A10 Networks ADC ALG Security Technical Implementation Guide

Version: V2R2
Benchmark ID: A10_Networks_ADC_ALG_STIG
Total Checks: 34
Tags: network
CAT I: 4, CAT II: 26, CAT III: 4

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Checks (34)

  • V-237032 [MEDIUM] The A10 Networks ADC, when used for TLS encryption and decryption, must be configured to comply with the required TLS settings in NIST SP 800-52.
  • V-237033 [LOW] The A10 Networks ADC, when used to load balance web applications, must enable external logging for accessing Web Application Firewall data event messages.
  • V-237034 [LOW] The A10 Networks ADC must send an alert to, at a minimum, the ISSO and SCA when connectivity to the Syslog servers is lost.
  • V-237035 [MEDIUM] The A10 Networks ADC must not have unnecessary scripts installed.
  • V-237036 [MEDIUM] The A10 Networks ADC must use DNS Proxy mode when Global Server Load Balancing is used.
  • V-237037 [MEDIUM] The A10 Networks ADC must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
  • V-237038 [MEDIUM] The A10 Networks ADC when used for TLS encryption and decryption must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation.
  • V-237039 [MEDIUM] The A10 Networks ADC must not have any unnecessary or unapproved virtual servers configured.
  • V-237040 [MEDIUM] The A10 Networks ADC, when used to load balance web applications, must strip HTTP response headers.
  • V-237041 [MEDIUM] The A10 Networks ADC, when used to load balance web applications, must replace response codes.
  • V-237042 [MEDIUM] To protect against data mining, the A10 Networks ADC must detect and prevent SQL and other code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-237043 [MEDIUM] To protect against data mining, the A10 Networks ADC must detect and prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-237044 [MEDIUM] To protect against data mining, the A10 Networks ADC providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-237045 [MEDIUM] To protect against data mining, the A10 Networks ADC providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-237046 [MEDIUM] To protect against data mining, the A10 Networks ADC providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-237047 [MEDIUM] To protect against data mining, the A10 Networks ADC providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-237048 [MEDIUM] The A10 Networks ADC being used for TLS encryption and decryption using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certificate Authorities (CAs) for the establishment of protected sessions.
  • V-237049 [HIGH] The A10 Networks ADC must protect against TCP and UDP Denial of Service (DoS) attacks by employing Source-IP based connection-rate limiting.
  • V-237050 [MEDIUM] The A10 Networks ADC must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks.
  • V-237051 [MEDIUM] The A10 Networks ADC must enable DDoS filters.
  • V-237052 [MEDIUM] The A10 Networks ADC, when used to load balance web applications, must examine incoming user requests against the URI White Lists.
  • V-237053 [LOW] The A10 Networks ADC, when used to load balance web applications, must enable external logging for WAF data event messages.
  • V-237054 [MEDIUM] The A10 Networks ADC must enable logging for packet anomaly events.
  • V-237055 [MEDIUM] The A10 Networks ADC must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected.
  • V-237056 [MEDIUM] The A10 Networks ADC must enable logging of Denial of Service (DoS) attacks.
  • V-237057 [MEDIUM] The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.
  • V-237058 [MEDIUM] The A10 Networks ADC must reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
  • V-237059 [LOW] The A10 Networks ADC must, at a minimum, off-load audit log records onto a centralized log server.
  • V-237060 [MEDIUM] The A10 Networks ADC, when used for load balancing web servers, must deploy the WAF in active mode.
  • V-237061 [MEDIUM] If the Data Owner requires it, the A10 Networks ADC must be configured to perform CCN Mask, SSN Mask, and PCRE Mask Request checks.
  • V-237062 [HIGH] The A10 Networks ADC must protect against ICMP-based Denial of Service (DoS) attacks by employing ICMP Rate Limiting.
  • V-237063 [MEDIUM] The A10 Networks ADC must protect against TCP SYN floods by using TCP SYN Cookies.
  • V-237064 [HIGH] The A10 Networks ADC must be a FIPS-compliant version.
  • V-264425 [HIGH] The A10 Networks ALG must be using a version supported by the vendor.