The F5 BIG-IP appliance IPsec VPN must ensure inbound and outbound traffic is configured with a security policy.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-266280 | SRG-NET-000019-VPN-000040 | F5BI-VN-300009 | SV-266280r1024917_rule | 2024-09-09 | 1 |
| Description |
|---|
| Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network. |
| ℹ️ Check |
|---|
| From the BIG-IP GUI: 1. Network. 2. IPsec. 3. IPsec Policies. 4. Click on IPsec Policy for site to site IPsec. 5. Verify that "ESP" is selected in the IPsec Protocol section. If the BIG-IP is not configured to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies, this is a finding. |
| ✔️ Fix |
|---|
| From the BIG-IP GUI: 1. Network. 2. IPsec. 3. IPsec Policies. 4. Click on IPsec Policy for site to site IPsec. 5. Select "ESP" in the IPsec Protocol section. 6. Click "Update". |