AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.

An XCCDF Rule

Description

Unrestricted traffic may contain malicious traffic, which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. VPN traffic received from another enclave with different security policy or level of trust must not bypass being inspected by the firewall before being forwarded to the private network.

ID: SV-266992r1040904_rule
Version: ARBA-VN-000040
Severity: Medium
References: CCI-001414
Updated: about 2 months ago

Remediation Templates

Configure AOS with the following commands: 
configure terminal
ip access-list session <name>
network <A.B.C.D> <netmask A.B.C.D> any any permit
any any any deny log
ipv6 network <X:X:X:X::X/<0-128> any any permitipv6 any any any deny log
exit
write memory
interface gigabit <#/#/#>
ip access-group session <ACL name>
exit
write mem

AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.

Description

Remediation Templates

A Manual Procedure