The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.

An XCCDF Rule

Description

<VulnDiscussion>The route processor handles traffic destined to the router, the key component used to build forwarding paths, and is also instrumental with all network management functions. Hence, any disruption or DoS attack to the route processor can result in mission critical network outages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251749r810131_rule
Severity: High
References: CCI-001097
Updated: about 1 year ago

To configure firewall rule(s) to restrict traffic destined to interfaces on a Tier-0 Gateway do the following:

From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and select the target Tier-0 Gateway from the drop-down.

Click "Add Rule" (Add a policy first if needed) and configure the destinations to include all IPs for external interfaces.
Update the action to "Drop" or "Reject".

Enable logging, then under the "Applied To" field, select the target Tier-0 Gateways and click "Publish" to enforce the new rule.

Other rules may be constructed to allow traffic to external interface IPs if required above this default deny rule.

The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.

Description

Remediation - Manual Procedure