The BIG-IP AFM module must be configured to only allow incoming communications from authorized sources routed to authorized destinations.

From F5 BIG-IP Advanced Firewall Manager 11.x Security Technical Implementation Guide

Part of SRG-NET-000364-ALG-000122

Associated with: CCI-002403

SV-74355r1_rule The BIG-IP AFM module must be configured to only allow incoming communications from authorized sources routed to authorized destinations.

Vulnerability discussion

Unrestricted traffic may contain malicious traffic that poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.Access control policies and access control lists implemented on devices that control the flow of network traffic (e.g., application-level firewalls and Web content filters) ensure the flow of traffic is only allowed from authorized sources to authorized destinations. Networks with different levels of trust (e.g., the Internet or CDS) must be kept separate.

Check content

If the BIG-IP AFM module is not used to support user access control intermediary services for virtual servers, this is not applicable. Verify the BIG-IP AFM module is configured to only allow incoming communications from authorized sources routed to authorized destinations. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select the applicable Virtual Servers(s) from the list to verify. Navigate to the Security >> Policies tab. Verify that "Network Firewall" is assigned a local Network Firewall Policy. Verify configuration of the identified Network Firewall policy: Navigate to the BIG-IP System manager >> Security >> Network Firewall >> Active Rules. Select the Network Firewall policy that was assigned to the Virtual Server. Review the configuration of the "Protocol", "Source", "Destination", and "Action" sections at a minimum to ensure that the policy is only allowing incoming communications from authorized sources enroute to authorized destinations. If the BIG-IP AFM module is not configured to only allow incoming communications from unauthorized sources routed to unauthorized destinations, this is a finding.

Fix text

Configure the BIG-IP AFM module to only allow incoming communications from authorized sources routed to authorized destinations.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer