The NSX-T Distributed Firewall must verify time-based firewall rules.
An XCCDF Rule
Description
<VulnDiscussion>With time windows, security administrators can restrict traffic from a source or to a destination to a specific time period. A time window applies to a firewall policy section and to every rule in that section. Each policy section can have at most one time window, and the same time window can be applied to more than one policy section. To apply the same rule on different days or at different times for different sites, create a separate policy section for each schedule. Time-based rules are available for the distributed and gateway firewalls on both ESXi and KVM hosts. Because a time window changes when a section's rules are enforced without changing the rules themselves, a malicious actor with policy-edit rights could attach a narrow window to a section and effectively disable its rules while the rule list still looks intact to firewall administrators. Time windows must therefore be verified at deployment and periodically re-checked against the approved configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-251733r810053_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules.
Navigate to the offending Category and Policy section, click the clock icon on that Policy, then delete the time window or modify it to match the approved schedule. Click "Apply".
After all changes are made, click "Publish" so the corrected policy is pushed to the hosts; time window changes are not enforced until they are published.
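The manual procedure above finds time windows one policy section at a time in the UI. For periodic verification across many sections, the same data can be pulled from the NSX-T Policy API and diffed against the list of approved windows. The script below is an added example written for this page; it is not DISA's check text or VMware's tooling. It assumes that the SecurityPolicy objects returned by GET /policy/api/v1/infra/domains/<domain>/security-policies carry a scheduler_path attribute naming the attached time window (confirm the attribute name against the API reference for your NSX-T release), and the embedded JSON is a constructed sample, with placeholder scheduler_path values, rather than a capture from a real manager.

```python
"""Audit NSX-T security policy sections for attached time windows.

Added example for this STIG rule, not part of the rule text or of NSX-T.
Assumption: a policy section with a time window exposes it as the
``scheduler_path`` attribute on the SecurityPolicy object; an absent or
empty value means the section's rules are enforced at all times.
"""
import base64
import json
import ssl
import urllib.request

# Constructed sample of the JSON returned by
# GET /policy/api/v1/infra/domains/default/security-policies, trimmed to the
# fields this check reads. Not captured from a real manager; the
# scheduler_path values are placeholders.
SAMPLE_RESPONSE = {
    "results": [
        {
            "id": "default-layer3-section",
            "display_name": "Default Layer3 Section",
            "category": "Application",
        },
        {
            "id": "web-tier-policy",
            "display_name": "Web Tier",
            "category": "Application",
            "scheduler_path": "/infra/time-windows/business-hours",  # placeholder
        },
        {
            "id": "emergency-block",
            "display_name": "Emergency Block",
            "category": "Emergency",
            "scheduler_path": "/infra/time-windows/sunday-0200-0215",  # placeholder
        },
    ],
    "result_count": 3,
}


def find_scheduled_policies(payload):
    """Return (id, display_name, category, scheduler_path) for every policy
    section that has a time window attached."""
    found = []
    for policy in payload.get("results", []):
        window = policy.get("scheduler_path")
        if window:  # None or "" means no time window on this section
            found.append((policy["id"], policy.get("display_name", ""),
                          policy.get("category", ""), window))
    return found


def audit_time_windows(payload, approved_windows):
    """Apply the rule's intent: every time window in use must be one the
    firewall administrators have documented and approved. Returns the ids
    of policy sections carrying an unapproved window (each is a finding)."""
    return [pid for pid, _name, _cat, window in find_scheduled_policies(payload)
            if window not in approved_windows]


def fetch_security_policies(manager, user, password, domain="default",
                            verify_tls=True):
    """Pull the live policy list from NSX-T Manager over HTTPS basic auth.
    Not exercised by the sample run below."""
    url = f"https://{manager}/policy/api/v1/infra/domains/{domain}/security-policies"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Windows the administrators have signed off on. "emergency-block" uses a
    # window that is not on the list, so it is reported as a finding to be
    # deleted or modified in NSX-T Manager and then published.
    approved = {"/infra/time-windows/business-hours"}
    for pid, name, cat, window in find_scheduled_policies(SAMPLE_RESPONSE):
        print(f"{cat}/{name} ({pid}) -> {window}")
    findings = audit_time_windows(SAMPLE_RESPONSE, approved)
    print("findings:", findings or "none")
```

To run it against a live manager, replace SAMPLE_RESPONSE with the return value of fetch_security_policies(); the Policy API pages large result sets with a cursor field, so follow the cursor when a domain has more sections than fit in one page. The approved-windows set is the authoritative list from your firewall change records, and any finding should be resolved with the manual procedure above rather than by editing the list.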