VMware NSX-T Distributed Firewall Security Technical Implementation Guide
SRG-NET-000019-FW-000003
An XCCDF Group - A logical subset of the XCCDF Benchmark
1 Rule
<GroupDescription></GroupDescription>
The NSX-T Distributed Firewall must verify time-based firewall rules.
Medium Severity
<VulnDiscussion>With time windows, security administrators can restrict traffic from a source or to a destination for a specific time period. A time window applies to a firewall policy section and to every rule in that section. Each firewall policy section can have one time window, and the same time window can be applied to more than one policy section. If the same rule must apply on different days or at different times for different sites, more than one policy section must be created. Time-based rules are available for distributed and gateway firewalls on both ESXi and KVM hosts. If time windows are not verified and periodically reviewed, a malicious actor could create or modify a time window so that a section's rules are enforced only during a narrow or already-expired window, effectively disabling them while they still appear present and enabled to firewall administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
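The discussion above describes the data model (one time window per policy section, reusable across sections) and the risk (a window that quietly limits when a section's rules apply). The following script is an added example, not part of the STIG or of VMware's tooling, showing how a periodic verification of time windows could be automated against exported NSX-T Policy API data. It assumes that security policies carry a scheduler_path attribute pointing at a firewall scheduler object, that schedulers expose recurring, days, start_date, end_date and time_interval fields (names taken from the NSX-T 3.x Policy API and to be checked against the deployed version), and that dates are ISO formatted; the sample records are constructed for illustration.

```python
"""Audit NSX-T DFW security policies for time windows (added example).

Assumptions (not verified against a live system):
  * policy objects have an optional 'scheduler_path' (Policy API attribute),
  * schedulers live under '/infra/firewall-schedulers/<id>' with the fields
    'recurring', 'days', 'start_date', 'end_date', 'time_interval',
  * start_date/end_date are ISO 'YYYY-MM-DD' strings.
Field names come from the NSX-T 3.x Policy API as remembered here; confirm
them against the API reference of the deployed release before relying on it.
"""
import json
from datetime import date

# Constructed sample data standing in for trimmed Policy API responses.
SAMPLE_SCHEDULERS = [
    {"id": "business-hours", "path": "/infra/firewall-schedulers/business-hours",
     "recurring": True, "days": ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY"],
     "time_interval": [{"start_time": "08:00", "end_time": "18:00"}]},
    {"id": "migration-2023", "path": "/infra/firewall-schedulers/migration-2023",
     "recurring": False, "start_date": "2023-03-01", "end_date": "2023-03-07",
     "time_interval": [{"start_time": "00:00", "end_time": "23:59"}]},
]

SAMPLE_POLICIES = [
    # No scheduler: rules apply at all times, nothing to report.
    {"id": "app-tier", "rules": [{"id": "allow-web", "action": "ALLOW"}]},
    # A deny section on a schedule: outside business hours RDP is NOT blocked here.
    {"id": "block-rdp", "scheduler_path": "/infra/firewall-schedulers/business-hours",
     "rules": [{"id": "deny-rdp", "action": "DROP"}]},
    # Same scheduler reused by a second section, as the STIG text allows.
    {"id": "db-backup", "scheduler_path": "/infra/firewall-schedulers/business-hours",
     "rules": [{"id": "allow-backup", "action": "ALLOW"}]},
    # One-off window that ended long ago: the section's rules never apply any more.
    {"id": "legacy-migration", "scheduler_path": "/infra/firewall-schedulers/migration-2023",
     "rules": [{"id": "allow-legacy", "action": "ALLOW"}]},
    # Reference to a scheduler that no longer exists.
    {"id": "orphaned", "scheduler_path": "/infra/firewall-schedulers/does-not-exist",
     "rules": [{"id": "allow-x", "action": "ALLOW"}]},
]

DENY_ACTIONS = {"DROP", "REJECT"}


def audit_time_windows(policies, schedulers, today):
    """Return a list of findings, one dict per issue, for scheduled policy sections."""
    by_path = {s["path"]: s for s in schedulers}
    users = {}  # scheduler path -> ids of the sections that reference it
    findings = []

    for pol in policies:
        spath = pol.get("scheduler_path")
        if not spath:
            continue  # unscheduled section: rules are always in force
        users.setdefault(spath, []).append(pol["id"])

        sched = by_path.get(spath)
        if sched is None:
            findings.append({"policy": pol["id"], "severity": "high",
                             "issue": "dangling-scheduler", "detail": spath})
            continue

        # A non-recurring window whose end date has passed means the whole
        # section is silently inert, which is the scenario the STIG warns about.
        if not sched.get("recurring", False) and "end_date" in sched:
            if date.fromisoformat(sched["end_date"]) < today:
                findings.append({"policy": pol["id"], "severity": "high",
                                 "issue": "window-expired", "detail": sched["end_date"]})

        # Deny rules inside a scheduled section only block traffic during the
        # window; outside it, traffic falls through to later sections or the
        # default rule. That is usually not what the rule author intended.
        deny_rules = [r["id"] for r in pol.get("rules", []) if r.get("action") in DENY_ACTIONS]
        if deny_rules:
            findings.append({"policy": pol["id"], "severity": "medium",
                             "issue": "deny-rules-time-limited", "detail": ",".join(deny_rules)})

    # Informational: one window shared by several sections, so a change to it
    # alters the enforcement of every one of them at once.
    for spath, ids in users.items():
        if len(ids) > 1:
            findings.append({"policy": ",".join(ids), "severity": "info",
                             "issue": "shared-scheduler", "detail": spath})
    return findings


if __name__ == "__main__":
    for f in audit_time_windows(SAMPLE_POLICIES, SAMPLE_SCHEDULERS, date.today()):
        print(json.dumps(f))
```

In practice the two lists would come from GET /policy/api/v1/infra/domains/default/security-policies (with rules fetched per policy) and the scheduler listing for the same NSX Manager; the output should be compared against the approved change record for each time window on the review cadence the organisation has set, and any window not in that record treated as an unauthorised change.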