An error occurred:

F5 BIG-IP TMOS NDM STIG Version Comparison

F5 BIG-IP TMOS NDM Security Technical Implementation Guide

Comparison

There are 2 differences between versions v1 r1 (Sept. 26, 2024) (the "left" version) and v1 r2 (July 2, 2025) (the "right" version).

Check F5BI-DM-300036 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Text Differences

Title

The F5 BIG-IP appliance must be configured to synchronize internal information system clocks using redundant authoritative time sources.

Check Content

From the BIG-IP Console, issue the following commands: tmsh list sys ntp include #Verify there is a line similar to the following with more than one "server" listed #server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> If the BIG-IP appliance is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.

Discussion

The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

Fix

From the BIG-IP Console, issue the following commands: tmsh edit sys ntp all-properties #Replace the "include" section with the following (add as many ntp server lines as necessary for the environment): include "server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys>" tmsh save sys config