Revision 1.6Sep 9, 2025

2.5 Ensure External Users' has access to needed Partitions only
2.6 Ensure External Users' Terminal Access is Disabled
3.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for Configuration utility sessions
3.2 Ensure access to Configuration utility by clients using TLS version 1.2 or later
4.2 Ensure 'Idle timeout' is less than or equal to 10 minutes for SSH connections
4.3 Ensure 'Idle timeout' is less than or equal to 10 minutes for tmsh sessions
4.4 Ensure 'Idle timeout' is less than or equal to 10 minutes for serial console sessions
4.5 Ensure minimum SSH Encryption algorithm is set to aes128-cbc
4.6 Ensure to set SSH MAC algorithm to hmac-sha2-256
4.7 Ensure to set Strong SSH KEY Exchange algorithm
4.8 Ensure access SSH to CLI interface is restricted to needed IP addresses only
5.1 Ensure redundant NTP servers are configured appropriately
5.2 Ensure to exclude inode information from ETags HTTP Header
5.3 Ensure port lockdown for self IP is set
5.4 Ensure to disable unused services in BIG-IP configuration
6.1 Ensure that SNMP access is allowed to trusted agents IPs only
6.5 Ensure that Remote Syslog Servers are configured

1.1.1 Ensure default password of root is not allowed
1.1.2 Ensure default password of admin is not used
2.5 Ensure External Users' has access to needed Partitions only
2.6 Ensure External Users' Terminal Access is Disabled
3.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for Configuration utility sessions
3.2 Ensure access to Configuration utility by clients using TLS version 1.2 or later
4.2 Ensure 'Idle timeout' is less than or equal to 10 minutes for SSH connections
4.3 Ensure 'Idle timeout' is less than or equal to 10 minutes for tmsh sessions
4.4 Ensure 'Idle timeout' is less than or equal to 10 minutes for serial console sessions
4.5 Ensure minimum SSH Encryption algorithm is set to aes128-cbc
4.6 Ensure to set SSH MAC algorithm to hmac-sha2-256
4.7 Ensure to set Strong SSH KEY Exchange algorithm
4.8 Ensure access SSH to CLI interface is restricted to needed IP addresses only
5.1 Ensure redundant NTP servers are configured appropriately
5.2 Ensure to exclude inode information from ETags HTTP Header
5.3 Ensure port lockdown for self IP is set
5.4 Ensure to disable unused services in BIG-IP configuration
6.1 Ensure that SNMP access is allowed to trusted agents IPs only
6.2 Ensure minimum SNMP version is set to V3 for agent access
6.5 Ensure that Remote Syslog Servers are configured

1.1.3 Configure Secure Password Policy
3.3 Ensure access to Configuration utility is restrcited to needed IP addresses only
4.1 Ensure Prelogin 'Login Banner' is set
6.3 Ensure to lockdown access logs to \"Administrator , Resource Administrator and Auditor \" roles only
6.4 Ensure that audit logging for \"MCP, tmsh and GUI\" is set to enabled

1.1.3 Configure Secure Password Policy - Ensure Maximum Login Failures
1.1.3 Configure Secure Password Policy - EnsurePassword Memory
1.1.3 Configure Secure Password Policy - Expiration Warning
1.1.3 Configure Secure Password Policy - Maximum Duration
1.1.3 Configure Secure Password Policy - Minimum Duration
1.1.3 Configure Secure Password Policy - Minimum Password Length
1.1.3 Configure Secure Password Policy - Required Lowercase
1.1.3 Configure Secure Password Policy - Required Numeric
1.1.3 Configure Secure Password Policy - Required Special Characters
1.1.3 Configure Secure Password Policy - Required Uppercase
1.1.3 Configure Secure Password Policy - Secure Password Enforcement
1.1.3 Configure Secure Password Policy - User Lockout
3.3 Ensure access to Configuration utility is restricted to needed IP addresses only
4.1 Ensure Prelogin 'Login Banner' is set - Enabled
4.1 Ensure Prelogin 'Login Banner' is set - Login Banner
6.3 Ensure to lockdown access logs to 'Administrator , Resource Administrator and Auditor ' roles only
6.4 Ensure that audit logging for 'MCP, tmsh and GUI' is set to enabled