From Firewall Security Requirements Guide Requirements
Part of SRG-NET-000335-FW-000017
Associated with: CCI-001858
Without a real-time alert (less than a second), security personnel may be unaware of an impending failure of the audit functions and system operation may be adversely impacted.
If a network device such as the events, network management, or SNMP server is configured to send an alert when communication is lost with the primary/centralized events server, this is not a finding. Verify the firewall is configured to send an alert via instant message, email, SNMP, or another authorized method to the SCA, ISSO, and other identified personnel when communication is lost with the primary/centralized events server. If the firewall is not configured to send an alert via an approved and immediate method for any log failure event where communication is lost with the primary/centralized events server, this is not a finding.
Configure the firewall (or another network device) to send an alert via instant message, email, or another authorized method to the SCA, ISSO, and other identified personnel for any log failure event where the filtering functions are unable to write events to the primary/centralized events server. Either implement a connection-oriented communications solution (e.g., TCP) or implement a heartbeat with the centralized events server and send an alert if it is unreachable.
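The heartbeat option described above, as an added example that is not part of the SRG or of any vendor's firmware: a monitor that probes the centralized events server over TCP and raises one alert when it becomes unreachable and one when it returns. The `alert` callable, the host name and the port are assumptions standing in for the site's approved alert channel and events server.

```python
import socket
import time

def probe(host, port, timeout=0.5):
    """One heartbeat: True if a TCP connection to the events server completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, DNS failure
        return False

class HeartbeatMonitor:
    """Alerts once when the events server is lost and once when it returns."""

    def __init__(self, host, port, alert, max_missed=1, timeout=0.5):
        self.host, self.port = host, port
        self.alert = alert            # assumed callable wrapping email/IM/SNMP
        self.max_missed = max_missed  # consecutive misses before alerting
        self.timeout = timeout
        self.missed = 0
        self.down = False

    def tick(self):
        """Run one heartbeat; return True if the server answered."""
        target = f"{self.host}:{self.port}"
        if probe(self.host, self.port, self.timeout):
            if self.down:
                self.alert(f"RECOVERED: events server {target} reachable again")
            self.missed, self.down = 0, False
            return True
        self.missed += 1
        if not self.down and self.missed >= self.max_missed:
            self.down = True  # latch so an outage produces one alert, not a flood
            self.alert(f"LOST: events server {target} missed {self.missed} heartbeat(s)")
        return False

    def run(self, interval=0.5):
        """Poll forever; interval plus timeout bounds the detection delay."""
        while True:
            self.tick()
            time.sleep(interval)

if __name__ == "__main__":
    # Placeholder host and port; print stands in for the real alert channel.
    HeartbeatMonitor("events.example.internal", 6514, print).run()
```

A successful TCP connect shows only that the events server is accepting connections, not that it is storing events, so pair the heartbeat with a check on the server side that records are arriving.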