DISA STIG Cisco ASA FW v1r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA STIG Cisco ASA FW v1r2

Updated: 5/31/2023

Authority: DISA STIG

Plugin: Cisco

Revision: 1.3

Estimated Item Count: 57

Audit Items

Description
CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services - ACL Applied
CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services - ingress ACL
CASA-FW-000020 - The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules - VPN Group Policy
CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules - VPN Rules
CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred - Log Parameters
CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred - Logging Enabled
CASA-FW-000050 - The Cisco ASA must be configured to generate traffic log entries containing information to establish when (date and time) the events occurred.
CASA-FW-000090 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - Buffer Enabled
CASA-FW-000090 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - Queue
CASA-FW-000100 - The Cisco ASA must be configured to use TCP when sending log records to the central audit server - Logging Host
CASA-FW-000100 - The Cisco ASA must be configured to use TCP when sending log records to the central audit server - Logging Permit-hostdown
CASA-FW-000130 - The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture - HTTP
CASA-FW-000130 - The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture - Telnet
CASA-FW-000150 - The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.
CASA-FW-000170 - The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments - ACL
CASA-FW-000170 - The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments - Interface
CASA-FW-000200 - The Cisco ASA must be configured to send log data of denied traffic to a central audit server for analysis - Logging Host
CASA-FW-000200 - The Cisco ASA must be configured to send log data of denied traffic to a central audit server for analysis - Trap Notification
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - From-address
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Logging Errors
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Recipient-address
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Severity
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - smtp
CASA-FW-000220 - The Cisco ASA must be configured to implement scanning threat detection.
CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - ACL
CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - Interface
CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces - ACL
CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces - Interface
CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic - ACL
CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic - Interface
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - ACL
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - authentication
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - crypto ipsec
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - encryption
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - group
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - hash sha
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - inside interface
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - lifetime
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - match address
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - outside interface
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - set ikev1
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - set lifetime
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - set peer
CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - tunnel-group
CASA-FW-000270 - The Cisco ASA must be configured to inspect all inbound and outbound traffic at the application layer.
CASA-FW-000280 - The Cisco ASA must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.
CASA-FW-000290 - The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF) - ACL
CASA-FW-000290 - The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF) - network-object
CASA-FW-000290 - The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF) - URF
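The items above are checks against an ASA running configuration, and most of them reduce to the presence or absence of specific top-level commands or of one command per named interface. The script below is an added example, not Tenable's audit logic and not from the STIG itself: it evaluates a subset of the listed items (CASA-FW-000040, -000050, -000090, -000100, -000130, -000150, -000220, -000230/-000240 and the uRPF branch of -000290) over `show running-config` text. The regexes assume standard ASA CLI syntax (`logging host <nameif> <ip> tcp/<port>`, `access-group <acl> in interface <nameif>`, `ip verify reverse-path interface <nameif>`), the sample configuration is constructed for the demonstration and not taken from a real device, and the 000290 check implements only the uRPF alternative the STIG allows, not the egress-ACL alternative.

```python
"""Offline checker for a subset of the CASA-FW items listed above, run against
ASA 'show running-config' text. Example code, not Tenable's audit logic."""
import re
from typing import Callable, Dict, List, Tuple


def named_interfaces(lines: List[str]) -> List[str]:
    """Collect nameif values from 'interface' sub-mode blocks.
    ASA prints sub-mode lines with a leading space, so a ' nameif' line is
    attributed to the most recent top-level 'interface' line."""
    names, in_iface = [], False
    for ln in lines:
        if re.match(r"interface \S+", ln):
            in_iface = True
        elif ln and not ln.startswith(" "):
            in_iface = False
        m = re.match(r" nameif (\S+)", ln)
        if in_iface and m:
            names.append(m.group(1))
    return names


def has(lines: List[str], pattern: str) -> bool:
    """True when a top-level command matching pattern is present (anchored at column 0)."""
    rx = re.compile(pattern)
    return any(rx.match(ln) for ln in lines)


def all_interfaces(lines: List[str], template: str) -> bool:
    """True when every named interface has the per-interface command in template."""
    names = named_interfaces(lines)
    return bool(names) and all(has(lines, template.format(re.escape(n))) for n in names)


# STIG ID -> (what the check looks for, predicate over config lines)
CHECKS: Dict[str, Tuple[str, Callable[[List[str]], bool]]] = {
    "CASA-FW-000040": ("logging enabled", lambda ls: has(ls, r"logging enable$")),
    "CASA-FW-000050": ("timestamps on log records", lambda ls: has(ls, r"logging timestamp$")),
    "CASA-FW-000090": ("local buffer and queue configured",
        lambda ls: has(ls, r"logging buffered \S+") and has(ls, r"logging queue \d+")),
    "CASA-FW-000100": ("syslog host over TCP plus permit-hostdown",
        lambda ls: has(ls, r"logging host \S+ \S+ tcp/\d+") and has(ls, r"logging permit-hostdown$")),
    "CASA-FW-000130": ("HTTP server and Telnet access disabled",
        lambda ls: not has(ls, r"http server enable") and not has(ls, r"telnet \d")),
    "CASA-FW-000150": ("basic threat detection", lambda ls: has(ls, r"threat-detection basic-threat$")),
    "CASA-FW-000220": ("scanning threat detection", lambda ls: has(ls, r"threat-detection scanning-threat")),
    "CASA-FW-000230/240": ("an ACL applied inbound on every named interface",
        lambda ls: all_interfaces(ls, r"access-group \S+ in interface {}$")),
    "CASA-FW-000290": ("uRPF on every named interface (uRPF branch only)",
        lambda ls: all_interfaces(ls, r"ip verify reverse-path interface {}$")),
}


def audit(config_text: str) -> Dict[str, bool]:
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    return {sid: pred(lines) for sid, (_, pred) in CHECKS.items()}


def failures(config_text: str) -> List[str]:
    return [sid for sid, ok in audit(config_text).items() if not ok]


# Constructed sample config (not from a real device) with three planted findings:
# no 'logging permit-hostdown', HTTP server left enabled, no uRPF on 'inside'.
SAMPLE = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_OUT extended permit tcp 10.10.0.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended deny ip any any log
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
logging enable
logging timestamp
logging buffered informational
logging queue 8192
logging host inside 10.10.0.50 tcp/1470
http server enable
http 10.10.0.0 255.255.255.0 inside
telnet timeout 5
threat-detection basic-threat
threat-detection scanning-threat shun
ip verify reverse-path interface outside
"""

if __name__ == "__main__":
    for sid, ok in audit(SAMPLE).items():
        print(f"{sid:20} {'PASS' if ok else 'FAIL'}  {CHECKS[sid][0]}")
```

Matching is anchored at column 0 on purpose: ASA indents sub-mode lines by one space, so a global `logging enable` is distinguished from any similarly named keyword inside an interface or policy block. The `telnet \d` pattern catches `telnet <ip> <mask> <nameif>` access lines while ignoring the always-present `telnet timeout` line. Per-interface checks require the command on every `nameif`, which is how the -000230/-000240 and -000290 items are worded; a configuration with no named interfaces fails those checks rather than passing vacuously.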