The Edge SWG must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC).

Severity: medium
Group ID: V-279268
Group Title: SRG-APP-000395-NDM-000310
Version: SYME-ND-000710
Rule ID: SV-279268r1170603_rule
Date: 2025-12-18
STIG Version: 1
Description
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet). Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.
Check

1. Log in to the Edge SWG SSH CLI.
2. Enter "show snmp".

If the line for SNMPv1 and SNMPv2c does not say "disabled", this is a finding. In a compliant state the line reads:

"SNMPv1 is disabled. SNMPv2c is disabled."
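The check above is a string match on CLI output, which makes it easy to fold into a scripted audit. The following is an added example, not part of the STIG or of the vendor's CLI: a POSIX shell function that reads saved "show snmp" output and returns a finding unless both SNMPv1 and SNMPv2c are reported disabled. It assumes the output has been captured to a file; the compliant line is the one quoted in the check, and the non-compliant sample is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG or the vendor CLI: evaluate saved
# "show snmp" output from the Edge SWG against this rule's check.
# Sample outputs below are constructed; only the compliant line is
# quoted from the STIG check text.

# Return 0 (not a finding) when stdin reports both SNMPv1 and SNMPv2c
# as disabled, 1 (finding) otherwise. Exact phrasing is matched, so a
# missing or differently worded line is treated as a finding, which is
# the safe direction for an audit check.
snmp_versions_disabled() {
    out=$(cat)
    case "$out" in
        *"SNMPv1 is disabled"*) ;;
        *) return 1 ;;
    esac
    case "$out" in
        *"SNMPv2c is disabled"*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Wrap the check in a one-line result suitable for a findings log.
snmp_check_report() {
    if snmp_versions_disabled; then
        echo "SYME-ND-000710: not a finding (SNMPv1 and SNMPv2c disabled)"
    else
        echo "SYME-ND-000710: FINDING (SNMPv1 or SNMPv2c not reported disabled)"
        return 1
    fi
}

# Constructed samples. COMPLIANT_SAMPLE is the line given in the check;
# NONCOMPLIANT_SAMPLE is a hypothetical output with SNMPv2c still on.
COMPLIANT_SAMPLE='SNMPv1 is disabled. SNMPv2c is disabled.'
NONCOMPLIANT_SAMPLE='SNMPv1 is disabled. SNMPv2c is enabled.'

# Usage: save the CLI output of "show snmp" to a file, then run
#   snmp_check_report < show_snmp.txt
# The exit status is 0 for not a finding and 1 for a finding.
```

Because the match is exact, any change in the CLI wording will surface as a finding rather than silently passing, which is the right failure mode for a compliance check.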
Fix

Create an SNMPv3 user with FIPS-approved authentication and privacy:
1. In the Edge SWG Web UI, navigate to the Administration tab.
2. Select the "SNMP" and "SNMP" areas.
3. Under "V3 Users", click "Add User".
4. Enter the username.
5. Select "SHA" for authentication and type a passphrase.
6. Select "AES" for privacy and type a passphrase.
7. Under "V3 Traps and Informs", add a trap destination if applicable.

Enable the SNMP management service:
1. In the Edge SWG Web UI, navigate to the Configuration tab.
2. Select the "Services" and "Management Services" areas.
3. Enable SNMP and add the listener for both IPv4 and IPv6.

Permit SNMP in the Admin Access Layer:
Note: Ensure the Admin Access Layer was created before moving on to this step.
1. In the Edge SWG Web UI, navigate to the Visual Policy Manager.
2. Under the "Admin Access Layer", click "Add Rule".
3. Under "Source", select "Any".
4. Under "Service", select "Service Name: SNMP".
5. Under "Action", select "Allow Read-only Access".
6. Apply the policy.

The check passes only when "show snmp" reports both SNMPv1 and SNMPv2c as disabled; rerun it after applying the policy to confirm that no unauthenticated SNMP version remains enabled. A Source of "Any" is what the fix requires as a minimum; where the environment allows, the rule can be scoped to the addresses of the authorized SNMP managers instead.