The F5 BIG-IP appliance providing user access control intermediary services must limit the number of concurrent sessions to one or an organization-defined number for each access profile.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-266137 | SRG-NET-000053-ALG-000001 | F5BI-AP-300001 | SV-266137r1024833_rule | 2024-09-20 | 1 |
Description
---

The "Max In Progress Sessions Per Client IP" setting in an APM Access Profile is a security configuration that limits the number of simultaneous sessions that can be initiated from a single IP address. This is particularly helpful in preventing a session flood, where a hacker might attempt to overwhelm the system by initiating many sessions from a single source. By capping the number of sessions per IP, this setting can help maintain the system's stability and integrity while also providing a layer of protection against such potential attacks.

False positives may result from this setting in networks where users are behind a shared proxy. Sites must conduct operational testing to determine if there are adverse operational impacts. View Log reports to identify recurring IP sources within the user community.

Max In Progress Sessions per Client IP represents the maximum number of sessions that can be in progress for a client IP address. When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, increase the value accordingly.

Check
---

If the BIG-IP appliance does not provide user access control intermediary services, this is not applicable.

From the BIG-IP GUI:

1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the Name of the Access profile.
5. Under "Settings", verify "Max Sessions per User" is set to "1" or to an organization-defined number.

If the BIG-IP appliance is not configured to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.

Fix
---

From the BIG-IP GUI:

1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the Name of the Access profile.
5. Under "Settings", set "Max Sessions per User" to "1" or to an organization-defined number.
6. Update.
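The GUI check above is done one profile at a time. The following Python script is an added example (not part of the STIG text or an F5-supplied tool) that audits every access profile at once from exported configuration text: it parses the output of `tmsh list apm profile access` and reports each profile whose "Max Sessions per User" value is unset or outside the range 1 to the organization-defined limit. The block assumes that the GUI setting is stored under the tmsh property name `max-sessions-per-user`, that the listing uses the brace-delimited format shown, and that a property absent from the listing was left at its default; the sample output is constructed, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `tmsh list apm profile access` output. The block
# layout and the property name `max-sessions-per-user` are assumptions
# made for this example, not captured from a BIG-IP.
SAMPLE_TMSH_OUTPUT = """\
apm profile access /Common/vpn_users {
    app-service none
    accept-languages { en }
    max-in-progress-sessions 128
    max-sessions-per-user 1
}
apm profile access /Common/contractors {
    app-service none
    max-sessions-per-user 5
}
apm profile access /Common/access {
    app-service none
}
"""

PROFILE_RE = re.compile(r"^apm profile access (\S+) \{\s*$")
KEY_RE = re.compile(r"^\s+(max-sessions-per-user|max-in-progress-sessions)\s+(\d+)\s*$")


@dataclass
class Finding:
    profile: str
    value: Optional[int]   # None when the property was not present in the listing
    reason: str


def parse_access_profiles(text: str) -> Dict[str, Dict[str, int]]:
    """Return {profile_name: {property: int}} for the session-limit properties.

    Only properties at the top level of each profile block are read; nested
    braces (e.g. `accept-languages { en }`) are tracked so they are skipped.
    """
    profiles: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    depth = 0
    for line in text.splitlines():
        if depth == 0:
            m = PROFILE_RE.match(line)
            if m:
                current = m.group(1)
                profiles[current] = {}
                depth = 1          # the opening brace of the profile block
            continue
        if depth == 1 and current is not None:
            m = KEY_RE.match(line)
            if m:
                profiles[current][m.group(1)] = int(m.group(2))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return profiles


def audit_max_sessions(text: str, org_limit: int = 1) -> List[Finding]:
    """Flag profiles whose max-sessions-per-user is unset or outside 1..org_limit.

    An unset property is reported as a finding to verify rather than silently
    accepted, because the effective default is not visible in the listing
    (assumption for this example).
    """
    findings: List[Finding] = []
    for name, props in parse_access_profiles(text).items():
        value = props.get("max-sessions-per-user")
        if value is None:
            findings.append(Finding(name, None,
                "max-sessions-per-user not set in listing; verify in the GUI"))
        elif value < 1 or value > org_limit:
            findings.append(Finding(name, value,
                f"max-sessions-per-user is {value}; allowed range is 1..{org_limit}"))
    return findings


if __name__ == "__main__":
    for f in audit_max_sessions(SAMPLE_TMSH_OUTPUT, org_limit=1):
        print(f"FINDING {f.profile}: {f.reason}")
```

Run it against saved `tmsh list apm profile access` output (or replace the constructed sample) and pass the organization-defined number as `org_limit`; any profile printed as a FINDING is one to correct through the Fix steps above. Profiles that inherit settings via `defaults-from` are reported on their own listed values only, so review a parent profile's finding as applying to its children as well.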