If the VPN is terminated directly on the BIG-IP, an Access Control List can be used to filter remote VPN traffic.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" on the VPN profile.
5. Access Control Lists are assigned in an "Advanced Resource Assign" object in the Visual Policy Editor.

If the VPN is terminated directly on the BIG-IP appliance, organization-defined filtering rules that apply to the monitoring of remote access traffic exist, and there is no Access Control List assigned in the Access Profile, this is a finding.

If the VPN is not terminated directly on the BIG-IP and the BIG-IP filters traffic from the VPN access points:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If the BIG-IP appliance filters traffic from the VPN access points and no rules are configured that implement the organization-defined filtering rules that apply to the monitoring of remote access traffic, this is a finding.

If the VPN is terminated directly on the BIG-IP, an Access Control List can be used to filter remote VPN traffic.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" on the VPN profile.
5. Add an "Advanced Resource Assign" object in the Visual Policy Editor and add an Access Control List in accordance with the SSP and site configuration documentation.

If the VPN is not terminated directly on the BIG-IP and the BIG-IP filters traffic from the VPN access points:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Add rules to filter VPN traffic.
6. Click "Commit Changes to System".

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If configured rules in the policy do not use packet headers and packet attributes, including source and destination IP addresses and ports, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules to use packet headers and packet attributes, including source and destination IP addresses and ports, in accordance with the SSP and site configuration documentation.

From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. Network Firewall tab.
6. Select a Log Publisher to use (for production environments, use Remote High Speed Logging).
7. Verify at least the "Accept", "Drop", and "Reject" Log Rule Matches boxes are checked, along with any other settings to be enabled.

From the BIG-IP Console, type the following command:
tmsh list security log profile global-network

Note: Verify the log-acl-match-accept, log-acl-match-drop, and log-acl-match-reject settings are enabled.

If the BIG-IP is not configured to generate traffic log entries containing information to establish the details of the event, including success or failure of the application of the firewall rule, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. Network Firewall tab.
6. Select a Log Publisher to use (for production environments, use Remote High Speed Logging).
7. Check the "Accept", "Drop", and "Reject" Log Rule Matches boxes, along with any other settings to be enabled.
8. Click "Update".

From the BIG-IP Console, type the following commands:
tmsh modify security log profile global-network network modify { all { filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled } publisher <publisher name> } }
tmsh save sys config

Refer to vendor documentation for more information.

If using Remote High Speed Logging (recommended):

From the BIG-IP GUI:
1. Local Traffic.
2. Pools.
3. Pool List.
4. <Logging Pool Name>
5. Verify that "Enable Request Queueing" is set to "Yes".

From the BIG-IP Console, type the following command:
tmsh list ltm pool <Logging Pool Name> queue-on-connection-limit

Note: Verify this is enabled.

If the BIG-IP appliance is not configured to queue traffic log records locally in the event that communication with the central audit server is lost, this is a finding.

If using Remote High Speed Logging (recommended):

From the BIG-IP GUI:
1. Local Traffic.
2. Pools.
3. Pool List.
4. <Logging Pool Name>
5. Set "Enable Request Queueing" to "Yes".

Note: Configuration must be set to "Advanced" to view this option.

From the BIG-IP Console, type the following commands:
tmsh modify ltm pool <Logging Pool Name> queue-on-connection-limit enabled
tmsh save sys config

From the BIG-IP GUI:
1. System.
2. Logs.
3. Configuration.
4. Log Destinations.
5. <Name>.
6. Verify "Protocol" is set to TCP.

From the BIG-IP Console, type the following command:
tmsh list sys log-config destination remote-high-speed-log <Name> protocol

Note: Verify this is set to "tcp".

If the BIG-IP appliance is not configured to use TCP when sending log records to the central audit server, this is a finding.

From the BIG-IP GUI:
1. System.
2. Logs.
3. Configuration.
4. Log Destinations.
5. Click the name of the log destination.
6. Set "Protocol" to TCP.
7. Click "Update".

From the BIG-IP Console, type the following command:
tmsh modify sys log-config destination remote-high-speed-log <Name> protocol tcp

From the BIG-IP GUI:
1. Network.
2. VLANs.
3. VLAN List.
4. <Name> of internal VLAN.
5. Verify that "Source Check" is enabled.
6. Verify that Auto Last Hop is set to "Disabled".

From the BIG-IP Console, type the following commands:
tmsh list net vlan <Name> auto-lasthop
tmsh list net vlan <Name> source-checking

If the BIG-IP appliance is not configured to disable Auto Last Hop, this is a finding.

From the BIG-IP GUI:
1. Network.
2. VLANs.
3. VLAN List.
4. <Name> of internal VLAN.
5. Check the box next to "Source Check".
6. Set Auto Last Hop to "Disabled".

From the BIG-IP Console, type the following commands:
tmsh modify net vlan <Name> auto-lasthop disabled
tmsh modify net vlan <Name> source-checking enabled
tmsh save sys config

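As an added illustration (not part of the STIG), the logging profile check and the VLAN check above can be run offline against captured `tmsh list` output, which is how an auditor reviews many appliances from one collection. The script assumes the brace-style, one-setting-per-line output format of `tmsh list`; the SAMPLE output it parses is constructed and deliberately fails two of the checks.

```python
# Added example (not the STIG's own code); SAMPLE below is constructed tmsh output.
def parse_tmsh(text):
    """Parse `tmsh list` brace output into nested dicts; a multi-word header such as
    `net vlan internal {` is kept as a single key, `key value` lines become strings."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line:
            key, _, value = line.partition(" ")
            cur[key] = value.strip()
    return root

def audit(text):
    """Return one finding string per logging-profile or VLAN setting that fails."""
    findings = []
    for name, obj in parse_tmsh(text).items():
        if name.startswith("security log profile"):
            flt = obj.get("network", {}).get("all", {}).get("filter", {})
            for key in ("log-acl-match-accept", "log-acl-match-drop", "log-acl-match-reject"):
                if flt.get(key) != "enabled":
                    findings.append(f"{name}: {key} is not enabled")
        elif name.startswith("net vlan"):
            for key, want in (("auto-lasthop", "disabled"), ("source-checking", "enabled")):
                if obj.get(key) != want:
                    findings.append(f"{name}: {key} is not {want}")
    return findings

SAMPLE = """\
security log profile global-network {
    network {
        all {
            filter {
                log-acl-match-accept enabled
                log-acl-match-drop enabled
                log-acl-match-reject disabled
            }
        }
    }
}
net vlan internal {
    auto-lasthop default
    source-checking enabled
}
"""
```

Running `audit(SAMPLE)` reports the disabled reject logging and the VLAN left at the default Auto Last Hop; an empty list means the captured output passes both checks.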
From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand each of the applicable families (Network, DNS, SIP) depending on the traffic being handled by the BIG-IP and verify the "State" is set to "Mitigate" for all signatures in that family.

If the BIG-IP appliance is not configured to block outbound traffic containing denial-of-service (DoS) attacks, this is a finding.

From the BIG-IP GUI:
1. Security.
2. DoS Protection.
3. Device Protection.
4. Expand each of the applicable families (Network, DNS, SIP) one at a time, depending on the traffic being handled by the BIG-IP, and do the following for each:
- Check the box at the top of the list of signatures to select all or, at a minimum, the filters that prevent or limit the effects of all types of commonly known DoS attacks, including flooding, packet sweeps, and unauthorized port scanning, as well as the filters for unknown or out-of-order extension headers.
- Set "Set State" to "Mitigate".
5. Click "Commit Changes to System".

Note: Sites must operationally test or initially use learning mode prior to turning on all of the options in all families to prevent operational impacts, particularly in implementations with large traffic volumes.

From the BIG-IP GUI:
1. Security.
2. Options.
3. Network Firewall.
4. Firewall Options.
5. Verify "Virtual Server & Self IP Contexts" is set to "Drop" or "Reject".
6. Verify "Global Context" is set to "Drop" or "Reject".

If the BIG-IP appliance is not configured to deny network communications traffic by default and allow network communications traffic by exception, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Options.
3. Network Firewall.
4. Firewall Options.
5. Set "Virtual Server & Self IP Contexts" to "Drop" or "Reject".
6. Set "Global Context" to "Drop" or "Reject".
7. Click "Update".

From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. DoS Protection tab.
6. Verify the "Publisher" for each DoS type is configured to use a remote log destination (for production environments, use Remote High Speed Logging).

From the BIG-IP Console, type the following command:
tmsh list security log profile global-network | grep dos

Verify each DoS publisher is configured to use a remote log destination.

If the BIG-IP is not configured to generate an alert when DoS incidents are detected, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Event Logs.
3. Logging Profiles.
4. Edit the global-network profile.
5. Check "Enabled" for "DoS Protection".
6. DoS Protection tab.
7. Set the "Publisher" for each DoS type to use a remote log destination (for production environments, use Remote High Speed Logging).
8. Click "Update".

From the BIG-IP Console, type the following commands:
tmsh modify security log profile global-network dos-network-publisher <publisher>
tmsh modify security log profile global-network protocol-dns-dos-publisher <publisher>
tmsh modify security log profile global-network protocol-sip-dos-publisher <publisher>
tmsh save sys config

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If configured rules in the policy do not use packet headers and packet attributes, including source and destination IP addresses and ports, to inspect all inbound and outbound traffic at the application layer, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules to use packet headers and packet attributes, including source and destination IP addresses and ports, to inspect all inbound and outbound traffic at the application layer.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If configured rules in the policy do not filter inbound traffic on all active external interfaces, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules using packet headers and packet attributes, including source and destination IP addresses and ports, to filter inbound traffic on all external interfaces.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If configured rules in the policy do not filter outbound traffic on all internal interfaces, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules using packet headers and packet attributes, including source and destination IP addresses and ports, to filter outbound traffic on all internal interfaces.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If configured rules in the policy do not block all outbound management traffic, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules using packet headers and packet attributes, including source and destination IP addresses and ports, to block all outbound management traffic.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If the configured rules do not restrict inbound traffic to that allowed by the PPSM CAL, this is a finding.

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules to use packet headers and packet attributes, including source and destination IP addresses and ports, to only allow inbound traffic in accordance with the PPSM CAL.