You can find more information about the meaning of the compliance status report.

Table 1. Compliance Report Codes
Code Description Compliance Status Source Remediation
72001 Encryption is disabled. This status is reported if a VPN IPSec Profile configuration contains NO_ENCRYPTION, NO_ENCRYPTION_AUTH_AES_GMAC_128, NO_ENCRYPTION_AUTH_AES_GMAC_192, or NO_ENCRYPTION_AUTH_AES_GMAC_256 encryption_algorithms.

This status affects IPSec VPN session configurations which use the reported non-compliant configurations.

To remediate this status, add a VPN IPSec Profile that uses compliant encryption algorithms and use the profile in all VPN configurations. See Add IPSec Profiles.
72011 BGP messages with neighbor bypass integrity check. No message authentication defined. This status is reported if no password is configured for BGP neighbors.

This status affects the BGP neighbor configuration.

To remediate this status, configure a password on the BGP neighbor and update the tier-0 gateway configuration to use the password. See Configure BGP.
72012 Communication with BGP neighbor uses weak integrity check. MD5 is used for message authentication. This status is reported if MD5 authentication is used for the BGP neighbor password.

This status affects the BGP neighbor configuration.

No remediation available as NSX-T Data Center supports only MD5 authentication for BGP.
72021 SSL version 3 used for establishing secure socket connection. It is recommended to run TLSv 1.1 or higher and fully disable SSLv3 that have protocol weaknesses. This status is reported if SSL version 3 is configured in the load balancer client SSL profile, load balancer server SSL profile, or load balancer HTTPS monitor.
This status affects the following configurations:
  • Load balancer pools that are associated with HTTPS monitors.
  • Load balancer virtual servers that are associated with load balancer client SSL profiles or server SSL profiles.
To remediate this status, configure an SSL profile to use TLS 1.1 or later and use this profile in all load balancer configurations. See Add an SSL Profile.
72022 TLS version 1.0 used for establishing secure socket connection. It is recommended to run TLSv 1.1 or higher and fully disable TLSv1.0 that have protocol weaknesses. This status is reported if TLSv1.0 is configured in load balancer client SSL profile, load balancer server SSL profile, or load balancer HTTPS monitor.
This status affects the following configurations:
  • Load balancer pools that are associated with HTTPS monitors.
  • Load balancer virtual servers that are associated with load balancer client SSL profiles or server SSL profiles.
To remediate this status, configure an SSL profile to use TLS 1.1 or later and use this profile in all load balancer configurations. See Add an SSL Profile.
72023 Weak Diffie-Hellman group is used. This error is reported if a VPN IPSec Profile or VPN IKE Profile configuration includes the following Diffie-Hellman groups: 2, 5, 14, 15 or 16. Groups 2 and 5 are weak Diffie-Hellman groups. Groups 14, 15, and 16 are not weak groups, but are not FIPS-compliant.

This status affects IPSec VPN session configurations which use the reported non-compliant configurations.

To remediate this status, configure the VPN Profiles to use Diffie-Hellman group 19, 20, or 21. See Adding Profiles.
72024 Load balancer FIPS global setting is disabled. This error is reported if the load balancer FIPS global setting is disabled.

This status affects all load balancer services.

To remediate this status, enable FIPS for load balancer. See Configure Global FIPS Compliance Mode for Load Balancer.
72200 Insufficient true entropy available. This status is reported when a pseudo random number generator is used to generate entropy rather than relying on hardware-generated entropy.

Hardware-generated entropy is not used because the NSX Manager node does not have the required hardware acceleration support to create sufficient true entropy.

To remediate this status, you might need to use newer hardware to run the NSX Manager node. Most recent hardware supports this feature.
Note: If the underlying infrastructure is virtual, you will not get true entropy.
72201 Entropy source unknown. This status is reported when no entropy status is available for the indicated node. To remediate this status, verify that the indicated node is functioning properly.
72301 Certificate is not CA signed. This status is reported when one of the NSX Manager certificates is not CA signed. NSX Manager uses the following certificates:
  • Syslog certificate.
  • API certificates for the individual NSX Manager nodes.
  • Cluster certificate used for the NSX ManagerVIP.
To remediate this status, install CA-signed certificates. See Setting Up Certificates.