured.","description":"Automated monitoring of remote access traffic allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by inspecting connection activities of remote access capabilities.\n\nRemote access methods include both unencrypted and encrypted traffic (e.g., web portals, web content filter, TLS, and webmail). With inbound TLS inspection, the traffic must be inspected prior to being allowed on the enclave's web servers hosting TLS or HTTPS applications.","checkContent":"The ProxySG is designed to monitor and control inbound traffic when in a reverse proxy configuration. Verify this is configured.\n\n1. Verify with the ProxySG administrator that reverse proxy services are configured. \n2. Log on to the Web Management Console. \n3. Click Configuration >> Services >> Proxy Services. \n4. Review each reverse proxy service identified by the administrator and Verify that all organizational services are represented by an HTTP or HTTPS proxy service in the configuration.\n\nIf Symantec ProxySG filters externally initiated traffic but reverse proxy services are not configured, this is a finding.","fixText":"Configure the ProxySG to monitor and control inbound traffic by configuring reverse proxy services. This provides SSL proxy in reverse proxy mode.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> Services >> Proxy Services. \n3. Click \"New Service\".\n4. Enter information into the various service boxes in accordance with site architecture, operational requirements, and SSP requirements for which web servers are to be monitored and controlled."},{"id":"c3af3128-4c77-4f77-8a3b-639a15403950","vulnId":"V-94219","severity":"medium","ruleTitle":"Symantec ProxySG providing intermediary services for remote access communications traffic must ensure outbound traffic is monitored for compliance with remote access security policies.","description":"Automated monitoring of remote access traffic allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by inspecting connection activities of remote access capabilities.\n\nRemote access methods include both unencrypted and encrypted traffic (e.g., web portals, web content filter, TLS, and webmail). With outbound traffic inspection, traffic must be inspected prior to being forwarded to destinations outside of the enclave, such as external email traffic.","checkContent":"Verify the ProxySG is configured to inspect internally initiated traffic.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". While in the Visual Policy Manager, verify that at least one SSL Access Layer (transparent proxy architectures) or Web Access Layer (explicit proxy architectures) is configured.\n\nIf the ProxySG is not configured to inspect internally initiated traffic, this is a finding.","fixText":"Configure the ProxySG to inspect internally initiated traffic.\n\n1. Log on to the Web Management Console.\n2. Click Configuration >> Visual Policy Manager.\n3. Click \"Launch\". While in the Visual Policy Manager, click Policy >> Add SSL Access Layer (transparent proxy architectures) or Add Web Access Layer (explicit proxy architectures).\n4. Click File >> Install Policy on SG Appliance."},{"id":"7cda21af-cbe7-420c-9e22-f02437424d79","vulnId":"V-94221","severity":"high","ruleTitle":"Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52.","description":"SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nThis requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance.\n\nNIST SP 800-52 sets TLS version 1.1 as a minimum version; therefore, all versions of SSL are not allowed (including for client negotiation) either on DoD-only or public-facing servers.","checkContent":"Verify that TLS forward proxy intermediary services are configured to comply with NIST 800-52 TLS settings.\n\n1. Log on to the Web Management Console.\n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". While in the Visual Policy Manager, for each SSL Access Layer that is configured, Verify there is a rule with an action set to \"Deny\" that also has \"Source\" and \"Destination\" fields that contain restricted SSL/TLS protocols and ciphers.\n\nIf Symantec ProxySG providing forward proxy intermediary services for TLS is not configured to comply with the required TLS settings in NIST SP 800-52, this is a finding.","fixText":"$23"},{"id":"edf68133-0d10-469c-a1de-2ad565b23ca8","vulnId":"V-94223","severity":"medium","ruleTitle":"Symantec ProxySG providing reverse proxy intermediary services for TLS must be configured to version 1.1 or higher with an approved cipher suite.","description":"SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nThis requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance.","checkContent":"Verify that TLS reverse proxy intermediary services are configured to comply with NIST 800-52 TLS settings.\n\n1. Verify with the ProxySG administrator that reverse proxy services are configured. \n2. Log on to the Web Management Console. \n3. Click Configuration >> Services >> Proxy Services. \n4. For each reverse proxy service identified by the administrator, click \"Edit Service\" and Verify that only NIST SP 800-52-approved SSL protocols are enabled.\n5. Log on to the ProxySG SSH CLI.\n6. Type \"enable\" and enter the enable password.\n7. Type \"configure\" and press \"Enter\".\n8. Type \"proxy-services\" and press \"Enter\".\n9. For each reverse proxy service identified by the administrator, type \"edit > Services >> Proxy Services. \n4. For each reverse proxy service configured, click \"Edit Service\" and select only NIST-SP 800-52-approved SSL protocols. Click \"Apply\".\n5. Log on to the ProxySG SSH CLI.\n6. Type \"enable\" and enter the enable password.\n7. Type \"configure\" and press \"Enter\".\n8. Type \"proxy-services\" and press \"Enter\".\n9. For each reverse proxy service identified by the administrator, type \"edit > SSL >> HSM. \n3. Click the \"HSM\" and \"HSM Keyring\" tabs and Verify that these options have been configured.\n4. Verify with the ProxySG administrator that the HSM specified is FIPS 140-2 compliant.\n5. Click Configuration >> Proxy Settings >> SSL Proxy.\n6. Verify that the Issuer Keyring is set to the HSM Keyring from step 3.\n\nIf Symantec ProxySG storing secret or private keys does not use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys, this is a finding.","fixText":"As long as the FIPS-compliant suite is configured for use and configured in compliance with the FIPS cert manual requirements, key management should be in compliance using the following instructions.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> SSL >> HSM. \n3. Click the \"HSM\" and \"HSM Keyring\" tabs and configure these options per the guidance in the ProxySG Administration Guide, Chapter 9: Managing the SSL Proxy, Section G: Working with an HSM Appliance.\n4. Click Configuration >> Proxy Settings >> SSL Proxy.\n5. Select the HSM Keyring in the Issuer Keyring field and click \"Apply\".\n\nNote: As long as the FIPS-compliant suite is being used and configured in compliance with the FIPS cert manual requirements, key management should be in compliance as part of this."},{"id":"2b16a2a7-7443-4b92-a15c-37f956d46654","vulnId":"V-94227","severity":"high","ruleTitle":"Symantec ProxySG must implement security policies that enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.","description":"$24","checkContent":"Obtain the SSP with the site's security policy. Verify that identity-based, role-based, and/or attribute-based authorization is configured for access to proxied websites. Verify that security policies and rules are configured and applied.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". \n4. For each rule within each Web Access Layer, verify that the \"Source\" column for each rule contains something other than \"any\" (any is the default value). Verify that rules comply with the site's security policy.\n\nIf Symantec ProxySG does not implement security policies that enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies, this is a finding.","fixText":"Obtain the SSP with the site's security policy. Configure the ProxySG to enforce approved authorizations by employing identity-based, role-based, and/or attribute-based authorization for access to proxied websites.\n\n1. Log on to the web Management Console.\n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". \n4. For each Web Access Layer that is configured, right-click the \"Source\" of each column and click \"Set\".\n5. Select the users, groups, roles, and attributes as required by the site's security policy.\n6. Click File >> Install Policy on SG Appliance."},{"id":"331200d4-4768-4b8b-90e9-ef22c33aebd6","vulnId":"V-94229","severity":"high","ruleTitle":"Symantec ProxySG must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.","description":"$25","checkContent":"Verify that ProxySG inspects web traffic for suspicious or harmful traffic. Verify the destination security policy is configured to filter based on destination, headers, geolocation, protocol characteristics, and other available security objects.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". While in the Visual Policy Manager, click in to each Web Access and SSL Access Layer.\n4. Within each layer above, review each rule and verify that the \"Destination\" fields are not set to \"Any\" and that they contain URL categories and/or threat risk levels that should be blocked per the organization's security policy.\n\nIf Symantec ProxySG does not restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.","fixText":"Configure ProxySG to restrict access to suspicious or harmful web traffic. Destination security policy must be configured to filter based on destination, headers, geolocation, protocol characteristics, and other available security objects.\n\n1. Log on to the web Management Console.\n2. Click Configuration >> Content Filtering.\n3. Under \"General,\" ensure that at least one \"Provider\" is enabled.\n4. Click Configuration >> Visual Policy Manager. \n5. Click \"Launch\". While in the Visual Policy Manager, click into each Web Access and SSL Access Layer.\n6. Within each layer above, right-click the \"Destination\" fields of each rule, click \"set\", and specify URL categories and/or threat risk levels that should be blocked per the organization's security policy.\n7. Click File >> Install Policy on SG Appliance."},{"id":"ca889285-c4da-458b-b668-31f12a9e2348","vulnId":"V-94231","severity":"medium","ruleTitle":"Symantec ProxySG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.","description":"$26","checkContent":"Obtain the SSP with the site's security policy. Verify that identity-based, role-based, and/or attribute-based authorization is configured for access to proxied websites. Verify that security policies and rules are configured and applied.\n\n1. Log on to the web Management Console. \n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". \n4. For each rule within each Web Access Layer, verify that the \"Source\" column for each rule contains something other than \"any\" (any is the default value). Rules must be verified as being compliant with the site's security policy.\n\nIf Symantec ProxySG does not enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.","fixText":"Obtain the SSP with the site's security policy. Configure the ProxySG to enforce approved authorizations by employing identity-based, role-based, and/or attribute-based authorization for access to proxied websites.\n\n1. Log on to the web Management Console.\n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". \n4. For each Web Access Layer that is configured, right-click the \"Source\" of each column and click \"Set\".\n5. Select objects based on traffic attributes, content, source, or headers as required by the site's security policy.\n6. For each Web Access Layer that is configured, right-click the \"Destination\" of each column and click \"Set\".\n7. Select objects based on traffic attributes, content, destination, or headers as required by the site's security policy.\n8. Click File >> Install Policy on SG Appliance."