NIAP: View Technical Decision Details
Archived TD0476:  NIT Technical Decision for Conflicting FW rules cannot be configured

Publication Date
2019.12.18

Protection Profiles
CPP_FW_V2.0E

Other References
FW SD V2.0, FFW_RUL_EXT.1.8, Test 1

Issue Description

The NIT has issued a technical decision on the issue "Conflicting FW rules cannot be configured".

Resolution

For FFW_RUL_EXT.1.8 TSS Section the following paragraph shall be added:

If the TOE implements a mechanism that ensures that no conflicting rules can be configured, the TSS shall describe the underlying mechanism.

For FFW_RUL_EXT.1.8 Test 1 shall be modified as follows:

Test 1: If the TOE implements a mechanism that ensures that no conflicting rules can be configured, the evaluator shall try to configure two conflicting rules and verify that the TOE rejects the conflicting rule(s). It is important to verify that the mechanism is implemented in the TOE and not in the non-TOE environment. If the TOE does not implement such a mechanism, the evaluator shall devise two stateful traffic filtering rules with identical match criteria but opposite operations (permit and drop). The rules shall then be deployed in each of the two possible orders, and in each case the evaluator shall ensure that the first rule is the one enforced, by generating applicable packets and using packet capture and logs for confirmation.
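The following is an added illustration, not part of the NIAP technical decision and not any vendor's TOE code: a toy first-match stateful traffic filtering ruleset that models the two situations Test 1 distinguishes. In strict mode the ruleset itself refuses a rule whose match criteria duplicate an existing rule's with the opposite action (the "mechanism" the TSS must describe); in permissive mode it accepts both, and the test shows that whichever rule is deployed first is the one enforced. The rule fields, packet shape, addresses and helper names (`RuleSet`, `conflict_rejected`, `ordered_enforcement`) are constructed for this example.

```python
# Added example, not part of the NIAP technical decision or any vendor's TOE:
# a toy first-match stateful traffic filtering ruleset that models the two
# situations FFW_RUL_EXT.1.8 Test 1 distinguishes. Rule fields, packet shape
# and the sample values below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    src: str      # source address or "any"
    dst: str      # destination address or "any"
    proto: str    # "tcp" / "udp" / "any"
    dport: int    # destination port, 0 = any
    action: str   # "permit" or "drop"

    def match_key(self) -> Tuple[str, str, str, int]:
        """Everything except the action; two rules with equal keys and
        different actions are the 'conflicting rules' of Test 1."""
        return (self.src, self.dst, self.proto, self.dport)

    def matches(self, pkt: Dict[str, object]) -> bool:
        return (self.src in ("any", pkt["src"])
                and self.dst in ("any", pkt["dst"])
                and self.proto in ("any", pkt["proto"])
                and self.dport in (0, pkt["dport"]))


class ConflictingRuleError(ValueError):
    """Raised when the ruleset's own conflict check refuses a rule."""


class RuleSet:
    """First-match ruleset with default deny. When reject_conflicts is True the
    TSF itself refuses a rule that duplicates an existing rule's match criteria
    with the opposite action (the mechanism the TSS must describe)."""

    def __init__(self, reject_conflicts: bool) -> None:
        self.reject_conflicts = reject_conflicts
        self.rules: List[Rule] = []
        self.log: List[str] = []   # stands in for the audit log the evaluator inspects

    def add(self, rule: Rule) -> None:
        if self.reject_conflicts:
            for existing in self.rules:
                if existing.match_key() == rule.match_key() and existing.action != rule.action:
                    raise ConflictingRuleError(f"{rule} conflicts with {existing}")
        self.rules.append(rule)

    def decide(self, pkt: Dict[str, object]) -> str:
        """Walk the rules in order; the first matching rule decides (first match wins)."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self.log.append(f"rule#{idx} {rule.action} {pkt['src']}->{pkt['dst']}:{pkt['dport']}")
                return rule.action
        self.log.append(f"default drop {pkt['src']}->{pkt['dst']}:{pkt['dport']}")
        return "drop"


# Constructed sample rules and packet (RFC 1918 / RFC 5737 documentation addresses).
PERMIT_SSH = Rule("10.0.0.5", "192.0.2.10", "tcp", 22, "permit")
DROP_SSH = Rule("10.0.0.5", "192.0.2.10", "tcp", 22, "drop")
SAMPLE_PACKET = {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}


def conflict_rejected(first: Rule, second: Rule) -> bool:
    """First branch of Test 1: a TOE with a conflict-prevention mechanism must
    refuse the second of two conflicting rules."""
    rs = RuleSet(reject_conflicts=True)
    rs.add(first)
    try:
        rs.add(second)
    except ConflictingRuleError:
        return True
    return False


def ordered_enforcement(first: Rule, second: Rule, pkt: Dict[str, object]) -> Dict[str, str]:
    """Second branch of Test 1: deploy the same two rules in both orders and
    record the action applied to a matching packet; the first rule must win."""
    outcomes: Dict[str, str] = {}
    for label, order in (("first-then-second", [first, second]),
                         ("second-then-first", [second, first])):
        rs = RuleSet(reject_conflicts=False)
        for rule in order:
            rs.add(rule)
        outcomes[label] = rs.decide(pkt)
    return outcomes


if __name__ == "__main__":
    print("conflict rejected:", conflict_rejected(PERMIT_SSH, DROP_SSH))
    print("first-match outcomes:", ordered_enforcement(PERMIT_SSH, DROP_SSH, SAMPLE_PACKET))
```

In the evaluation itself the equivalents of `decide()` and `log` are the packet capture and the TOE's audit log: the evaluator confirms that the packet's fate matches the first-deployed rule in both orders, and, for the strict branch, that the rejection is produced by the TOE rather than by a management tool in the operational environment.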

For further information, please see the NIT interpretation at:

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRFI201837.pdf

Justification

See issue description
