DISA F5 BIG-IP TMOS VPN STIG v1r1

Audit Details

Name: DISA F5 BIG-IP TMOS VPN STIG v1r1

Updated: 12/19/2025

Authority: DISA STIG

Plugin: F5

Revision: 1.0

Estimated Item Count: 12

File Details

Filename: DISA_STIG_F5_BIG-IP_TMOS_VPN_v1r1.audit

Size: 37.7 kB

MD5: b3d3553f7e9d172ff69baf9be4ad7148
SHA256: e33f2db821c5402cd622af6f9cf62aa0e54ec3d7228028a48c11db1a0669998e

Audit Items

Description | Categories

F5BI-VN-300004 - The F5 BIG-IP appliance must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. | ACCESS CONTROL

F5BI-VN-300005 - The F5 BIG-IP appliance IPsec VPN Gateway must use AES256 or higher encryption for the Internet Key Exchange (IKE) proposal to protect confidentiality of remote access sessions. | ACCESS CONTROL

F5BI-VN-300006 - The F5 BIG-IP appliance IPsec VPN must use AES256 or greater encryption for the IPsec proposal. | ACCESS CONTROL

F5BI-VN-300009 - The F5 BIG-IP appliance IPsec VPN must ensure inbound and outbound traffic is configured with a security policy. | ACCESS CONTROL

F5BI-VN-300021 - The F5 BIG-IP appliance IPsec VPN Gateway must use Internet Key Exchange (IKE) for IPsec VPN Security Associations (SAs). | CONFIGURATION MANAGEMENT

F5BI-VN-300024 - The IPsec BIG-IP appliance must use IKEv2 for IPsec VPN security associations. | CONFIGURATION MANAGEMENT

F5BI-VN-300025 - The F5 BIG-IP appliance IPsec VPN Gateway must renegotiate the IPsec Phase 1 security association after eight hours or less. | IDENTIFICATION AND AUTHENTICATION

F5BI-VN-300026 - The F5 BIG-IP appliance IPsec VPN must renegotiate the IKE Phase 2 security association after eight hours or less. | IDENTIFICATION AND AUTHENTICATION

F5BI-VN-300033 - For accounts using password authentication, the F5 BIG-IP appliance site-to-site IPsec VPN Gateway must use SHA-2 or later protocol to protect the integrity of the password authentication process. | IDENTIFICATION AND AUTHENTICATION

F5BI-VN-300040 - The F5 BIG-IP appliance IPsec VPN must use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network. | SYSTEM AND COMMUNICATIONS PROTECTION

F5BI-VN-300041 - The F5 BIG-IP appliance IPsec VPN must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE). | SYSTEM AND COMMUNICATIONS PROTECTION

F5BI-VN-300044 - The F5 BIG-IP appliance IPsec VPN Gateway must specify Perfect Forward Secrecy (PFS) during Internet Key Exchange (IKE) negotiation. | SYSTEM AND COMMUNICATIONS PROTECTION