
V-266277

CAT I (High)

The F5 BIG-IP appliance must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.

Rule ID

SV-266277r1024911_rule

STIG

F5 BIG-IP TMOS VPN Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000068

Discussion

NSA-approved NIST cryptographic algorithms are used to protect National Security Systems (NSS). Based on an analysis of the impact of quantum computing, the cryptographic algorithms specified by CNSSP-15 and approved for use in products in the CSfC program have been changed to more stringent protocols configured with increased bit sizes and other secure characteristics to protect against quantum computing threats. The Commercial National Security Algorithm Suite (CNSA Suite) replaces Suite B.

Check Content

From the BIG-IP GUI:
1. Network.
2. IPsec.
3. IKE Peers.
4. Click on the IKE Peer Name.
5. In "IKE Phase 1 Algorithms", verify "MODP4096" or higher is selected for "Perfect Forward Secrecy". MODP4096 is DH group 16, the 4096-bit MODP group defined in RFC 3526; MODP2048 (group 14) and MODP3072 (group 15) do not satisfy this requirement.

If the BIG-IP appliance is not configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1, this is a finding.

Fix Text

From the BIG-IP GUI:
1. Network.
2. IPsec.
3. IKE Peers.
4. Click on the IKE Peer Name.
5. In "IKE Phase 1 Algorithms", select "MODP4096" (DH group 16) or higher for "Perfect Forward Secrecy".
6. Click "Update".
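The Check Content and Fix Text above walk one IKE peer at a time through the GUI. The script below is an added example, not part of the STIG or of F5's own tooling: it audits every IKE peer at once by parsing the output of `tmsh list net ipsec ike-peer` and mapping each peer's Phase 1 PFS value to its IANA DH group number, flagging anything below group 16. The attribute name `phase1-perfect-forward-secrecy` and the stanza layout are assumed from memory of tmsh output rather than taken from the STIG text, and the sample input is constructed and simplified (no nested blocks). Run it on a BIG-IP with `tmsh list net ipsec ike-peer | check_ike_peers`.

```bash
#!/bin/bash
# Added example (not F5 or DISA code): audit IKE Phase 1 DH groups for V-266277.
# Assumption: `tmsh list net ipsec ike-peer` prints one stanza per peer of the form
#   net ipsec ike-peer <name> {
#       phase1-perfect-forward-secrecy <group>
#       ...
#   }
# The attribute name is assumed from memory, not from the STIG text.

# Map a MODP PFS value to its IANA DH group number (RFC 2409 / RFC 3526).
# Prints 0 for ECP or unrecognised values so they are routed to manual review.
dh_group_number() {
  case "$1" in
    modp768)  echo 1 ;;
    modp1024) echo 2 ;;
    modp1536) echo 5 ;;
    modp2048) echo 14 ;;
    modp3072) echo 15 ;;
    modp4096) echo 16 ;;
    modp6144) echo 17 ;;
    modp8192) echo 18 ;;
    *)        echo 0 ;;
  esac
}

# Read ike-peer stanzas on stdin; print "<peer> <pfs> FINDING|OK|REVIEW" per peer.
# Returns 1 if any peer is a finding (group below 16 or PFS not set), else 0.
check_ike_peers() {
  local rc=0 peer="" pfs="" status grp line
  # `read` with default IFS strips the indentation tmsh puts before attributes.
  while read -r line; do
    case "$line" in
      "net ipsec ike-peer "*)
        set -- $line
        peer=$4
        pfs=""
        ;;
      "phase1-perfect-forward-secrecy "*)
        set -- $line
        pfs=$2
        ;;
      "}")
        [ -n "$peer" ] || continue
        grp=$(dh_group_number "$pfs")
        if [ -z "$pfs" ]; then
          status=FINDING   # no Phase 1 PFS group configured at all
        elif [ "$grp" -eq 0 ]; then
          status=REVIEW    # ECP/unknown group: outside the MODP4096-or-higher check
        elif [ "$grp" -ge 16 ]; then
          status=OK
        else
          status=FINDING   # MODP group below 16
        fi
        if [ "$status" = FINDING ]; then rc=1; fi
        printf '%s %s %s\n' "$peer" "${pfs:-none}" "$status"
        peer=""
        ;;
    esac
  done
  return "$rc"
}

# Constructed sample of tmsh output (simplified; not captured from a real appliance).
SAMPLE='net ipsec ike-peer weak_peer {
    phase1-encrypt-algorithm aes256
    phase1-hash-algorithm sha256
    phase1-perfect-forward-secrecy modp2048
    remote-address 203.0.113.10
}
net ipsec ike-peer compliant_peer {
    phase1-perfect-forward-secrecy modp4096
    remote-address 198.51.100.7
}
net ipsec ike-peer strong_peer {
    phase1-perfect-forward-secrecy modp8192
}
net ipsec ike-peer ec_peer {
    phase1-perfect-forward-secrecy ecp384
}
net ipsec ike-peer unset_peer {
    remote-address 192.0.2.5
}'

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE" | check_ike_peers || echo "At least one IKE peer is a finding for V-266277"
```

Peers reported as FINDING can be remediated in tmsh with `tmsh modify net ipsec ike-peer <name> phase1-perfect-forward-secrecy modp4096` (the same assumed attribute name as above) followed by `tmsh save sys config`, which is the CLI equivalent of the GUI Fix Text. ECP groups are reported as REVIEW rather than OK because the STIG's check is phrased in terms of MODP4096 or higher and the reviewer should decide how to treat them.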