The F5 BIG-IP appliance that filters traffic from the VPN access points must be configured with organization-defined filtering rules that apply to the monitoring of remote access traffic.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-266254	SRG-NET-000061-FW-000001	F5BI-FW-300001	SV-266254r1024572_rule	2024-09-09	1

Description
Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

Description

Remote access devices (such as those providing remote access to network devices and information systems) that lack automated capabilities increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities from a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

ℹ️ Check
If the VPN is terminated directly on the BIG-IP, an Access Control List can be used to filter remote VPN traffic. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" on the VPN profile. 5. Access Control Lists are assigned in an "Advanced Resource Assign" object in the Visual Policy Editor. If the VPN is terminated directly on the BIG-IP appliance configured with organization-defined filtering rules that apply to the monitoring of remote access traffic, and there is no Access Control List assigned in the Access Profile, this is a finding. If the VPN is not terminated directly on the BIG-IP and the BIG-IP filters traffic from the VPN access points: 1. Security. 2. Network Firewall. 3. Policies. 4. <Policy Name> If the BIG-IP appliance filters traffic from the VPN access points and there are no rules configured with organization-defined filtering rules that apply to the monitoring of remote access traffic, this is a finding.

ℹ️ Check

If the VPN is terminated directly on the BIG-IP, an Access Control List can be used to filter remote VPN traffic. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" on the VPN profile. 5. Access Control Lists are assigned in an "Advanced Resource Assign" object in the Visual Policy Editor. If the VPN is terminated directly on the BIG-IP appliance configured with organization-defined filtering rules that apply to the monitoring of remote access traffic, and there is no Access Control List assigned in the Access Profile, this is a finding. If the VPN is not terminated directly on the BIG-IP and the BIG-IP filters traffic from the VPN access points: 1. Security. 2. Network Firewall. 3. Policies. 4. <Policy Name> If the BIG-IP appliance filters traffic from the VPN access points and there are no rules configured with organization-defined filtering rules that apply to the monitoring of remote access traffic, this is a finding.

✔️ Fix
If the VPN is terminated directly on the BIG-IP, an Access Control List can be used to filter remote VPN traffic. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" on the VPN profile. 5. Add an "Advanced Resource Assign" object in the Visual Policy Editor and add an Access Control List in accordance with the SSP and site configuration documentation. If the VPN is not terminated directly on the BIG-IP and the BIG-IP filters traffic from the VPN access points: 1. Security. 2. Network Firewall. 3. Policies. 4. <Policy Name> 5. Add rules to filter VPN traffic. 6. Click "Commit Changes to System".

✔️ Fix

If the VPN is terminated directly on the BIG-IP, an Access Control List can be used to filter remote VPN traffic. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" on the VPN profile. 5. Add an "Advanced Resource Assign" object in the Visual Policy Editor and add an Access Control List in accordance with the SSP and site configuration documentation. If the VPN is not terminated directly on the BIG-IP and the BIG-IP filters traffic from the VPN access points: 1. Security. 2. Network Firewall. 3. Policies. 4. <Policy Name> 5. Add rules to filter VPN traffic. 6. Click "Commit Changes to System".