The F5 BIG-IP appliance must be configured to set the "Max In Progress Sessions per Client IP" value to 10 or an organizational-defined number.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-266175	SRG-NET-000053-ALG-000001	F5BI-AP-300164	SV-266175r1024855_rule	2024-09-20	1

Description
The "Max In Progress Sessions Per Client IP" setting in an APM Access Profile is a security configuration that limits the number of simultaneous sessions that can be initiated from a single IP address. This is particularly helpful in preventing a session flood, where a hacker might attempt to overwhelm the system by initiating many sessions from a single source. By capping the number of sessions per IP, this setting can help maintain the system's stability and integrity while also providing a layer of protection against such potential attacks. This setting has been recommended by F5 as a defense-in-depth measure. However, in some networks, narrowing the number of in progress sessions may in adverse impacts on legitimate connections. Thus, sites must test this setting within their network prior to implementing to determine the minimum acceptable number. This should not remain at the very high default value and should not be excessively high. Document the organizational value.

Description

The "Max In Progress Sessions Per Client IP" setting in an APM Access Profile is a security configuration that limits the number of simultaneous sessions that can be initiated from a single IP address. This is particularly helpful in preventing a session flood, where a hacker might attempt to overwhelm the system by initiating many sessions from a single source. By capping the number of sessions per IP, this setting can help maintain the system's stability and integrity while also providing a layer of protection against such potential attacks. This setting has been recommended by F5 as a defense-in-depth measure. However, in some networks, narrowing the number of in progress sessions may in adverse impacts on legitimate connections. Thus, sites must test this setting within their network prior to implementing to determine the minimum acceptable number. This should not remain at the very high default value and should not be excessively high. Document the organizational value.

ℹ️ Check
Note: Setting must be tested to determine if a number greater than 10 is operationally necessary. Ten is the minimum but may have operational impacts. Set to the minimum that is possible without adverse impacts, document the setting and the operational testing. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. In the "Settings" section, verify "Max In Progress Sessions per Client IP" is set to 10 or an organization-defined number. If the F5 BIG-IP APM access policy is not configured to set a "Max In Progress Sessions per Client IP" value to 10 or an organization-defined number, this is a finding.

ℹ️ Check

Note: Setting must be tested to determine if a number greater than 10 is operationally necessary. Ten is the minimum but may have operational impacts. Set to the minimum that is possible without adverse impacts, document the setting and the operational testing. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. In the "Settings" section, verify "Max In Progress Sessions per Client IP" is set to 10 or an organization-defined number. If the F5 BIG-IP APM access policy is not configured to set a "Max In Progress Sessions per Client IP" value to 10 or an organization-defined number, this is a finding.

✔️ Fix
From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. In the "Settings" section, set "Max In Progress Sessions per Client IP" to 10 or an organization-defined number. Note: If the setting is grayed out, check the box to the right of the setting and then update it. If the setting is not set to 10, verify the operational reason is documented and approved by the AO. 6. Click "Update". 7. Click "Apply Access Policy".

✔️ Fix

From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. In the "Settings" section, set "Max In Progress Sessions per Client IP" to 10 or an organization-defined number. Note: If the setting is grayed out, check the box to the right of the setting and then update it. If the setting is not set to 10, verify the operational reason is documented and approved by the AO. 6. Click "Update". 7. Click "Apply Access Policy".