An error occurred:

Check: SRG-NET-000236-FW-000027

Firewall SRG: SRG-NET-000236-FW-000027 (in versions v2 r3 through v1 r0.1)

Title

In the event of a system failure of the firewall function, the firewall must be configured to save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted. (Cat II impact)

Discussion

Failure to a secure state can address safety or security in accordance with the mission needs of the organization. Failure to a secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving state information helps to facilitate the restart of the firewall application and a return to the operational mode with less disruption. This requirement applies to a failure of the firewall function rather than the device or operating system as a whole, which is addressed in the Network Device Management SRG. Since it is usually not possible to test this functionality in a production environment, systems should be validated either in a testing environment or prior to installation. This requirement is usually a function of the design of the firewall. Compliance can be verified by acceptance/validation processes or vendor attestation.

Check Content

View the firewall failover configuration or system documentation. Verify that in the event of a system failure of the firewall function, the firewall saves diagnostic information, logs system messages, and loads the most current security policies, rules, and signatures. Testing of this functionality in a production environment is not recommended. If in the event of a system failure of the firewall function the firewall does not save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted, this is a finding.

Fix Text

Configure the firewall to fail securely in the event of a transiently corrupt state or failure condition. When the system restarts, the system boot process must not succeed without passing all self-tests for cryptographic algorithms, RNG tests, and software integrity tests.

Additional Identifiers

Rule ID: SV-206698r604133_rule

Vulnerability ID: V-206698

Group Title: SRG-NET-000236

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001665

The information system preserves organization-defined system state information in the event of a system failure.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-24

Fail In Known State