},{"id":"dac36f82-546a-45e3-bcaf-92075969dfda","vulnId":"V-94233","severity":"medium","ruleTitle":"Symantec ProxySG must immediately use updates made to policy enforcement mechanisms such as policies and rules.","description":"$27","checkContent":"Verify that ProxySG is configured to restrict access to suspicious or harmful communications.\n\n1. Log on to the Web Management Console.\n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". While in the Visual Policy Manager, click into each Web Access and SSL Access Layer.\n4. Within each layer above, review each rule and verify that the \"Destination\" fields are not set to \"Any\" and that they contain URL categories and/or threat risk levels that should be blocked per the organization's security policy.\n\nIf Symantec ProxySG does not immediately use updates made to policy enforcement mechanisms such as policies and rules, this is a finding.","fixText":"Configure ProxySG to restrict access to suspicious or harmful communications.\n\n1. Log on to the Web Management Console.\n2. Click Configuration >> Content Filtering.\n3. Under \"General,\" verify that at least one \"Provider\" is enabled.\n4. Click Configuration >> Visual Policy Manager. \n5. Click \"Launch\". While in the Visual Policy Manager, click into each Web Access and SSL Access Layer.\n6. Within each layer above, right-click the \"Destination\" fields of each rule, click \"set\", and specify URL categories and/or threat risk levels that should be blocked per the organization's security policy.\n7. Click File >> Install Policy on SG Appliance."},{"id":"a9bc86bb-a4de-46a6-95c8-c8f6ff52e894","vulnId":"V-94235","severity":"medium","ruleTitle":"Symantec ProxySG providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network.","description":"$28","checkContent":"Verify that the Standard Mandatory DoD Banner is configured.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". While in the Visual Policy Manager, ensure that the first Web Access Layer (furthest left) contains a single rule with a \"Notify User\" Action that contains the DoD banner text.\n4. Right-click the \"Notify User\" action, select \"Edit\", and verify that the correct banner is specified in the \"Body\" field.\n5. Verify the banner contains the exact DoD text.\n\n\nIf Symantec ProxySG providing user access control intermediary services does not display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network, this is a finding.","fixText":"Configure the Standard Mandatory DoD Banner to be displayed.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". While in the Visual Policy Manager, create a new Web Access Layer, positioned in front (farthest left) of all other existing Web Access Layers and perform the following:\ni. Click \"edit\" and select \"add rule\". \nii. Right-click the \"Actions\" field of the new rule and select \"set\". Click \"New\" and select \"NotifyUser\" from the list and click \"OK\".\niii. Input the correct banner text in the \"Body\" field and click \"OK\".\niv. Click File >> Install Policy on SG Appliance."},{"id":"2485da49-6d82-4310-9839-cd146b1ac92f","vulnId":"V-94237","severity":"medium","ruleTitle":"Symantec ProxySG providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.","description":"$29","checkContent":"Verify that the Standard Mandatory DoD Banner is configured.\n\n1. Log on to the Web Management Console.\n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". While in the Visual Policy Manager, select each Web Access Layer that is configured and verify there is at least one rule containing a \"Notify User\" Action that contains the DoD banner text.\n4. Right-click the \"Notify User\" action, select \"Edit\", and verify that the correct banner is specified in the \"Body\" field.\n5. Verify the banner contains the exact DoD text.\n\nIf Symantec ProxySG providing user access control intermediary services for publicly accessible applications does not display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system, this is a finding.","fixText":"$2a"},{"id":"4b2644a6-343a-4006-a757-59326a284d2e","vulnId":"V-94239","severity":"medium","ruleTitle":"Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful logon attempts occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify that the ProxySG is configured to generate alerts for successful/unsuccessful logon attempts.\n\n1. Log on to the Web Management console.\n2. Browse to \"Configuration\" and Click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, verify that each rule has a value other than \"none\" in the \"Track\" column.\n\nIf Symantec ProxySG providing user access control intermediary services does not generate audit records when successful/unsuccessful logon attempts occur, this is a finding.","fixText":"Configure the ProxySG to generate alerts for successful/unsuccessful logon attempts.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check the \"Enable Access Logging\" option and click \"Apply\".\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access and Web Authentication Layer, right-click the \"Track\" column for each rule and select \"Set\". Click \"New\" and select \"Event Log\"."},{"id":"ae62cc4b-7339-4409-bbec-55c8ec3ff943","vulnId":"V-94241","severity":"medium","ruleTitle":"Symantec ProxySG providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThis requirement applies to the ALG traffic management functions such as content filtering or intermediary services. This does not apply to audit logs generated on behalf of the device (device management).","checkContent":"Verify that the ProxySG is configured to generate alerts for successful/unsuccessful logon attempts.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, verify that each rule has a value other than \"none\" in the \"Track\" column.\n\nIf Symantec ProxySG providing user access control intermediary services does not generate audit records showing starting and ending time for user access to the system, this is a finding.","fixText":"Configure the ProxySG to generate alerts for successful/unsuccessful logon attempts.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check the \"Enable Access Logging\" option and click \"Apply\".\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access and Web Authentication Layer, right-click the \"Track\" column for each rule and select \"Set\". Click \"New\" and select \"Event Log\"."},{"id":"2868c61d-918c-47d9-9f6b-6e2b7dcd2589","vulnId":"V-94243","severity":"medium","ruleTitle":"Symantec ProxySG providing user access control intermediary services must generate audit records when successful/unsuccessful attempts to access web resources occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects that are controlled by security policy and bound to security attributes.\n\nThis requirement applies to the ALG traffic management functions such as content filtering or intermediary services. This does not apply to audit logs generated on behalf of the device (device management).","checkContent":"Verify that the ProxySG is configured to generate alerts for successful/unsuccessful logon attempts.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, verify that each rule has a value other than \"none\" in the \"Track\" column.\n\nIf Symantec ProxySG providing user access control intermediary services does not generate audit records when successful/unsuccessful attempts to access web resources occur, this is a finding.","fixText":"Configure the ProxySG to generate alerts for successful/unsuccessful logon attempts.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check the \"Enable Access Logging\" option and click \"Apply\".\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access and Web Authentication Layer, right-click the \"Track\" column for each rule and select \"Set\". Click \"New\" and select \"Event Log\"."},{"id":"75693b06-5a4b-41a8-9b51-7913ee0a6cdf","vulnId":"V-94245","severity":"medium","ruleTitle":"Symantec ProxySG must produce audit records containing information to establish what type of events occurred.","description":"Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the gateway logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify the ProxySG is configured to log user web traffic for auditing that includes the event type.\n\n1. Log on to the Web Management console.\n2. Browse to \"Configuration\" and click \"Access Logging. Verify that \"Enable Access Logging\" is checked.\n3. Browse to \"Access Logging\", click \"General,\" and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats,\" select the Default Log from step 3, and click \"Edit/View\".\n5. Review the log format string and verify that at least the following variables are included:\n cs-method\n cs-protocol\n cs-uri-scheme\n cs-uri-path\n cs-uri-query\n sc-status\n s-action\n\nIf Access Logging is not enabled and/or the specified log variables are not included, this is a finding.","fixText":"Configure the ProxySG to log user web traffic for auditing that includes the event type.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging. Check \"Enable Access Logging\" and click \"Apply\".\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats,\" select the Default Log from step 3, and click \"Edit/View\".\n5. Edit the log format string to include at least the following variables:\n cs-method\n cs-protocol\n cs-uri-scheme\n cs-uri-path\n cs-uri-query\n sc-status\n s-action\n6. Click OK >> Apply."},{"id":"15098c64-f36e-4d43-9e47-2f61cf93677b","vulnId":"V-94247","severity":"medium","ruleTitle":"Symantec ProxySG must produce audit records containing information to establish when (date and time) the events occurred.","description":"Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nIn order to compile an accurate risk assessment and provide forensic analysis of network traffic patterns, it is essential for security personnel to know when flow control events occurred within the infrastructure.\n\nAssociating event types with detected events in the network audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify that the ProxySG is configured to log user web traffic for auditing that includes the date/time of the event.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Browse to \"Access Logging\", click \"General,\" and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats,\" select the Default Log from step 3, and click \"Edit/View\".\n5. Review the log format string and verify that the \"date\" and \"time\" variables are included.\n\nIf Access Logging is not enabled and/or the specified log variables are not included, this is a finding.","fixText":"Configure the ProxySG to log user web traffic for auditing that includes the date/time of the event.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging. Check \"Enable Access Logging\" and click \"Apply\".\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats,\" select the Default Log from step 3, and click \"Edit/View\".\n5. Edit the log format string to include at least the \"date\" and \"time\" variables.\n6. Click OK >> Apply."},{"id":"f11f7bae-3afe-4f3d-a0dc-6d5ab5df4d2c","vulnId":"V-94249","severity":"medium","ruleTitle":"Symantec ProxySG must produce audit records containing information to establish where the events occurred.","description":"Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.\n\nIn order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as network element components, modules, device identifiers, node names, and functionality.\n\nAssociating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify that the ProxySG is configured to log user web traffic for auditing that includes where the event occurred.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging. Verify that \"Enable Access Logging\" is checked.\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats,\" select the Default Log from step 3, and click \"Edit/View\".