Check: SRG-NET-000399-FW-000008
Firewall SRG: SRG-NET-000399-FW-000008 (in versions v2 r3 through v1 r1)
Title
The firewall must be configured to allow authorized users to record a packet capture based on IP, traffic type (TCP, UDP, or ICMP), or protocol. (Cat II impact)
Discussion
Without the ability to capture, record, and log content related to a user session, investigations into suspicious user activity would be hampered. This configuration ensures the ability to select specific sessions to capture in order to support general auditing/incident investigation or to validate suspected misuse.
Check Content
View the documented process for packet capture. Verify the firewall allows authorized users to perform a packet capture based on IP, traffic type (TCP, UDP, or ICMP), or protocol. If the firewall is not configured to allow authorized users to capture, record, and log all content related to a user session, this is a finding.
Fix Text
Document a process for authorized users to capture, record, and log all content based on IP, traffic type (TCP, UDP, or ICMP), or protocol.
Additional Identifiers
Rule ID: SV-206712r604133_rule
Vulnerability ID: V-206712
Group Title: SRG-NET-000399
CCIs
Number | Definition |
---|---|
CCI-001462 | The information system provides the capability for authorized users to capture/record and log content related to a user session. |
Controls
Number | Title |
---|---|
AU-14 (2) | Capture/Record And Log Content |