STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

F5 BIG-IP TMOS ALG Security Technical Implementation Guide

Version: V1R2

Release Date: Jun 9, 2025

SCAP Benchmark ID: F5_BIG-IP_TMOS_ALG_STIG

Total Checks: 37

Tags: other

Severity breakdown: CAT I: 9, CAT II: 23, CAT III: 5

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (37)

  • V-266137 (MEDIUM): The F5 BIG-IP appliance providing user access control intermediary services must limit the number of concurrent sessions to one or an organization-defined number for each access profile.
  • V-266138 (MEDIUM): The F5 BIG-IP appliance providing intermediary services for remote access communications traffic must ensure inbound and outbound traffic is monitored for compliance with remote access security policies.
  • V-266139 (HIGH): The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.
  • V-266140 (MEDIUM): To protect against data mining, the F5 BIG-IP appliance providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.
  • V-266141 (MEDIUM): To protect against data mining, the F5 BIG-IP appliance providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.
  • V-266142 (MEDIUM): To protect against data mining, the F5 BIG-IP appliance providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.
  • V-266143 (HIGH): The F5 BIG-IP appliance providing user access control intermediary services must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
  • V-266144 (HIGH): The F5 BIG-IP appliance providing user access control intermediary services must implement attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
  • V-266145 (MEDIUM): The F5 BIG-IP appliance providing user access control intermediary services must display the Standard Mandatory DOD-approved Notice and Consent Banner before granting access to the network.
  • V-266146 (MEDIUM): The F5 BIG-IP appliance must generate event log records that can be forwarded to the centralized events log.
  • V-266147 (MEDIUM): The F5 BIG-IP appliance that provides intermediary services for SMTP must inspect inbound and outbound SMTP and Extended SMTP communications traffic for protocol compliance and protocol anomalies.
  • V-266148 (MEDIUM): The F5 BIG-IP appliance that provides intermediary services for FTP must inspect inbound and outbound FTP communications traffic for protocol compliance and protocol anomalies.
  • V-266149 (MEDIUM): The F5 BIG-IP appliance that provides intermediary services for HTTP must inspect inbound and outbound HTTP traffic for protocol compliance and protocol anomalies.
  • V-266150 (HIGH): The F5 BIG-IP appliance must be configured to prohibit or restrict the use of unnecessary or prohibited functions, ports, protocols, and/or services, including those defined in the PPSM CAL and vulnerability assessments.
  • V-266152 (HIGH): The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA).
  • V-266153 (HIGH): The F5 BIG-IP appliance must configure certification path validation to ensure revoked machine credentials are prohibited from establishing an allowed session.
  • V-266154 (MEDIUM): The F5 BIG-IP appliance providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  • V-266155 (HIGH): The F5 BIG-IP appliance must terminate all network connections associated with a communications session at the end of the session or after 15 minutes of inactivity.
  • V-266156 (MEDIUM): The F5 BIG-IP appliance providing content filtering must employ rate-based attack prevention behavior analysis.
  • V-266157 (MEDIUM): The F5 BIG-IP appliance providing content filtering must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing pattern recognition pre-processors.
  • V-266158 (MEDIUM): The F5 BIG-IP appliance must check the validity of all data inputs except those specifically identified by the organization.
  • V-266159 (MEDIUM): The F5 BIG-IP appliance providing content filtering must automatically update malicious code protection mechanisms.
  • V-266160 (MEDIUM): The F5 BIG-IP appliance providing content filtering must detect use of network services that have not been authorized or approved by the information system security manager (ISSM) and information system security officer (ISSO), at a minimum.
  • V-266161 (MEDIUM): The F5 BIG-IP appliance providing content filtering must generate a log record when unauthorized network services are detected.
  • V-266162 (LOW): When the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, the F5 BIG-IP appliance must be configured to enable the HTTP Only flag.
  • V-266163 (LOW): The F5 BIG-IP appliance must be configured to enable the secure cookie flag.
  • V-266164 (LOW): The F5 BIG-IP appliance must be configured to disable the persistent cookie flag.
  • V-266165 (HIGH): The F5 BIG-IP appliance must configure certificate path validation to ensure revoked user credentials are prohibited from establishing an allowed session.
  • V-266166 (MEDIUM): The F5 BIG-IP appliance must not use the On-demand Cert Auth VPE agent as part of the APM Policy Profiles.
  • V-266167 (MEDIUM): The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session.
  • V-266168 (LOW): The F5 BIG-IP appliance must be configured to limit authenticated client sessions to initial session source IP.
  • V-266170 (HIGH): The F5 BIG-IP appliance must be configured to use cryptographic algorithms approved by NSA to protect NSS for remote access to a classified network.
  • V-266171 (MEDIUM): The F5 BIG-IP must be configured to identify and authenticate all endpoint devices or peers before establishing a connection.
  • V-266172 (MEDIUM): The F5 BIG-IP appliance providing remote access intermediary services must disable split-tunneling for remote clients' VPNs.
  • V-266173 (MEDIUM): The F5 BIG-IP appliance providing remote access intermediary services must be configured to route sessions to an IDPS for inspection.
  • V-266174 (MEDIUM): The VPN Gateway must use Always On VPN connections for remote computing.
  • V-266175 (LOW): The F5 BIG-IP appliance must be configured to set the "Max In Progress Sessions per Client IP" value to 10 or an organization-defined number.