VMware NSX-T Tier 1 Gateway Firewall STIG Version Comparison
VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide
Comparison
There are 4 differences between versions v1 r1 (March 30, 2022) (the "left" version) and v1 r3 (July 26, 2023) (the "right" version).
Check T1FW-3X-000002 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
The NSX-T Tier-1 Gateway Firewall must not have any unpublished firewall policies or rules.
Check Content
From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. For each Tier-1 Gateway, ensure there are no Unpublished changes. If there is a message for Total Unpublished Changes and Publish is not greyed out, this is a finding.
Discussion
Unpublished firewall rules may be enabled inadvertently and cause unintended filtering or introduce unvetted/unauthorized traffic flows.
Fix
From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules. For each Tier-1 Gateway with Unpublished changes, review any unpublished changes and click either "Revert" or "Publish".