STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to F5 BIG-IP TMOS Firewall Security Technical Implementation Guide

V-266266

CAT II (Medium)

The F5 BIG-IP appliance must be configured to block all outbound management traffic.

Rule ID

SV-266266r1024584_rule

STIG

F5 BIG-IP TMOS Firewall Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002403

Discussion

The management network must still have its own subnet to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network's premise equipment. If a firewall is located behind the premise router, all management traffic must be blocked at that point, with the exception of management traffic destined to premise equipment.

Check Content

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>

If configured rules in the policy do not block all outbound management traffic, this is a finding.

Fix Text

From the BIG-IP GUI:
1. Security.
2. Network Firewall.
3. Policies.
4. <Policy Name>
5. Configure rules to using packet headers and packet attributes, including source and destination IP addresses and ports to filter to block all outbound management traffic.