An error occurred:

Check: JUEX-RT-000260

Juniper EX Series Switches Router STIG: JUEX-RT-000260 (in versions v1 r3 through v1 r1)

Title

The Juniper router must be configured to log all packets that have been dropped. (Cat III impact)

Discussion

Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack or identify a configuration mistake on the device.

Check Content

Review the router interface firewall filters to verify all deny statements are logged. At a minimum, all discarding filter terms must have the "syslog" action enabled. Verify all discarding firewall filter terms are configured with (minimally) the "syslog" action: [edit firewall] family inet { filter <filter name> { term <name> { from { <match conditions>; } then { log; syslog; <<< Must be enabled for local and external syslog. discard; } } } } family inet6 { filter <filter name> { term <name> { from { <match conditions>; } then { log; syslog; <<< Must be enabled for local and external syslog. discard; } } } } If packets being dropped are not logged, this is a finding.

Fix Text

Configure interface firewall filters to log all deny statements. All discarding firewall filter terms: <filter terms and match conditions> set firewall family inet filter <filter name> term <name> then log set firewall family inet filter <filter name> term <name> then syslog <<< Minimally must be configured for all discarding filter terms. set firewall family inet filter <filter name> term <name> then discard <filter terms and match conditions> set firewall family inet6 filter <filter name> term <name> then log set firewall family inet6 filter <filter name> term <name> then syslog <<< Minimally must be configured for all discarding filter terms. set firewall family inet6 filter <filter name> term <name> then discard

Additional Identifiers

Rule ID: SV-253998r844027_rule

Vulnerability ID: V-253998

Group Title: SRG-NET-000078-RTR-000001

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000134

The information system generates audit records containing information that establishes the outcome of the event.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-3

Content Of Audit Records