F5 BIG-IP TMOS Firewall Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2024-09-09
  • Released: 2024-09-26

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The F5 BIG-IP appliance that filters traffic from the VPN access points must be configured with organization-defined filtering rules that apply to the monitoring of remote access traffic.
AC-17 - Medium - CCI-000067 - V-266254 - SV-266254r1024572_rule
RMF Control: AC-17
Severity: Medium
CCI: CCI-000067
Version: F5BI-FW-300001
Vuln IDs: V-266254
Rule IDs: SV-266254r1024572_rule
Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
Checks: C-70178r1024326_chk

If the VPN is terminated directly on the BIG-IP, an Access Control List can be used to filter remote VPN traffic. From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" on the VPN profile.
5. Access Control Lists are assigned in an "Advanced Resource Assign" object in the Visual Policy Editor.

If the VPN is terminated directly on the BIG-IP and no Access Control List implementing the organization-defined filtering rules for remote access traffic is assigned in the Access Profile, this is a finding.

If the VPN is not terminated directly on the BIG-IP and the BIG-IP filters traffic from the VPN access points:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If the BIG-IP appliance filters traffic from the VPN access points and the policy contains no rules implementing the organization-defined filtering rules for remote access traffic, this is a finding.

Fix: F-70081r1024327_fix

If the VPN is terminated directly on the BIG-IP, an Access Control List can be used to filter remote VPN traffic. From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" on the VPN profile.
5. Add an "Advanced Resource Assign" object in the Visual Policy Editor and add an Access Control List in accordance with the SSP and site configuration documentation.

If the VPN is not terminated directly on the BIG-IP and the BIG-IP filters traffic from the VPN access points:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Add rules to filter VPN traffic.
6. Click "Commit Changes to System".

The F5 BIG-IP appliance must be configured to use filters that use packet headers and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies, including perimeter firewalls and server VLANs.
AC-4 - High - CCI-001414 - V-266255 - SV-266255r1024867_rule
RMF Control: AC-4
Severity: High
CCI: CCI-001414
Version: F5BI-FW-300002
Vuln IDs: V-266255
Rule IDs: SV-266255r1024867_rule
Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic. The firewall that filters traffic outbound to interconnected networks with different security policies must be configured with filters (e.g., rules, access control lists [ACLs], screens, and policies) that permit, restrict, or block traffic based on organization-defined traffic authorizations. Filtering must include packet header and packet attribute information, such as IP addresses and port numbers. Configure filters to perform certain actions when packets match specified attributes, including the following actions:
- Apply a policy.
- Accept, reject, or discard the packets.
- Classify the packets based on their source address.
- Evaluate the next term in the filter.
- Increment a packet counter.
- Set the packets' loss priority.
- Specify an IPsec SA (if IPsec is used in the implementation).
- Specify the forwarding path.
- Write an alert or message to the system log.
Checks: C-70179r1024329_chk

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If configured rules in the policy do not use packet headers and packet attributes, including source and destination IP addresses and ports, this is a finding.

Fix: F-70082r1024330_fix

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules to use packet headers and packet attributes, including source and destination IP addresses and ports, in accordance with the SSP and site configuration documentation.
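One way to build such a policy so that the AC-4 constraint is enforced before anything reaches the device, as an added example (not part of the STIG and not F5 tooling): the script below renders a deny-by-default network firewall policy as a single `tmsh create security firewall policy` command and refuses any accept rule that lacks an explicit IP protocol, source and destination prefixes, or (for TCP/UDP) destination ports, then appends a logged drop rule. The tmsh grammar follows the documented `rules add { <name> { action ... source { addresses add { ... } } destination { addresses add { ... } ports add { ... } } } }` form and the `fw-enforced-policy` property of `ltm virtual`; both should be checked against the tmsh reference for the TMOS version in use. The policy name, rule names, prefixes and ports are constructed sample values.

```python
"""Render a deny-by-default AFM network firewall policy as tmsh commands.

Added example, not from the STIG or from F5. It enforces F5BI-FW-300002 at
generation time: every accept rule names its IP protocol, source and
destination prefixes and (for tcp/udp) destination ports, and the policy
ends with an explicit, logged drop rule. The tmsh grammar is the documented
'security firewall policy ... rules add { ... }' form; verify it against the
tmsh reference for your TMOS version. All names, prefixes and ports below are
constructed sample values.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # "443" or "8000-8010"


@dataclass
class AllowRule:
    name: str
    ip_protocol: str         # "tcp", "udp" or "icmp"
    sources: List[str]       # CIDR prefixes; 0.0.0.0/0 must be written out, never "any"
    destinations: List[str]  # prefixes of the protected hosts; never the whole Internet
    dst_ports: List[str]     # empty only for icmp


def _bad_prefix(p: str) -> bool:
    try:
        ipaddress.ip_network(p, strict=False)
        return False
    except ValueError:
        return True


def _bad_port(p: str) -> bool:
    m = PORT_RE.match(p)
    if not m:
        return True
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return not (0 < lo <= hi <= 65535)


def validation_errors(rules: List[AllowRule]) -> List[str]:
    """AC-4 violations in the rule set; an empty list means it can be rendered."""
    errors: List[str] = []
    names = [r.name for r in rules]
    if len(set(names)) != len(names):
        errors.append("duplicate rule names")
    if "deny_all" in names:
        errors.append("'deny_all' is reserved for the terminal drop rule")
    for r in rules:
        if r.ip_protocol not in ("tcp", "udp", "icmp"):
            errors.append(f"{r.name}: unsupported ip-protocol {r.ip_protocol!r}")
        if not r.sources or not r.destinations:
            errors.append(f"{r.name}: source and destination addresses are required")
        for p in r.sources + r.destinations:
            if p.lower() == "any" or _bad_prefix(p):
                errors.append(f"{r.name}: {p!r} is not an explicit CIDR prefix")
        if any(d in ("0.0.0.0/0", "::/0") for d in r.destinations):
            errors.append(f"{r.name}: destination must name the protected hosts, not any")
        if r.ip_protocol in ("tcp", "udp"):
            if not r.dst_ports:
                errors.append(f"{r.name}: {r.ip_protocol} rule needs destination ports")
            errors.extend(f"{r.name}: bad port {p!r}" for p in r.dst_ports if _bad_port(p))
        elif r.dst_ports:
            errors.append(f"{r.name}: ports do not apply to {r.ip_protocol}")
    return errors


def render_rule(r: AllowRule) -> str:
    ports = f" ports add {{ {' '.join(r.dst_ports)} }}" if r.dst_ports else ""
    return (f"{r.name} {{ action accept ip-protocol {r.ip_protocol} log yes "
            f"source {{ addresses add {{ {' '.join(r.sources)} }} }} "
            f"destination {{ addresses add {{ {' '.join(r.destinations)} }}{ports} }} }}")


def render_policy(policy: str, rules: List[AllowRule]) -> str:
    """One 'tmsh create' line. Rules are evaluated in the order listed, so the
    logged drop rule goes last."""
    errors = validation_errors(rules)
    if errors:
        raise ValueError("; ".join(errors))
    body = " ".join(render_rule(r) for r in rules) + " deny_all { action drop log yes }"
    return f"tmsh create security firewall policy {policy} rules add {{ {body} }}"


def render_attach(virtual_server: str, policy: str) -> str:
    """Enforce the policy on a virtual server (assumed property: 'fw-enforced-policy';
    'fw-staged-policy' observes without blocking and is the safer first step)."""
    return f"tmsh modify ltm virtual {virtual_server} fw-enforced-policy {policy}"


SAMPLE_RULES = [  # constructed sample allow-list
    AllowRule("allow_https", "tcp", ["0.0.0.0/0"], ["203.0.113.10/32"], ["443"]),
    AllowRule("allow_dns", "udp", ["10.10.0.0/16"], ["203.0.113.53/32"], ["53"]),
]

if __name__ == "__main__":
    print(render_policy("/Common/stig_inbound", SAMPLE_RULES))
    print(render_attach("/Common/vs_web", "/Common/stig_inbound"))
    print("tmsh save sys config")
```

`log yes` marks each rule for logging; whether matches are actually recorded is governed by the global-network logging profile (F5BI-FW-300005), so both have to be set.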

The F5 BIG-IP appliance must generate traffic log entries containing information to establish the details of the event, including success or failure of the application of the firewall rule.
AU-3 - Medium - CCI-000130 - V-266256 - SV-266256r1024869_rule
RMF Control: AU-3
Severity: Medium
CCI: CCI-000130
Version: F5BI-FW-300005
Vuln IDs: V-266256
Rule IDs: SV-266256r1024869_rule
Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit event content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the network element logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element. Satisfies: SRG-NET-000074-FW-000009, SRG-NET-000075-FW-000010, SRG-NET-000076-FW-000011, SRG-NET-000077-FW-000012, SRG-NET-000078-FW-000013, SRG-NET-000492-FW-000006, SRG-NET-000493-FW-000007, SRG-NET-000333-FW-000014
Checks: C-70180r1024014_chk

From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. Network Firewall tab.
6. Select a Log Publisher to use (for production environments, use Remote High Speed Logging).
7. Verify that at least the "Accept", "Drop", and "Reject" Log Rule Matches boxes are checked, along with any other settings to be enabled.

From the BIG-IP Console, type the following command:
tmsh list security log profile global-network
Note: Verify the log-acl-match-accept, log-acl-match-drop, and log-acl-match-reject settings are enabled.

If the BIG-IP is not configured to generate traffic log entries containing information to establish the details of the event, including success or failure of the application of the firewall rule, this is a finding.

Fix: F-70083r1024868_fix

From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. Network Firewall tab.
6. Select a Log Publisher to use (for production environments, use Remote High Speed Logging).
7. Check the "Accept", "Drop", and "Reject" Log Rule Matches boxes, along with any other settings to be enabled.
8. Click "Update".

From the BIG-IP Console, type the following commands:
tmsh modify security log profile global-network network modify { all { filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } publisher <publisher name> } }
tmsh save sys config

Refer to vendor documentation for more information.

In the event that communication with the central audit server is lost, the F5 BIG-IP appliance must continue to queue traffic log records locally.
AU-5 - Low - CCI-000140 - V-266257 - SV-266257r1024871_rule
RMF Control: AU-5
Severity: Low
CCI: CCI-000140
Version: F5BI-FW-300012
Vuln IDs: V-266257
Rule IDs: SV-266257r1024871_rule
It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode. In accordance with DOD policy, the traffic log must be sent to a central audit server. When logging functions are lost, system processing cannot be shut down because firewall availability is an overriding concern given the role of the firewall in the enterprise. The system must either be configured to log events to an alternative server or queue log records locally. Upon restoration of the connection to the central audit server, action must be taken to synchronize the local log data with the central audit server. If the central audit server uses UDP communications instead of a connection oriented protocol such as TCP, a method for detecting a lost connection must be implemented.
Checks: C-70181r1024017_chk

If using Remote High Speed Logging (recommended):

From the BIG-IP GUI:
1. Local Traffic.
2. Pools.
3. Pool List.
4. <Logging Pool Name>
5. Verify that "Enable Request Queueing" is set to "Yes".

From the BIG-IP Console, type the following command:
tmsh list ltm pool <Logging Pool Name> queue-on-connection-limit
Note: Verify this is enabled.

If the BIG-IP appliance is not configured to queue traffic log records locally in the event that communication with the central audit server is lost, this is a finding.

Fix: F-70084r1024870_fix

If using Remote High Speed Logging (recommended):

From the BIG-IP GUI:
1. Local Traffic.
2. Pools.
3. Pool List.
4. <Logging Pool Name>
5. Set "Enable Request Queueing" to "Yes".
Note: Configuration must be set to "Advanced" to view this option.

From the BIG-IP Console, type the following commands:
tmsh modify ltm pool <Logging Pool Name> queue-on-connection-limit enabled
tmsh save sys config

The F5 BIG-IP appliance must be configured to use TCP when sending log records to the central audit server.
CM-6 - Medium - CCI-000366 - V-266258 - SV-266258r1024873_rule
RMF Control: CM-6
Severity: Medium
CCI: CCI-000366
Version: F5BI-FW-300013
Vuln IDs: V-266258
Rule IDs: SV-266258r1024873_rule
If the default UDP protocol is used for communication between hosts and devices and the central log server, log records that do not reach the log server are not detected as a data loss. Using TCP to transport log records to the log servers improves delivery reliability.
Checks: C-70182r1024872_chk

From the BIG-IP GUI:
1. System.
2. Logs.
3. Configuration.
4. Log Destinations.
5. <Name>.
6. Verify "Protocol" is set to TCP.

From the BIG-IP Console, type the following command:
tmsh list sys log-config destination remote-high-speed-log <Name> protocol
Note: Verify this is set to "tcp".

If the BIG-IP appliance is not configured to use TCP when sending log records to the central audit server, this is a finding.

Fix: F-70085r1024021_fix

From the BIG-IP GUI:
1. System.
2. Logs.
3. Configuration.
4. Log Destinations.
5. Click the name of the log destination.
6. Set "Protocol" to TCP.
7. Click "Update".

From the BIG-IP Console, type the following command:
tmsh modify sys log-config destination remote-high-speed-log <Name> protocol tcp

The F5 BIG-IP appliance must be configured to restrict itself from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
CM-6 - Medium - CCI-000366 - V-266259 - SV-266259r1024876_rule
RMF Control: CM-6
Severity: Medium
CCI: CCI-000366
Version: F5BI-FW-300015
Vuln IDs: V-266259
Rule IDs: SV-266259r1024876_rule
A compromised host in an enclave can be used by a malicious platform to launch cyber attacks on third parties. This is a common practice in "botnets", which are a collection of compromised computers using malware to attack other computers or networks. Distributed denial-of-service (DDoS) attacks frequently leverage IP source address spoofing to send packets to multiple hosts that in turn will then send return traffic to the hosts with the IP addresses that were forged. This can generate significant amounts of traffic. Therefore, protection measures to counteract IP source address spoofing must be taken. When uRPF is enabled in strict mode, the packet must be received on the interface that the device would use to forward the return packet; thereby mitigating IP source address spoofing. F5 BIG-IP AFM Source checking: When source checking is enabled, the BIG-IP system verifies that the return path for an initial packet is through the same VLAN from which the packet originated. Note that the system only enables source checking if the global setting Auto Last Hop is disabled.
Checks: C-70183r1024874_chk

From the BIG-IP GUI:
1. Network.
2. VLANs.
3. VLAN List.
4. <Name> of internal VLAN.
5. Verify that "Source Check" is enabled.
6. Verify that Auto Last Hop is set to "Disabled".

From the BIG-IP Console, type the following commands:
tmsh list net vlan <Name> auto-lasthop
tmsh list net vlan <Name> source-checking

If Source Check is not enabled on the VLAN, or Auto Last Hop is not disabled (source checking has no effect while Auto Last Hop is on), this is a finding.

Fix: F-70086r1024875_fix

From the BIG-IP GUI:
1. Network.
2. VLANs.
3. VLAN List.
4. <Name> of internal VLAN.
5. Check the box next to "Source Check".
6. Set Auto Last Hop to "Disabled".

From the BIG-IP Console, type the following commands:
tmsh modify net vlan <Name> auto-lasthop disabled
tmsh modify net vlan <Name> source-checking enabled
tmsh save sys config
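The console checks for F5BI-FW-300005, -300012, -300013 and -300015 above all reduce to reading one or two settings out of `tmsh list` output, which lends itself to an offline audit of output collected from many devices. As an added example, not part of the STIG, the script below parses that brace-nested format and applies the four checks. The outputs it runs against are constructed to mirror what `tmsh list security log profile global-network`, `tmsh list ltm pool <name> queue-on-connection-limit`, `tmsh list sys log-config destination remote-high-speed-log <name> protocol` and `tmsh list net vlan <name> auto-lasthop source-checking` print; feed real command output in instead. `local-db-publisher` is BIG-IP's built-in local-database publisher, which the check treats as non-compliant because the records never leave the appliance.

```python
"""Offline checks of 'tmsh list' output for F5BI-FW-300005 (ACL match logging),
-300012 (logging pool queueing), -300013 (TCP transport) and -300015 (source
checking). Added example, not part of the STIG: parse_tmsh() reads the
brace-nested text 'tmsh list ...' prints; the sample outputs below are
constructed in that format (feed real command output in instead).
'local-db-publisher' is BIG-IP's built-in local-database log publisher.
"""
from typing import Any, Dict, List

Tree = Dict[str, Any]
ACL_LOG_KEYS = ("log-acl-match-accept", "log-acl-match-drop", "log-acl-match-reject")

def parse_tmsh(text: str) -> Tree:
    """'name {' opens a block, '}' closes it, 'key value' is a leaf (bare key -> True)."""
    root: Tree = {}
    stack: List[Tree] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child: Tree = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() or True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tmsh output")
    return root

def body_of(out: str) -> Tree:
    """Body of the first listed object (its header, e.g. 'ltm pool hsl_pool', is the key)."""
    return next(iter(parse_tmsh(out).values()))

def check_log_profile(out: str) -> List[str]:
    """F5BI-FW-300005: accept/drop/reject matches logged, to a remote publisher."""
    section = body_of(out).get("network", {}).get("all", {})
    flt = section.get("filter", {})
    findings = [f"{k} not enabled" for k in ACL_LOG_KEYS if flt.get(k) != "enabled"]
    pub = str(section.get("publisher", ""))
    if not pub or pub.endswith("local-db-publisher"):
        findings.append("network publisher is missing or local-db-publisher; use remote HSL")
    return findings

def check_pool_queueing(out: str) -> List[str]:
    """F5BI-FW-300012: the HSL pool must queue while the collector is unreachable."""
    ok = body_of(out).get("queue-on-connection-limit") == "enabled"
    return [] if ok else ["queue-on-connection-limit not enabled on the logging pool"]

def check_destination_protocol(out: str) -> List[str]:
    """F5BI-FW-300013: log records must leave over TCP, not the UDP default."""
    proto = body_of(out).get("protocol")
    return [] if proto == "tcp" else [f"log destination protocol is {proto}, not tcp"]

def check_vlan_source_check(out: str) -> List[str]:
    """F5BI-FW-300015: source checking only acts when Auto Last Hop is off. 'default'
    inherits the global Auto Last Hop value this check cannot see, so it is flagged."""
    body = body_of(out)
    findings = []
    if body.get("auto-lasthop") != "disabled":
        findings.append(f"auto-lasthop is {body.get('auto-lasthop')}, not disabled")
    if body.get("source-checking") != "enabled":
        findings.append("source-checking not enabled")
    return findings

# Constructed sample outputs (not captured from a device).
LOG_PROFILE_OK = """\
security log profile global-network {
    network {
        all {
            filter {
                log-acl-match-accept enabled
                log-acl-match-drop enabled
                log-acl-match-reject enabled
            }
            publisher /Common/remote-hsl-publisher
        }
    }
}
"""
LOG_PROFILE_BAD = (LOG_PROFILE_OK
                   .replace("log-acl-match-accept enabled", "log-acl-match-accept disabled")
                   .replace("/Common/remote-hsl-publisher", "local-db-publisher"))
POOL_OK = "ltm pool hsl_pool {\n    queue-on-connection-limit enabled\n}\n"
DEST_BAD = "sys log-config destination remote-high-speed-log hsl_dest {\n    protocol udp\n}\n"
VLAN_BAD = "net vlan internal {\n    auto-lasthop default\n    source-checking disabled\n}\n"

if __name__ == "__main__":
    for label, found in (("log profile", check_log_profile(LOG_PROFILE_BAD)),
                         ("logging pool", check_pool_queueing(POOL_OK)),
                         ("log destination", check_destination_protocol(DEST_BAD)),
                         ("vlan", check_vlan_source_check(VLAN_BAD))):
        print(f"{label}: {found or 'compliant'}")
```

The parser only handles the multi-line form `tmsh list` prints; it is enough for these objects but is not a general tmsh grammar.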

The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
SC-5 - High - CCI-002385 - V-266260 - SV-266260r1024878_rule
RMF Control: SC-5
Severity: High
CCI: CCI-002385
Version: F5BI-FW-300017
Vuln IDs: V-266260
Rule IDs: SV-266260r1024878_rule
Not configuring a key boundary security protection device such as the firewall against commonly known attacks is an immediate threat to the protected enclave because they are easily implemented by those with little skill. Directions for the attack can be obtained on the internet and in hacker groups. Without filtering enabled for these attacks, the firewall will allow these attacks beyond the protected boundary. Configure the perimeter and internal boundary firewall to guard against the three general methods of well-known DoS attacks: flooding attacks, protocol sweeping attacks, and unauthorized port scanning. Flood attacks occur when the host receives too much traffic to buffer and slows down or crashes. Popular flood attacks include ICMP flood and SYN flood. A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests, resulting in denial of service. An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic, also resulting in denial of service. An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of a host. In an IP address sweep attack, an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target’s IP address to the attacker. In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker receives an indication that a port in the target device is open, which makes the port vulnerable to attack. In a UDP sweep attack, an attacker sends UDP packets to the target device. If the device responds to those packets, the attacker receives an indication that a port in the target device is open, which makes the port vulnerable to attack. 
In a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively. Satisfies: SRG-NET-000362-FW-000028, SRG-NET-000364-FW-000041, SRG-NET-000192-FW-000029, SRG-NET-000193-FW-000030
Checks: C-70184r1024877_chk

From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand each of the applicable families (Network, DNS, SIP) depending on the traffic being handled by the BIG-IP and verify the "State" is set to "Mitigate" for all signatures in that family.

If the BIG-IP appliance is not configured with filters that prevent or limit the effects of commonly known DoS attacks, including flooding, packet sweeps, and unauthorized port scanning, this is a finding.

Fix: F-70087r1024027_fix

From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand each of the applicable families (Network, DNS, SIP) one at a time, depending on the traffic being handled by the BIG-IP, and do the following for each:
- Check the box at the top of the list of signatures to select all or, at a minimum, the filters that prevent or limit the effects of all types of commonly known DoS attacks, including flooding, packet sweeps, and unauthorized port scanning, plus the filters for unknown or out-of-order extension headers.
- Set "Set State" to "Mitigate".
5. Click "Commit Changes to System".

Note: Sites must operationally test or initially use learning mode prior to turning on all of the options in all families to prevent operational impacts, particularly in implementations with large traffic volumes.

The F5 BIG-IP appliance must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
SC-7 - High - CCI-001109 - V-266261 - SV-266261r1024579_rule
RMF Control: SC-7
Severity: High
CCI: CCI-001109
Version: F5BI-FW-300020
Vuln IDs: V-266261
Rule IDs: SV-266261r1024579_rule
To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA).
Checks: C-70185r1024029_chk

From the BIG-IP GUI:
1. Security.
2. Options.
3. Network Firewall.
4. Firewall Options.
5. Verify "Virtual Server & Self IP Contexts" is set to "Drop" or "Reject".
6. Verify "Global Context" is set to "Drop" or "Reject".

If the BIG-IP appliance is not configured to deny network communications traffic by default and allow network communications traffic by exception, this is a finding.

Fix: F-70088r1024030_fix

From the BIG-IP GUI:
1. Security.
2. Options.
3. Network Firewall.
4. Firewall Options.
5. Set "Virtual Server & Self IP Contexts" to "Drop" or "Reject".
6. Set "Global Context" to "Drop" or "Reject".
7. Click "Update".

The F5 BIG-IP appliance must generate an alert that can be forwarded to, at a minimum, the information system security officer (ISSO) and information system security manager (ISSM) when denial-of-service (DoS) incidents are detected.
SI-4 - Low - CCI-002664 - V-266262 - SV-266262r1024580_rule
RMF Control: SI-4
Severity: Low
CCI: CCI-002664
Version: F5BI-FW-300021
Vuln IDs: V-266262
Rule IDs: SV-266262r1024580_rule
Without an alert, security personnel may be unaware of major detection incidents that require immediate action, and this delay may result in the loss or compromise of information. The firewall generates an alert that notifies designated personnel of the Indicators of Compromise (IOCs), which require real-time alerts. These messages must include a severity level indicator or code as an indicator of the criticality of the incident. These indicators reflect the occurrence of a compromise or a potential compromise. Since these incidents require immediate action, these messages are assigned a critical or level 1 priority/severity, depending on the system's priority schema. CJCSM 6510.01B, "Cyber Incident Handling Program", lists nine Cyber Incident and Reportable Event Categories. DOD has determined that categories identified by CJCSM 6510.01B Major Indicators (category 1, 2, 4, or 7 detection events) will require an alert when an event is detected. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. The firewall must either send the alert to a management console that is actively monitored by authorized personnel or use a messaging capability to send the alert directly to designated personnel.
Checks: C-70186r1024032_chk

From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. DoS Protection tab.
6. Verify the "Publisher" for each DoS type is configured to use a remote log destination (for production environments, use Remote High Speed Logging).

From the BIG-IP Console, type the following command:
tmsh list security log profile global-network | grep dos
Verify each DoS publisher is configured to use a remote log destination.

If the BIG-IP is not configured to generate an alert when DoS incidents are detected, this is a finding.

Fix: F-70089r1024033_fix

From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. Check "Enabled" for "DoS Protection".
6. DoS Protection tab.
7. Set the "Publisher" for each DoS type to use a remote log destination (for production environments, use Remote High Speed Logging).
8. Click "Update".

From the BIG-IP Console, type the following commands:
tmsh modify security log profile global-network dos-network-publisher <publisher>
tmsh modify security log profile global-network protocol-dns-dos-publisher <publisher>
tmsh modify security log profile global-network protocol-sip-dos-publisher <publisher>
tmsh save sys config

The F5 BIG-IP appliance must be configured to inspect all inbound and outbound traffic at the application layer.
CM-6 - Medium - CCI-000366 - V-266263 - SV-266263r1024879_rule
RMF Control: CM-6
Severity: Medium
CCI: CCI-000366
Version: F5BI-FW-300028
Vuln IDs: V-266263
Rule IDs: SV-266263r1024879_rule
Application inspection enables the firewall to control traffic based on parameters that exist within the packets, such as enforcing application-specific message and field lengths. Inspection provides improved protection against application-based attacks by restricting the types of commands allowed for the applications. Application inspection also enforces conformance against published RFCs. Some applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the firewall. When application inspection is enabled for a service that embeds IP addresses, the firewall translates the embedded addresses and updates any checksum or other fields that are affected by the translation. When application inspection is enabled for a service that uses dynamically assigned ports, the firewall monitors sessions to identify the dynamic port assignments and permits data exchange on these ports for the duration of the specific session.
Checks: C-70187r1024332_chk

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If the configured rules in the policy do not use packet headers and packet attributes, including source and destination IP addresses and ports, to inspect all inbound and outbound traffic at the application layer, this is a finding.

Fix: F-70090r1024333_fix

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules that use packet headers and packet attributes, including source and destination IP addresses and ports, to inspect all inbound and outbound traffic at the application layer.

The F5 BIG-IP appliance must be configured to filter inbound traffic on all external interfaces.
SC-7 - Medium - CCI-002403 - V-266264 - SV-266264r1024582_rule
RMF Control: SC-7
Severity: Medium
CCI: CCI-002403
Version: F5BI-FW-300029
Vuln IDs: V-266264
Rule IDs: SV-266264r1024582_rule
Unrestricted traffic to the trusted networks may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, consuming bandwidth and other resources. Firewall filters control the flow of network traffic, ensuring that traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated.
Checks: C-70188r1024335_chk

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If the configured rules in the policy do not filter inbound traffic on all active external interfaces, this is a finding.

Fix: F-70091r1024336_fix

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules that use packet headers and packet attributes, including source and destination IP addresses and ports, to filter inbound traffic on all external interfaces.

The F5 BIG-IP appliance must be configured to filter outbound traffic on all internal interfaces.
SC-7 - Medium - CCI-002403 - V-266265 - SV-266265r1024583_rule
RMF Control: SC-7
Severity: Medium
CCI: CCI-002403
Version: F5BI-FW-300030
Vuln IDs: V-266265
Rule IDs: SV-266265r1024583_rule
If outbound communications traffic is not filtered, hostile activity intended to harm other networks or packets from networks destined to unauthorized networks may not be detected and prevented. Access control policies and access control lists implemented on devices, such as firewalls, that control the flow of network traffic ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the internet) must be kept separated. This requirement addresses the binding of the egress filter to the interface/zone rather than the content of the egress filter.
Checks: C-70189r1024338_chk

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If the configured rules in the policy do not filter outbound traffic on all internal interfaces, this is a finding.

Fix: F-70092r1024339_fix

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules that use packet headers and packet attributes, including source and destination IP addresses and ports, to filter outbound traffic on all internal interfaces.

The F5 BIG-IP appliance must be configured to block all outbound management traffic.
SC-7 - Medium - CCI-002403 - V-266266 - SV-266266r1024584_rule
RMF Control: SC-7
Severity: Medium
CCI: CCI-002403
Version: F5BI-FW-300031
Vuln IDs: V-266266
Rule IDs: SV-266266r1024584_rule
The management network must still have its own subnet to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network's premise equipment. If a firewall is located behind the premise router, all management traffic must be blocked at that point, with the exception of management traffic destined to premise equipment.
Checks: C-70190r1024341_chk

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If the configured rules in the policy do not block all outbound management traffic, this is a finding.

Fix: F-70093r1024342_fix

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules that use packet headers and packet attributes, including source and destination IP addresses and ports, to block all outbound management traffic.

The BIG-IP appliance perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
SC-7 - Medium - CCI-001097 - V-266267 - SV-266267r1024585_rule
RMF Control: SC-7
Severity: Medium
CCI: CCI-001097
Version: F5BI-FW-300033
Vuln IDs: V-266267
Rule IDs: SV-266267r1024585_rule
The enclave's internal network contains the servers where mission-critical data and applications reside. Malicious traffic can enter from an external boundary or originate from a compromised host internally. Vulnerability assessments must be reviewed by the system administrator (SA) and protocols must be approved by the IA staff before entering the enclave. Firewall filters (e.g., rules, access control lists [ACLs], screens, and policies) are the first line of defense in a layered security approach. They permit authorized packets and deny unauthorized packets based on port or service type. They enhance the posture of the network by not allowing packets to even reach a potential target within the security domain. The filters provided are highly susceptible ports and services that must be blocked or limited as much as possible without adversely affecting customer requirements. Auditing packets attempting to penetrate the network but stopped by the firewall filters will allow network administrators to broaden their protective ring and more tightly define the scope of operation. If the perimeter is in a Deny-by-Default posture and what is allowed through the filter is in accordance with the PPSM CAL and VAs for the enclave, and if the permit rule is explicitly defined with explicit ports and protocols allowed, then all requirements related to the database being blocked would be satisfied.
Checks: C-70191r1024047_chk

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If the configured rules do not restrict inbound traffic to the ports, protocols, and services approved in the PPSM CAL, this is a finding.

Fix: F-70094r1024048_fix

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules that use packet headers and packet attributes, including source and destination IP addresses and ports, to allow only inbound traffic approved in the PPSM CAL.
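The PPSM CAL check above, together with the header-based rule checks in F5BI-FW-300002 and F5BI-FW-300028 through -300031, comes down to whether every accept rule in the policy is pinned to an approved protocol and port set rather than "any". As an added example, not part of the STIG, the script below audits a policy's rules in the form iControl REST returns them (`GET /mgmt/tm/security/firewall/policy/~Common~<name>/rules`, with camelCase keys such as `ipProtocol` and addresses and ports carried as `{"name": ...}` objects). The policy document here is constructed in that shape, and the CAL table is a constructed stand-in for the real approved list, so the exact field names should be confirmed against a live response before trusting the result.

```python
"""Audit a network firewall policy's accept rules against the PPSM CAL
(F5BI-FW-300033) and flag accept rules not bound to explicit protocols and
ports (F5BI-FW-300002, -300028 to -300031).

Added example, not part of the STIG. The policy is shaped like the iControl
REST response for GET /mgmt/tm/security/firewall/policy/~Common~<name>/rules
(assumed: camelCase keys such as 'ipProtocol', ports/addresses as
{'name': ...}); both it and the CAL table are constructed samples.
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple

Cal = Dict[Tuple[str, Optional[int]], str]

# (ip-protocol, port) pairs approved for this enclave; port None for
# protocols without ports. Constructed sample, not the real PPSM CAL.
PPSM_CAL: Cal = {
    ("tcp", 443): "HTTPS",
    ("tcp", 22): "SSH, management subnet only",
    ("udp", 53): "DNS",
    ("icmp", None): "ICMP echo for monitoring",
}

POLICY_RULES_JSON = json.dumps({  # constructed sample response
    "kind": "tm:security:firewall:policy:rules:rulescollectionstate",
    "items": [
        {"name": "allow_https", "action": "accept", "ipProtocol": "tcp",
         "source": {"addresses": [{"name": "0.0.0.0/0"}]},
         "destination": {"addresses": [{"name": "203.0.113.10/32"}],
                         "ports": [{"name": "443"}]}},
        {"name": "allow_legacy_admin", "action": "accept", "ipProtocol": "tcp",
         "source": {"addresses": [{"name": "10.10.0.0/24"}]},
         "destination": {"addresses": [{"name": "203.0.113.10/32"}],
                         "ports": [{"name": "8080-8081"}]}},
        {"name": "allow_any_udp", "action": "accept", "ipProtocol": "udp",
         "source": {"addresses": [{"name": "10.0.0.0/8"}]},
         "destination": {"addresses": [{"name": "203.0.113.53/32"}]}},
        {"name": "deny_all", "action": "drop"},
    ],
})


def expand_ports(spec: str) -> Iterable[int]:
    """'443' -> [443]; '8080-8081' -> [8080, 8081]."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def audit_accept_rules(policy: dict, cal: Cal) -> List[str]:
    """One finding per accept rule that is open wider than the CAL allows."""
    findings: List[str] = []
    rules = policy.get("items", [])
    for rule in rules:
        if rule.get("action") != "accept":
            continue
        name = rule.get("name", "?")
        proto = rule.get("ipProtocol", "any")
        ports = [p["name"] for p in rule.get("destination", {}).get("ports", [])]
        if proto in ("tcp", "udp"):
            if not ports:
                findings.append(f"{name}: accept rule for {proto} names no destination ports")
                continue
            unapproved = sorted({port for spec in ports for port in expand_ports(spec)
                                 if (proto, port) not in cal})
            if unapproved:
                findings.append(f"{name}: {proto} port(s) {unapproved} are not in the PPSM CAL")
        elif (proto, None) not in cal:
            findings.append(f"{name}: ip-protocol {proto} is not in the PPSM CAL")
    # Belt and braces: an explicit terminal drop/reject in the policy, on top of
    # the Firewall Options default action checked under F5BI-FW-300020.
    if not rules or rules[-1].get("action") not in ("drop", "reject"):
        findings.append("policy does not end in an explicit drop/reject rule; "
                        "rely on the Firewall Options default only if it is Drop or Reject")
    return findings


def audit_json(text: str, cal: Cal = PPSM_CAL) -> List[str]:
    return audit_accept_rules(json.loads(text), cal)


if __name__ == "__main__":
    for line in audit_json(POLICY_RULES_JSON):
        print("FINDING:", line)
```

Run against the sample, the HTTPS rule passes, the legacy admin rule is reported for two unapproved TCP ports, and the UDP rule is reported for carrying no destination ports at all; the same function can be pointed at each policy a device returns, with the CAL table loaded from the enclave's approved list.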