
F5 BIG-IP TMOS Firewall Security Technical Implementation Guide

  • Version: V1R1
  • Release Date: Sep 9, 2024
  • SCAP Benchmark ID: F5_BIG-IP_TMOS_FW_STIG
  • Total Checks: 14
  • Tags: network
  • Severity breakdown: CAT I: 3, CAT II: 9, CAT III: 2

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (14)

  • V-266254 (MEDIUM): The F5 BIG-IP appliance that filters traffic from the VPN access points must be configured with organization-defined filtering rules that apply to the monitoring of remote access traffic.
  • V-266255 (HIGH): The F5 BIG-IP appliance must be configured to use filters that use packet headers and packet attributes, including source and destination IP addresses and ports, to prevent the flow of unauthorized or suspicious traffic between interconnected networks with different security policies, including perimeter firewalls and server VLANs.
  • V-266256 (MEDIUM): The F5 BIG-IP appliance must generate traffic log entries containing information to establish the details of the event, including success or failure of the application of the firewall rule.
  • V-266257 (LOW): In the event that communication with the central audit server is lost, the F5 BIG-IP appliance must continue to queue traffic log records locally.
  • V-266258 (MEDIUM): The F5 BIG-IP appliance must be configured to use TCP when sending log records to the central audit server.
  • V-266259 (MEDIUM): The F5 BIG-IP appliance must be configured to restrict itself from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
  • V-266260 (HIGH): The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
  • V-266261 (HIGH): The F5 BIG-IP appliance must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
  • V-266262 (LOW): The F5 BIG-IP appliance must generate an alert that can be forwarded to, at a minimum, the information system security officer (ISSO) and information system security manager (ISSM) when denial-of-service (DoS) incidents are detected.
  • V-266263 (MEDIUM): The F5 BIG-IP appliance must be configured to inspect all inbound and outbound traffic at the application layer.
  • V-266264 (MEDIUM): The F5 BIG-IP appliance must be configured to filter inbound traffic on all external interfaces.
  • V-266265 (MEDIUM): The F5 BIG-IP appliance must be configured to filter outbound traffic on all internal interfaces.
  • V-266266 (MEDIUM): The F5 BIG-IP appliance must be configured to block all outbound management traffic.
  • V-266267 (MEDIUM): The BIG-IP appliance perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.