\n5. Review the log format string and verify that at least the following variables are included:\n c-ip\n r-ip\n s-ip\n s-supplier-country\n\nIf Access Logging is not enabled and/or the specified log variables are not included, this is a finding.","fixText":"Configure the ProxySG to log user web traffic for auditing that includes where the event occurred.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\", click \"Access Logging\", check \"Enable Access Logging\", and click \"Apply\".\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats\", select the \"Default Log\" from step 3, and click \"Edit/View\".\n5. Edit the log format string to include at least the following variables:\n c-ip\n r-ip\n s-ip\n s-supplier-country\n6. Click OK >> Apply."},{"id":"e50e3750-62a8-44aa-aad8-0989a611f2ae","vulnId":"V-94251","severity":"medium","ruleTitle":"Symantec ProxySG must produce audit records containing information to establish the source of the events.","description":"Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event.\n\nIn addition to logging where events occur within the network, the audit records must also identify sources of events such as IP addresses, processes, and node or device names.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify that the ProxySG is configured to log user web traffic for auditing that includes the source of the event.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats\", select the \"Default Log\" from step 3, and click \"Edit/View\".\n5. Review the log format string and verify that at least the \"c-ip\" variable is included.\n\nIf Access Logging is not enabled and/or the specified log variables are not included, this is a finding.","fixText":"Configure the ProxySG to log user web traffic for auditing that includes the source of the event.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check \"Enable Access Logging\" and click \"Apply\".\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats,\" select the Default Log from step 3, and click \"Edit/View\".\n5. Edit the log format string to include at least the \"c-ip\" variable.\n6. Click OK >> Apply."},{"id":"0406e330-77e7-4472-ac4f-7efd97b20ebc","vulnId":"V-94253","severity":"medium","ruleTitle":"Symantec ProxySG must produce audit records containing information to establish the outcome of the events.","description":"Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the network.\n\nEvent outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the network after the event occurred). They also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify that the ProxySG is configured to log user web traffic for auditing that includes information about the outcome of the event.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats\", select the Default Log from step 3, and click \"Edit/View\".\n5. Review the log format string and verify that at least the following variables are included:\n s-action\n rs-response-line\n rs-status\n sc-status\n x-exception-reason\n duration\n\nIf Access Logging is not enabled and/or the specified log variables are not included, this is a finding.","fixText":"Configure the ProxySG to log user web traffic for auditing that includes information about the outcome of the event.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check \"Enable Access Logging\" and click \"Apply\".\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats\", select the Default Log from step 3, and click \"Edit/View\".\n5. Edit the log format string to include at least the following variables:\n s-action\n rs-response-line\n rs-status\n sc-status\n x-exception-reason\n duration\n6. Click OK >> Apply."},{"id":"981ee8e7-8ae6-453e-b0a3-837dc4c22342","vulnId":"V-94255","severity":"medium","ruleTitle":"Symantec ProxySG must generate audit records containing information to establish the identity of any individual or process associated with the event.","description":"Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.\n\nAssociating information about where the event occurred within the network provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify that the ProxySG is configured to log user web traffic for auditing, which includes information to establish the identity of any individual or process associated with the event.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Browse to \"Access Logging\", click \"General\", and note which \"Default Log\" is indicated for the HTTP protocol (\"main\" by default).\n4. Click \"Formats\", select the Default Log from step 3 and click \"Edit/View\".\n5. Review the log format string and verify that at least the \"c-ip\" and \"cs-username\" variables are included.\n\nIf Access Logging is not enabled and/or the specified log variables are not included, this is a finding.","fixText":"Configure the ProxySG to log user web traffic for auditing that includes information to establish the identity of any individual or process associated with the event.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging. Check \"Enable Access Logging\" and click \"Apply\".\n3. Browse to \"Access Logging\", click \"General\", and note which Default Log is indicated for the \"HTTP\" protocol (\"main\" by default).\n4. Click \"Formats,\" select the Default Log from step 3, and click \"Edit/View\".\n5. Edit the log format string to include at least the \"c-ip\" and \"cs-username\" variables.\n6. Click OK >> Apply."},{"id":"caa399ca-a5f1-4069-b50a-adbce45a7121","vulnId":"V-94257","severity":"medium","ruleTitle":"Symantec ProxySG must use a centralized log server.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Determine whether audit log off-loading is configured.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Access Logging >> Logs.\n3. Click \"Upload Client\" and Verify that a \"Client type\" is specified. All client types use TCP for communication to the target server (FTP/S, HTTP/S, Kafka, etc.).\n\nIf Symantec ProxySG does not use a centralized log server, this is a finding.","fixText":"Configure audit log off-loading.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Access Logging >> Logs.\n3. Configure the \"Upload Client\" and \"Upload Schedule\" capabilities. (All client types use TCP for communication to the site's event server.)"},{"id":"fb101acd-8e06-4d13-845d-255514ff571c","vulnId":"V-94259","severity":"medium","ruleTitle":"Symantec ProxySG must be configured to send the access logs to the centralized log server continuously.","description":"Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in case the system/component being audited is compromised.\n\nOff-loading is a common process in information systems with limited audit storage capacity. The audit storage on the ALG is used only in a transitory fashion until the system can communicate with the centralized log server designated for storing the audit records, at which point the information is transferred. However, DoD requires that the log be transferred in real time, which indicates that the time from event detection to off-loading is seconds or less.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify that continuous audit log off-loading is configured.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Access Logging >> Logs.\n3. Click \"Upload Client\" and Verify that a \"Client type\" is specified. \n4. Click the \"Upload Schedule\" and Verify that \"Upload the access log continuously\" is selected.\n\nIf Symantec ProxySG is not configured to send the access logs to the centralized log server continuously, this is a finding.","fixText":"Configure continuous audit log off-loading.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Access Logging >> Logs.\n3. Click \"Upload Schedule\" and select \"Upload the access log continuously\" option.\n4. Click \"Apply\"."},{"id":"07c21b9a-50de-421b-befc-191ea489c526","vulnId":"V-94261","severity":"medium","ruleTitle":"Symantec ProxySG must provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server.","description":"Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.\n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).\n\nThis does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify that the ProxySG is configured to send real-time alerts via SMTP and SNMP.\n\n1. Log on to the Web Management Console.\n2. Browse to Maintenance >> SNMP.\n3. Verify that SNMP is enabled and configured.\n4. Browse to \"Event Logging\".\n5. Click \"Mail\" and verify that \"Send Event Logs\" is enabled and recipients are specified in the \"Names\" list and an SMTP server is specified.\n\nIf Symantec ProxySG does not provide an alert to, at a minimum, the SCA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server, this is a finding.","fixText":"Configure the ProxySG to send real-time alerts via SMTP and SNMP.\n\n1. Log on to the Web Management Console.\n2. Browse to Maintenance >> SNMP.\n3. Check the \"Enable SNMPv3\" box. \n4. Click the SNMPv3 Users and SNMPv3 Traps tabs and configure per organizational specifications.\n5. Browse to \"Event Logging\".\n6. Click \"Mail\" and check the \"Send Event Logs\" box. \n7. Click \"New\" and add all desired recipients to the \"Names\" list.\n8. Enter the correct SMTP server and port into the proper fields. \n9. Click \"Apply\".\n\nFor more information, see the ProxySG Administration Guide, Chapter 75: Monitoring the Appliance."},{"id":"4051615d-5f89-4703-a62c-a7665e20ce23","vulnId":"V-94263","severity":"medium","ruleTitle":"The reverse proxy Symantec ProxySG providing intermediary services for FTP must inspect inbound FTP communications traffic for protocol compliance and protocol anomalies.","description":"Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols.\n\nBecause protocol anomaly analysis examines the application payload for patterns or anomalies, an FTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound FTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.","checkContent":"Verify that FTP reverse proxy intermediary services are configured.\n\n1. Verify with the ProxySG administrator that FTP reverse proxy services are configured. \n2. Log on to the Web Management Console. \n3. Click Configuration >> Services >> Proxy Services. \n4. For each FTP reverse proxy service identified by the administrator, verify that the Action is set to \"intercept\".\n5. Browse to Configuration >> Forwarding Hosts. Verify that the back-end FTP server is specified in the list.\n6. Browse to Policy >> Visual Policy Manager\" and click \"Launch\".\n7. Verify that a Forwarding Layer exists that references the Forwarding Host configured in step 5.\n\nIf the reverse proxy Symantec ProxySG providing intermediary services for FTP does not inspect inbound FTP communications traffic for protocol compliance and protocol anomalies, this is a finding.","fixText":"Configure FTP reverse proxy intermediary services.\n\nSee the ProxySG Reverse Proxy WebGuide for details.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> Services >> Proxy Services. \n3. Click \"New Service\" and create new FTP proxy services with the Action set to \"intercept\".\n4. Browse to Configuration >> Forwarding Hosts. Click \"New\" and create an entry for the desired back-end FTP server. Click \"Apply\".\n5. Browse to Policy >> Visual Policy Manager and click \"Launch\".\n6. Click Policy >> Add Forwarding Layer. In the default rule, set the Action to be the Forwarding Host configured in step 4.\n7. Click File >> Install Policy on SG Appliance."},{"id":"5e5735dc-3ae7-4a6b-969e-f11001869473","vulnId":"V-94265","severity":"medium","ruleTitle":"Symantec ProxySG providing intermediary services for FTP must inspect outbound FTP communications traffic for protocol compliance and protocol anomalies.","description":"Application protocol anomaly detection examines application layer protocols such as FTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols.\n\nSince protocol anomaly analysis examines the application payload for patterns or anomalies, an FTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound FTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.","checkContent":"Determine whether FTP proxying is enabled to provide inspection.