You can find more information about the meaning of the compliance status report.
Code | Description | Compliance Status Source | Remediation |
---|---|---|---|
72001 | Encryption is deactivated. | This status is reported if a VPN IPSec Profile configuration contains NO_ENCRYPTION , NO_ENCRYPTION_AUTH_AES_GMAC_128 , NO_ENCRYPTION_AUTH_AES_GMAC_192 , or NO_ENCRYPTION_AUTH_AES_GMAC_256 encryption_algorithms.This status affects IPSec VPN session configurations which use the reported non-compliant configurations. |
To remediate this status, add a VPN IPSec Profile that uses compliant encryption algorithms and use the profile in all VPN configurations. See Add IPSec Profiles. |
72011 | BGP messages with neighbor bypass integrity check. No message authentication defined. | This status is reported if no password is configured for BGP neighbors. This status affects the BGP neighbor configuration. |
To remediate this status, configure a password on the BGP neighbor and update the tier-0 gateway configuration to use the password. See Configure BGP. |
72012 | Communication with BGP neighbor uses weak integrity check. MD5 is used for message authentication. | This status is reported if MD5 authentication is used for the BGP neighbor password. This status affects the BGP neighbor configuration. |
No remediation available as NSX-T Data Center supports only MD5 authentication for BGP. |
72021 | SSL version 3 used for establishing secure socket connection. It is recommended to run TLS v 1.1 or higher and fully deactivate SSLv3 that have protocol weaknesses. | This status is reported if SSL version 3 is configured in the load balancer client SSL profile, load balancer server SSL profile, or load balancer HTTPS monitor.
This status affects the following configurations:
|
To remediate this status, configure an SSL profile to use TLS 1.1 or later and use this profile in all load balancer configurations. See Add an SSL Profile. |
72022 | TLS version 1.0 used for establishing secure socket connection. It is recommended to run TLS v 1.1 or higher and fully deactivate TLS v1.0 that have protocol weaknesses. | This status is reported if TLS v1.0 is configured in load balancer client SSL profile, load balancer server SSL profile, or load balancer HTTPS monitor.
This status affects the following configurations:
|
To remediate this status, configure an SSL profile to use TLS 1.1 or later and use this profile in all load balancer configurations. See Add an SSL Profile. |
72023 | Weak Diffie-Hellman group is used. | This error is reported if a VPN IPSec Profile or VPN IKE Profile configuration includes the following Diffie-Hellman groups: 2, 5, 14, 15 or 16. Groups 2 and 5 are weak Diffie-Hellman groups. Groups 14, 15, and 16 are not weak groups, but are not FIPS-compliant. This status affects IPSec VPN session configurations which use the reported non-compliant configurations. |
To remediate this status, configure the VPN Profiles to use Diffie-Hellman group 19, 20, or 21. See Adding Profiles. |
72024 | Load balancer FIPS global setting is deactivated. | This error is reported if the load balancer FIPS global setting is deactivated. This status affects all load balancer services. |
To remediate this status, enable FIPS for load balancer. See Configure Global FIPS Compliance Mode for Load Balancer. |
72025 | Quick Assist Technologies (QAT) running on Edge node is Non-FIPS Compliant. | QAT is a set of hardware accelerated services provided by Intel for cryptography and compression. | To turn off QAT usage, use the NSX CLI. For details, see "Intel QAT Support for IPSec VPN Bulk Cryptography" in the NSX-T Data Center Installation Guide. |
72200 | Insufficient true entropy available. | This status is reported when a pseudo random number generator is used to generate entropy rather than relying on hardware-generated entropy. Hardware-generated entropy is not used because the NSX Manager node does not have the required hardware acceleration support to create sufficient true entropy. |
To remediate this status, you might need to use newer hardware to run the NSX Manager node. Most recent hardware supports this feature.
Note: If the underlying infrastructure is virtual, you will not get true entropy.
|
72201 | Entropy source unknown. | This status is reported when no entropy status is available for the indicated node. | To remediate this status, verify that the indicated node is functioning properly. |
72301 | Certificate is not CA signed. | This status is reported when one of the NSX Manager certificates is not CA signed. NSX Manager uses the following certificates:
|
To remediate this status, install CA-signed certificates. See Certificates. |