topic Re: fail to secure state in Network Security

fail to secure state

Jeff Horton — Tue, 23 Aug 2022 17:27:24 GMT

Is there a way to configure the ASA 5555X to fail to a secure state upon a failure?

Re: fail to secure state

Marvin Rhoads — Tue, 23 Aug 2022 17:43:17 GMT

Failure can mean many things - from the box crashing to an interface going down to a bug causing certain traffic to be mishandled. Obviously if the former happens no traffic will pass through the device. I suppose you could call that "fail to a secure state".

We would need to know more about the context of your question to answer your original question better.

Re: fail to secure state

Jeff Horton — Tue, 23 Aug 2022 18:00:10 GMT

There is a DISA STIG that has the following requirement: The firewall must fail to a secure state upon the failure of the following: system initialization, shutdown, or system abort.

Thanks for the quick response.

Re: fail to secure state

Jeff Horton — Tue, 23 Aug 2022 18:05:41 GMT

The fix text says: Configure the firewall to stop forwarding traffic or maintain the configured security policies up the failure of the following actions: system initialization, shutdown, or system abort.

Could I create an EEM that shuts down ports incase of one of the actions? If so, what syslog id would I get the EEM to monitor?

Sorry for so many questions. This has been biting me for a long time now and I have to fix with a solution or they will have to accept a risk acceptance.

Re: fail to secure state

Jeff Horton — Wed, 24 Aug 2022 01:34:56 GMT

I believe I have found the answer in another question in the community forum.

https://community.cisco.com/t5/network-security/when-an-asa-device-fails-does-it-fail-in-open-state-or-closed/m-p/1631848/highlight/true