The Edge SWG must ensure inbound and outbound traffic is monitored for compliance with remote access security policies.

Severity: medium
Group ID: V-279177
Group Title: SRG-NET-000061-ALG-000009
Version: SYME-00-004200
Rule ID: SV-279177r1170662_rule
Date: 2025-12-16
STIG Version: 1
Description
Automated monitoring of remote access traffic allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by inspecting connection activities of remote access capabilities. Remote access methods include both unencrypted and encrypted traffic (e.g., web portals, web content filter, TLS and webmail). With inbound TLS inspection, the traffic must be inspected prior to being allowed on the enclave's web servers hosting TLS or HTTPS applications. With outbound traffic inspection, traffic must be inspected prior to being forwarded to destinations outside of the enclave, such as external email traffic.

Satisfies: SRG-NET-000061-ALG-000009, SRG-NET-000074-ALG-000043, SRG-NET-000075-ALG-000044, SRG-NET-000076-ALG-000045, SRG-NET-000077-ALG-000046, SRG-NET-000078-ALG-000047, SRG-NET-000079-ALG-000048, SRG-NET-000331-ALG-000041, SRG-NET-000334-ALG-000050, SRG-NET-000402-ALG-000130, SRG-NET-000492-ALG-000027, SRG-NET-000511-ALG-000051, SRG-NET-000513-ALG-000026
Check
1. In the Edge SWG Web UI, navigate to the Visual Policy Manager (VPM).
2. Navigate to "Administration and Event Logging".
3. Scroll down to "Syslog Loghosts".

If there is no Web Access Layer, this is a finding.
If there is a Web Access Layer but the Track is not set or not configured, this is a finding.
If no log hosts are configured, this is a finding.
Fix
1. In the Edge SWG Web UI, navigate to the VPM.
2. Select the Web Access Layer.
3. Click the first block or allow rule.
4. Left-click "Track".
5. Click "Set".
6. Click "Add New Object".
7. Click "Event Log".
8. Under "Details" add the following:
$(appliance.name)
$(appliance.primary_address)
$(c-ip)
$(c-port)
$(c-uri)
$(c-uri-address)
$(c-uri-cookie-domain)
$(c-uri-extension)
$(c-uri-host)
$(c-uri-hostname)
$(c-uri-path)
$(c-uri-pathquery)
$(client.address)
$(client.certificate.subject)
$(client.host)
$(client.public_address)
$(cs-auth-group)
$(cs-categories-policy)
$(date)
$(user.name)
$(user.x509.subject)
9. Under "Category", click "All".
10. Under "Display Options", click "Both".
11. Click "Apply".
12. Repeat these steps for each rule under the Web Access Layer.
13. Click "Apply Policy".

To configure the syslog loghost:
1. In the Edge SWG Web UI, navigate to the Administration tab.
2. Go to "Logging and Event Logging".
3. Scroll down to "syslog loghosts".
4. Click "Add Loghost".
5. Select "TLS".
6. Enter the hostname of the syslog server.
7. Enter the port. For TLS, it is normally 6514.
8. Select the SSL Device Profile that will be used. (Note: The SSL device profile must include the CA certificate chain that signed the certificate of the syslog server if it is different from the ones that signed the web server certificate.)
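One way to automate the Track portion of the check against an exported policy, as an added example that is not part of the STIG or of Broadcom's own tooling: it assumes the VPM Event Log track object appears in the exported policy text as a `log_message("...")` action on each rule line, and reports, per rule, which of the substitution variables required by the Fix are absent. The sample policy below is constructed, not taken from a real appliance.

```python
import re

# Substitution variables the Fix requires in every Event Log track object.
REQUIRED = [
    "appliance.name", "appliance.primary_address", "c-ip", "c-port", "c-uri",
    "c-uri-address", "c-uri-cookie-domain", "c-uri-extension", "c-uri-host",
    "c-uri-hostname", "c-uri-path", "c-uri-pathquery", "client.address",
    "client.certificate.subject", "client.host", "client.public_address",
    "cs-auth-group", "cs-categories-policy", "date", "user.name",
    "user.x509.subject",
]
SUBST_RE = re.compile(r"\$\(([^)]+)\)")
# Assumption: the VPM Event Log track object shows up in exported policy
# text as a log_message("...") action on the rule line.
LOG_MSG_RE = re.compile(r'log_message\("([^"]*)"\)')


def audit_layer(policy_text: str) -> list[tuple[int, list[str]]]:
    """Return (rule_number, missing_fields) for each rule line.

    Layer headers ('<...>') and comments (';') are skipped. A rule with no
    log_message() action is reported with every field missing (Track not set).
    """
    findings = []
    for line in filter(None, (raw.strip() for raw in policy_text.splitlines())):
        if line.startswith(("<", ";")):
            continue
        m = LOG_MSG_RE.search(line)
        present = set(SUBST_RE.findall(m.group(1))) if m else set()
        findings.append((len(findings) + 1, [f for f in REQUIRED if f not in present]))
    return findings


def is_finding(policy_text: str) -> bool:
    """STIG check outcome: any rule missing any required field is a finding."""
    return any(missing for _, missing in audit_layer(policy_text))


# Constructed sample policy (not from a real appliance): rule 1 is compliant,
# rule 2 logs only three fields, rule 3 has no Track at all.
FULL_DETAILS = "".join(f"$({f})" for f in REQUIRED)
SAMPLE_POLICY = f"""\
; Web Access Layer exported from the VPM
<Proxy "Web Access Layer">
  url.domain=intranet.example.test ALLOW log_message("{FULL_DETAILS}")
  category=Malware DENY log_message("$(date)$(c-ip)$(c-uri)")
  DENY
"""

if __name__ == "__main__":
    for rule, missing in audit_layer(SAMPLE_POLICY):
        print(f"rule {rule}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```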