The F5 BIG-IP appliance must be configured to block all outbound management traffic.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266266 | F5BI-FW-300031 | SV-266266r1024584_rule | Medium |
| Description |
| The management network must still have its own subnet to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the managed network's premise equipment. If a firewall is located behind the premise router, all management traffic must be blocked at that point, with the exception of management traffic destined to premise equipment. |
| STIG | Date |
| F5 BIG-IP TMOS Firewall Security Technical Implementation Guide | 2024-09-09 |
Details
| Check Text (C-70190r1024341_chk) |
| From the BIG-IP GUI: 1. Security. 2. Network Firewall. 3. Policies. 4. <Policy Name> If configured rules in the policy do not block all outbound management traffic, this is a finding. |
| Fix Text (F-70093r1024342_fix) |
| From the BIG-IP GUI: 1. Security. 2. Network Firewall. 3. Policies. 4. <Policy Name> 5. Configure rules to using packet headers and packet attributes, including source and destination IP addresses and ports to filter to block all outbound management traffic. |