The NSX-T Manager must enable the global FIPS compliance mode for load balancers.

An XCCDF Rule

Description

<VulnDiscussion>If unsecured protocols (lacking cryptographic mechanisms) are used for load balancing, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data at risk of compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251800r879588_rule
Severity: Medium
References: CCI-000382
Updated: about 1 year ago

Execute the following API call using curl or another REST API client:

PUT https://<nsx-mgr>/policy/api/v1/infra/global-config

Example request body:
{
    "fips": {
        "lb_fips_enabled": true
    },
    "resource_type": "GlobalConfig",
    "_revision": 2
}

The global setting is used when the new load balancer instances are created. Changing the setting does not affect existing load balancer instances.

To update existing load balancers to use this setting, do the following:

From the NSX-T Manager web interface, go to the Networking >> Load Balancing  and then click "Edit" on the target load balancer.

In the attachment field, click the "X" to detach the load balancer from its current Gateway and click "Save".

Edit the target load balancer again, reattach it to its Gateway, and then click "Save".

Caution: Detaching a load balancer from the tier-1 gateway results in a traffic interruption for the load balancer instance.

The NSX-T Manager must enable the global FIPS compliance mode for load balancers.

Description

Remediation - Manual Procedure