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Click the \"Standard\", \"Predefined Service Group\" and verify that the FTP service is set to \"Intercept\".\n\nIf Symantec ProxySG providing intermediary services for FTP does not inspect outbound FTP communications traffic for protocol compliance and protocol anomalies, this is a finding.","fixText":"Enable outbound FTP proxying to inspect this traffic for compliance and anomalies.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Click the \"Standard\", \"Predefined Service Group\" and set FTP service to \"Intercept\". \n4. Click \"Apply\"."},{"id":"ef21f57e-1568-464b-a297-33aa37aef50d","vulnId":"V-94267","severity":"medium","ruleTitle":"Symantec ProxySG providing intermediary services for HTTP must inspect inbound HTTP traffic for protocol compliance and protocol anomalies.","description":"Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols.\n\nSince protocol anomaly analysis examines the application payload for patterns or anomalies, an HTTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound HTTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks. \n\nAll inbound and outbound traffic, including HTTPS, must be inspected. However, the intention of this policy is not to mandate HTTPS inspection by the ALG. Typically, HTTPS traffic is inspected either at the source or destination and/or is directed for inspection by an organization-defined network termination point.","checkContent":"Check 1 (This is an uncommon configuration. If it is found, it has been deliberately done by the Proxy administrator and cannot/should not be removed without consultation with/advice from the administrator.)\n1. Browse to Configuration >> Policy >> Policy Files and click the button to view the installed policy.\n2. Using \"-F\", perform a search for the exact terms \"detect_protocol(no)\". \n\nIf this phrase appears in the policy file, this is a finding. \n\nDiscuss with the ProxySG administrator to determine why this was configured and whether an exception must be approved.\n\nCheck 2\n1. Browse to Configuration >> Services >> Proxy Services, select each HTTP proxy service to be reviewed, and click \"Edit Service\". \n2. Verify that the \"Detect Protocol\" checkbox is selected.\n\nIf Symantec ProxySG providing intermediary services for HTTP does not inspect inbound HTTP traffic for protocol compliance and protocol anomalies, this is a finding.","fixText":"Configure the ProxySG to perform inbound and outbound HTTP traffic protocol compliance inspection/enforcement.\n\nFix 1 (This is an uncommon configuration. If it is found, it has been deliberately done by the Proxy administrator and cannot/should not be removed without consultation with/advice from the administrator.)\n1. Browse to Configuration >> Policy >> Policy Files and click the button to view the installed policy. \n2. Using \"-F\", perform a search for the exact terms \"detect_protocol(no)\". \n3. If this phrase appears in the policy, work with the ProxySG administrator to determine why this was configured, whether it can be disabled and if so, how to disable it. \n\nFix 2\n1. Browse to Configuration >> Services >> Proxy Services, select each HTTP proxy service to be reviewed, and click \"Edit Service\". \n2. Select the \"Detect Protocol\" checkbox and click \"OK\".\n3. Once all services have been modified, click \"Apply\"."},{"id":"11972094-5153-4594-90b2-bcb76ebd596e","vulnId":"V-94269","severity":"medium","ruleTitle":"Symantec ProxySG providing intermediary services for HTTP must inspect outbound HTTP traffic for protocol compliance and protocol anomalies.","description":"Application protocol anomaly detection examines application layer protocols such as HTTP to identify attacks based on observed deviations in the normal RFC behavior of a protocol or service. This type of monitoring allows for the detection of known and unknown exploits that exploit weaknesses of commonly used protocols.\n\nSince protocol anomaly analysis examines the application payload for patterns or anomalies, an HTTP proxy must be included in the ALG. This ALG will be configured to inspect inbound and outbound HTTP communications traffic to detect protocol anomalies such as malformed message and command insertion attacks.","checkContent":"Check 1 (This is an uncommon configuration. If it is found, it has been deliberately done by the Proxy administrator and cannot/should not be removed without consultation with/advice from the administrator.)\n1. Browse to Configuration >> Policy >> Policy Files and click the button to view the installed policy. \n2. Using \"-F\", perform a search for the exact terms \"detect_protocol(no)\". \n\nIf this phrase appears in the policy file, this is a finding.\n\nDiscuss with the ProxySG administrator to determine why this was configured and whether an exception must be approved.\n\nCheck 2\n1. Browse to Configuration >> Services >> Proxy Services, select each HTTP proxy service to be reviewed, and click \"Edit Service\". \n2. Verify that the \"Detect Protocol\" checkbox is selected.\n\nIf Symantec ProxySG providing intermediary services for HTTP does not inspect inbound HTTP traffic for protocol compliance and protocol anomalies, this is a finding.","fixText":"Configure the ProxySG to perform inbound and outbound HTTP traffic protocol compliance inspection/enforcement.\n\nFix 1 (This is an uncommon configuration. If it is found, it has been very deliberately done by the Proxy administrator and cannot/should not be removed without consultation with/advice from the administrator.)\n1. Browse to Configuration >> Policy >> Policy Files and click the button to view the installed policy. \n2. Using \"-F\", perform a search for the exact terms \"detect_protocol(no)\". \n3. If this phrase appears in the policy, work with the ProxySG administrator to determine why this was configured, whether it can be disabled and if so, how to disable it.\n\nFix 2\n1. Browse to Configuration >> Services >> Proxy Services and select each HTTP proxy service to be reviewed and click \"Edit Service\". \n2. Select the \"Detect Protocol\" checkbox and click \"OK\".\n3. Once all services have been modified, click \"Apply\"."},{"id":"cc42019b-3401-433b-95b1-44f443cbfdd3","vulnId":"V-94271","severity":"medium","ruleTitle":"Symantec ProxySG must not have unnecessary services and functions enabled.","description":"$2b","checkContent":"Determine what proxy services are enabled on the ProxySG.\n\n1. Log on to the Web Management Console\n2. Browse to Configuration >> Services >> Proxy Services\n3. Review each service specified in the list with the ProxySG administrator to verify that each is required.\n\nIf the Symantec ProxySG has any unnecessary services or functions enabled, this is a finding.","fixText":"Disable/remove unnecessary proxy services on the ProxySG. In particular, reverse proxy services should not configured if not used.\n\n1. Log on to the Web Management Console\n2. Browse to Configuration >> Services >> Proxy Services\n3. Review each service and service group specified in the list with the ProxySG administrator.\n4. Remove any unnecessary services or service groups by selecting them and clicking \"Delete\"\n5. Click \"Apply\" once all unnecessary services or groups have been removed."},{"id":"7944e8a4-3a7c-46c5-86b1-9f4d21639d02","vulnId":"V-94273","severity":"medium","ruleTitle":"Symantec ProxySG must be configured to remove or disable unrelated or unneeded application proxy services.","description":"Unrelated or unneeded proxy services increase the attack vector and add excessive complexity to the securing of the ALG. Multiple application proxies can be installed on many ALGs. However, proxy types must be limited to related functions. At a minimum, the web and email gateway represent different security domains/trust levels. Organizations should also consider separation of gateways that service the DMZ and the trusted network.\n\nPossible services that may be configured on the ProxySG:\nAOL IM\nDNS Proxy\nFTP\nFTPS\nHTTPS\nHTTPS Reverse Proxy\nMMS\nMSN IM\nRMTP\nRTSP\nSOCKS\nTLS\nTCP Tunnel\nTELNET\nYahoo IM","checkContent":"Determine what proxy services are enabled on the ProxySG.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Review each service specified in the list with the ProxySG administrator to verify that each is required.\n\nIf Symantec ProxySG is not configured to remove or disable unrelated or unneeded application proxy services, this is a finding.","fixText":"Disable/remove unnecessary proxy services on the ProxySG. In particular, reverse proxy services should not configured if not used.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Review each service and service group specified in the list with the ProxySG administrator.\n4. Remove any unnecessary services or service groups by selecting them and clicking \"delete\".\n5. Click \"Apply\" once all unnecessary services or groups have been removed."},{"id":"9d54e571-6b72-414d-8cd7-5fbbb9655261","vulnId":"V-94275","severity":"high","ruleTitle":"Symantec ProxySG must be configured to prohibit or restrict the use of network services as defined in the PPSM CAL and vulnerability assessments.","description":"$2c","checkContent":"Obtain the SSP and PPSMCAL and vulnerability assessments with the site's security policy. Verify that identity-based, role-based, and/or attribute-based authorization is configured for access to proxied websites. Verify that security policies and rules are configured and applied.\n\n1. Log on to the Web Management Console.\n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". \n4. For each rule within each Web Access Layer, verify that the \"Source\" and \"destination\" column for each rule contains something other than \"any\" (any is the default value) as required in the site's SSP and the PPSMCAL.\n\nIf Symantec ProxySG is not configured to prohibit or restrict the use of network services as defined in the PPSM CAL and vulnerability assessments, this is a finding.","fixText":"Obtain the SSP and PPSMCAL and vulnerability assessments with the site's security policy. Configure the ProxySG to perform resources by employing identity-based, role-based, and/or attribute-based authorization for access to proxied websites.\n\n1. Log on to the Web Management Console. \n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". \n4. For each Web Access Layer that is configured, right-click the \"Source\" and \"destination\" of each column and click \"Set\".\n5. Select the users, groups, roles, ports, protocols, and attributes as required by the PPSMCAL.\n6. Click File >> Install Policy on SG Appliance."},{"id":"7f227b77-9812-4bfb-97a4-015940f02c52","vulnId":"V-94277","severity":"medium","ruleTitle":"Symantec ProxySG providing user authentication intermediary services must require users to reauthenticate every 900 seconds when organization-defined circumstances or situations require reauthentication.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization.\n\nIn addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances: \n\n1. When authenticators change\n2. When roles change\n3. When security categories of information systems change\n4. When the execution of privileged functions occurs\n5. After a fixed period of time\n6. Periodically\n\nWithin the DoD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of user authentication (e.g., VPN or ALG capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).","checkContent":"Reauthentication of users may be enforced by using credential cache lifetimes and inactivity timeouts. Verify credential cache lifetimes and inactivity timeouts for LDAP, RADIUS, XML, IWA (with Basic credentials), SiteMinder, and COREid authentication methods.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Click each of the above authentication mechanisms and select the \"General\" tab (e.g., Radius General or LDAP General).\n4. Verify that the \"Credential Refresh\" time is set to the organization-defined time period.