The Cisco ACI must be configured to log all packets that have been dropped.
Overview
Finding ID: V-272075
Version: CACI-RT-000015
Rule ID: SV-272075r1114309_rule
IA Controls:
Severity: Low
Description
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done or attempted to be done, and by whom, to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack or identify a configuration mistake on the device.
To configure Cisco ACI to log all dropped packets, enable the "OpFlex Drop Log" feature, which logs any packet dropped in the data path and so captures every packet the fabric drops because of a policy mismatch or any other cause. This is done by setting the "log" directive within security policies when defining filter rules on contracts within the tenant.
Check Text
Use the APIC GUI to navigate to each tenant. Within each contract, review each rule with "Action" set to "Deny". Verify that these rules have the "Directive" set to "Log".
If packets being dropped at interfaces are not logged, this is a finding.
Fix Text (F-76032r1064190_fix)
Configure ACLs to log packets that are dropped. Use the APIC GUI to navigate to each tenant:
1. Go to the contract section and either create a new contract or modify an existing one where drop logging is to be implemented.
2. Within the contract, create the necessary filter rules based on the desired criteria (e.g., source/destination IP, port, protocol) and set the "Action" to "Deny" with the "Directive" set to "Log".
3. Assign the contract to the relevant endpoint groups (EPGs) to enforce the policy on traffic between them.
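The check above is a per-tenant, per-contract review in the GUI. The script below is an added example (not DISA or Cisco code) that performs the same review over a saved APIC JSON export: it lists every filter rule whose action is "deny" but whose directives do not include "log". It assumes the APIC REST envelope shape ({"imdata": [{"<class>": {"attributes": {...}}}]}), that filter attachments are objects of class vzRsSubjFiltAtt (contract subject) or vzRsFiltAtt (one-way in/out terms), and that their "action" and "directives" attributes carry "permit"/"deny" and a comma-separated directive list such as "log" or "no_stats". Those class and attribute names are assumptions to verify against your APIC release; the sample export, tenant names and filter names are constructed.

```python
"""Audit an APIC JSON export for "Deny" contract rules that lack the "Log" directive.

Added example for the CACI-RT-000015 check; not DISA or Cisco code. Assumed:
the export uses the APIC REST envelope {"imdata": [{"<class>": {"attributes": {...}}}]},
filter attachments are class vzRsSubjFiltAtt (contract subject) or vzRsFiltAtt
(in/out terms), and "action" / "directives" hold "permit"|"deny" and a
comma-separated directive list ("log", "no_stats"). Verify against your APIC.
"""
import json
import sys

# Object classes that carry a filter rule's action/directives (assumed names).
FILTER_ATTACH_CLASSES = ("vzRsSubjFiltAtt", "vzRsFiltAtt")

# Constructed sample export: two tenants, four filter attachments.
# Only "deny-telnet" satisfies the check; "deny-ftp" and "deny-all" drop
# traffic without logging it.
SAMPLE_EXPORT = json.dumps({
    "totalCount": "4",
    "imdata": [
        {"vzRsSubjFiltAtt": {"attributes": {
            "dn": "uni/tn-prod/brc-web-to-db/subj-sql/rssubjFiltAtt-allow-sql",
            "tnVzFilterName": "allow-sql", "action": "permit", "directives": ""}}},
        {"vzRsSubjFiltAtt": {"attributes": {
            "dn": "uni/tn-prod/brc-web-to-db/subj-sql/rssubjFiltAtt-deny-telnet",
            "tnVzFilterName": "deny-telnet", "action": "deny", "directives": "log"}}},
        {"vzRsSubjFiltAtt": {"attributes": {
            "dn": "uni/tn-prod/brc-web-to-db/subj-sql/rssubjFiltAtt-deny-ftp",
            "tnVzFilterName": "deny-ftp", "action": "deny", "directives": ""}}},
        {"vzRsFiltAtt": {"attributes": {
            "dn": "uni/tn-dev/brc-any/subj-any/intmnl/rsfiltAtt-deny-all",
            "tnVzFilterName": "deny-all", "action": "deny", "directives": "no_stats"}}},
    ],
})


def tenant_of(dn):
    """Pull the tenant name out of a distinguished name such as uni/tn-prod/..."""
    for part in dn.split("/"):
        if part.startswith("tn-"):
            return part[3:]
    return "<unknown>"


def parse_filter_rules(export_json):
    """Flatten the APIC envelope into dicts: dn, tenant, filter, action, directives."""
    rules = []
    for mo in json.loads(export_json).get("imdata", []):
        for cls, body in mo.items():
            if cls not in FILTER_ATTACH_CLASSES:
                continue
            attrs = body.get("attributes", {})
            dn = attrs.get("dn", "")
            # "directives" is a comma-separated list; normalise it to a set.
            directives = {d.strip().lower()
                          for d in attrs.get("directives", "").split(",") if d.strip()}
            rules.append({
                "dn": dn,
                "tenant": tenant_of(dn),
                "filter": attrs.get("tnVzFilterName", ""),
                "action": attrs.get("action", "permit").lower(),
                "directives": directives,
            })
    return rules


def unlogged_deny_rules(rules):
    """The STIG condition: action is Deny but the Log directive is absent."""
    return [r for r in rules if r["action"] == "deny" and "log" not in r["directives"]]


def audit(export_json):
    """Summarise the export; 'compliant' is False if any deny rule is unlogged."""
    rules = parse_filter_rules(export_json)
    findings = unlogged_deny_rules(rules)
    return {
        "deny_rules": sum(1 for r in rules if r["action"] == "deny"),
        "findings": [f'{r["tenant"]}: {r["filter"]} ({r["dn"]})' for r in findings],
        "compliant": not findings,
    }


if __name__ == "__main__":
    # Pass the path of a saved export (e.g. the response to
    # GET /api/class/vzRsSubjFiltAtt.json), or run with no argument for the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    result = audit(source)
    print(f"Deny rules: {result['deny_rules']}, unlogged: {len(result['findings'])}")
    for line in result["findings"]:
        print("FINDING (CACI-RT-000015):", line)
```

Each finding names the tenant, filter and full distinguished name, which maps directly onto the GUI path a reviewer would open to set "Directive" to "Log". Because the script keys on the directive list rather than on a specific class, adding another attachment class to FILTER_ATTACH_CLASSES is all that is needed if your APIC release stores one-way term filters under a different name.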