The firewall must be configured to send traffic log records to a centralized events server for management and configuration of the traffic log records.

From Firewall Security Requirements Guide Requirements

Part of SRG-NET-000333-FW-000014

Associated with: CCI-001844

SRG-NET-000333-FW-000014_rule The firewall must be configured to send traffic log records to a centralized events server for management and configuration of the traffic log records.

Vulnerability discussion

Without the ability to centrally manage the content captured in the traffic log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.The DoD requires centralized management of all network component audit record content. Network components requiring centralized audit log management must have the ability to support centralized management. The content captured in traffic log records must be managed from a central location (necessitating automation). Centralized management of traffic log records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Ensure at least one syslog server is configured on the firewall.If the product inherently has the ability to store log records locally, the local log must also be secured. However, this requirement is not met since it calls for a use of a central log.

Check content

Examine the audit log configuration on the firewall. Verify the firewall is configured to send traffic log audit events to the organization's central events server. If the firewall is not configured to send traffic log events to the organization's central events server, this is a finding.

Fix text

Configure the firewall to ensure traffic log events are transmitted to the organization's central events server (e.g., syslog server).

Pro Tips

Powered by sagemincer