\n\nIf Symantec ProxySG providing user authentication intermediary services does not require users to reauthenticate every 900 seconds when organization-defined circumstances or situations require reauthentication, this is a finding.","fixText":"Reauthentication of users may be enforced by using credential cache lifetimes and inactivity timeouts. Set credential cache lifetimes and inactivity timeouts for LDAP, RADIUS, XML, IWA (with Basic credentials), SiteMinder, and COREid authentication methods.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Click each of the above authentication mechanisms and select the \"General\" tab (e.g., Radius General or LDAP General).\n4. Set the \"Credential Refresh\" time to the organization-defined time period.\n5. Click \"Apply\"."},{"id":"84a06990-fce6-40e9-9a5a-2723ee21d80c","vulnId":"V-94279","severity":"high","ruleTitle":"Symantec ProxySG must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.\n\nBy default, the ProxySG operates as an un-authenticated proxy. Authentication of users must be explicitly configured as described here and in in the ProxySG Administration Guide, Chapter 49: Controlling Access to the Internet and Intranet.","checkContent":"Verify that ProxySG is uniquely identifying organizational users.\n\n1. Log on to the Web Management Console. \n2. Browse to Configuration >> Authentication >> Windows Domain.\n3. Verify that a domain is listed in the Domains field and indicates \"Joined and Used\".\n\nIf Symantec ProxySG does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.","fixText":"Configure the ProxySG to perform unique identification of organizational users.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication >> Windows Domain.\n3. Click \"Add New Domain\" and follow prompts to join the Windows Domain."},{"id":"d7364038-a340-478c-b81c-17434c8c0996","vulnId":"V-94281","severity":"high","ruleTitle":"Symantec ProxySG must be configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate user account access authorizations and privileges.","description":"User account and privilege validation must be centralized to prevent unauthorized access using changed or revoked privileges.\n\nALGs can implement functions such as traffic filtering, authentication, access, and authorization functions based on computer and user privileges. However, the directory service (e.g., Active Directory or LDAP) must not be installed on the ALG, particularly if the gateway resides on the untrusted zone of the enclave.","checkContent":"Verify that the ProxySG is configured with pre-established trust relationships with the appropriate authorities.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n\nIf Symantec ProxySG is not configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate user account access authorizations and privileges, this is a finding.","fixText":"Configure the ProxySG with pre-established trust relationships with the appropriate authorities.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication >> Windows Domain.\n3. Click \"Add New Domain\" and follow prompts to join the Windows Domain."},{"id":"d9ccae20-c5ef-412b-bac2-e42c50840b79","vulnId":"V-94283","severity":"high","ruleTitle":"Symantec ProxySG providing user authentication intermediary services must restrict user authentication traffic to specific authentication servers.","description":"User authentication can be used as part of the policy filtering rule sets. Some URLs or network resources can be restricted to authenticated users only. Users are prompted by the application or browser for credentials. Authentication service may be provided by the ProxySG as an intermediary for the application; however, the authentication credential must be stored in the site's directory services server.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).\n\nThe ProxySG will not use any other authentication server that has not been explicitly configured, such as the primary and backup authentication servers.","checkContent":"The ProxySG only sends user authentication traffic to explicitly configured authentication servers. Verify which authentication servers are configured.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n\nIf Symantec ProxySG providing user authentication intermediary services does not restrict user authentication traffic to specific authentication servers, this is a finding.","fixText":"Configure the ProxySG for user authentication.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication >> Windows Domain.\n3. Click \"Add New Domain\" and follow prompts to join the Windows Domain."},{"id":"b795ccab-0b42-4bb8-87ca-4fd2fd1f56bc","vulnId":"V-94285","severity":"medium","ruleTitle":"Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.","description":"$2d","checkContent":"Multiple methods of multifactor authentication are supported. Verify that an approved method is configured (such as CAC certificate authentication).\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Click each of the above authentication mechanisms and Verify that at least one approved multifactor authentication method is configured per the ProxySG Administration Guide (CAC Certificate authentication configuration is covered in Chapter 52: Certificate Realm Authentication and Chapter 58: LDAP Realm Authentication).\n\nIf Symantec ProxySG providing user authentication intermediary services does not implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.","fixText":"Configure an approved method of multifactor authentication (such as CAC certificate authentication).\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Configure at least one multifactor method (such as CAC certificate authentication) per the ProxySG Administration Guide (CAC Certificate authentication configuration is covered in Chapter 52: Certificate Realm Authentication and Chapter 58: LDAP Realm Authentication)."},{"id":"26b18534-3b20-4539-92b6-01819777c0ac","vulnId":"V-94287","severity":"medium","ruleTitle":"Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.","description":"$2e","checkContent":"Multiple methods of multifactor authentication are supported. Verify that an approved method is configured (such as CAC certificate authentication).\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Click each of the above authentication mechanisms and Verify that at least one approved multifactor authentication method is configured.\n\nIf Symantec ProxySG providing user authentication intermediary services does not implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.","fixText":"Configure an approved method of multifactor authentication (such as CAC certificate authentication).\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Configure at least one multifactor method (such as CAC certificate authentication) per the ProxySG Administration Guide (CAC Certificate authentication configuration is covered in Chapter 52: Certificate Realm Authentication and Chapter 58: LDAP Realm Authentication)."},{"id":"3ead5c3e-72ac-4abc-802f-cc5d0b89b0cb","vulnId":"V-94289","severity":"medium","ruleTitle":"Symantec ProxySG providing user authentication intermediary services must use multifactor authentication for network access to nonprivileged accounts.","description":"To assure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system.\n\nMultifactor authentication uses two or more factors to achieve authentication. Factors include: \n\n1. Something you know (e.g., password/PIN) \n2. Something you have (e.g., cryptographic, identification device, token)\n3. Something you are (e.g., biometric)\n\nNonprivileged accounts are not authorized access to the network element regardless of access method.\n\nNetwork access is any access to an application by a user (or process acting on behalf of a user) where the access is obtained through a network connection.\n\nAuthenticating with a PKI credential and entering the associated PIN is an example of multifactor authentication.","checkContent":"Verify that a DoD-approved authentication server that uses multifactor authentication is configured.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n\nIf Symantec ProxySG providing user authentication intermediary services does not use multifactor authentication for network access to nonprivileged accounts, this is a finding.","fixText":"Configure a DoD-approved authentication server that uses multifactor authentication.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication >> Windows Domain.\n3. Click \"Add New Domain\" and follow prompts to join the Windows Domain."},{"id":"0001b220-11b3-4e7b-b3fd-ca3e71dcdc6d","vulnId":"V-94291","severity":"medium","ruleTitle":"Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.","description":"$2f","checkContent":"Verify that only FIPS-compliant HMAC algorithms are in use.\n\n1. Log on to the ProxySG CLI via SSH.\n2. Type \"show management services\".\n3. Verify the \"Cipher Suite\" attribute lists only cipher suites that use FIPS compliant HMAC algorithms.\n\nIf any cipher suites are listed that use non-FIPS-compliant HMAC algorithms, this is a finding.","fixText":"Configure the ProxySG to use only FIPS-compliant HMAC algorithms.\n\n1. Log on to the ProxySG SSH CLI.\n2. Type \"enable\" and enter the enable password.\n3. Type \"configure terminal\" and press \"Enter\".\n4. Type \"management-services,\" press \"Enter\". Type \"edit HTTPS-Console\" and press \"Enter\".\n5. Type \"view\" to display the list of configured cipher suites.\n6. Type \"attribute cipher-suite\" followed by a space-delimited list of only cipher suites from step 5 that use FIPS-compliant HMAC algorithms.\n7. Press \"Enter\"."},{"id":"e5e89f56-15f3-463f-bd6d-7b1501ea9c1f","vulnId":"V-94293","severity":"medium","ruleTitle":"Symantec ProxySG must prohibit the use of cached authenticators after 300 seconds at a minimum.","description":"If the cached authenticator information is out of date, the validity of the authentication information may be questionable.\n\nThis requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).","checkContent":"Verify credential cache lifetimes for LDAP, RADIUS, XML, IWA (with Basic credentials), SiteMinder, and COREid authentication methods.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration, >> Authentication.\n3. Click each of the above authentication mechanisms and select the \"General\" tab (e.g., Radius General or LDAP General).\n4. Verify that the \"Credential Refresh\" time is set to the organization-defined time period (a minimum of 300 seconds).\n\nIf Symantec ProxySG does not prohibit the use of cached authenticators after 300 seconds at a minimum, this is a finding.","fixText":"Set credential cache lifetimes for LDAP, RADIUS, XML, IWA (with Basic credentials), SiteMinder, and COREid authentication methods.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Click each of the above authentication mechanisms and select the \"General\" tab (e.g., Radius General or LDAP General).\n4. Set the \"Credential Refresh\" time to 300 at a minimum.\n5. Click \"Apply\"."},{"id":"dc19a557-9d33-49cd-8089-c19005f9a87e","vulnId":"V-94295","severity":"medium","ruleTitle":"Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, must map the client certificate to the authentication server store.","description":"Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented.\n\nThis requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). It does not apply to authentication for the purpose of configuring the device itself (device management).","checkContent":"Verify that PKI user credentials map identities to the user account name in a reverse proxy configuration.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Click each HTTPS Reverse Proxy service and click \"Edit Service\".\n4. Verify that \"Verify Client\" is checked. Verify that all remaining options are in accordance with the site's SSP.\n\nIf Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, does not map the client certificate to the authentication server store, this is a finding.","fixText":"Configure the ProxySG to map PKI user credentials to user identities in a reverse proxy configuration.