STIGQter: STIG Summary: F5 BIG-IP Advanced Firewall Manager 11.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 29 May 2015:

The BIG-IP AFM module must be configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

DISA Rule

SV-74351r1_rule

Vulnerability Number

V-59921

Group Title

SRG-NET-000019-ALG-000018

Rule Version

F5BI-AF-000007

Severity

CAT I

CCI(s)

• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.

Weight

10

Fix Recommendation

If the BIG-IP AFM module is used to support user access control intermediary services for virtual servers, configure the BIG-IP AFM module to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

Check Contents

If the BIG-IP AFM module is not used to support user access control intermediary services for virtual servers, this is not applicable.

Verify the BIG-IP AFM module is configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

Navigate to the BIG-IP System manager >> Security >> Network Firewall >> Active Rules.

Verify an active rule is configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

If the BIG-IP AFM module is not configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.

Vulnerability Number

V-59921

Documentable

False

Rule Version

F5BI-AF-000007

Severity Override Guidance

If the BIG-IP AFM module is not used to support user access control intermediary services for virtual servers, this is not applicable.

Verify the BIG-IP AFM module is configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

Navigate to the BIG-IP System manager >> Security >> Network Firewall >> Active Rules.

Verify an active rule is configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

If the BIG-IP AFM module is not configured to restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic, this is a finding.

Check Content Reference

M

Target Key

2839

Comments