The following table explains the meaning of each compliance status report code.

Table 1. Compliance Report Codes
Columns: Code; Description; Compliance Status Source; Remediation

72001
Description: Encryption is disabled.
Compliance Status Source: This status is reported if a VPN IPSec Profile configuration contains NO_ENCRYPTION, NO_ENCRYPTION_AUTH_AES_GMAC_128, NO_ENCRYPTION_AUTH_AES_GMAC_192, or NO_ENCRYPTION_AUTH_AES_GMAC_256 encryption_algorithms.

This status affects IPSec VPN session configurations which use the reported non-compliant configurations.
Remediation: To remediate this status, add a VPN IPSec Profile that uses compliant encryption algorithms and use the profile in all VPN configurations. See Add IPSec Profiles.

72011
Description: BGP messages with neighbor bypass integrity check. No message authentication defined.
Compliance Status Source: This status is reported if no password is configured for BGP neighbors.

This status affects the BGP neighbor configuration.
Remediation: To remediate this status, configure a password on the BGP neighbor and update the tier-0 gateway configuration to use the password. See Configure BGP.

72012
Description: Communication with BGP neighbor uses weak integrity check. MD5 is used for message authentication.
Compliance Status Source: This status is reported if MD5 authentication is used for the BGP neighbor password.

This status affects the BGP neighbor configuration.
Remediation: No remediation available as NSX-T Data Center supports only MD5 authentication for BGP.

72021
Description: SSL version 3 used for establishing secure socket connection. It is recommended to run TLSv1.1 or higher and fully disable SSLv3, which has protocol weaknesses.
Compliance Status Source: This status is reported if SSL version 3 is configured in the load balancer client SSL profile, load balancer server SSL profile, or load balancer HTTPS monitor.
This status affects the following configurations:
  • Load balancer pools that are associated with HTTPS monitors.
  • Load balancer virtual servers that are associated with load balancer client SSL profiles or server SSL profiles.
Remediation: To remediate this status, configure an SSL profile to use TLS 1.1 or later and use this profile in all load balancer configurations. See Add an SSL Profile.

72022
Description: TLS version 1.0 used for establishing secure socket connection. It is recommended to run TLSv1.1 or higher and fully disable TLSv1.0, which has protocol weaknesses.
Compliance Status Source: This status is reported if TLSv1.0 is configured in the load balancer client SSL profile, load balancer server SSL profile, or load balancer HTTPS monitor.
This status affects the following configurations:
  • Load balancer pools that are associated with HTTPS monitors.
  • Load balancer virtual servers that are associated with load balancer client SSL profiles or server SSL profiles.
Remediation: To remediate this status, configure an SSL profile to use TLS 1.1 or later and use this profile in all load balancer configurations. See Add an SSL Profile.

72023
Description: Weak Diffie-Hellman group is used.
Compliance Status Source: This error is reported if a VPN IPSec Profile or VPN IKE Profile configuration includes the following Diffie-Hellman groups: 2, 5, 14, 15 or 16. Groups 2 and 5 are weak Diffie-Hellman groups. Groups 14, 15, and 16 are not weak groups, but are not FIPS-compliant.

This status affects IPSec VPN session configurations which use the reported non-compliant configurations.
Remediation: To remediate this status, configure the VPN Profiles to use Diffie-Hellman group 19, 20, or 21. See Adding Profiles.

72024
Description: Load balancer FIPS global setting is disabled.
Compliance Status Source: This error is reported if the load balancer FIPS global setting is disabled.

This status affects all load balancer services.
Remediation: To remediate this status, enable FIPS for load balancer. See Configure Global FIPS Compliance Mode for Load Balancer.

72200
Description: Insufficient true entropy available.
Compliance Status Source: This status is reported when a pseudo random number generator is used to generate entropy rather than relying on hardware-generated entropy.

Hardware-generated entropy is not used because the NSX Manager node does not have the required hardware acceleration support to create sufficient true entropy.
Remediation: To remediate this status, you might need to use newer hardware to run the NSX Manager node. Most recent hardware supports this feature.
Note: If the underlying infrastructure is virtual, you will not get true entropy.

72201
Description: Entropy source unknown.
Compliance Status Source: This status is reported when no entropy status is available for the indicated node.
Remediation: To remediate this status, verify that the indicated node is functioning properly.

72301
Description: Certificate is not CA signed.
Compliance Status Source: This status is reported when one of the NSX Manager certificates is not CA signed. NSX Manager uses the following certificates:
  • Syslog certificate.
  • API certificates for the individual NSX Manager nodes.
  • Cluster certificate used for the NSX Manager VIP.
Remediation: To remediate this status, install CA-signed certificates. See Certificates.
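
The conditions behind codes 72001 and 72023 can be checked against exported VPN profile configurations before they show up in the compliance report. The following Python is an added example, not VMware code; the `dh_groups` and `display_name` field names, the `GROUPn` spelling, the `AES_GCM_256` value, and the sample profiles are assumptions, while the flagged algorithm names and group numbers come from the table above.

```python
import json

# Values taken from the table rows for codes 72001 and 72023.
NO_ENCRYPTION_ALGS = {
    "NO_ENCRYPTION",
    "NO_ENCRYPTION_AUTH_AES_GMAC_128",
    "NO_ENCRYPTION_AUTH_AES_GMAC_192",
    "NO_ENCRYPTION_AUTH_AES_GMAC_256",
}
WEAK_DH = {2, 5}             # weak groups
NON_FIPS_DH = {14, 15, 16}   # not weak, but not FIPS-compliant


def dh_number(value):
    """Accept 14, "14" or "GROUP14" (assumed spelling) and return 14."""
    text = str(value).upper()
    return int(text[5:] if text.startswith("GROUP") else text)


def audit_profile(profile):
    """Return sorted (code, detail) findings for one VPN profile dict."""
    findings = set()
    name = profile.get("display_name", "<unnamed>")
    for alg in profile.get("encryption_algorithms", []):
        if alg in NO_ENCRYPTION_ALGS:
            findings.add((72001, f"{name}: encryption disabled ({alg})"))
    for group in profile.get("dh_groups", []):  # field name is an assumption
        n = dh_number(group)
        if n in WEAK_DH:
            findings.add((72023, f"{name}: weak DH group {n}"))
        elif n in NON_FIPS_DH:
            findings.add((72023, f"{name}: DH group {n} is not FIPS-compliant"))
    return sorted(findings)


def audit_all(profiles):
    """Audit a list of profiles and return all findings in profile order."""
    return [f for p in profiles for f in audit_profile(p)]


# Constructed sample input, not taken from a real deployment.
SAMPLE = json.loads("""[
  {"display_name": "legacy-ipsec", "encryption_algorithms": ["NO_ENCRYPTION_AUTH_AES_GMAC_128"], "dh_groups": ["GROUP2", "GROUP14"]},
  {"display_name": "fips-ipsec", "encryption_algorithms": ["AES_GCM_256"], "dh_groups": ["GROUP19", "GROUP20"]}
]""")

if __name__ == "__main__":
    for code, detail in audit_all(SAMPLE):
        print(code, detail)
```

A profile that uses only groups 19, 20, or 21 and an encryption algorithm outside the flagged set produces no findings.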