Forescout must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and Forescout for the purposes of client posture assessment. This is required for compliance with C2C Step 1.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-233332 | FORE-NC-000270 | SV-233332r811414_rule | Medium |
| Description |
| Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. |
| STIG | Date |
| Forescout Network Access Control Security Technical Implementation Guide | 2025-06-12 |
Details
| Check Text (C-36527r811413_chk) |
| If DoD is not at C2C Step 1 or higher, this is not a finding. Verify Forescout is configured to a list of DoD-approved certificate types and CAs. Verify the TLS session is configured to automatically terminate any session if the client does not have a suitable certificate. For TLS connections, if Forescout is not configured to use TLS 1.2 at a minimum, this is a finding. |
| Fix Text (F-36492r803481_fix) |
| Configure the SecureConnector to ensure the minimum supported TLS version is set to TLS 1.2. Log on to the Forescout UI. 1. Select Tools >> Options >> Certificates. 2. Check the Ongoing TLS Sessions section, view the Re-verify TLS Sessions. 3. Change the Re-verify TLS Sessions to Every 1 Day or in accordance with the site's SSP, then click "Apply". 4. Next, select the HPS Inspection Engine >> SecureConnector. 5. In the Client-Server Connection, ensure the Minimum Supported TLS Version is set to TLS version 1.2. |