The F5 BIG-IP appliance IPsec VPN must ensure inbound and outbound traffic is configured with a security policy.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266280 | F5BI-VN-300009 | SV-266280r1024917_rule | High |
| Description |
| Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network. |
| STIG | Date |
| F5 BIG-IP TMOS VPN Security Technical Implementation Guide | 2024-09-09 |
Details
| Check Text (C-70204r1024086_chk) |
| From the BIG-IP GUI: 1. Network. 2. IPsec. 3. IPsec Policies. 4. Click on IPsec Policy for site to site IPsec. 5. Verify that "ESP" is selected in the IPsec Protocol section. If the BIG-IP is not configured to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies, this is a finding. |
| Fix Text (F-70107r1024916_fix) |
| From the BIG-IP GUI: 1. Network. 2. IPsec. 3. IPsec Policies. 4. Click on IPsec Policy for site to site IPsec. 5. Select "ESP" in the IPsec Protocol section. 6. Click "Update". |