Rule ID
SV-265443r999917_rule
Version
V1R2
CCIs
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Redirect ICMP messages are commonly used by attackers for network mapping and diagnosis.
If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> Gateway Specific Rules, and choose each Tier-0 Gateway in the drop-down menu. Review each Tier-0 Gateway Firewalls rules to verify one exists to drop ICMP redirects. If a rule does not exist to drop ICMP redirects, this is a finding.
To configure a shared rule to drop ICMP unreachable messages, do the following: From the NSX Manager web interface, go to Security >> Policy Management >> Gateway Firewall >> All Shared Rules. Click "Add Rule" (add a policy first if needed). Under "Services", select "ICMP Redirect", and then click "Apply". To enable logging, under the "Applied To" field, select the target Tier-0 gateways' external interfaces, and then click "Publish" to enforce the new rule. Note: A rule can also be created under Gateway Specific Rules to meet this requirement.