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Click each HTTPS Reverse Proxy service and click \"Edit Service\".\n4. Check the \"Verify Client\" option and click \"Apply\".\n5. Configure all remaining options in accordance with the site's SSP."},{"id":"b52f3834-0c32-48a5-8434-baee4ccc33da","vulnId":"V-94297","severity":"medium","ruleTitle":"Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.","description":"Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).\n\nThe intent of this requirement is to require support for a secondary certificate validation method using a locally cached revocation data, such as Certificate Revocation List (CRL), in case access to OCSP (required by CCI-000185) is not available. Based on a risk assessment, an alternate mitigation is to configure the system to deny access when revocation data is unavailable. \n\nThis requirement applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).","checkContent":"Verify that PKI Certificate Revocation Lists have been configured.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> SSL >> CRLs.\n3. Verify that at least one CRL has been defined.\n\nIf Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication does not implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, this is a finding.","fixText":"Configure PKI Certificate Revocation lists.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> SSL >> CRLs.\n3. Click \"New\" and configure in accordance the setting required by site guidance."},{"id":"f1bfb913-b613-48e7-8c14-83fc8daf2225","vulnId":"V-94299","severity":"medium","ruleTitle":"Symantec ProxySG providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.","description":"Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and OpenID 2.0.\n\nUse of FICAM-issued profiles addresses open identity management standards.\n\nThis only applies to components where this is specific to the function of the device or has the concept of a nonorganizational user (e.g., ALG capability that is the front end for an application in a DMZ).","checkContent":"Configure ProxySG to conform to a FICAM-authentication protocol and verify that SAML authentication has been configured.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Click \"SAML\" and verify that each tab has been configured properly per the organizational requirement.\n\nIf Symantec ProxySG providing user authentication intermediary services does not conform to FICAM-issued profiles, this is a finding.","fixText":"Configure ProxySG to conform to a FICAM-authentication protocol and configure it to use SAML authentication.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. Click \"SAML\" and configure."},{"id":"3c9e83de-55d2-4602-86e9-f1a6f4ba2ba1","vulnId":"V-94301","severity":"high","ruleTitle":"Symantec ProxySG must terminate all network connections associated with a communications session at the end of the session or terminate user sessions (nonprivileged session) after 15 minutes of inactivity.","description":"$30","checkContent":"Check the two user-configurable parameters that affect session termination (TCP segment lifetime and authentication credential inactivity timeout).\n\nCheck the TCP segment lifetime setting (default is 120 seconds).\n1. SSH into the ProxySG console and type \"show tcp-ip\".\n2. Verify that the TCP 2MSL timeout is set to 600 seconds or less.\n\nCheck the authentication credential inactivity timeouts.\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. For each authentication method listed, click it and then the \"General\" tab and verify that the \"Inactivity timeout\" is set to 600 seconds or less (default is 900 seconds).\n\nIf Symantec ProxySG does not terminate all network connections associated with a communications session at the end of the session, or terminate user sessions (nonprivileged session) after 15 minutes of inactivity, this is a finding.","fixText":"Configure the two user-configurable parameters that affect session termination (TCP segment lifetime and authentication credential inactivity timeout).\n\nConfigure the TCP segment lifetime setting (default is 120 seconds).\n1. SSH into the ProxySG console and type \"enable\" and then \"configure\".\n2. Type \"tcp-ip tcp 2msl 900\", for example, to set the timeout to 900 seconds (the default).\n\nConfigure the authentication credential inactivity timeouts.\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Authentication.\n3. For each authentication method listed, click it and then the \"General\" tab and set the \"Inactivity timeout\" to 600 seconds or less (default is 900 seconds).\n4. Click \"Apply\"."},{"id":"31504cb1-4bcb-475e-8386-6b7a4927cf7c","vulnId":"V-94303","severity":"medium","ruleTitle":"Symantec ProxySG providing forward proxy encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the Federal government since this provides assurance they have been tested and validated.\n\nThis requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).","checkContent":"Verify that TLS intermediary services are configured to comply with NIST FIPS-validated cryptography.\n\n1. Log on to the Web Management Console.\n2. Click Configuration >> Visual Policy Manager. \n3. Click \"Launch\". While in the Visual Policy Manager, for each SSL Access Layer that is configured, verify there is a rule with an action set to \"Deny\" that also has \"Source\" and \"Destination\" fields that contain a negated list of NIST FIPS-validated SSL/TLS protocols and ciphers.\n\nIf Symantec ProxySG providing forward proxy encryption intermediary services does not use NIST FIPS-validated cryptography to implement encryption services, this is a finding.","fixText":"$31"},{"id":"3930f4ee-cfd7-4a62-b8d1-6cb3c98df8fa","vulnId":"V-94305","severity":"medium","ruleTitle":"Symantec ProxySG providing reverse proxy encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the Federal government since this provides assurance they have been tested and validated.\n\nThis requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC).","checkContent":"Verify that TLS reverse proxy intermediary services are configured to comply with NIST FIPS-validated cryptography.\n\n1. Verify with the ProxySG administrator that reverse proxy services are configured. \n2. Log on to the Web Management Console. \n3. Click Configuration >> Services >> Proxy Services. \n4. For each reverse proxy service identified by the administrator, click \"Edit Service\" and Verify that only NIST FIPS-validated SSL protocols are enabled.\n5. Log on to the ProxySG SSH CLI.\n6. Type \"enable\" and enter the enable password.\n7. Type \"configure\" and press \"Enter\".\n8. Type \"proxy-services\" and press \"Enter\".\n9. For each reverse proxy service identified by the administrator, type \"edit > Services >> Proxy Services. \n4. For each reverse proxy service configured, click \"Edit Service\" and select only NIST FIPS-validated SSL protocols. Click \"Apply\".\n5. Log on to the ProxySG SSH CLI.\n6. Type \"enable\" and enter the enable password.\n7. Type \"configure\" and press \"Enter\".\n8. Type \"proxy-services\" and press \"Enter\".\n9. For each reverse proxy service identified by the administrator, type \"edit > Services >> Proxy Services. \n4. For each reverse proxy service configured, click \"Edit Service\" and select only NIST FIPS-validated SSL protocols. Click \"Apply\".\n5. Log on to the ProxySG SSH CLI.\n6. Type \"enable\" and enter the enable password.\n7. Type \"configure\" and press \"Enter\".\n8. Type \"proxy-services\" and press \"Enter\".\n9. For each reverse proxy service identified by the administrator, type \"edit > Services >> Proxy Services. \n4. For each reverse proxy service configured, click \"Edit Service\" and select only NIST FIPS-validated SSL protocols. Click \"Apply\".\n5. Log on to the ProxySG SSH CLI.\n6. Type \"enable\" and enter the enable password.\n7. Type \"configure\" and press \"Enter\".\n8. Type \"proxy-services\" and press \"Enter\".\n9. For each reverse proxy service identified by the administrator, type \"edit > Services >> Proxy Services.\n3. Select each HTTPS Reverse Proxy service and click \"Edit Service\".\n4. Note the name of the CCL listed.\n5. Browse to SSL >> CA Certificates >> CA Certificate Lists.\n6. Select the CCL from step 4 and click \"View\".\n7. Verify that only DoD-approved CA Certifications are listed in the box on the right.\n\nIf any CA certifications that are not DoD approved are found in a CCL assigned to a reverse proxy service, this is a finding.","fixText":"Configure reverse proxy services to only trust DoD-approved Certificate Authorities.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Browse to SSL >> CA Certificates >> CA Certificate Lists.\n4. Click \"Import,\" provide a \"Name,\" and paste in the first DoD CA certificate in PEM format and click \"OK\". Repeat for each DoD CA certificate desired.\n5. Click CA Certificate Lists >> New.\n6. Provide a \"Name,\" click each DoD CA certificate created in step 4, and click \"Add\". Once all certificates have been added, click \"OK\".\n7. Browse to Configuration >> Services >> Proxy Services.\n8. Select each HTTPS Reverse Proxy service and click \"Edit Service\".\n9. Select the CCL created in step 6, click \"OK,\" and then click \"Apply\"."},{"id":"95e9c02a-1f65-47e1-9d3a-4c62dcb5da2f","vulnId":"V-94315","severity":"medium","ruleTitle":"Symantec ProxySG must fail to a secure state upon failure of initialization, shutdown, or abort actions.","description":"$35","checkContent":"Verify that the transparent, physically in-line hardware ProxySG appliance is configured to fail securely in the event of failures of initialization, shutdown, or abort actions.\n\n1. Browse to Configuration >> Network >> Adapters >> Bridges. \n2. Select the appropriate bridge-pair (whichever is in use) and click \"Edit\". \n3. Verify that the \"fail-closed\" radio button is selected. \n\nIf the \"failed-closed\" radio button is not selected, this is a finding.","fixText":"Configure the transparent, physically in-line hardware ProxySG appliance to fail securely in the event of failures of initialization, shutdown, or abort actions.\n\n1. Browse to Configuration >> Network >> Adapters >> Bridges.\n2. Select the appropriate bridge-pair (whichever is in use) and click \"Edit\". \n3. Select the \"fail-closed\" radio button and click \"Apply\"."},{"id":"5e602d90-e70c-4163-8a9e-877cf947c31f","vulnId":"V-94317","severity":"medium","ruleTitle":"Symantec ProxySG providing content filtering must protect against known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis.","description":"If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users.\n\nInstallation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.\n\nDetection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks, which are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components.","checkContent":"View the denial-of-service attack detection/mitigation configuration.\n \n1. SSH into the ProxySG console and type \"enable\".\n2. Enter the correct password and type \"config\". \n3. Press \"Enter\" and type \"show attack-detection configuration\". \n4. Verify that \"client limits enabled\" equals \"true\".\n\nIf Symantec ProxySG providing content filtering does not protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis, this is a finding.","fixText":"Configure denial-of-service attack detection/mitigation.\n \n1. SSH into the ProxySG console and type \"enable\".\n2. Enter the correct password and type \"config\". \n3. Press \"Enter\" and type \"attack-detection\".\n4. Type \"client\", press \"Enter\", type \"enable-limits\", and press \"Enter\"."},{"id":"b6e1c58e-2d28-4030-a8fb-69bdd3b5353a","vulnId":"V-94319","severity":"medium","ruleTitle":"Symantec ProxySG must implement load balancing to limit the effects of known and unknown types of denial-of-service (DoS) attacks.","description":"If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redundancy, which reduces the susceptibility of the ALG to many DoS attacks.