| ARBA-VN-000040 - AOS, when used as a VPN Gateway, must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | ACCESS CONTROL |
| ARBA-VN-000110 - The Remote Access VPN Gateway and/or client must display the Standard Mandatory DOD Notice and Consent Banner before granting remote access to the network. | ACCESS CONTROL |
| ARBA-VN-000170 - AOS, when used as a VPN Gateway, must limit the number of concurrent sessions for user accounts to one or to an organization-defined number. | ACCESS CONTROL |
| ARBA-VN-000220 - AOS, when used as a VPN Gateway, must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| ARBA-VN-000470 - The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). | CONFIGURATION MANAGEMENT |
| ARBA-VN-000480 - For site-to-site VPN implementations using AOS, the Layer 2 Tunneling Protocol (L2TP) must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave. | CONFIGURATION MANAGEMENT |
| ARBA-VN-000490 - The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | IDENTIFICATION AND AUTHENTICATION |
| ARBA-VN-000540 - AOS, when used as a VPN Gateway, must uniquely identify all network-connected endpoint devices before establishing a connection. | IDENTIFICATION AND AUTHENTICATION |
| ARBA-VN-000560 - AOS, when used as a VPN Gateway and using public key infrastructure (PKI)-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | IDENTIFICATION AND AUTHENTICATION |
| ARBA-VN-000580 - The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+] to perform user authentication. | IDENTIFICATION AND AUTHENTICATION |
| ARBA-VN-000710 - AOS, when used as a VPN Gateway, must be configured to route sessions to an intrusion detection and prevention system (IDPS) for inspection. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARBA-VN-000720 - AOS, when used as a VPN Gateway, must terminate all network connections associated with a communications session at the end of the session. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARBA-VN-000721 - The Remote Access VPN Gateway must terminate remote access network connections after an organization-defined time period. | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| ARBA-VN-001090 - AOS, when used as an IPsec VPN Gateway, must use Advanced Encryption Standard (AES) encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| ARBA-VN-001300 - AOS, when used as a VPN Gateway, must renegotiate the security association after 24 hours or less or as defined by the organization. | IDENTIFICATION AND AUTHENTICATION |
| ARBA-VN-001370 - AOS, when used as a VPN Gateway, must authenticate all network-connected endpoint devices before establishing a connection. | IDENTIFICATION AND AUTHENTICATION |
| ARBA-VN-001460 - AOS, when used as a VPN Gateway, must use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARBA-VN-001620 - AOS, when used as a VPN Gateway, must disable split-tunneling for remote client VPNs. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARBA-VN-001640 - AOS, when used as an IPsec VPN Gateway, must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARBA-VN-002220 - AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs). | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| ARBA-VN-002430 - AOS, when used as a VPN Gateway, must not accept certificates that have been revoked when using PKI for authentication. | IDENTIFICATION AND AUTHENTICATION |