F5 BIG-IP TMOS STIG Y24M09 Checklist Details

Target:

Target CPE Name
F5 BIG-IP Access Policy Manager (APM) cpe:/a:f5:big-ip_access_policy_manager:-

Checklist Highlights

Checklist Name:
F5 BIG-IP TMOS STIG
Checklist ID:
1268
Version:
Y24M09
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
12/23/2024

Checklist Summary:

The F5 BIG-IP Security Technical Implementation Guide (STIG) provides security policy and technical configuration requirements for deploying the appliance in the Department of Defense (DOD) networking environment. The BIG-IP appliance provides integrated application delivery services that work together on the same hardware. These services include load balancing, application delivery, SSL off-loading, access control, firewall, virtual private network (VPN), and name resolution services.

The F5 BIG-IP STIG includes the following:

  • BIG-IP Network Device Management (NDM) STIG.
  • BIG-IP Advanced Firewall Manager (AFM) STIG.
  • BIG-IP Application Layer Gateway (ALG) STIG.
  • BIG-IP Virtual Private Network (VPN) STIG.
  • BIG-IP Domain Name System (DNS) STIG.

The core technology for the BIG-IP appliance is the Traffic Management Operating System (TMOS), and logical software modules run within TMOS. Modules within the scope of this STIG include the Local Traffic Manager (LTM), Access Policy Manager (APM), AFM, Advanced Web Application Firewall (AWAF), and DNS.

The BIG-IP LTM provides traffic management for rapid deployment, optimization, load balancing, and off-loading of sessions between users and application servers. This module is the core for all BIG-IP deployments, and all other modules are used to define profiles and policies that are applied to virtual servers defined in the LTM.

The BIG-IP APM protects public-facing applications by providing secure, policy-based, and context-aware access control. It centralizes and simplifies authentication, authorization, and accounting (AAA) management and covers the Authentication Gateway Service (AGS) requirements to support Federated Single Sign-On (SSO).

The BIG-IP AFM is a stateful, full-proxy network firewall designed to guard data centers against incoming threats that enter the network. The STIG security requirements ensure firewall policies are implemented to monitor and secure the applications they are configured to protect. Depending on the organization’s needs, users may prefer to put all active rules in a single policy applied at the global context or apply firewall policies for specific virtual servers. The latter allows for application-specific policies to be developed and applied only where required. When processing policies and rules on a virtual server, only those specific to the application are processed.

The BIG-IP AWAF is a web application firewall that protects critical applications and their data by defending against application-specific attacks that bypass conventional firewalls. It protects applications with comprehensive, policy-based web application security that blocks attacks and scales to ensure performance.

Checklist Role:

  • Multi-Functional Peripherals

Known Issues:

Not provided.

Target Audience:

Parties within the DOD and federal government’s computing environments can obtain the applicable STIG from the DOD Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DOD Certificates can obtain the STIG from https://public.cyber.mil/.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Instruction (DoDI) 8500.01

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Initial Submission as Candidate - 12/30/2024
Changed Status to Final - 03/24/2025

NIST checklist record last modified on 03/24/2025