F5 BIG-IP Access Policy Manager STIG Version Comparison
F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
Comparison
There are 14 differences between versions v2 r2 (Nov. 27, 2023) (the "left" version) and v2 r4 (Jan. 30, 2025) (the "right" version).
Check F5BI-AP-000231 was added to the benchmark in the "right" version.
Text Differences
Title
The F5 BIG-IP appliance must be configured to deny access when revocation data is unavailable using OCSP.
Check Content
If the BIG-IP appliance does not provide PKI-based user authentication intermediary services, this is not applicable.
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Verify an "OCSP Auth" object is configured in the Access Profile VPE AND that the fallback branch of this object leads to a "Deny" ending.
If the BIG-IP appliance is not configured to deny access when revocation data is unavailable, this is a finding.
Discussion
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Caching of CRL files on BIG-IP is not feasible or possible due to the large sizes of DOD/DISA CRL files. Use the alternate mitigation, configuring the system to deny access when revocation data is unavailable, which is done in the APM VPE.
Fix
Update the OCSP Auth. From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Add an "OCSP Auth" in the Access Profile. Note: To create an OCSP Responder, go to Access >> Authentication >> OCSP Responder.
6. Ensure the fallback branch goes to a "Deny" ending.
7. Click "Apply Access Policy".