STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 1 hour ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to F5 BIG-IP TMOS ALG Security Technical Implementation Guide

V-266164

CAT III (Low)

The F5 BIG-IP appliance must be configured to disable the persistent cookie flag.

Rule ID

SV-266164r1024395_rule

STIG

F5 BIG-IP TMOS ALG Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001664

Discussion

For BIG-IP APM deployments with connectivity resources (such as Network Access, Portal Access, etc.), BIG-IP APM cookies cannot be set as Persistent. This is by design since cookies are stored locally on the client's hard disk, and thus could be exposed to unauthorized external access. For some deployments of the BIG-IP APM system, cookie persistence may be required. When selecting cookie persistence, persistence is hard coded at 60 seconds.

Check Content

If the Access Profile is used for applications that require cookie persistence, then this is not a finding.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the access profile name.
5. SSO/Auth Domains tab.
6. Under Cookie Options, verify "Persistent" is disabled.

If the F5 Big IP appliance APM Policy has the Persistent cookies flag enabled, this is a finding.

Fix Text

Note: Testing must be performed prior to implementation to prevent operational impact. This setting may break access to certain applications that require cookie persistence.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the access profile name.
5. SSO/Auth Domains tab.
6. Under Cookie Options, uncheck "Persistent".
7. Click "Update".
8. Click "Apply Access Policy".