F5 BIG-IP TMOS STIG Compliance Checklist

Hard 20 items · 4 hours
testuser Published 1 month ago

This checklist helps system and security administrators implement the F5 BIG-IP TMOS STIG requirements for DoD and federal environments. It covers hardening, module configuration (LTM, APM, AFM, AWAF, DNS), logging, and compliance documentation to bring BIG-IP appliances into STIG alignment.

Source: https://ncp.nist.gov/checklist/1268

  1. Update TMOS to the latest STIG-approved version — Apply vendor and STIG recommended patches and hotfixes.
  2. Verify installed modules match STIG scope (LTM, APM, AFM, AWAF, DNS) — Confirm only required modules are installed and licensed.
  3. Inventory and review virtual servers and applied policies — List virtual servers, associated profiles, and policies for each application.
  4. Harden management interfaces — Secure access to management plane and services.
  5. Restrict management access to trusted networks — Use management VRF, ACLs, or trusted IP lists.
  6. Enable HTTPS and SSH with strong cipher suites — Disable weak ciphers and enforce modern TLS versions.
  7. Disable unused management services (Telnet, FTP, SNMPv1) — Turn off legacy protocols and unnecessary daemons.
  8. Change default admin account and enforce least privilege — Remove or rename default accounts and assign minimal roles.
  9. Enable multi-factor authentication for administrative access — Require MFA for GUI, SSH, and API administrators.
  10. Configure role-based access control (RBAC) and audit accounts — Define roles, separate duties, and enable account auditing.
  11. Enforce TLS profiles and disable weak ciphers on virtual servers — Apply approved TLS profiles to all client and server SSL objects.
  12. Configure secure SSL certificate management — Use valid CAs, track expirations, and protect private keys.
  13. Apply AFM firewall policies to relevant virtual servers — Attach application-specific AFM policies where required.
  14. Implement AWAF application security policies and tuning — Enable protection rules, tune false positives, and test.
  15. Enable and centralize logging and syslog forwarding — Forward audit, system, and WAF logs to a SIEM or syslog server.
  16. Configure monitoring and alerting for security events — Create alerts for admin changes, failures, and critical logs.
  17. Perform vulnerability scan and remediate CVEs — Scan device, review CVEs, and apply vendor mitigations.
  18. Back up the configuration and save a STIG compliance snapshot — Export configs and archive the current state before and after changes.
  19. Document STIG deviations, exceptions, and obtain approvals — Record justifications and authorized waivers for noncompliance.
  20. Schedule regular STIG compliance reviews and updates — Plan periodic re-audits and track STIG version changes.
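As an added example (not part of the original checklist or of any F5 tooling), a small Python checker for items 5, 6 and 11: it parses a constructed sample written in the style of `tmsh list` output and flags client-ssl profiles that still allow legacy protocols or weak cipher tokens, and management services whose `allow` list is ALL. The sample, the weak-token list and the required-option list are assumptions for illustration; the approved cipher string and protocol set come from the STIG itself, not from this script.

```python
# Constructed sample in the style of `tmsh list` output; not captured from a real device.
SAMPLE = """\
ltm profile client-ssl app_weak {
    ciphers DEFAULT
    options { dont-insert-empty-fragments }
}
ltm profile client-ssl app_hardened {
    ciphers ECDHE+AES-GCM:!RC4:!MD5:!EXPORT:!DES:!3DES
    options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 }
}
sys sshd {
    allow { ALL }
}
sys httpd {
    allow { 10.10.5.0/24 }
}
"""
REQUIRED_SSL_OPTIONS = ("no-sslv3", "no-tlsv1", "no-tlsv1.1")  # assumed: legacy protocols to disable
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "EXPORT", "NULL")   # assumed: may only appear negated (!)

def parse_tmsh(text):
    """Parse top-level `name { key value ... }` blocks into {name: {key: value}}."""
    objects, current = {}, None
    for line in text.splitlines():
        if not line.startswith((" ", "}")) and line.endswith(" {"):
            current = line[:-2]
            objects[current] = {}
        elif line == "}":
            current = None
        elif current is not None and line.strip():
            key, _, value = line.strip().partition(" ")
            objects[current][key] = value.strip('"{} ')   # unwrap { a b } and "quoted" values
    return objects

def audit(text):
    """Return (object, finding) pairs for TLS and management-plane settings; empty means clean."""
    findings = []
    for name, attrs in parse_tmsh(text).items():
        if name.startswith("ltm profile client-ssl"):
            options = attrs.get("options", "").split()
            findings += [(name, f"legacy protocol enabled: missing {o}")
                         for o in REQUIRED_SSL_OPTIONS if o not in options]
            ciphers = attrs.get("ciphers", "DEFAULT")
            if ciphers == "DEFAULT": findings.append((name, "relies on vendor DEFAULT cipher list"))
            tokens = ciphers.replace("+", ":").split(":")   # a weak token counts only when not '!'-negated
            findings += [(name, f"cipher string permits {t}") for t in WEAK_CIPHER_TOKENS if t in tokens]
        elif name in ("sys sshd", "sys httpd"):
            if attrs.get("allow", "ALL").upper() in ("ALL", ""):   # missing allow is treated as ALL
                findings.append((name, "management access not restricted to trusted networks"))
    return findings
```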