
V-265355

CAT II (Medium)

The NSX Manager must enable the global FIPS compliance mode for load balancers.

Rule ID

SV-265355r994288_rule

STIG

VMware NSX 4.x Manager NDM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

If unsecured protocols (lacking cryptographic mechanisms) are used for load balancing, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data at risk of compromise.

Check Content

From the NSX Manager web interface, go to Home >> Monitoring Dashboards >> Compliance Report.

Review the compliance report for code 72024 with the description "load balancer FIPS global setting disabled".

Note: This may also be checked via the API call GET https://<nsx-mgr>/policy/api/v1/infra/global-config

If the global FIPS setting is disabled for load balancers, this is a finding.

Fix Text

Execute the following API call using curl or another REST API client:

PUT https://<nsx-mgr>/policy/api/v1/infra/global-config

Example request body:

{
  "fips": {
    "lb_fips_enabled": true
  },
  "resource_type": "GlobalConfig",
  "_revision": 2
}

The global setting is used when new load balancer instances are created. Changing the setting does not affect existing load balancer instances.

To update existing load balancers to use this setting, do the following:

From the NSX Manager web interface, go to Networking >> Load Balancing and then click "Edit" on the target load balancer.

In the attachment field, click the "X" to detach the load balancer from its current Gateway and click "Save".

Edit the target load balancer again, reattach it to its Gateway, and then click "Save".

Caution: Detaching a load balancer from the Tier-1 gateway results in a traffic interruption for the load balancer instance.
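
The API check and fix above can be combined into one read-modify-write step. The following is an added example, not part of the STIG text or VMware's own code: it evaluates a GET response for this finding and builds the PUT body from it. It assumes the `_revision` to send is the one the GET returned rather than the literal 2 in the example body, and that a missing "fips" object counts as disabled; the sample response, its "id" and "display_name" fields, and the function names are constructed for illustration.

```python
import copy
import json

# Constructed sample of a GET /policy/api/v1/infra/global-config response.
# The page shows only "fips", "resource_type" and "_revision"; the rest is illustrative.
SAMPLE_GET_RESPONSE = json.loads("""{
  "fips": {"lb_fips_enabled": false},
  "resource_type": "GlobalConfig",
  "id": "global-config",
  "display_name": "global-config",
  "_revision": 7
}""")


def lb_fips_enabled(global_config):
    """True only when fips.lb_fips_enabled is the JSON boolean true."""
    fips = global_config.get("fips")
    # Assumption: a missing or malformed "fips" object is treated as disabled.
    return isinstance(fips, dict) and fips.get("lb_fips_enabled") is True


def is_finding(global_config):
    """V-265355: the global FIPS setting for load balancers is disabled."""
    return not lb_fips_enabled(global_config)


def build_put_body(global_config):
    """Build the PUT body from the GET response, keeping its _revision
    and every other field as the server reported it."""
    if "_revision" not in global_config:
        raise ValueError("GET response has no _revision; not building a PUT body")
    body = copy.deepcopy(global_config)  # never mutate the evidence we read
    if not isinstance(body.get("fips"), dict):
        body["fips"] = {}
    body["fips"]["lb_fips_enabled"] = True
    body["resource_type"] = "GlobalConfig"
    return body


if __name__ == "__main__":
    print("finding:", is_finding(SAMPLE_GET_RESPONSE))
    print(json.dumps(build_put_body(SAMPLE_GET_RESPONSE), indent=2))
```

Re-run the GET after the PUT and pass the new response to `is_finding` to confirm the setting took effect; existing load balancers still need the detach and reattach steps above.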