STIGQter: STIG Summary: F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The BIG-IP Core implementation must be configured to only allow incoming communications from authorized sources routed to authorized destinations.

DISA Rule

SV-215794r557356_rule

Vulnerability Number

V-215794

Group Title

SRG-NET-000364-ALG-000122

Rule Version

F5BI-LT-000223

Severity

CAT II

CCI(s)

• CCI-002403 - The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

Weight

10

Fix Recommendation

If user packet-filtering intermediary services are provided, configure the BIG-IP Core as follows:

Configure a policy in the BIG-IP AFM module to only allow incoming communications from authorized sources routed to authorized destinations.

Apply the AFM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to only allow incoming communications from authorized sources routed to authorized destinations.

Check Contents

If the BIG-IP Core does not perform packet-filtering intermediary services for virtual servers, this is not applicable.

When packet-filtering intermediary services are performed, verify the BIG-IP Core is configured to only allow incoming communications from authorized sources routed to authorized destinations as follows:

Verify Virtual Server(s) are configured in the BIG-IP LTM module with policies to only allow incoming communications from authorized sources routed to authorized destinations.

Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.

Select Virtual Servers(s) from the list to verify.

Navigate to the Security >> Policies tab.

Verify that "Network Firewall" Enforcement is set to "Policy Rules..." and "Policy" is set to use an AFM policy to only allow incoming communications from authorized sources routed to authorized destinations.

If the BIG-IP Core is configured to allow incoming communications from unauthorized sources routed to unauthorized destinations, this is a finding.

Vulnerability Number

V-215794

Documentable

False

Rule Version

F5BI-LT-000223

Severity Override Guidance

If the BIG-IP Core does not perform packet-filtering intermediary services for virtual servers, this is not applicable.

When packet-filtering intermediary services are performed, verify the BIG-IP Core is configured to only allow incoming communications from authorized sources routed to authorized destinations as follows:

Verify Virtual Server(s) are configured in the BIG-IP LTM module with policies to only allow incoming communications from authorized sources routed to authorized destinations.

Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.

Select Virtual Servers(s) from the list to verify.

Navigate to the Security >> Policies tab.

Verify that "Network Firewall" Enforcement is set to "Policy Rules..." and "Policy" is set to use an AFM policy to only allow incoming communications from authorized sources routed to authorized destinations.

If the BIG-IP Core is configured to allow incoming communications from unauthorized sources routed to unauthorized destinations, this is a finding.

Check Content Reference

M

Target Key

4019

Comments