Edge SWG CPL for DOD STIGs

Article ID: 388134

Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

Broadcom is a trusted partner in highly secure, mission-critical systems around the world, including the US Department of Defense (DOD). In the DOD, all IT systems must adhere to the rigorous Risk Management Framework (RMF) that is defined in DoDI 8510.01. A critical component of RMF is the mandatory implementation of Security Technical Implementation Guides (STIGs) and Security Requirements Guidelines (SRGs) as maintained by the Defense Information Systems Agency (DISA). To serve our customers in the DOD and others who wish to meet the bar set by the DOD, Broadcom has engaged with DISA to produce the Edge SWG STIG through their vendor STIG development process.

To meet the DOD requirements that the STIGs outline, follow the steps in this KB article to apply the corresponding policy.

Resolution

Apply the following policies on your Edge SWG appliance. The policies are written in Content Policy Language (CPL) and are not available as Web VPM objects.

There are 5 CPL layers attached to this KB:

  1. H2 Console.txt—This policy requires all incoming management connections to use the HTTP/2.0 protocol.
  2. AdminLoginBanner.txt—This policy provides the mandatory DOD Notice and Consent banner prior to identification and authentication to the web management interface. It also ensures that CAC authentication is supported over the web management interface.
  3. ProxyTrafficLoginBanner.txt—This policy provides the mandatory DOD Notice and Consent banner prior to identification and authentication for proxy traffic users.
  4. ProxyAuthLayer.txt—This policy enables CAC authentication for proxy traffic users and provides the DOD Notice and Consent banner.
  5. DNSIPv6Lookup.txt—This policy specifies that IPv6 is preferred when available.

You must add these policy files to the CPL file on the Edge SWG appliance after you perform the following actions on each file:

H2 Console.txt

  • On line 3, ensure the client_issuer_keyring is the keyring that the management console listener trusts.

AdminLoginBanner.txt

  • On lines 16, 28, and 147, ensure that the service.name of the H2-Console is the same service name created in the Configuration > Services > Proxy Services menu of the Admin Console.
  • On lines 15, 95, and 151, ensure that the service.name of the CAC-MC-Notify is the same service name created in the Configuration > Services > Proxy Services menu of the Admin Console.
  • On lines 19 and 25, confirm that the service.name of the HTTPS-Console is the same as the service name created in the Configuration > Services > Proxy Services menu of the Admin Console.
  • To change the Notice and Consent banner, change the title on lines 41 and 161, and change the banner contents on lines 113 through 12 and on lines 177 through 191.


ProxyTrafficLoginBanner.txt

  • To change the Notice and Consent banner, change the title on line 97, and change the banner contents on lines 113 through 127.
  • On line 414, update the service name in the condition service.name=!H2-Console to match the name of the H2 Console service under the Configuration > Services > Proxy Services menu of the Admin Console.
  • On line 426, update the hostname in the condition url.domain=!"tditwbcsg001.dod.local" to the hostname specific to the deployment environment.

ProxyAuthLayer.txt

  • On line 5, ensure that the service names in the condition service.name=!(CAC-MC-Notify,H2-Console) match the names of the services under the Configuration > Services > Proxy Services menu of the Admin Console.

DNSIPv6Lookup.txt

  • No changes are required.
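
The edits above all come down to one check: every service.name referenced in a layer must exist as a proxy service on the appliance, and the url.domain placeholder must be replaced with the deployment hostname. The following Python script is an added example (not part of this KB or its attachments) that scans a downloaded layer file for those references and reports, by line number, any that do not match what you configured. The sample CPL text and the service and realm names in it are constructed for illustration only.

```python
import re

# Constructed sample that stands in for a downloaded layer file; it only mimics
# the service.name / url.domain conditions this KB asks you to edit.
SAMPLE_CPL = """; constructed sample, not one of the KB attachments
<Admin>
service.name=!H2-Console deny
<Proxy>
service.name=!(CAC-MC-Notify,H2-Console) authenticate(CAC-Realm)
<Proxy>
url.domain=!"tditwbcsg001.dod.local" allow
"""

# service.name=NAME, service.name=!NAME, or service.name=!(NAME1,NAME2)
SERVICE_RE = re.compile(r'service\.name=!?(?:\(([^)]*)\)|([A-Za-z0-9_.-]+))')
# url.domain="host" or url.domain=!"host"
DOMAIN_RE = re.compile(r'url\.domain=!?"([^"]+)"')


def find_references(cpl_text):
    """Return (line_no, kind, value) for each service.name / url.domain reference."""
    refs = []
    for n, line in enumerate(cpl_text.splitlines(), start=1):
        for m in SERVICE_RE.finditer(line):
            names = m.group(1).split(",") if m.group(1) is not None else [m.group(2)]
            for name in names:
                refs.append((n, "service", name.strip()))
        for m in DOMAIN_RE.finditer(line):
            refs.append((n, "domain", m.group(1)))
    return refs


def check_layer(cpl_text, configured_services, expected_domain):
    """List every reference that is not a configured service or still carries the KB's placeholder host."""
    findings = []
    for n, kind, value in find_references(cpl_text):
        if kind == "service" and value not in configured_services:
            findings.append(f"line {n}: service.name '{value}' is not a configured proxy service")
        elif kind == "domain" and value != expected_domain:
            findings.append(f"line {n}: url.domain '{value}' should be '{expected_domain}'")
    return findings


if __name__ == "__main__":
    # Names as they appear under Configuration > Services > Proxy Services (assumed values).
    configured = {"H2-Console", "HTTPS-Console"}
    for finding in check_layer(SAMPLE_CPL, configured, "swg.example.mil"):
        print(finding)
```

Run it against each attachment with the service names and hostname from your own appliance; an empty result means no edits were missed.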

Once you have downloaded all 5 CPL layers and modified them as noted above, use the Visual Policy Manager (VPM) to copy and paste each of the files into a new CPL layer:

  1. In the VPM, click Add Layer.
  2. In the Add a Layer window, select CPL.
  3. Copy and paste the contents of the modified file into the CPL layer. Repeat these steps for each of the 5 CPL layers. The following image is an example of what the VPM looks like after all 5 layers have been added:

NOTE: Ensure you have created all 5 CPL layers and have placed them in the order shown in the previous image. If they are not in the correct order, move the layers by dragging and dropping them.

Attachments

DNSIPv6Lookup.txt
ProxyAuthLayer.txt
ProxyTrafficLoginBanner.txt
AdminLoginBanner.txt
H2 Console.txt