STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated just now
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to F5 BIG-IP Access Policy Manager Security Technical Implementation Guide

V-260053

CAT II (Medium)

The F5 BIG-IP appliance must not use the On-Demand Cert Auth VPE agent as part of the APM Policy Profiles.

Rule ID

SV-260053r947421_rule

STIG

F5 BIG-IP Access Policy Manager Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-001184

Discussion

By requiring mutual authentication before any communication, it becomes significantly challenging for attackers to impersonate a client or server and exploit vulnerabilities. Furthermore, the encryption of all data transmitted between the client and server ensures that even if an attacker intercepts the data, it remains unintelligible without the correct keys. To ensure the use of the mutual TLS (mTLS) for session authentication, the On-Demand Cert Auth VPE agent should not be used. Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. However, if On-Demand is configured, the client SSL profile skips the initial SSL handshake, and On-Demand Cert Auth action can renegotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. Setting ODCA to "require" the client cert means the client cannot get any further in the APM VPE without providing a valid certificate. "Request" would ask the client for a certificate, but the client could still continue if they did not provide one. Thus, the Client Certificate should be set to "require" in the client SSL profile (F5BI-LT-000213) since removing ODCA from the VPE alone will result in the client never being prompted for a certificate. Within the Virtual Policy Editor (VPE) of the relevant Access Profile, do not use the On-Demand Cert Auth VPE agent. Configure only the Client Certification Inspection VPE Agent. This adjustment directs the BIG-IP to scrutinize the Client Certificate during the mTLS handshake process and extract the Certificate's details into APM session variables.

Check Content

Verify removal of the On-Demand Cert Auth VPE agent.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Verify the On-Demand Cert Auth agent is not configured in any part of the profile.

If the On-Demand Cert Auth agent is used in any Access Policy Profile, this is a finding.

Fix Text

Remove On-Demand Cert.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Remove any "On-Demand Cert Auth" agents in the profile.
6. Add a "Client Cert Inspection" object in place of the previous "On Demand Cert Auth" agent.
7. Click "Apply Access Policy".