\n\nThe ALG must be configured to prevent or mitigate the impact on network availability and traffic flow of DoS attacks that have occurred or are ongoing.\n\nThis requirement applies to the network traffic functionality of the device as it pertains to handling network traffic. Some types of attacks may be specialized to certain network technologies, functions, or services. For each technology, known and potential DoS attacks must be identified and solutions for each type implemented.\n\nFor detailed information, see the ProxySG Administration Guide, Chapter 39: Configuring Failover.","checkContent":"Verify that redundancy has been configured on the ProxySG.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Network >> Advanced.\n3. Select the \"Failover\" tab and Verify that entries are present and that they are \"enabled\".\n\nIf Symantec ProxySG does not implement load balancing to limit the effects of known and unknown types of DoS attacks, this is a finding.","fixText":"Configure redundancy on the ProxySG.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Network >> Advanced.\n3. Select the \"Failover\" tab and configure using the SSP requirements."},{"id":"095b15de-2b59-4139-833c-8a9cf22e6f42","vulnId":"V-94321","severity":"medium","ruleTitle":"Symantec ProxySG must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.","description":"$36","checkContent":"Verify that Attack Detection is enabled.\n\n1. SSH into the ProxySG console and type \"enable\".\n2. Enter the correct password and type \"configure terminal\".\n3. Press \"Enter\" and type \"show attack-detection configuration\". \n4. Verify that \"client limits enabled\" equals \"true\".\n\nIf Symantec ProxySG does not block outbound traffic containing known and unknown DoS attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints, this is a finding.","fixText":"Enable the Attack Detection function. \n\n1. SSH into the ProxySG console and type \"enable\".\n2. Enter the correct password and type \"configure terminal\". \n3. Press \"Enter\" and type \"attack-detection\".\n4. Type \"client\" and press \"Enter\". Type \"enable-limits\" and press \"Enter\".\n\nNote: See the ProxySG Administration Guide, Chapter 73: Preventing Denial of Service Attacks, to understand the functionality before proceeding. Fine-tune the default client limits if there is an operational impact."},{"id":"08e48588-8a96-4be5-acc3-a174ba70e8e9","vulnId":"V-94323","severity":"medium","ruleTitle":"Symantec ProxySG must allow incoming communications only from organization-defined authorized sources routed to organization-defined authorized destinations.","description":"Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nAccess control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application-level firewalls and web content filters) ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate.","checkContent":"Determine what proxy services are enabled on the ProxySG.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Review each service specified in the list with the ProxySG administrator to verify that all remote access traffic has been accounted for.\n4. Click Configuration >> Policy >> Visual Policy Manager >> Launch.\n5. Click each layer and Verify that the \"Source\" and \"Destination\" fields for each rule are set to the organizationally defined sources and destinations.\n\nIf Symantec ProxySG allows incoming communications other than those from organization-defined authorized sources routed to organization-defined authorized destinations, this is a finding.","fixText":"Configure proxy services.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Review each service specified in the list with the ProxySG administrator to ensure that all remote access traffic has been accounted for and add any that are missing per the ProxySG Administration Guide, Chapter 7: Managing Proxy Services.\n4. Click Configuration >> Policy >> Visual Policy Manager >> Launch.\n5. Click each layer and right-click the \"Source\" and \"Destination\" fields for each rule. Select \"Set\" and set each to the organizationally defined values in accordance with the site's SSP."},{"id":"485b88ad-1a66-40d5-957e-5c2e7c158cfb","vulnId":"V-94325","severity":"medium","ruleTitle":"Symantec ProxySG must fail securely in the event of an operational failure.","description":"$37","checkContent":"Verify that the transparent, physically in-line hardware ProxySG appliance is configured to fail securely in the event of an operational failure.\n\n1. Browse to Configuration >> Network >> Adapters >> Bridges. \n2. Select the appropriate bridge-pair (whichever is in use) and click \"Edit\". \n3. Verify that the \"fail-closed\" radio button is selected.\n\nIf the \"fail-closed\" radio button is not selected, this is a finding.","fixText":"Configure the transparent, physically in-line hardware ProxySG appliance to fail securely in the event of an operational failure.\n\n1. Browse to Configuration >> Network >> Adapters >> Bridges.\n2. Select the appropriate bridge-pair (whichever is in use) and click \"Edit\". \n3. Select the \"fail-closed\" radio button and click \"Apply\"."},{"id":"1bc2c46a-bcff-4d94-9405-cd57b8279f5c","vulnId":"V-94327","severity":"medium","ruleTitle":"Symantec ProxySG must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).","description":"A deny-all, permit-by-exception network communications traffic policy ensures that only connections that are essential and approved are allowed.\n\nAs a managed interface, the ALG must block all inbound and outbound network communications traffic to the application being managed and controlled unless a policy filter is installed to explicitly allow the traffic. The allow policy filters must comply with the site's security policy. \n\nThis requirement applies to both inbound and outbound network communications traffic. All inbound and outbound traffic for which the ALG is acting as an intermediary or proxy must be denied by default.","checkContent":"Verify that the ProxySG is configured to deny all traffic by default.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Policy >> Policy Options.\n3. Verify that the \"Default Proxy Policy\" setting is set to \"Deny\".\n\nIf Symantec ProxySG does not deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception), this is a finding.","fixText":"Configure the ProxySG to deny all traffic by default.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Policy >> Policy Options.\n3. Set the \"Default Proxy Policy\" to \"Deny\" and click \"Apply\"."},{"id":"c90b5a8a-2167-4fde-96da-e91fbd5c567f","vulnId":"V-94329","severity":"medium","ruleTitle":"Symantec ProxySG must identify and log internal users associated with denied outgoing communications traffic posing a threat to external information systems.","description":"Without identifying the users who initiated the traffic, it would be difficult to identify those responsible for the denied communications.\n\nThis requirement applies to network elements that perform Data Leakage Prevention (DLP) (e.g., ALGs, proxies, or application level firewalls).","checkContent":"Verify that the ProxySG is configured to log user web traffic for auditing.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, verify that each rule that has \"Action\" set to \"Deny\" and \"Destination\" defined as a restricted set of potentially threatening destinations has a value other than \"none\" in the \"Track\".\n\nIf Symantec ProxySG does not identify and log internal users associated with denied outgoing communications traffic posing a threat to external information systems, this is a finding.","fixText":"Configure the ProxySG to log user web traffic for auditing.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check the \"Enable Access Logging\" option and click \"Apply\".\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, right-click the \"Track\" column for each rule that has \"Action\" set to \"Deny\" and \"Destination\" defined as a restricted set of potentially threatening destinations and select \"Set\". \n5. Click \"New\" and select \"Event Log\"."},{"id":"652b76fb-f2a0-498f-bad4-f4042551d541","vulnId":"V-94331","severity":"medium","ruleTitle":"Symantec ProxySG must tailor the Exceptions messages to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.","description":"Providing too much information in error messages risks compromising the data and security of the application and system.\n\nOrganizations must carefully consider the structure/content of error messages. The required information within error messages will vary based on the protocol and error condition. Information that could be exploited by adversaries includes, for example, ICMP messages that reveal the use of firewalls or access control lists.\n\nThe ProxySG is designed to not reveal useful information to adversaries in error messages, although it may be configured to display custom exception pages to comply with site-specific requirements.","checkContent":"On a client workstation configured to use the ProxySG as its web gateway, browse to a prohibited website and observe the error page displayed.\n\nIf Symantec ProxySG does not tailor the Exceptions messages to generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries, this is a finding.","fixText":"Configure the ProxySG to tailor the Exceptions messages to generate error messages that provide only the information necessary for corrective actions.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Policy >> Exceptions.\n3. Change \"Install Exceptions Definitions from\" to \"Text Editor\" and click \"Install\".\n4. Refer to the Custom Exception Pages for ProxySG Guide for more information on creating the text for this field. \n5. After the text is entered, click Install >> Apply."},{"id":"cb41490f-10b1-47c7-8f6a-f99973985922","vulnId":"V-94333","severity":"medium","ruleTitle":"Symantec ProxySG providing content filtering must be configured to integrate with a system-wide intrusion detection system.","description":"Without coordinated reporting between separate devices, it is not possible to identify the true scale and possible target of an attack.\n\nIntegration of the ALG with a system-wide intrusion detection system supports continuous monitoring and incident response programs. This requirement applies to monitoring at internal boundaries using TLS gateways, web content filters, email gateways, and other types of ALGs.\n\nALGs can work as part of the network monitoring capabilities to off-load inspection functions from the external boundary IDPS by performing more granular content inspection of protocols at the upper layers of the OSI reference model.","checkContent":"Verify that the ProxySG is configured to log to an intrusion detection system.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging. Verify that \"Enable Access Logging\" is checked.\n3. Click Logs >> Upload Client and verify that the Client Type parameters are set to send logs to the intrusion detection system.\n4. Click Policy >> Visual Policy Manager >> Launch.\n\nIf Symantec ProxySG providing content filtering is not be configured to integrate with a system-wide intrusion detection system, this is a finding.","fixText":"Configure the ProxySG to log to an intrusion detection system.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging. Check the \"Enable Access Logging\" option.\n3. Click Logs >> Upload Client and ensure that the Client Type parameters are set to send logs to the intrusion detection system."},{"id":"cbe8c11f-5c66-47b8-b032-218067f91c92","vulnId":"V-94335","severity":"medium","ruleTitle":"Symantec ProxySG providing content filtering must detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum.","description":"Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.\n\nExamples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice over Internet Protocol, Instant Messaging, auto-execute, and file sharing.