VMware NSX-T Distributed Firewall STIG Version Comparison
VMware NSX-T Distributed Firewall Security Technical Implementation Guide
Comparison
There are 2 differences between versions v1 r1 (March 30, 2022) (the "left" version) and v1 r3 (July 26, 2023) (the "right" version).
Check TDFW-3X-000002 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
The NSX-T Distributed Firewall must not have any unpublished firewall policies or rules.
Check Content
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules. If a "Total Unpublished Changes" message is displayed and the "Publish" button is not greyed out, this is a finding.
Discussion
Unpublished firewall rules may be enabled inadvertently and cause unintended filtering or introduce unvetted/unauthorized traffic flows.
Fix
From the NSX-T Manager web interface, go to Security >> Distributed Firewall >> Category Specific Rules. Review any unpublished changes, and click either "Revert" or "Publish".