The F5 BIG-IP appliance must deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266261 | F5BI-FW-300020 | SV-266261r1024579_rule | High |
| Description |
| To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such rulesets prevent many malicious exploits or accidental leakage by restricting the traffic to only known sources and only those ports, protocols, or services that are permitted and operationally necessary. As a managed boundary interface, the firewall must block all inbound and outbound network traffic unless a filter is installed to explicitly allow it. The allow filters must comply with the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessment (VA). |
| STIG | Date |
| F5 BIG-IP TMOS Firewall Security Technical Implementation Guide | 2024-09-09 |
Details
| Check Text (C-70185r1024029_chk) |
| From the BIG-IP GUI: 1. Security. 2. Options. 3. Network Firewall. 4. Firewall Options. 5. Verify "Virtual Server & Self IP Contexts" is set to "Drop" or "Reject". 6. Verify "Global Context" is set to "Drop" or "Reject". If the BIG-IP appliance is not configured to deny network communications traffic by default and allow network communications traffic by exception, this is a finding. |
| Fix Text (F-70088r1024030_fix) |
| From the BIG-IP GUI: 1. Security. 2. Options. 3. Network Firewall. 4. Firewall Options. 5. Set "Virtual Server & Self IP Contexts" to "Drop" or "Reject". 6. Set "Global Context" to "Drop" or "Reject". 7. Update. |