\n\nTo comply with this requirement, the ALG may be configured to detect services either directly or indirectly (i.e., by detecting traffic associated with a service). This requirement applies to gateways/firewalls that perform content inspection or have higher-layer proxy functionality.\n\nProxySG is a default-deny device and only permits authorized/approved network services to be used.","checkContent":"Determine what network proxy services are enabled on the ProxySG.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Review each service specified in the list with the ProxySG administrator to verify that all approved networks have been accounted for.\n\nIf Symantec ProxySG providing content filtering does not detect use of network services that have not been authorized or approved by the ISSM and ISSO, at a minimum, this is a finding.","fixText":"Enable network proxy services on the ProxySG.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Click \"New Service\"."},{"id":"a0570746-98da-4158-881c-a0ff4841df37","vulnId":"V-94337","severity":"medium","ruleTitle":"Symantec ProxySG providing content filtering must generate a log record when access attempts to unauthorized websites and/or services are detected.","description":"Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.\n\nExamples of network services include service-oriented architectures (SOAs), cloud-based services (e.g., infrastructure as a service, platform as a service, or software as a service), cross-domain, Voice over Internet Protocol, Instant Messaging, auto-execute, and file sharing.","checkContent":"Verify that the ProxySG is configured to log access attempts to unauthorized websites and/or services.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, verify that each rule has a value other than \"none\" in the \"Track\" column.\n\nIf Symantec ProxySG providing content filtering does not generate a log record when access attempts to unauthorized websites and/or services are detected, this is a finding.","fixText":"Configure the ProxySG to log access attempts to unauthorized websites and/or services.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check the \"Enable Access Logging\" option and click \"Apply\".\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, right-click the \"Track\" column for each rule and select \"Set\". \n5. Click \"New\" and select \"Event Log\"."},{"id":"d0ab11cf-0300-4965-a84e-ddc13f659960","vulnId":"V-94339","severity":"medium","ruleTitle":"Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when access attempts to unauthorized websites and/or services are detected.","description":"Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.\n\nAutomated mechanisms can be used to send automatic alerts or notifications. Such automatic alerts or notifications can be conveyed in a variety of ways (e.g., telephonically, via electronic mail, via text message, or via websites). The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.","checkContent":"Verify that the ProxySG is configured to generate alerts for access attempts to unauthorized websites and/or services.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, verify that each rule has a value of \"Email\" in the \"Track\" column. \n5. Right-click the \"Track\" field for each rule and select \"Edit\".\n6. Click \"Configure Custom Recipients Lists\".\n7. Click any recipient email list in the left side panel and verify that the ISSO's email address is listed in the \"List Members\" panel.\n\nIf Symantec ProxySG providing content filtering does not generate an alert to, at a minimum, the ISSO and ISSM when access attempts to unauthorized websites and/or services are detected, this is a finding.","fixText":"Configure the ProxySG to generate alerts for access attempts to unauthorized websites and/or services.\n\nEmail may be used to send alerts directly to the ISSO/ISSM. However, use caution and be selective when choosing on which Web Access rules to enable email notification.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check the \"Enable Access Logging\" option and click \"Apply\".\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, right-click the \"Track\" column for each rule and select \"Set\". Click \"New,\" and select \"Email\". \n5. Select \"Custom Recipients\" and click \"Configure Custom Recipients Lists\".\n6. Click \"New,\" provide a name for the list, and enter the ISSO and ISSM email addresses in the \"List Members\" field.\n7. Click \"OK\" and click \"OK\" again. Create message text, and click \"OK\".\n8. Click \"OK\" and click \"OK\" again. Select File >> Install Policy on SG Appliance."},{"id":"499af08a-fd47-4298-bbfe-814c2df392a3","vulnId":"V-94341","severity":"medium","ruleTitle":"Reverse proxy Symantec ProxySG providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.","description":"If inbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs.\n\nInternal monitoring includes the observation of events occurring on the network as they cross internal boundaries at managed interfaces such as web content filters. Depending on the type of ALG, organizations can monitor information systems by monitoring audit activities, application access patterns, characteristics of access, content filtering, or unauthorized exporting of information across boundaries. Unusual/unauthorized activities or conditions may include large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.","checkContent":"Verify that the ProxySG is configured to monitor inbound communication traffic for unusual or unauthorized activities or conditions.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Verify that \"Enable Access Logging\" is checked.\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, verify that each rule has a value other than \"none\" in the \"Track\" column.\n\nIf reverse proxy Symantec ProxySG providing content filtering does not continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions, this is a finding.","fixText":"Configure the ProxySG to monitor inbound communication traffic for unusual or unauthorized activities or conditions.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check the \"Enable Access Logging\" option and click \"Apply\".\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, right-click the \"Track\" column for each rule and select \"Set\".\n5. Click \"New\" and select \"Event Log\"."},{"id":"aa7fbb9d-c148-4115-8dcd-7921a4b4b987","vulnId":"V-94343","severity":"medium","ruleTitle":"Symantec ProxySG providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions.","description":"If outbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs.\n\nInternal monitoring includes the observation of events occurring on the network as they cross internal boundaries at managed interfaces such as web content filters. Depending on the type of ALG, organizations can monitor information systems by monitoring audit activities, application access patterns, characteristics of access, content filtering, or unauthorized exporting of information across boundaries. Unusual/unauthorized activities or conditions may include large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.","checkContent":"Determine what proxy services are enabled on the ProxySG.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Review each service specified in the list with the ProxySG administrator to verify that all remote access traffic has been accounted for.\n4. Click Configuration >> Policy >> Visual Policy Manager >> Launch.\n5. Click each layer and Verify that the \"Source\" and \"Destination\" fields for each rule are set to the organizationally defined sources and destinations.\n\nIf Symantec ProxySG providing content filtering does not continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions, this is a finding.","fixText":"Configure proxy services.\n\n1. Log on to the Web Management Console.\n2. Browse to Configuration >> Services >> Proxy Services.\n3. Review each service specified in the list with the ProxySG administrator to ensure that all remote access traffic has been accounted for and add any that are missing per the ProxySG Administration Guide, Chapter 7: Managing Proxy Services. \n4. Click Configuration >> Policy >> Visual Policy Manager >> Launch.\n5. Click each layer and right-click the \"Source\" and \"Destination\" fields for each rule. Select \"Set\" and set each to the organizationally defined values in accordance with the site's SSP."},{"id":"236f8144-7d11-41cd-91c3-9d26985f0892","vulnId":"V-94345","severity":"medium","ruleTitle":"Symantec ProxySG providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur.","description":"Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information.\n\nSince these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema.\n\nThese systems must generate an alert when detection events from real-time monitoring occur. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The ALG must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.","checkContent":"Verify that the ProxySG is configured to generate alerts for access attempts to unauthorized websites and/or services.\n\n1. Log on to the Web Management console.\n2. Browse to \"Configuration\" and click \"Access Logging. Verify that \"Enable Access Logging\" is checked.\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, verify that each rule has a value of \"Email\" in the \"Track\" column. \n5. Right-click the \"Track\" field for each rule and select \"Edit\".\n6. Click \"Configure Custom Recipients Lists\".\n7. Click any recipient email list in the left side panel and verify that the ISSO's email address is listed in the \"List Members\" panel.\n\nIf Symantec ProxySG providing content filtering does not send an alert to, at a minimum, the ISSO and ISSM when detection events occur, this is a finding.","fixText":"Configure the ProxySG to generate alerts for access attempts to unauthorized websites and/or services.\n\nEmail may be used to send alerts directly to the ISSO/ISSM. However, use caution and be selective when choosing which Web Access rules on which to enable email notification.\n\n1. Log on to the Web Management Console.\n2. Browse to \"Configuration\" and click \"Access Logging\". Check the \"Enable Access Logging\" option and click \"Apply\".\n3. Click Policy >> Visual Policy Manager >> Launch.\n4. For each Web Access Layer, right-click the \"Track\" column for each rule and select \"Set\". Click \"New\" and select \"Email\". \n5. Select \"Custom Recipients\" and click \"Configure Custom Recipients Lists\".\n6. Click \"New,\" provide a name for the list, and enter the ISSO and ISSM email addresses in the \"List Members\" field.\n7. Click \"OK\" and click \"OK\" again. Create message text and click \"OK\".\n8. Click \"OK\" and click \"OK\" again. Select File >> Install Policy on SG Appliance."},{"id":"1f4d4a5e-0459-4e78-9648-efd149c102e5","vulnId":"V-94347","severity":"medium","ruleTitle":"Symantec ProxySG providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial-of-service (DoS) incidents are detected.","description":"$38","checkContent":"Verify that DoS events generate alerts to at least the ISSO and ISSM.\n\n1. SSH into the ProxySG console and type \"enable\".\n2. Enter the correct password and type \"config\". \n3. Press \"Enter\" and type \"show attack-detection configuration\". \n4. Verify that \"client limits enabled\" equals \"true\".\n5. Log on to the Web Management Console.\n6. Browse to Maintenance >> Event Logging and click the \"Mail\" tab. Verify that the ISSO and ISSM email addresses are specified.\n7. Browse to Configuration >> Policy >> Visual Policy Manager. Click \"Launch\".\n8. In each Web Access Layer, find rules that contain an \"Action\" of \"Attack Detection\". \n9. Verify that the \"Track\" field of these rules is set to \"Email\" and that the \"recipients\" are set to at least the ISSO and ISSM.\n\nIf Symantec ProxySG providing content filtering does not generate an alert to, at a minimum, the ISSO and ISSM when DoS incidents are detected, this is a finding.","fixText":"$39"}]}]]}]

Symantec ProxySG ALG Security Technical Implementation Guide

Checks (66)