Common Criteria Supplement EAL2

F5® Networks BIG-IP® Local Traffic Manager

Release: 10.2.2

Release Date: March 8, 2013

Document ID: 10-2020-R-0039
Version: 3.1
Prepared By: M. Steinhour, F5 Networks

Prepared For: F5 Networks
401 Elliott Avenue West
Seattle, WA 98119

2009/2012 F5® Networks


Table of Contents

DOCUMENT HISTORY ....................................................................................................... 3

1 PURPOSE .................................................................................................................. 6

1.1 DEFINITIONS.......................................................................................................... 6

1.1.1 Acronyms ...................................................................................................... 8

2 EXCLUDED ASPECTS ........................................................................................... 9

2.1 SECURITY RELEVANT ............................................................................................ 9

2.2 NON-SECURITY RELEVANT .................................................................................. 11

3 PREPARATIVE PROCEDURES ......................................................................... 13

3.1 RECEIPT AND PREPARATION OF TOE AND ENVIRONMENT PRIOR TO INSTALLATION 13

3.1.1 Receipt ........................................................................................................ 13

3.1.2 Environment preparation ............................................................................ 13

3.1.3 Prior to installation ...................................................................................... 13

3.2 VERIFICATION OF COMMON CRITERIA EVALUATED CONFIGURATION ................ 15

3.2.1 Common Criteria Excluded Aspects ........................................................... 15

3.2.2 Verification of Common Criteria components ........................................... 15

3.3 F5 INSTALLATION OF APPLIANCE HARDWARE .................................................... 16

3.4 ACTIVATE THE SOFTWARE LICENSE .................................................................... 16

3.5 SETTING BASIC SYSTEM INFORMATION............................................................... 16

3.5.1 Configure the Management Interface ......................................................... 16

3.5.2 Set Administrator Username/Password ...................................................... 17

3.6 REINSTALL THE SOFTWARE AND VERIFY THE INSTALLED SOFTWARE ................. 18

3.7 COMPLETING INSTALLATION ............................................................................... 20

3.8 CREATE A TMSH USER ......................................................................................... 20

3.9 ACTIVATE COMMON CRITERIA MODE ................................................................. 20

3.10 FINAL INSTALLATION NOTE: ............................................................................ 21

4 F5 BIG–IP OPERATIONAL USER GUIDE SUPPLEMENT ........................... 22

4.1 ESTABLISHING LOCAL USERS AND ROLES ............................................................ 22

4.1.1 Defining user passwords ............................................................................. 22

4.1.2 Changing Default User Role ....................................................................... 22

4.1.3 Deleting an explicit user-role designation .................................................. 22


4.2 VLAN SETTINGS ................................................................................................. 23

4.3 CONFIGURING REDUNDANCY SETTINGS .............................................................. 23

4.3.1 Failover settings .......................................................................................... 23

4.3.2 VLAN fail-safe settings .............................................................................. 24

4.3.3 System fail safe parameters ........................................................................ 24

4.3.4 Connection Mirroring ................................................................................. 24

4.3.5 ConfigSync Encryption ............................................................................... 24

4.4 REVIEW OF AUDIT LOG RECORDS ........................................................................ 24

4.5 (OPTIONAL) CONFIGURING EMAIL FOR SYSTEM VIOLATION ALERTS ................. 25

4.6 SECURITY SETTINGS ............................................................................................ 27

4.6.1 Re-encrypting traffic ................................................................................... 27

4.6.2 Ciphers and key lengths .............................................................................. 27

4.7 AUTHENTICATION SERVER SETTINGS .................................................................. 27

4.7.1 LDAP Settings ............................................................................................ 28

4.7.2 RADIUS Settings ........................................................................................ 28

4.8 COOKIE ENCRYPTION SETTINGS .......................................................................... 28

4.9 ADDITIONAL SERVERS AND SETTINGS ................................................................. 28

4.10 ADDITIONAL CONFIGURATION AND OPERATIONAL NOTES ............................... 28

4.11 SYNCHRONIZING THE COMPLETED CONFIGURATION ....................................... 32

5 APPENDIX A: REFERENCE DOCUMENTS .................................................... 33

6 APPENDIX B: SAMPLE PACKING LISTS ....................................................... 37

7 APPENDIX C: TAMPER SEAL ON THE 6900 AND 8900 ............................... 38

8 APPENDIX D: TAMPER SEAL ON THE 11050 ............................................... 39

9 APPENDIX E: CRYPTOGRAPHIC KEY SUPPORT ....................................... 40

10 APPENDIX F: EVENT LOG RECORDS ............................................................ 41

10.1 VIEWING EVENT LOG RECORDS ...................................................................... 41

10.2 SEARCHING AND SORTING EVENT LOG RECORDS ............................................ 46

11 APPENDIX G: ALERT DESCRIPTIONS FOR OPTIONAL EMAIL ALERTS 49

Document History

Document Version   Date   Author   Comments


0.1 6/15/10 M. McAlister Initial Release

0.2 03/10/11 M. Steinhour Corrected guidance document list, document references, and configuration steps. Clarified guidance.

0.3 04/07/11 M. Steinhour Update per Infogard comments and other minor changes

0.4 04/20/11 M. Steinhour Update wording per Infogard comments and add packing list examples.

0.5 5/3/11 M. Steinhour Add instructions for creating a tmsh user, and correct ccmode run command.

0.6 6/8/11 M. Steinhour Clarifications

0.7 7/19/11 M. Steinhour Add ISO reinstall of software to address ALC.DEL verdict

0.8 7/25/11 M. Steinhour Final documentation updates in Appendix A

0.9 7/27/11 M. Steinhour Handle 7/26-27/11 issues

1.0 7/28/11 M. Steinhour Handle 7/26/11 OPE issues

1.1 8/26/11 M. Steinhour Consistency and exclusion issues

1.2 8/31/11 M. Steinhour More consistency and exclusion issues

1.3 09/28/11 M. Steinhour Verdicts v1.0

1.4 11/10/11 M. Steinhour Verdicts v1.1

1.5 12/06/11 M. Steinhour Verdicts v1.2

1.6 12/22/11 M. Steinhour Exclude iControl

1.7 08/01/12 M. Steinhour Minor changes to match other doc updates, updates for TVOR issues

1.8 08/06/12 M. Steinhour Minor updates from testing issues

1.9 08/09/12 M. Steinhour Additional updates from testing

2.0 08/30/12 M. Steinhour Additional updates from testing, issues list

2.1 10/07/12 M. Steinhour Additional updates based on tests and detailed ST review

2.2 10/20/12 M. Steinhour Clarifications and auditing details

2.3 10/30/12 M. Steinhour Updates per 2012-10-29 comments

2.4 11/19/12 M. Steinhour Minor updates

2.5 11/26/12 M. Steinhour Add statement to contact support if problems


2.6 11/30/12 M. Steinhour Note publish doc error

2.7 12/04/12 M. Steinhour Additional alert descriptions

2.8 12/06/12 M. Steinhour Fix alert description

2.9 12/12/12 M. Steinhour Final updates

3.0 02/07/13 M. Steinhour FVOR updates

3.1 03/08/13 M. Steinhour FVOR cleanup


1 Purpose

The purpose of this document (assurance measure) is to supplement the existing Target of Evaluation (TOE) user documentation for the BIG-IP system. Conformance with this supplemental instruction, in addition to the applicable sections of the primary documentation, is intended to result in deployment and configuration of the TOE consistent with the Common Criteria [1] evaluated configuration identified in the F5 BIG-IP Security Target.

1.1 Definitions

Administrative-user(s) Refers to a user of the BIG-IP appliance (not of the traffic it mediates) holding any of the supported roles; used to globally characterize TOE users within this ST.

Administrative-user(s), Default “Default Administrative-user” refers specifically to the one administrative-user ID that is required to be locally authenticated and available in case remote access is not possible.

Administrator role This role grants users complete access to all partitioned and non-partitioned objects on the system. In addition, accounts with the Administrator role can perform configuration synchronization on a redundant system. These users can change their own passwords.

Application Editor This role grants users permission to modify nodes, pools, pool members, and monitors. These users can view all objects on the system and change their own passwords.

Authenticated Traffic User This term denotes a user of the traffic that traverses the BIG-IP appliance, not a direct user of the appliance itself, who is required to authenticate through the TSF before accessing backend server resources. This is a role within the BIG-IP appliance and is a member of the traffic users grouping term.

Guest role This role grants users permission to view all objects on the system and change their own passwords.

iRules™ An iRule is a user-written script that controls the behavior of a connection passing through the LTM system. iRules™ are an F5 Networks feature and are frequently used to direct certain connections to a non-default load balancing pool. However, iRules can perform other tasks, such as implementing secure network address translation and enabling session persistence. iRules can define criteria for pool-member selection, as well as perform content transformations, logging, and custom protocol support.

[1] Common Criteria is an Information Technology Security Evaluation program adopted by the National Information Assurance Partnership (NIAP). NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). NIAP has established the Common Criteria Evaluation Validated Scheme (CCEVS) to validate IT products. Common Criteria is also referred to as ISO 15408.

Manager role This role grants users permission to create, modify, and delete virtual servers, pools, pool members, nodes, custom profiles, custom monitors, and iRules™. These users can view all objects on the system and change their own passwords.

No Access role This role prevents users from accessing the system. It is commonly applied to all users defined on a remote authentication server except for those specifically identified as BIG-IP® administrators.

Node An application client server within the BIG-IP® managed environment.

Operator role This role grants users permission to enable or disable nodes and pool members. These users can view all objects and change their own passwords.

Pool A grouping of Nodes or application server clients.

Resource Administrator role This role grants users complete access to all partitioned and non-partitioned objects on the system, except user account objects. These users can perform configuration synchronization on a redundant system.

Self-IP A Self-IP is an IP address that the TM/OS takes for itself on a VLAN. You can use a Self-IP to access the GUI.

Unauthenticated traffic user Role within the BIG-IP appliance to indicate a user of traffic flowing through the TOE to backend servers which does not require authentication support from the BIG-IP appliance.

User Manager role Users with the User Manager role that have access to all partitions can create, modify, delete, and view all user accounts except those that are assigned the Administrator role, or the User Manager role with different partition access. Accounts with the User Manager role can also change their own passwords.


1.1.1 Acronyms

CC Common Criteria

DoS Denial of Service

FIPS Federal Information Processing Standard

FTP File Transfer Protocol

GTM Global Traffic Management

GUI Graphical User Interface

HTTP Hypertext Transport Protocol

HTTPS Hypertext Transport Protocol (Secure)

LDAP Lightweight Directory Access Protocol

LTM Local Traffic Management

OpenSSH Open Secure Shell

OS Operating System

RADIUS Remote Authentication Dial In User Service

TCP Transmission Control Protocol

TLS Transport Layer Security

TOE Target of Evaluation

Self-IP Self IP address

SSL Secure Socket Layer

SFP Security Function Policy

SSH Secure Shell

SMTP Simple Mail Transfer Protocol

UI User Interface

VLANs Virtual Local Area Networks

VNIC Virtual Network Interface Card (driver)


2 Excluded Aspects

2.1 Security Relevant

This section identifies any security relevant items that are specifically excluded from the TOE. Administrators of BIG-IP Common Criteria configurations must not include or use these modules and features, and must disregard all mention of their use or configuration in the guidance documents.

1. Application templates – configurations restricted to manual approach (procedurally enforced).

2. The following modules, as they are separately licensed and not included in the CC Evaluated Configuration:

a. BIG-IP Global Traffic Manager

b. BIG-IP Link Controller

c. BIG-IP Application Security Manager

d. BIG-IP WebAccelerator System

e. BIG-IP WAN Optimization Module

f. BIG-IP Access Policy Manager

g. BIG-IP Message Security Module

3. Application Security Policy Editor role, which is not included in a BIG-IP configuration except as part of the Application Security Module.

4. Always-On Management (AOM) – SSH access to AOM is disabled unless configured, and the Common Criteria evaluated configuration does not configure SSH for AOM. Serial console access to AOM is procedurally excluded from the Common Criteria Evaluated Configuration.

5. bash shell – disabled by Appliance mode.

6. Bigpipe Utility Command Line Interface (CLI) and Bigpipe Shell (bpsh) – deprecated in this release and therefore procedurally excluded. Note that:

a. Users must not be created with the capability to access the bigpipe shell, either through the GUI or tmsh;

b. The bigpipe shell must not be accessed through the tmsh “run /util bigpipe shell” command;

c. The bigpipe utility commands must not be accessed through the “run /util bigpipe <command>” command.

7. SNMP (Remote Management of BIG-IP) is disabled via configuration script, therefore references to SNMP in the environment do not apply. However, email notification of alerts relies on modifying the alertd configuration file, which uses the snmptrap statement format to define the alert. References to snmptrap in that context do apply.


8. FIPS hardware, including hardware-based SSL offloading.

9. iSessions (relates to data center to data center deployment models) - requires BIG-IP® WAN Optimization Module which is not included in TOE.

10. Editing the configuration files specified in the TMOS Management Guide is excluded. The GUI or tmsh must be used for all system configuration.

11. IMI and VTY shells.

12. The ability to configure the TOE via the appliance LCD display is disabled except during initial configuration.

13. Serial port.

14. Kerberos server. This is not enabled unless configured, and the Common Criteria evaluated configuration does not configure Kerberos. Note that the default Kerberos profile says that it is enabled, but without fully configuring the profile and attaching it to a virtual server, Kerberos itself is not configured and not usable. Thus, by default, Kerberos itself is not enabled.

15. iControl interface is procedurally excluded since all of the function it provides is also provided with the GUI and tmsh interfaces.

16. Note that since CRLs can quickly become outdated, their use and that of CRLDPs is excluded from the TOE. Therefore, an OCSP server is required in the Operational Environment for certificate revocation checks.

17. The following profiles (based on the list in the Configuration Guide for BIG-IP Local Traffic Manager, Chapter 5 (Understanding Profiles), section “Profile Types”):

a. Services profiles: RTSP, Diameter, and iSession

b. Persistence profiles: Microsoft Remote Desktop

c. Protocol profiles: SCTP

d. SSL profiles: None

e. Authentication profiles: Kerberos Delegation

f. Other profiles: NTLM and Stream.

18. Protocol sanitization for protocols other than HTTP, FTP, and SMTP.

19. Ciphers other than those specified in Appendix A – Cryptographic Key Support in the F5® Networks BIG-IP® Local Traffic Manager Release: 10.2.2 with Advanced Client Authentication and Protocol Security modules Security Target EAL 2 augmented ALC_FLR.2. Note that the CCMODE script described in Section 3.9 changes the cryptographic defaults as they are described in guidance documents and supersedes those documents.

20. Cryptographic-related protocols other than SSHv2, SSLv3, and TLSv1.0.

21. Any features requiring root access to configure, since access to root is disabled via Appliance Mode. This includes, for example, remote encrypted logging, since Appliance Mode precludes the ability to configure the SSH tunnel required for that function.

22. The gencert utility is excluded since it is only accessible through excluded shells. Key and certificate generation should be accomplished through the GUI instead.

23. References to CORBA, which is not used in the BIG-IP.

24. TACACS+ is excluded as a remote authentication server.

25. Network boot.

26. Software updates to the common-criteria evaluated configuration.

27. Batch mode tmsh transactions.

2.2 Non-security relevant

This section identifies aspects of the TOE that were not evaluated as part of the Common Criteria Evaluation. With the exception of those items listed as “separately licensed and not included with the TOE”, items in this category include those features which may provide significant functional capability within the TOE and may be used by customers but are not security relevant.

Those items listed as “separately licensed and not included with the TOE” may have security-relevant aspects and should not be used with a Common Criteria evaluated configuration without careful review.

1. WebAccelerator™ Module (WAM) - separately licensed and not included with the TOE.

2. Link Controller (LC) - separately licensed and not included with the TOE.

3. Global Traffic Manager (GTM) - separately licensed and not included with the TOE.

4. Application Policy Module (APM) - separately licensed and not included with the TOE.

5. Enterprise Manager – separately licensed and not included with the TOE.

6. F5 Management Pack – separately licensed and not included with the TOE.

7. Advanced Routing – separately licensed and not included with the TOE.

8. Optimization of network and application traffic; load balancing.

9. HTTP compression.

10. Caching.

11. Aggregation of client requests.

12. Routing around slower or degraded routes.

13. Selective data compression.


14. Windows NT LAN Manager authentication protocol (NTLM). The BIG-IP passes this protocol through, but does not itself perform NTLM authentication.

15. Network resource monitoring.

16. Trunk (link aggregation).

17. Spanning Tree Protocols.

18. Network Tunnels.

19. Bigtop utility – this utility provides statistical monitoring only.

20. SNAT – “Source NAT”. BIG-IP implements SNAT as mapping a source client IP address to a translation address defined on the BIG-IP system.

21. Booting from different volumes. The BIG-IP may be configured with multiple volumes but only booting from the slot containing the Common Criteria-evaluated configuration is recommended.


3 Preparative Procedures

This section supplements the reference documents listed in Section 5 Appendix A: Reference Documents.

Before you begin, the Administrators of the BIG-IP appliance must review all associated documentation and guidance referenced in Section 5 prior to proceeding with installation and administration of the device. Administration of the BIG-IP appliance requires a base of knowledge in networking and traffic management. The user is responsible for ensuring that qualified personnel complete all tasks described herein and in the references.

3.1 Receipt and preparation of TOE and Environment prior to installation

3.1.1 Receipt

• Verify all components are included per the packing list and are undamaged. See Appendix B: Sample Packing Lists for the document numbers of the packing lists for each appliance.

• Assure that the tamper seals are intact on the BIG-IP chassis. See Section 7 Appendix C: Tamper seal on the 6900 and 8900 and Section 8 Appendix D: Tamper Seal on the 11050 for illustrations of the tamper seals.

3.1.2 Environment preparation

• The BIG-IP system must be installed in a secure location that provides physical protection. The level of security provided should be commensurate with customer policy for IT Environment secured assets.

3.1.3 Prior to installation

• Assure that the Administrative-users of the BIG-IP appliance are appropriately trained and abide by the instructions provided in this guidance documentation. Administrative-users should have taken F5 BIG-IP LTM courses such as BIG-IP Local Traffic Manager Essentials, BIG-IP Local Traffic Manager Advanced Topics, and Configuring BIG-IP Local Traffic Manager (see http://www.f5.com/support/training-certification/course-descriptions/ for details), or equivalent. Administrative-users should also be knowledgeable about their company’s security policies.

• Assure that the TOE Environment includes provisions for access control mechanisms that will protect TOE Security Function data, including:


o Proper establishment of authentication servers (LDAP (v3 or higher) or RADIUS (RFC 2865)), as required.

o Note that as long as the configuration guidance for the CC evaluated configuration is followed, there will be no general purpose computing or storage repository capabilities available on the BIG-IP systems.

• Assure that you have access to a supported browser on the client machine you will be using for Administrative-user access. Supported browsers for the BIG-IP System Configuration Utility are:

o Microsoft® Internet Explorer® version 7.0x or later [2]

o Mozilla® Firefox®, version 3.0x or later

It is recommended that the browser cache options are left at the default settings, and that popup blockers and other browser add-ons or plug-ins be disabled. If you plan to use the BIG-IP Dashboard (Overview -> Dashboard from the GUI Main page) to view statistics, the browser must have Adobe™ Flash Player version 9 or later installed. In addition, during the login process for Administrative-user access to the GUI, Administrative User credentials are entered through the browser and are cached within the browser. In order to prevent unauthorized access using these credentials, the browser application should be closed following the Administrative browser session. No browsers other than the supported browsers listed above should be used.

• Assure that networks are secure, separate, dedicated, available and established. This requires a general purpose router, three gigabit Ethernet commodity switches, and three separate networks (Management, Internal, and External) with the servers listed below on the specified network.

o Management

• Network Time Protocol (NTP v4.2.2p1 or later) Server

• OCSP (v1 or later) Server

• Mail Server supporting SMTP (RFC 2821) (optional)

• Syslog Server (v2.0.8 or later) (optional)

• Authentication Server (if desired; if a remote authentication server is not configured, local authentication will be used): LDAP (v3 or later), or RADIUS (RFC 2865)

[2] The TOE was tested with Microsoft Internet Explorer version 9.0 and Mozilla Firefox version 10.0.


o Internal

• Dedicated Content Server Local Area Network

• Backend Content Server resources (supporting HTTP v1.1 with SSLv3 and TLSv1, FTP (RFC 959), SMTP (RFC2821))

o External

• Wide Area Network (Internet) Access

3.2 Verification of Common Criteria Evaluated Configuration

The following steps assure that the BIG-IP deployment is consistent with the hardware, software and Operational Environment components used for the Common Criteria Evaluation.

3.2.1 Common Criteria Excluded Aspects

Refer to Section 2 for the features and usage types that are excluded from the Common Criteria Evaluated Configuration and therefore must not be activated or used following deployment in order to retain the CC Evaluated Configuration.

3.2.2 Verification of Common Criteria components

The following are authorized components for the Common Criteria Evaluated configuration:

Hardware: Hardware Chassis Model 11050, 8900, or 6900 hardware platform (quantity 2)

o Model: 6900 SKU: F5-BIG-LTM-6900-8G-R PN: 200-0300-01

or

o Model: 8900 SKU: F5-BIG-LTM-8900-R PN: 200-0308-01

or

o Model: 11050 SKU: F5-BIG-LTM-11050-R PN: 200-0299-00

Software:

Software internal to the system is identified as:

BIG-IP® Local Traffic Manager Release 10.2.2 Build 763.3 with Hotfix-BIGIP-10.2.2-911.0-HF2

Protocol Security Module (F5-ADD-BIG-PSM)


Advanced Client Authentication (F5-ADD-BIG-ACA)

BIG-IP ADD-ON: Appliance Mode License (TMSH only, no root or BASH access) (F5-ADD-BIG-MODE)

To verify the hardware platform, check for the correct part number on the label installed on the appliance.

• 11050: The label is installed on the right rear side of the appliance as you face the front.

• 6900/8900: The label is installed on the bottom, right rear corner of the appliance as you face the front.

To verify the software, you will first have to establish the default administrative-user password and management port as described in Section 3.4, below. Then, follow the instructions in Section 3.5 below for verifying the installed software.

3.3 F5 Installation of Appliance Hardware

Based on the appliance hardware platform in use, consult the guides below for details on how to install and rack mount the hardware appliances:

• Platform Guide: 6900 (MAN-0329-00)

• Platform Guide: 8900 (MAN-0330-00)

• Platform Guide: 11050 (MAN-0322-01)

• Setting Up the 6900/8900/8950 Platform (MAN-0288-02)

• Setting Up 11000 Series Platforms (MAN-0323-00)

3.4 Activate the Software License

Follow the steps in BIG-IP® Systems: Getting Started Guide Chapter 2 (Preparing the System for Installation) “Activating the Software License” to activate the BIG-IP license.

3.5 Setting Basic System Information

Execute the Configuration Setup utility as described in Chapter 2 of the BIG-IP® Systems: Getting Started Guide to enter the basic system information including a root password, administrator password, and the IP addresses that will be assigned to the management port.

3.5.1 Configure the Management Interface

Use the LCD panel to configure the management port IP address, netmask, and default route, as described in BIG-IP® Systems: Getting Started Guide Chapter 2 (Preparing the System for Installation) Section “Adding an IP address, netmask, and default route”.


3.5.2 Set Administrator Username/Password

The Setup Utility, as run from the Configuration utility Welcome screen, allows the user to establish a secure username and password and complete basic configuration tasks.

When choosing a username/password, do not use any default values for your personal username/password. For the Common Criteria Evaluated configuration, conformance with the BIG-IP Password Policy as defined below in section 3.5.2.1 is required.

To change the admin password

1. Open a supported web browser on a workstation attached to the network on which you configured the management port.

2. Type the following URL in the browser, where <IP address> is the address you configured for the management port (MGMT): https://<IP address>/

3. At the password prompt, type the default user name, admin, and the default password, admin, and click Log in. (If you have previously changed the admin password, use that value.)

4. The Configuration utility opens. If this is the first time you have run the Configuration utility, the system presents the Licensing screen of the Setup utility. If this is not the first time you have run the Configuration utility, the system presents the main GUI screen.

5. To change the password using the Setup utility, go to the Platform tab, fill in the “Password” and “Confirm” boxes, and click “Next”. To change the password when starting at the main GUI screen, go to the “System -> Users -> User List” tab, and click on the user “admin”. Fill in the “New” and “Confirm” password boxes, and click “Update”.

6. You will be logged out and must log back in with your new admin password to do any additional configuration.

For additional information during the procedure, click the Help tab of the navigation pane.

Note: You will need to complete the steps in this section (Set Administrator Username/Password) again when you have re-installed the software. You should not reuse the password you create now after reinstalling the software.

3.5.2.1 Password Policy

The minimum password policy enforced through technical mechanisms by BIG-IP for all users (except for those with the Administrator and User Manager roles) requires a password of at least 8 characters containing at least one character from each of four classes: capital letters, lowercase letters, numbers, and punctuation. The set of available characters for password selection totals 94 characters:

• 52 alphabetic characters (26 upper and 26 lower)

• 10 digits

• 10 punctuation marks from the shifted digits

• 22 more punctuation marks from other keys

In addition, the password must meet the following criteria:

• The password must not be based on the userid or password entry, or be derived or derivable from the password entry

• The password must not be based on a dictionary word or reversed dictionary word, as defined by the system dictionaries included with the Linux PAM module

• The password must not match a former user password kept in password memory (configured as holding 0-127 former passwords per user), unless password memory is cleared by having an authorized administrative-user set the password.

After each failed authentication, there is a delay of 2 seconds to confound intruders.

Users must change their password according to a schedule defined by the administrative-user for their environment. The ccmode script sets this to a maximum of every 90 days (the minimum is the default, 0 days), but administrators may change this to a value that provides adequate protection for their environment.

It is mandatory that the administrative-users with the Administrator and User Manager roles also adhere to this policy, although the TOE appliance will not technically enforce a password policy for passwords created by those users (this includes their own passwords as well as any they set for any other user).

Note that this password policy is enforced by the BIG-IP for locally-defined users only. If possible, you should set up the password policy for remote users (those defined by an external authentication server) to meet or exceed this policy.

Consult Chapter 14 (Managing Local User Accounts: Configuring a secure password policy) of the TMOS Management Guide for BIG-IP® Systems for instructions on enabling the enforcement of the password policy.

3.6 Reinstall the Software and Verify the Installed Software

Once you have completed the initial setup, you must obtain the Common Criteria-evaluated software from the F5 website, reinstall the software, and install the hotfixes.

First, download the BIG-IP 10.2.2 ISO file (see Table 1: Common Criteria Evaluated Configuration ISO files for the correct filename) as described in BIG-IP Getting Started Guide, Chapter 3 Performing the Installation: “Downloading and importing the installation file”. Then, log in to an administrative-user account with the Administrator or Resource Administrator role and follow the instructions in the same document, section “Starting the Installation”, to install the downloaded ISO.

Filename                                   Size       Description

BIGIP-10.2.2.763.3.iso                     878 MB     ISO installation file for BIG-IP 10.2.2 build 763.3

BIGIP-10.2.2.763.3.iso.md5                 56 Bytes   MD5 checksum file for BIGIP-10.2.2.763.3.iso

Hotfix-BIGIP-10.2.2-911.0-HF2.iso          151 MB     ISO installation file for Hotfix-BIGIP-10.2.2-911.0-HF2

Hotfix-BIGIP-10.2.2-911.0-HF2.iso.md5      67 Bytes   MD5 checksum file for Hotfix-BIGIP-10.2.2-911.0-HF2.iso

HotFixNotes-BIGIP-10.2.2-911.0-HF2.html    43 KB      Release notes for Hotfix-BIGIP-10.2.2-911.0-HF2

Table 1: Common Criteria Evaluated Configuration ISO and MD5 checksum files
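Each ISO in Table 1 is paired with a .md5 file. The following is an added example, not part of the F5 supplement and not an F5 tool, showing how to check a downloaded image against that file before importing it. It assumes the checksum file uses the md5sum layout (a 32-digit hex digest, whitespace, then the file name); the stand-in ISO and checksum files that demo() creates are constructed for the demonstration.

```python
"""Check a downloaded BIG-IP ISO against its .md5 companion file.

Added example, not part of the F5 supplement and not an F5 tool. The
checksum file is assumed to use the md5sum layout: a 32-digit hex digest,
whitespace (optionally a '*' for binary mode), then the file name. The ISO
is hashed in chunks so an image the size of those in Table 1 need not fit
in memory. The files created by demo() are constructed stand-ins.
"""
import hashlib
import os
import re
import tempfile

_MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def parse_md5_file(text):
    """Return {filename: expected_hex_digest} from the text of a .md5 file."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _MD5_LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % raw)
        expected[m.group(2)] = m.group(1).lower()
    return expected


def md5_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through MD5 one MiB at a time."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(iso_path, md5_path):
    """True only if the .md5 file names this ISO and the digests agree.

    An ISO the checksum file does not mention is a failure, not a pass.
    """
    with open(md5_path, "r", encoding="ascii") as f:
        expected = parse_md5_file(f.read())
    name = os.path.basename(iso_path)
    return name in expected and md5_of_file(iso_path) == expected[name]


def demo():
    """Constructed stand-in image with a matching and a corrupted checksum file."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "BIGIP-10.2.2.763.3.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for the ISO image\n" * 1000)
        good = os.path.join(tmp, "good.md5")
        with open(good, "w") as f:
            f.write("%s  BIGIP-10.2.2.763.3.iso\n" % md5_of_file(iso))
        bad = os.path.join(tmp, "bad.md5")
        with open(bad, "w") as f:
            f.write("%s  BIGIP-10.2.2.763.3.iso\n" % ("0" * 32))
        return verify_iso(iso, good), verify_iso(iso, bad)


if __name__ == "__main__":
    print(demo())
```

Run verify_iso on the image and its .md5 file before the import step described in this section; a False result means do not import. Because MD5 is not collision-resistant, a match guards against a truncated or corrupted download, not against an attacker who controls both files, so fetch both from the F5 download site over HTTPS and treat the check as an integrity step, not an authenticity step.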

Set the Administrator password as described in section 3.5.2 (above). To verify that the newly-installed software is the Common Criteria evaluated configuration (not including hotfixes), go to System -> Configuration -> Device -> General in the GUI and verify that the Version is

BIG-IP 10.2.2 Build 763.3 Final

Then, go to System -> License and verify that the Active Modules list matches the following:

• Local Traffic Manager (J385292-7637572)

o ADD ACCESS POLICY MANAGER MODULE LIMITED
o Local Traffic Manager Module
o Protocol Security Manager Module
o ADD CLIENT AUTHENTICATION
o ADD IPV6 GATEWAY
o ADD RATE SHAPING
o ADD RAMCACHE
o ADD SSL CMP
o 50 MBPS COMPRESSION
o SSL 500 TPS Per Core
o ADD ANTI-VIRUS CHECKS
o ADD BASE ENDPOINT SECURITY CHECKS
o ADD FIREWALL CHECKS
o ADD MACHINE CERTIFICATE CHECKS
o ADD NETWORK ACCESS
o ADD PROTECTED WORKSPACE
o ADD SECURE VIRTUAL KEYBOARD
o ADD WEB APP
o ADD APP TUNNEL
o ADD REMOTE DESKTOP
o Appliance Mode (TMSH Only, No Root or Bash Access)

If it does not match, contact your F5 Support Contact for assistance.

Note: The items in grey italics above are shipped with the LTM license for optional evaluation use, and only available for use if specifically provisioned. Provisioning of these functions and thus use of these functions is NOT part of the Common Criteria Evaluated Configuration.

Now apply the required hotfix as specified in Table 1: Common Criteria Evaluated Configuration ISO files, following the instructions in SOL10025: Managing F5 product hotfixes for BIG-IP version 10.x systems. When the hotfix has been successfully applied, verify the version by going to the GUI: System -> Configuration -> Device -> General and verify that the Version is BIG-IP 10.2.2 Build 911.0 Hotfix HF2

If it does not match, contact your F5 Support Contact for assistance.

3.7 Completing Installation

Complete the installation process by following the guidance in the BIG-IP® Systems: Getting Started Guide Chapter 4 – Completing Post-Installation Tasks. Note that you have already completed the steps of configuring the management port and the default administrative-user password, above. Upon completion of these steps, complete the remaining items below to assure that the configuration settings are suitable for the Common Criteria Evaluated Configuration. Use the Configuration Worksheet (PUB-0090-02 0905) as you create the system configuration to keep track of assigned IP numbers and settings for future reference.

3.8 Create a tmsh user

When logged on as a user with role Administrator, go to System -> Users -> User List and click on “Create”. Add a user with Role = Administrator and Terminal Access = tmsh.

3.9 Activate Common Criteria mode

The BIG-IP appliance implements certain CC configuration requirements using a script called “ccmode”. These configuration settings are enabled by entering the following command at the tmsh command line (use the tmsh user you created above to log in):

run util ccmode

This command enables the following configuration settings:

• Default Self-IP ports are set to “none”

• Audit logs are enabled

• The logging level of the TMOS is set to “error”

• The appliance LCD display is disabled

• The SNMP daemon (SNMPd) is disabled

• AES128 and AES256 ciphers are enabled for use

• The password policy required for Common Criteria is implemented:

o Minimum characters required (MINCHARS) = 8
o Required capital character in password (CAPITAL) = 1
o Required lowercase character in password (LOWERCASE) = 1
o Required numeric character in password (NUMBER) = 1
o Required punctuation/special character in password (PUNCTUATION) = 1
o Password expiration in 90 days (EXPIRES) = 90
o Warning message sent 7 days before password expiration (WARNING) = 7
o Maximum number of failed logins before account lockout (MAXLOGIN) = 3
o Password reuse restriction on last 3 passwords (MEMORY) = 3

Changing the settings above is not permitted for the evaluated configuration, with the following exceptions:

• The logging level in the TMOS may be set to a more verbose setting

• Password expiration, warning messages for password expiration, maximum number of failed logins, and password reuse restriction may only be changed to more restrictive values.
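Because the TOE does not enforce the password policy on passwords set by the Administrator and User Manager roles (section 3.5.2.1), those administrators have to apply the rules by hand. The following added example, not code from the F5 supplement or from BIG-IP, is a checker that encodes the ccmode values listed above and the character-set, userid, dictionary and reuse rules of section 3.5.2.1. The small word list, the password history and the sample passwords are constructed; the substring-or-reversal test for “based on the userid” is this example's interpretation of a rule the page does not define precisely.

```python
"""Password-policy check mirroring the values the ccmode script applies.

Added example, not code from the F5 supplement or from BIG-IP. It encodes
the ccmode settings quoted in section 3.9 (MINCHARS=8, CAPITAL=1,
LOWERCASE=1, NUMBER=1, PUNCTUATION=1, MEMORY=3) together with the
94-character set and the userid / dictionary / history rules of section
3.5.2.1. SMALL_DICTIONARY and the history used in demo() are constructed
stand-ins; the substring-or-reversal test for 'based on the userid' is this
example's interpretation, since the page does not define that test.
"""
import hashlib
import string

# 52 letters + 10 digits + 32 punctuation marks = the 94 characters of 3.5.2.1.
PRINTABLE_94 = frozenset(string.ascii_letters + string.digits + string.punctuation)

# Values set by ccmode; the CC configuration may only tighten these.
CC_POLICY = {
    "MINCHARS": 8, "CAPITAL": 1, "LOWERCASE": 1,
    "NUMBER": 1, "PUNCTUATION": 1, "MEMORY": 3,
}

# Constructed stand-in for the PAM dictionary the page refers to.
SMALL_DICTIONARY = frozenset({"password", "welcome", "letmein", "seattle", "bigip"})


def digest(pw):
    """Opaque form kept in the reuse history (a real store would salt and stretch)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, userid, history=(), policy=CC_POLICY, dictionary=SMALL_DICTIONARY):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if any(c not in PRINTABLE_94 for c in pw):
        problems.append("character outside the 94-character set")
    if len(pw) < policy["MINCHARS"]:
        problems.append("shorter than MINCHARS=%d" % policy["MINCHARS"])
    counts = {
        "CAPITAL": sum(c in string.ascii_uppercase for c in pw),
        "LOWERCASE": sum(c in string.ascii_lowercase for c in pw),
        "NUMBER": sum(c in string.digits for c in pw),
        "PUNCTUATION": sum(c in string.punctuation for c in pw),
    }
    for name, count in counts.items():
        if count < policy[name]:
            problems.append("needs %d %s character(s)" % (policy[name], name))
    low, uid = pw.lower(), userid.lower()
    if uid and (uid in low or uid[::-1] in low):
        problems.append("based on the userid")
    letters = "".join(c for c in low if c.isalpha())
    if letters in dictionary or letters[::-1] in dictionary:
        problems.append("dictionary word or reversed dictionary word")
    # Only the last MEMORY entries count; MEMORY=0 would mean no history at all.
    recent = list(history)[-policy["MEMORY"]:] if policy["MEMORY"] else []
    if digest(pw) in recent:
        problems.append("reuses one of the last %d passwords" % policy["MEMORY"])
    return problems


def demo():
    """Exercise each rule with constructed inputs; keys name the rule expected to fire."""
    history = [digest("Old-Pass-1"), digest("Old-Pass-2"), digest("Old-Pass-3")]
    return {
        "too_short": check_password("Ab1!", "jsmith"),
        "dictionary": check_password("Password1!", "jsmith"),
        "userid": check_password("Jsmith#2013", "jsmith"),
        "reuse": check_password("Old-Pass-3", "jsmith", history),
        "ok": check_password("Rack-Mount#17", "jsmith", history),
    }


if __name__ == "__main__":
    for rule, result in demo().items():
        print(rule, "->", result or "accepted")
```

check_password returns every rule a candidate breaks rather than stopping at the first, so an administrator setting a password for another user sees the full list at once. Tightening CC_POLICY (a larger MINCHARS or MEMORY) stays within the exceptions listed above; loosening it does not.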

Note: the appliance LCD display setting is reset on a reboot to “enabled”. After rebooting the BIG-IP, it must be disabled in order to retain the CC-evaluated configuration. Use the tmsh commands to disable the LCD:

modify /sys global-settings lcd-display disabled

modify /sys global-settings lcd-display enabled

modify /sys global-settings lcd-display disabled

3.10 Final Installation note

Any references to Upgrading the BIG-IP Appliance (except as noted for required hotfixes) do not apply to the Common Criteria Evaluated Configuration and may result in a non-compliant state. Any re-loading of software necessitates repeating all configuration steps listed in this document to assure compliance with the Evaluated Configuration. When these steps are completed, progress to the next section to configure the remaining Administrator settings and operational environment and complete the deployment process.


4 F5 BIG-IP Operational User Guide supplement

This section supplements the reference documents listed in Section 6 Appendix A: Reference Documents.

Refer to Section 2 for the features and usage types that are excluded from the Common Criteria Evaluated Configuration and therefore must not be activated or used following deployment in order to retain the CC Evaluated Configuration.

The remainder of this section (Section 4 of this document) should be consulted during the deployment process to assure that the installation environment is configured using secure settings in accordance with the Common Criteria Evaluated Configuration.

4.1 Establishing local users and roles

Configure the administrative accounts using the guidelines in Chapter 14 (Managing User Accounts) of the TMOS Management Guide for BIG-IP® Systems. Step-by-step instructions for establishing User level accounts are provided in the section “Creating local user accounts”. (Note that “user” in this case is a user of the BIG-IP appliance itself and is therefore assumed to be a Trusted Administrator.)

4.1.1 Defining user passwords

The password policy defined in section 3.5.2.1 is enforced by the TOE for all local passwords with the exception of those set by a user with the Administrator or User Manager role. When operating on a user password while logged in with a username associated with one of those roles, you need to manually ensure that the password conforms to the configured policy.

4.1.2 Changing Default User Role

The Default Administrative-user account (“Administrator” role) is automatically configured for “full access”.

For any new users created, the BIG-IP appliance establishes a default setting of “No Access”. This is to ensure that the Administrator consciously determines and specifies the access level and role, so as to avoid granting a new user a higher level of access than is appropriate. The Common Criteria Evaluated Configuration requires that all non-Administrative-users are defined with the “No Access” role for maximum security.

4.1.3 Deleting an explicit user-role designation

(Reference Chapter 14 (Managing User Accounts) of the TMOS Management Guide for BIG-IP® Systems.)

When you use the Configuration utility to delete a remote user account, you are not actually deleting the account from the remote server. Instead, you are removing the explicit user-role designation that you previously assigned the account.


Removing an explicit user-role designation from a remote user account causes the BIG-IP system to assign the default user role to the account.

See the section “Deleting authorization for an individual user account” for step-by-step instructions.

4.2 VLAN settings

Consult Chapter 8 (Configuring VLANs and VLAN Groups) in the TMOS Management Guide for BIG-IP® Systems for guidance on setting up the Virtual LAN (VLAN) environments. Below are the settings to be used in lieu of those represented in Table 7.1 of the TMOS Management Guide for BIG-IP® Systems (settings not listed here remain the same).

When designing the virtual network, it is recommended that you isolate hosts that must transmit sensitive data.

Setting        Required Value   Description

Source Check   Checked          Causes the BIG-IP system to verify that the return path of an initial packet is through the same VLAN from which the packet originated.

Fail-safe      Checked          Triggers fail-over in a redundant system when certain VLAN-related events occur.

Table 2: Secure values for a VLAN

4.3 Configuring Redundancy Settings

When configuring the BIG-IP units for the Common Criteria Evaluated Configuration, they are required to be set in the Active-Standby configuration.

Consult Chapter 20 (Configuring High Availability) in TMOS Management Guide for BIG-IP® Systems and use the settings described below to establish the required High Availability, Redundant Pair Configuration.

4.3.1 Failover settings

Failover settings must be set to the “Active – Standby” configuration.

See Chapter 20 (Configuring High Availability) section “Configuring redundancy properties” in TMOS Management Guide for BIG-IP® Systems for details.


4.3.2 VLAN fail-safe settings

When configuring VLAN fail-safe, the Fail-safe Timeout value should be the default value of 30 seconds, and “Fail-over” should be the action that the BIG-IP system takes when the timeout expires.

To verify or set these values, see TMOS Management Guide for BIG-IP® Systems Chapter 20 (Configuring High Availability) section “Configuring VLAN fail-safe”.

4.3.3 System fail safe parameters

To ensure redundant-system designation for a unit, the system fail-safe Switch Board Failure “Fail Over” setting arranges for the two redundant appliances to operate in Active-Standby, thus transferring traffic to the standby unit in the event of primary appliance hardware failure. To configure this setting, see TMOS Management Guide for BIG-IP® Systems Chapter 20 (Configuring High Availability) section “Configuring system fail-safe / Configuring hardware-component monitoring”.

4.3.4 Connection Mirroring

In addition to the foregoing High Availability configuration options, the Evaluated Configuration requires that Connection Mirroring be enabled.

The connection mirroring feature on the BIG-IP system duplicates a unit’s state (that is, real-time connection and persistence information) on the peer unit. When connection mirroring is enabled, failover can be so seamless that file transfers can proceed uninterrupted and servers can generally continue with the services at the time of failover. See the section “Configuring network mirroring” in Chapter 20 (Configuring for High Availability) of the TMOS Management Guide for BIG-IP® Systems for step-by-step instructions on setting up connection (network) mirroring.

4.3.5 ConfigSync Encryption

Finally, the Common Criteria Evaluated Configuration requires that configuration data be encrypted immediately prior to synchronization. See the section “Enabling encryption” in Chapter 20 (Configuring for High Availability) of the TMOS Management Guide for BIG-IP® Systems for instructions on enabling ConfigSync encryption.

4.4 Review of Audit Log records

Logging audit event messages is not enabled by default. Refer to TMOS Management Guide for BIG-IP® Systems Chapter 23 (Logging BIG-IP System Events), section “Setting log levels for auditing events” for instructions on enabling audit logging. The following values must be set; all others may remain as the default values:


System -> Logs -> Options -> Local Traffic Logging: MCP = Notice

System -> Logs -> Options -> Audit Logging: MCP = Enable

System -> Logs -> Options -> Audit Logging: bigpipe = Enable

Command-function audit log events are those which log GUI command processing or tmsh command processing. These can be enabled and disabled, but it is recommended that they be enabled for the Common Criteria evaluated configuration. Audit logs also contain system event log records, and the logging of these events cannot be disabled.

BIG-IP administrative-users for the Common Criteria Evaluated Configuration should assure that audit logs are reviewed on a timely basis to identify security events, because when the allocated space within the appliance is reached, audit records are overwritten oldest record first. The appropriate review interval is installation-dependent, since it depends on how many audit log entries are generated and on the size of the allocated space. Customers should monitor audit log storage to determine what review interval works best for them. Forwarding logs to a remote syslog server (configurable from tmsh; see section 4.10) preserves records that the local oldest-first overwrite would otherwise discard.

4.5 (Optional) Configuring Email for System Violation Alerts

To configure the system to send alerts via email when specific system violation log events are triggered, follow these steps:

1. Configure the BIG-IP to deliver locally-generated email messages.

a. Configure the /etc/postfix/main.cf file to point to the destination mail server. The exact configuration is dependent on the customer’s network and email setup.

i. On the machine on which you want to edit the file, copy the existing /etc/postfix/main.cf file from the BIG-IP:

    scp <admin-user>@<BIG-IP_IP_address>:/etc/postfix/main.cf main.cf

ii. Using a text editor, edit the main.cf file to configure postfix and point to the destination mail server.

iii. Copy the updated file back to the BIG-IP:

    scp main.cf <admin-user>@<BIG-IP_IP_address>:/etc/postfix/main.cf

iv. Note that you will need to do the previous step twice, once for each of the two BIG-IPs in the redundant pair.

b. Stop and start the postfix service on each BIG-IP.

i. In the GUI, go to System -> Services.

ii. In tmsh:

    stop sys service postfix
    start sys service postfix

2. Configure alertd to specify the destination email address and the alerts for which you want to receive mail.

a. On the machine on which you want to edit the file, copy the existing /etc/alertd/alert.conf file from the BIG-IP:

    scp <admin-user>@<BIG-IP_IP_address>:/etc/alertd/alert.conf alert.conf

b. Using a text editor, edit the alert.conf file to configure the alerts for which you want email.

i. For each alert definition for which you want to receive email, add a semicolon ( ; ) character to the end of the existing snmptrap line, then add the following line between the snmptrap line and the terminating curly brace:

    email toaddress="" fromaddress="" body=""

where toaddress is the destination email address, fromaddress is the source address (a user on the BIG-IP), and body is any text you wish to display in the email. Example:

    alert BIGIP_SHELL_BP_CONFIGURATION_LOADED {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.28";
        email toaddress="[email protected]" fromaddress="root" body="The test of this Solution worked!"
    }

c. Copy the updated file back to the BIG-IP:

    scp alert.conf <admin-user>@<BIG-IP_IP_address>:/etc/alertd/alert.conf

d. Note that you will need to do the previous step twice, once for each of the two BIG-IPs in the redundant pair.

e. Restart the alertd process on each BIG-IP. In tmsh:

    stop sys service alertd
    start sys service alertd

In the scp commands above, <admin-user> is an administrative-user with the Administrator role, and <BIG-IP IP address> is the IP address of the BIG-IP from which you are getting or putting the file.

Additional notes on configuring alert.conf:

1. Do not change the alerts other than to add the email information as described above. Changing the alerts in any other way will have a ripple effect and is not part of the Common Criteria evaluation configuration.

2. Do not change anything else in the alert.conf file unless you know precisely what you are doing. Any changes to the file other than adding the email configuration to the alerts are not required and not recommended.

3. Ignore the comments in the alert.conf file; they are not intended to provide user guidance.

4. See Appendix G: Alert Descriptions for Optional Email Alerts for descriptions of the alerts in alert.conf.
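Step 2b above is a hand edit of a file that notes 1 and 2 say must otherwise be left untouched, and it has to be repeated identically on both units of the pair. The following added example, not an F5 tool and not code from the supplement, performs exactly that edit on a local copy of alert.conf: for each alert you name it terminates the existing snmptrap line with “;” and inserts one email line before the closing brace, and it changes nothing else. SAMPLE_CONF, the EXAMPLE_UNTOUCHED_ALERT entry and the soc@example.com address are constructed; only the BIGIP_SHELL_BP_CONFIGURATION_LOADED alert and its OID come from the page's own example.

```python
"""Add the section 4.5 email directive to selected alertd definitions.

Added example; not an F5 tool and not code from the supplement. Only the
alerts named in `wanted` are touched, and for each of them exactly two
things happen: the snmptrap line gains a trailing ';' and one email line is
inserted before the closing brace. Everything else is copied unchanged,
which is what notes 1 to 3 in section 4.5 require.
"""
import re

ALERT_START = re.compile(r'^\s*alert\s+(\S+).*\{\s*$')       # "alert NAME ... {"
SNMPTRAP_LINE = re.compile(r'^(\s*snmptrap\b.*?)\s*;?\s*$')  # group 1 excludes any ';'
EMAIL_LINE = re.compile(r'^\s*email\b')
CLOSE_BRACE = re.compile(r'^\s*\}\s*$')


def _quote(value):
    """alert.conf values are double-quoted; escape backslashes and quotes inside."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def add_email_alerts(conf_text, wanted, to_addr, from_addr, body):
    """Return (new_text, names_changed). Alerts already carrying an email line are skipped."""
    lines = conf_text.splitlines(keepends=True)
    out, changed = [], []
    i = 0
    while i < len(lines):
        m = ALERT_START.match(lines[i])
        if not m or m.group(1) not in wanted:
            out.append(lines[i])
            i += 1
            continue
        # Find the end of this alert block (its closing brace line).
        j = i + 1
        while j < len(lines) and not CLOSE_BRACE.match(lines[j]):
            j += 1
        block = lines[i:j]
        if any(EMAIL_LINE.match(line) for line in block):
            out.extend(lines[i:j + 1])        # idempotent: already configured
            i = j + 1
            continue
        for line in block:
            s = SNMPTRAP_LINE.match(line)
            if not s:
                out.append(line)
                continue
            eol = line[len(line.rstrip('\r\n')):]        # keep the file's line ending
            indent = re.match(r'\s*', line).group(0)
            out.append(s.group(1) + ';' + eol)
            out.append('%semail toaddress=%s fromaddress=%s body=%s%s' % (
                indent, _quote(to_addr), _quote(from_addr), _quote(body), eol))
        out.extend(lines[j:j + 1])                 # the closing brace, if present
        changed.append(m.group(1))
        i = j + 1
    return ''.join(out), changed


# Constructed excerpt in the layout shown in section 4.5. The first entry and its
# OID are the page's own example; the second is made up to show it is left alone.
SAMPLE_CONF = '''alert BIGIP_SHELL_BP_CONFIGURATION_LOADED {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.28"
}

alert EXAMPLE_UNTOUCHED_ALERT {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.0"
}
'''


def demo():
    """Apply the edit once, then again, to show the second pass changes nothing."""
    args = ({"BIGIP_SHELL_BP_CONFIGURATION_LOADED"}, "soc@example.com", "root",
            "The test of this Solution worked!")
    first, changed = add_email_alerts(SAMPLE_CONF, *args)
    second, changed_again = add_email_alerts(first, *args)
    return first, changed, second == first, changed_again


if __name__ == "__main__":
    text, changed, stable, _ = demo()
    print(text)
    print("changed:", changed, "idempotent:", stable)
```

Run it against the copy you pulled with scp in step 2a, diff the result against the original (the diff should show exactly one changed line and one added line per named alert), then push the same file to both units and restart alertd as in steps 2c to 2e. Because the function processes the file line by line and leaves unnamed alerts and comments untouched, it does not disturb anything notes 1 to 3 tell you not to change.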


4.6 Security Settings

The following security-related features and settings are crucial to the system performing in the CC Evaluated Configuration. Verify that they are set to the listed values.

4.6.1 Re-encrypting traffic

Any SSL virtual server may be configured with both ClientSSL and ServerSSL profiles.

For details on configuring the SSL virtual server, see Configuration Guide for BIG-IP® Local Traffic ManagerTM Chapter 10 (Managing SSL traffic), section “Configuring SSL profile settings.”

Note that when only client-side SSL is configured (a ClientSSL profile without a ServerSSL profile), traffic between the BIG-IP and the pool members travels in the clear, so you should ensure that your internal network is protected against sniffers, or add a ServerSSL profile to re-encrypt that traffic.

4.6.2 Ciphers and key lengths

Only the ciphers and key lengths specified in section 9 are valid for the CC Evaluated configuration. Any certificates or key pairs used in this configuration should be generated by a third-party CA (your own trusted CA/PKI infrastructure) and imported into the TOE. The administrative-user responsible for certificates and keys for this configuration is responsible for ensuring that the restrictions are enforced.

To manage SSL certificates and keys for local traffic, refer to the Configuration Guide for LTM, Chapter 9 “Managing SSL Certificates for Local Traffic”. Be sure to specify a conforming key size when requesting a certificate from a CA.

To manage SSL certificates for the BIG-IP (or communications between the two BIG-IPs of the redundant pair), refer to the TMOS Management Guide for BIG-IP Systems, Chapter 3 “Managing SSL Certificates for BIG-IP Systems.” Be sure to specify a conforming key size when requesting a certificate from a CA.

4.7 Authentication Server Settings

Two types of remote administration authentication servers are approved for use in the CC Evaluated configuration:

• LDAP - Lightweight Directory Access Protocol

• RADIUS - Remote Authentication Dial In User Service

Refer to Chapter 14 (Managing User Accounts) of the TMOS Management Guide for BIG-IP® Systems, section “Specifying a remote user-account server” for instructions on configuring the remote servers. Below are details on specific configuration settings for the chosen server.


4.7.1 LDAP Settings

For LDAP configuration objects (as applicable), follow the instructions on configuring LDAP as an external authentication server in Chapter 14 “Managing User Accounts” of the TMOS Management Guide for BIG-IP Systems. The default settings are acceptable for the CC evaluated configuration, with the following exceptions. Assure that the following security related settings are selected:

• Select Port 636 for SSL enabled communication

• SSL setting: Enabled

• Configure the SSL Client certificate settings to ensure the “Secure” setting is set to “enabled” (SSL required) between the system and LDAP server (the default is “disabled”).

4.7.2 RADIUS Settings

The default settings for RADIUS Authentication Servers are acceptable for the CC Evaluated Configuration; however, note that using redundant RADIUS servers is preferred.

4.8 Cookie Encryption Settings

If your application uses cookies that could contain authentication information or allow a user to impersonate another user, and it has no other method of securing the information in the cookie, you should enable cookie encryption and authentication to preserve security. This is enabled in the HTTP profile (see Chapter 5 (Understanding Profiles) in the Configuration Guide for BIG-IP® Local Traffic ManagerTM for details).

Note that there are known issues with cookie encryption:

1. The period (.) character is not allowed in cookie names. Only alphanumeric characters and the special characters dash and underscore (- and _) are allowed.

2. Client cookies that the BIG-IP cannot decrypt and whose length is a multiple of 4 (4*n, where n = 0, 1, 2, …) cause the connection to be reset. Cookies of other lengths (decryptable or not) are passed through to the server.

4.9 Additional servers and settings

All other servers or profiles required by the operational environment (including NTP and OCSP) may be configured with the default settings, and as appropriate for the customer environment.

4.10 Additional configuration and operational notes

• tmsh Reference Guide

o The tmsh Guide incorrectly lists root as a valid user. Root access is disabled by Appliance Mode.


o The tmsh Guide incorrectly states that the Administrator role has access to vi. Under Appliance Mode, this is changed and the Administrator role has access to pico, thus preventing a user from escaping the shell through the editor.

o Where the tmsh Guide does not specify the administrative-user role required to successfully execute a command, refer to the Security Target, SFR FMT_MOF, for the table of roles and the objects upon which they may operate.

o The load and save commands, if they fail, present the user with messages on the nature of the failure. If the save succeeds, you will see the list of files renamed. If the load succeeds, you will see a series of “Reading configuration from…” lines followed by “Loading the configuration” and a return to the prompt.

o References to Viprion systems in this document do not apply to the Common Criteria evaluated configuration.

• Configuration Guide for LTM

o This guide specifies that configuration object and profile names must be lowercase only, but gives examples with underscores. The note is meant to indicate that the alphabetic characters in the name must be lowercase.

• TMOS Management Guide

o Page 14-2 of the TMOS Management Guide contains a note that says that all administrative-user definitions (with the exception of the default admin) must be either local or remote. This note is incorrect; locally- and remotely-defined users can coexist on the system. For ease of management, however, you should consider defining all of your administrative-users other than the default either locally or remotely.

o Page 14-15 of the TMOS Management Guide contains a note that says that certain user names are exempt from case-sensitivity. This note is incorrect, although it is strongly recommended that you not create, in particular, a second “admin” username that is not all lower-case.

o Page 22-5 contains a note that says you must have the Administrator role to create an archive. The correct statement is that you must have the Administrator or Resource Administrator role to create an archive. (The note to that effect on page 22-4 is correct.)

• Configuration Guide for PSM

o Configuring URL length checks for HTTP security violations is described starting on page 3-8 of the Configuration Guide for PSM. That section, and the security violations listed in Appendix A, Table A2, refer to length checks (URL length being one of those). Note that the lengths being configured are those of the request component, not the entire HTTP request. For example, in the request https://160.72.19.5/http_ps.php the URL is “/http_ps.php” – 12 characters long. A URL request check value of 12 would let this request go through; a URL request check value of 11 would trigger a violation.

• GUI Help Information


o The Protocol Security -> Security Profiles: HTTP -> HTTP Profile Properties (Request Check) help information for Length Checks does not specify that the checks are made on the request components of the HTTP request. See above for more details on configuring HTTP request checks.

o On the Protocol Security -> Statistics page, clicking on a violation will bring up a Violation Details Page. When the Status column contains a red “X”, the tooltip for that “X” reads “Illegal request”. This is a standard tooltip and does not reflect details about the violation. To get more information about the specific violation, click on the “View” link in the Details column.

• iRules wiki documentation

o The iRules http_version command is documented incorrectly in the iRules wiki, which gives the format of the http_version values as “HTTP/1.0” or “HTTP/1.1”. The values are actually just the numeric portion of the version: “1.0” or “1.1”. Note that http_version is provided for backward compatibility only; use HTTP::version, which is correctly documented, instead.

• Most management functions can be performed through either the GUI or tmsh, but some can only be configured from one or the other interface. Two examples of this are the PSM functions, which can only be configured by the GUI, and the syslog server, which can only be configured by tmsh.

• The GUI has a session timeout, but tmsh sessions do not. Administrative-users must be trained to close their sessions before leaving their workstations.

• Only the roles Administrator, Resource Administrator, User Manager, Manager, Application Editor, Operator, Guest, Web Application Security Administrator, Web Application Security Editor, and No Access may be assigned to users. Other roles referenced in the product documentation are defined for excluded software modules and must not be assigned in the CC evaluated configuration. In addition, because the Web Application Security Administrator and Editor roles are specifically for configuring Application Security Module objects, and that product is excluded from the TOE, it is recommended that those roles not be used in the Common Criteria evaluated configuration.

• Bigpipe Utility Command Line Interface and Bigpipe Shell (bpshell) are deprecated in this release and procedurally excluded from this evaluation. Users created for the CC evaluated configuration must not be given bpshell access, and the tmsh command “util bigpipe” must not be used.

• Logging

o For detailed information on the event log records specified in the Security Target, the log files in which they reside, and how to view them, see Section 10 below.

o Audit log entries for failed login attempts include two significant values: tally and deny. Tally is the number of failed login attempts and deny is the number of attempts required for lockout. When the tally value equals or exceeds the deny value, the account is locked out. Failed attempts to log in are recorded in /var/log/audit; the tally/deny log event record is recorded in /var/log/secure. (See Section 10 and Table 4: Event log files and viewing details for details on viewing these log files.)

• iRules

o iRules scripts may be created and assigned to virtual servers only by administrative-users with the Administrator, Resource Administrator, or Manager role. Also, if created in a specific partition, iRules may only be associated with virtual servers in that partition. However, the iRules scripts themselves have access to objects from all partitions. Care must be taken when assigning roles to users, and when those users write iRules scripts, to ensure that only the intended effect in the intended scope occurs.

o When reviewing audit logs for iRules command successes and failures, note that the command may initially log a success even though the iRules creation eventually fails. This is because iRules creation is processed in two stages. If the first stage completes successfully, it logs that success in /var/log/audit before passing control to the second stage. If the second stage fails, it returns the failure information to the GUI (or tmsh) and logs the failure in /var/log/ltm. (See Section 10 and Table 4: Event log files and viewing details for details on viewing these log files.) You can connect the two log entries using the timestamp and the rule name. Depending on the amount of audit log activity on your system, these two entries may not immediately follow each other. However, using the default logging levels (enabled and Notice), they should be fairly close.

Example: The administrative user attempted to create an iRule named “test2”. The first log entry returns the status “Command OK”, but the second returns “Rule error”. Note the process ID (5346) and the rule name (test2) in each entry.

Sep 13 13:03:40 local/b3-1 notice mcpd[5346]: 01070417:5: AUDIT - user tmsh - transaction #8679742-2 - object 0 - modify { rule { rule_name "test2" rule_definition "sdf" } } [Status=Command OK]

Sep 13 13:03:40 local/b3-1 err mcpd[5346]: 01070151:3: Rule [test2] error: line 1: [undefined procedure: sdf] [sdf]
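The join described above can be automated. The following is an added example (not F5 code) that parses the audit and ltm records, matches them on rule name within a short time window, and reports the effective outcome of each iRule command. The two records for “test2” are the ones quoted above; the “good_rule” record is constructed to show a command that really succeeded, and the five-second window is an assumption based on the guidance that the failure appears at the same timestamp or very shortly afterwards.

```python
"""Correlate two-stage iRule log records (added example, not F5 code).

An iRule create/modify is logged in /var/log/audit as soon as the first
stage accepts the command ("Command OK"); a second-stage failure is logged
separately in /var/log/ltm. The two records share the rule name and a
timestamp that is the same or a few seconds later, so the real outcome is
only known by joining them.
"""
import re
from datetime import datetime, timedelta

AUDIT_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \w+ mcpd\[\d+\]: \S+ AUDIT - user (?P<user>\S+) '
    r'- transaction #(?P<txn>\S+) - object \d+ - (?P<op>\w+) \{ rule \{ rule_name "(?P<rule>[^"]+)"'
    r'.*\[Status=(?P<status>[^\]]+)\]'
)
LTM_RULE_ERR_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ err mcpd\[\d+\]: \S+ Rule \[(?P<rule>[^\]]+)\] error: (?P<error>.*)$'
)


def syslog_time(ts: str) -> datetime:
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for the interval arithmetic below as long as the log does not span a year end.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_audit_rule_events(lines):
    """Extract rule create/modify records and their first-stage status from audit lines."""
    events = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if m:
            events.append({"time": syslog_time(m["ts"]), "user": m["user"], "op": m["op"],
                           "rule": m["rule"], "status": m["status"]})
    return events


def parse_ltm_rule_errors(lines):
    """Extract second-stage rule errors from ltm lines."""
    errors = []
    for line in lines:
        m = LTM_RULE_ERR_RE.match(line)
        if m:
            errors.append({"time": syslog_time(m["ts"]), "rule": m["rule"], "error": m["error"]})
    return errors


def correlate_irule_outcomes(audit_lines, ltm_lines, window_seconds=5):
    """Join audit records to ltm rule errors by rule name and time.

    Returns one dict per audit record. An audit success with a matching ltm
    error inside the window is reported as 'failed'; otherwise the audit
    status stands.
    """
    errors = parse_ltm_rule_errors(ltm_lines)
    window = timedelta(seconds=window_seconds)
    results = []
    for ev in parse_audit_rule_events(audit_lines):
        match = next((e for e in errors
                      if e["rule"] == ev["rule"]
                      and timedelta(0) <= e["time"] - ev["time"] <= window), None)
        results.append({"rule": ev["rule"], "user": ev["user"], "audit_status": ev["status"],
                        "outcome": "failed" if match else ev["status"],
                        "error": match["error"] if match else None})
    return results


# The "test2" pair is the example quoted in the guidance; "good_rule" is constructed.
SAMPLE_AUDIT = [
    'Sep 13 13:03:40 local/b3-1 notice mcpd[5346]: 01070417:5: AUDIT - user tmsh - transaction #8679742-2 '
    '- object 0 - modify { rule { rule_name "test2" rule_definition "sdf" } } [Status=Command OK]',
    'Sep 13 13:05:02 local/b3-1 notice mcpd[5346]: 01070417:5: AUDIT - user tmsh - transaction #8679750-2 '
    '- object 0 - modify { rule { rule_name "good_rule" rule_definition "when HTTP_REQUEST { }" } } [Status=Command OK]',
]
SAMPLE_LTM = [
    'Sep 13 13:03:40 local/b3-1 err mcpd[5346]: 01070151:3: Rule [test2] error: line 1: [undefined procedure: sdf] [sdf]',
]

if __name__ == "__main__":
    for r in correlate_irule_outcomes(SAMPLE_AUDIT, SAMPLE_LTM):
        print(f'{r["rule"]}: audit={r["audit_status"]!r} outcome={r["outcome"]!r} error={r["error"]!r}')
```

Reading the audit log alone would show both rules as “Command OK”; only the join reveals that “test2” never compiled.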

• If an administrative-user’s password expires, that user must either log on to tmsh, if they have tmsh access, where they will be forced to change their password, or request that another qualified administrative-user change it for them. Attempting to log in to the GUI will result only in a failed login.

• Interface MAC addresses vs. VLAN MAC addresses: The BIG-IP system assigns a MAC address from the pool to each interface, including the management interface and hidden interfaces. However, switch interfaces only use their assigned MAC address for L2 protocols (STP, LACP, etc.). When a VLAN is configured through the Configuration utility or from the command line, a MAC address from the pool is assigned to the VLAN. The BIG-IP system uses the MAC address of the VLAN to pass L3 or above traffic.

• If unexpected errors occur during configuration, including, but not limited to the inability to sync configurations, or corruption of the ASM database (the ASM database holds PSM configuration objects), do not place the BIG-IP into production. Contact your F5 Support Contact for assistance. Only put the BIG-IP into production once you have validated the Common Criteria-evaluated configuration by reviewing your system against the configuration requirements in this document.

• SOL10737 – SSL Renegotiation vulnerability applies to the TOE. However, because the default behavior for the Renegotiation setting is “disabled”, no action is required on your part to mitigate this vulnerability. If you need to enable that setting for selected clients, refer to SOL10737 for instructions.

4.11 Synchronizing the Completed Configuration

In order to maintain a secure configuration state in case of failure of one of the redundant pair, the administrative-user must issue a synchronization command (via GUI or tmsh) to synchronize configurations. This must be done before first deploying the Common Criteria configuration, and any time thereafter when configuration changes are made.

See the TMOS Management Guide for BIG-IP Systems, Chapter 20 (Configuring High Availability) “Synchronizing Configuration Data” for details.

5 Appendix A: Reference Documents

Note: All references listed in this Appendix are applicable to the Common Criteria Evaluated Configuration of F5 Networks BIG-IP® Local Traffic Manager Release 10.2.2 Build 763.3 with Hotfix-BIGIP-10.2.2-911.0-HF2 plus the Advanced Client Authentication and Protocol Security Modules and Appliance Mode License running on Model 11050, 8900, or 6900 redundant pair hardware platform (quantity 2).

In some cases document names include the release numbers 10.1 or 10.2; these are the most current versions of the document and apply to the TOE.

PRODUCT DOCUMENTATION CONFIGURATION ITEMS

CI | Description of CI | Document Name | Document Number and Revision

Softcopy Documents
1 | Platform Guide | Platform Guide: 6900 | MAN-0329-00
2 | Platform Guide | Platform Guide: 8900 | MAN-0330-00
3 | Platform Guide | Platform Guide: 11050 | MAN-0322-01
4 | TMOS Management Guide | TMOS Management Guide for BIG-IP Systems version 10.1 | MAN-0294-01
5 | Configuration Guide - LTM | Configuration Guide for BIG-IP Local Traffic Manager Version 10.1 | MAN-0292-01
6 | Getting Started Guide | BIG-IP Systems: Getting Started Guide version 10.1 | MAN-0300-00
7 | Configuration Guide - PSM | Configuration Guide for BIG-IP Protocol Security Module version 10.2 | MAN-0284-02
8 | Tmsh Guide | Traffic Management Shell (tmsh) Reference Guide version 10.2 | MAN-0306-01
9 | Installing hotfixes | SOL10025: Managing F5 product hotfixes for BIG-IP version 10.x systems | SOL10025, updated 08/19/2011
10 | Common Criteria Guidance | Common Criteria Guidance Wrapper Supplement | 10-2020-R-0039 v3.0
11 | iRules | iRules-10.2.zip | No document number
12 | iRules Details | iRules Details-10.2.2.zip | No document number
13 | Security Vulnerability Response Policy | SOL4602: Overview of the F5 security vulnerability response policy | SOL4602, updated 08/16/2012
14 | TCL commands disabled within iRules | SOL6319: TCL commands that have been disabled within BIG-IP 9.x iRules | SOL6319, updated 05/07/2010
15 | TCL Reference | Tcl and the Tk Toolkit, Second Edition (see note 3) | ISBN-13: 978-0321336330
16 | SSL renegotiation vulnerability solution | SOL10737: SSL Renegotiation vulnerability | SOL10737, updated 09/26/2012

Shipped in hardcopy form with the appliance and available in softcopy – all platforms
17 | F5 Networks Terms of License and Sale | F5 Networks Terms of License and Sale | PUB-0024-04 Rev. B
18 | End User Software License | End User Software License | PUB-0026-09 (not listed on document), 2011-05-16
19 | Support Contact flyer | Support Contact flyer | PUB-0093-03
20 | Configuration Worksheet | Configuration Worksheet F5 BIG-IP Local Traffic Manager | PUB-0090-02
21 | EU Battery Notice | European Union Battery Notice | PUB-0186-01 Rev A
22 | Quick Start Flyer | Quick Start Flyer | PUB-0228-00 (not listed on document)
23 | Letter to Customer | Letter to Customer | No document number

Shipped in hardcopy form with the appliance and available in softcopy – 6900 platform
24 | EC Declaration of Conformity | EC Declaration of Conformity (6900 and 8900 platforms) | PUB-0209-02 Rev A
25 | Setting up the 6900/8900/8950 Platform | Setting up the 6900/8900/8950 Platform | MAN-0288-02
26 | 6900/8900/8950 Packing List | 6900/8900/8950 Platform Packing List | PUB-0201-02 Rev A
27 | 6900/8900/8950 Hazardous Substance Table | 6900/8900/8950 Platform Hazardous Substance Table | DOC-0300-01

Shipped in hardcopy form with the appliance and available in softcopy – 8900 platform
28 | EC Declaration of Conformity | EC Declaration of Conformity (6900 and 8900 platforms) | PUB-0209-02 Rev A
29 | Setting up the 6900/8900/8950 Platform | Setting up the 6900/8900/8950 Platform | MAN-0288-02
30 | 6900/8900/8950 Packing List | 6900/8900/8950 Platform Packing List | PUB-0201-02 Rev A
31 | 6900/8900/8950 Hazardous Substance Table | 6900/8900/8950 Platform Hazardous Substance Table | DOC-0300-01

Shipped in hardcopy form with the appliance and available in softcopy – 11050 platform
32 | EC Declaration of Conformity | EC Declaration of Conformity (11050 platforms) | PUB-0223-02 Rev A
33 | Setting Up 11000 Series Platforms | Setting Up 11000 Series Platforms | MAN-0323-02
34 | 11050 Packing List | 11050 Platform Packing List | PUB-0200-02 Rev A
35 | 11050 Hazardous Substance Table | 11050 Platform Hazardous Substance Table | DOC-0306-00

Table 3: Product Documentation Configuration Items

3 This book is not published by F5 but is publicly available. It is included in this list for completeness, since iRules is based on Tcl and F5 does not publish a Tcl document of its own.

6 Appendix B: Sample Packing Lists

The following documents contain sample packing lists for the BIG-IP 6900, 8900, and 11050 appliances.

• 6900: PUB-0184-03 Rev A
• 8900: PUB-0185-03 Rev A
• 11050: PUB-0229-00 Rev A

7 Appendix C: Tamper seal on the 6900 and 8900

8 Appendix D: Tamper Seal on the 11050

9 Appendix E: Cryptographic Key Support

Property | GUI SSL / HTTPS (also used for ConfigSync) | Traffic SSL | Cookie Encryption | SSH CLI
Asymmetric key type / size | RSA 1024 | RSA 1024, RSA 2048, RSA 4096 | -- | RSA 1024, DSA 1024
Asymmetric key generated by | Kernel RNG | HW RNG | -- | Kernel RNG
Signing | Cert self-signed | Cert self-signed; may also be signed by a customer CA (the TOE generates a CSR and sends it to the customer, who can send it to his CA) | -- | --
Symmetric key type / size | Session AES 256, AES 128 | Session AES 256, AES 128 | AES 192 | AES 256, AES 128
Symmetric key generated by | Kernel RNG | HW RNG | PBKDF (passphrase-based key derivation function) | Kernel RNG
Hash | SHA-1 | SHA-1 | HMAC MD5 | HMAC MD5, SHA-1, hmac-ripemd160, ripemd160

10 Appendix F: Event Log Records

10.1 Viewing Event Log Records

The easiest method for consolidating and viewing audit records in the Common Criteria-evaluated configuration is to route all logging to an external logging host. Note that, because remote encrypted logging cannot be configured under Appliance Mode, there is no way to encrypt the connection between the TOE and the remote logging host, so it is assumed that if you choose to use such a host, it, its connection to the TOE, and the TOE are all in a physically-secure environment.

If instead you will be viewing audit records while they reside on the TOE, the table below provides information on where those records can be found and viewed. Some general information to keep in mind:

• Records residing in /var/log/audit can be viewed via either the GUI (System -> Logs -> Audit) or tmsh (show /sys log audit). The command-function type events in these logs can be enabled and disabled; the system type cannot be disabled.

• Records residing in /var/log/ltm can be viewed via either the GUI (System -> Logs -> Local Traffic) or tmsh (show /sys log ltm).

• Records residing in /var/log/messages can be viewed via either the GUI (System -> Logs -> System) or tmsh (show /sys log messages).

• Records residing in /var/log/secure can be viewed only from tmsh (show /sys log security).

• Records residing in /var/log/daemon.log can be viewed only from tmsh (show /sys log daemon).

• Records residing in /var/log/pktfilter can be viewed only from the GUI (System -> Logs -> Packet Filter).

• Records residing in /var/log/asm can be viewed only from the GUI (System -> Logs -> Application Security).

• Records residing in /var/log/httpd/ssl_access_log cannot be viewed from the TOE. However, the only event recorded to this log is viewing the log files from the GUI. If required, the log can be copied from the TOE by an administrative-user with the scp command

scp <admin-user>@<BIG-IP IP address>:/var/log/httpd/ssl_access_log ssl_access_log

where <admin-user> is an administrative-user with the Administrator role, and <BIG-IP IP address> is the IP address of the BIG-IP from which you are getting the file.

• Any “view-only” operation in the GUI (view audit logs, view own user information, etc.) is only recorded as an https page view in the log /var/log/httpd/ssl_access_log.

Description | Auditable Event | Logfile | GUI tab | Tmsh log command option | Notes
Local Traffic Events (Log type: Local Traffic Event logs) | IP packet discard events due to exceptional circumstances or invalid parameters (such as a bad checksum); MCP/TMM configuration events; pool and node status change events; network events (layer 1); iRules script events related to run-time iRules script processing, when specified in the iRule; general TMM events such as TMM startup, shutdown, and failover; tcpdump startup and shutdown | /var/log/ltm | Local Traffic | ltm |
FMT_SMR.1 (Log Type: Audit Log, command audit functions) | Modifications to the configured roles. | /var/log/audit | Audit | audit |
FIA_UID.2 (Log Type: Audit Log, system) | Use of the user identification mechanism. | /var/log/audit | Audit | audit |
FIA_UAU.2 (Log Type: Audit Log, system) | Use of the authentication mechanism. | /var/log/audit | Audit | audit |
FIA_UAU.5 (Log Type: Audit Log, system) | Use of the authentication mechanism. | /var/log/audit | Audit | audit |
FIA_AFL.1 (Log Type: Audit Log, system) | Passing the threshold for unsuccessful authentication attempts | /var/log/secure | -none- | security | When the threshold is passed and the account locked out, the security log contains a record that includes the number of failed attempts (tally) and the current maximum of attempts allowed (deny). This message only appears after the (max+1) attempt to log in is made, even though the account is locked when the threshold is reached.
FMT_MOF.1 (Log Type: Audit Log, command audit functions) | Use of the following functions listed in this requirement: | | | |
FMT_MOF.1 (cont.) | PSM Security Profile Management | /var/log/asm | Application Security | -none- |
FMT_MOF.1 (cont.) | Backup and Restore for TSF configuration data | /var/log/audit; /var/log/ltm | Audit; Local traffic | audit; ltm | Event records for backup and restore are in the audit log if initiated in tmsh. An entry for beginning the config restore (install) is in the ltm log for both tmsh and GUI initiation.
FMT_MOF.1 (cont.) | Enabling/Disabling of command audit functions | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Startup/Shutdown TOE operations | /var/log/messages; /var/log/audit; /var/log/ltm | System; Audit; Local traffic | messages; audit; ltm |
FMT_MOF.1 (cont.) | Proxy Translation Addresses configuration (SNAT) | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Query Audit Logs | /var/log/audit; /var/log/httpd/ssl_access_log | Audit; -none- | audit; -none- | Audit log viewing from tmsh is recorded in the audit log. Audit log viewing from the GUI is only recorded in /var/log/httpd/ssl_access_log.
FMT_MOF.1 (cont.) | Default SFP security Attributes | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Virtual Server Management | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Administrative-user account policy management (including Password Policy, Authentication Failure configuration, and Session Timeout) | /var/log/audit; /var/log/ltm | Audit; Local traffic | audit; ltm |
FMT_MOF.1 (cont.) | Administrative-user account management (except changing own password) | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Change own password | /var/log/secure | -none- | security |
FMT_MOF.1 (cont.) | View own user account information | /var/log/audit; /var/log/secure | Audit; -none- | audit; security | If viewing own account information from tmsh, the command is logged in /var/log/audit. If viewing from the GUI, the command is logged in /var/log/secure, though it doesn’t specify the operation. Go to /var/log/httpd/ssl_access_log for the detailed event record.
FMT_MOF.1 (cont.) | Node/Pool configuration | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Protocol profile configuration | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | iRules script configuration | /var/log/audit; /var/log/ltm | Audit; Local traffic | audit; ltm |
FMT_MOF.1 (cont.) | Monitor | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Enable/Disable Nodes and Pool Members | /var/log/audit; /var/log/ltm | Audit; Local traffic | audit; ltm |
FMT_MOF.1 (cont.) | Authentication Profile configuration | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | SSL Profile Configuration | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Key and Certificate management | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Syslog server configuration | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | OCSP server configuration | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Memory protection configuration | /var/log/audit | Audit | audit |
FMT_MOF.1 (cont.) | Partition Management | /var/log/audit | Audit | audit |
FMT_SAE.1 (Log Type: Audit Log, command audit functions) | Setting of maximum duration for passwords | /var/log/audit; /var/log/ltm | Audit; Local traffic | audit; ltm |
FMT_SCR_EXP.1 (Log Type: Audit Log, command audit functions) | Creation, Deletion of iRules scripts | /var/log/audit; /var/log/ltm | Audit; Local traffic | audit; ltm | iRules are processed in two steps; the first step (logged in /var/log/audit) may log a “success” event record even if the command ultimately fails. The failure log record is found in /var/log/ltm at the same timestamp or very shortly (seconds) thereafter.
Application Security Events (Log Type: Application Security (PSM) Logs) | Events relating to implementation and triggering of Application Security Profile events related to the Protocol Security Module | /var/log/asm | Application Security | -none- |
Packet Filter Events (Log type: Packet Filter Event Logs) | Packet filter messages that result from the operation of packet filter log rules. | /var/log/pktfilter | Packet Filter | -none- |
System Events (Log type: System Event Logs) | System event messages; audit log warning | /var/log/daemon.log | -none- | daemon |

Table 4: Event log files and viewing details

10.2 Searching and Sorting Event Log Records

Table 5: Log searching and sorting defines the search and sort parameters available in tmsh and the GUI, and which apply to which log views. Tmsh may be used on all log files, and the log file or a subset may be piped to grep for searching. There is no sort capability in tmsh. The GUI parameters for sorting are specific to each tab (log view); searching is done by a text search in the search box.

For details on searching in tmsh, review the show sys log and grep tmsh commands in the tmsh Reference Guide.

Examples:

To search the audit log for all references to user “fred” between Oct 27 and Oct 30 at 13:30:

show sys log audit range 2012-10-27--2012-10-30:13:30 | grep fred

To search the first 5 lines of the messages log for records on 10-23:

show sys log messages lines 5 | grep 10-23

Note: some event records specify the user as “user <username>”, some as “user=<username>”, and some include both. When using grep to search for records, you’ll need to take that into account unless you just search for “<username>”.
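Searching for a bare “<username>” also matches other users whose names contain it. The following added example (not F5 code) shows a filter that accepts both the “user <username>” and “user=<username>” spellings as whole tokens, so that “fred” does not also match “fredrick” or “alfred”, and applies the tally/deny rule from Section 10 to the lockout record in /var/log/secure. The log lines are constructed, and the tally/deny line format is an assumption modelled on pam_tally2's message; check it against your own /var/log/secure before relying on the regex.

```python
"""Filter BIG-IP log records by user and detect lockouts (added example, not F5 code)."""
import re


def user_pattern(username: str) -> "re.Pattern[str]":
    """Match 'user fred' and 'user=fred' as whole tokens.

    The trailing \\b stops 'fred' from matching 'fredrick'; re.escape keeps
    characters such as '.' in a user name from acting as regex operators.
    """
    return re.compile(r"\buser[ =]" + re.escape(username) + r"\b")


def grep_user(lines, username):
    """Return the records that mention the user in either spelling."""
    pat = user_pattern(username)
    return [line for line in lines if pat.search(line)]


# Assumed format of the tally/deny record in /var/log/secure, modelled on
# pam_tally2's "user <name> (<uid>) tally <n>, deny <m>" message.
TALLY_RE = re.compile(r"\buser (?P<user>\S+) \(\d+\) tally (?P<tally>\d+), deny (?P<deny>\d+)")


def lockouts(lines):
    """Return {user: (tally, deny)} for users whose tally has reached the deny threshold.

    Per the guidance, the account is locked once tally equals or exceeds deny.
    """
    locked = {}
    for line in lines:
        m = TALLY_RE.search(line)
        if m and int(m["tally"]) >= int(m["deny"]):
            locked[m["user"]] = (int(m["tally"]), int(m["deny"]))
    return locked


# Constructed sample records showing both user spellings and a near-miss name.
SAMPLE_LINES = [
    "Sep 13 13:04:01 b3-1 httpd[2210]: [error] [client 10.0.0.5] AUTHCACHE PAM: user fred not authenticated: Authentication failure",
    "Sep 13 13:04:10 b3-1 sshd[2301]: pam_tally2(sshd:auth): user fred (1001) tally 2, deny 3",
    "Sep 13 13:04:20 b3-1 sshd[2305]: pam_tally2(sshd:auth): user fred (1001) tally 3, deny 3",
    "Sep 13 13:04:25 b3-1 sshd[2310]: pam_tally2(sshd:auth): user fredrick (1002) tally 1, deny 3",
    "Sep 13 13:04:30 b3-1 tmsh[2400]: 01420002:5: AUDIT - pid=2400 user=fred folder=/Common module=(tmos)# status=[Command OK] cmd_data=show sys log audit",
    "Sep 13 13:04:35 b3-1 tmsh[2401]: 01420002:5: AUDIT - pid=2401 user=alfred folder=/Common module=(tmos)# status=[Command OK] cmd_data=list auth user",
]

if __name__ == "__main__":
    for line in grep_user(SAMPLE_LINES, "fred"):
        print(line)
    print("locked out:", lockouts(SAMPLE_LINES))
```

The same regex can be used from tmsh with `grep -E`; the point is the `[ =]` alternative and the trailing word boundary, not the tooling.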

When searching or sorting using the GUI, go to the System -> Logs tab for the log in which you are interested. Click on the header for the column you wish to use to sort the log records. To search, type the search text in the search box and click “search”. Note that the text search sometimes does not find the text string; thus it is recommended that you use tmsh grep to search the log files for the most reliable results.

Table 5: Log searching and sorting

Parameter | Tmsh Search (4) | GUI: System | GUI: Packet Filter | GUI: Local Traffic | GUI: Audit | GUI: Application Security
User identity (hostname / username) | grep (5) | Sort | Search | Search / Sort | Search / Sort | Sort
Dates | Search | Sort | Sort | Sort | Search / Sort | Sort
Times | grep | Sort | Sort | Sort | Search / Sort | Sort
Addresses | grep | n/a | Search | n/a | Search | Search
Keyword filter | grep | Search | Search | Search | Search | Search
Log level | grep | Sort | Search / Sort | Sort | n/a | Sort
Service Transaction # | grep | n/a | n/a | n/a | Sort | n/a
Service | grep | Sort | n/a | Sort | n/a | Sort
Session ID | grep | n/a | Sort | n/a | n/a | n/a
Status code | grep | n/a | Sort | Sort | n/a | Sort
Event | grep | Search / Sort | Search / Sort | Search / Sort | Search / Sort | Search / Sort

4 Tmsh does not have a sort option for logs.
5 The tmsh show log command allows display by number of lines and by date ranges; all other searches must be done by piping the log through grep.

11 Appendix G: Alert Descriptions for Optional Email Alerts

The following list contains the alerts that you may consider configuring for email alerts, with their descriptions. Note that while there are many other alerts in the alert.conf file, the rest are issued by modules not part of the Common Criteria Evaluated configuration.

Alert name | Description
BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH | CPU temperature is too high (generated by the kernel).
BIGIP_SYSTEM_CHECK_E_CPU_FAN_SPEED_LOW | CPU fan is too slow (generated by the kernel).
BIGIP_SYSTEM_CHECK_E_CPU_FAN_SPEED_BAD | CPU fan is bad (generated by the kernel).
BIGIP_SYSTEM_CHECK_E_CHASSIS_TEMP_HIGH | Chassis temperature is too high (generated by the kernel).
BIGIP_SYSTEM_CHECK_E_CHASSIS_FAN_BAD | Chassis fan is bad (generated by the kernel).
BIGIP_SYSTEM_CHECK_E_CHASSIS_POWER_BAD | Chassis power supply is bad (generated by the kernel).
BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS | When adding a pool member, or on a pool member reset, display the pool member status for status other than “up”.
BIGIP_MCPD_MCPDERR_POOL_MEMBER_MON_STATUS_UP | When adding a pool member, or on a pool member reset, if the status is “up”, display that the pool member status is “up”.
BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS | When adding a node, or on a change of node status, display the node status.
BIGIP_MCPD_MCPDERR_NODE_ADDRESS_MON_STATUS_UP | When adding a node, or on a change of node status, if the status is “up”, display that the node status is “up”.
BIGIP_SOD_SODERR_SOD_STANDBY | Unit is going to standby.
BIGIP_SOD_SODERR_SOD_ACTIVE | Unit is going active.
BIGIP_SOD_SODERR_SOD_UNIT | Displays the unit ID of the failover unit, triggered when a unit is added or deleted.
BIGIP_HA_TABLE_HA_TABLE_ERR_FEATURE_FAILS | The HA table contains a set of high availability features. When the attempt to use one of these features is not successful, this alert displays the failing feature name and the actions that will be taken.
BIGIP_HA_TABLE_HA_TABLE_ERR_FEATURE_ONLINE | High availability feature is now available.
BIGIP_FFLAG_ERR_VALIDATE | The license validation failed.
BIGIP_FFLAG_ERR_LICENSE_EXPIRED | The license has expired.
BIGIP_MCPD_MCPDERR_DOSSIER_ERR | The license validation failed.
BIGIP_MCPD_MCPDERR_LICENSE_NOT_OPERATIONAL | The license is not operational.
BIGIP_TAMD_TAMDALERT_TRAP | Too many authentication failures in a defined time period.
BIGIP_DOSPROTECT_DOSPROTECT_AGGRREAPER | Blocking DoS attack.
BIGIP_ARP_ARPERR_CONFLICT | Address conflict detected on VLAN.
BIGIP_NET_NETERR_LINK_DOWN | Link is down on the specified interface.
BIGIP_DMON_ERR_DMON_ALERT | Disk partition has a specified amount of space free.
BIGIP_DMON_ERR_DMON_WARN | Disk partition has less than a specified amount of space free.
BIGIP_DMON_ERR_DMON_GROWTH | Disk partition has exceeded a specified growth limit.
BIGIP_AUTH_FAIL ("FAILED LOGIN (.*) FROM (.*) FOR (.*), Authentication failure") | Login authentication failure.
BIGIP_SSHD_AUTH_FAIL ("error: PAM: Authentication failure for (.*) from (.*)") | SSHd authentication failure.
BIGIP_GUI_AUTH_FAIL ("[error](.*) AUTHCACHE PAM: user (.*) not authenticated: Authentication failure") | GUI authentication failure.
BIGIP_IP_REJECT_CONN_LIMIT | Packet rejected: connection limit reached.
BIGIP_IP_REJECT_SNAT_ANYIP | Packet rejected: TCP and UDP SNATs only.
BIGIP_IP_REJECT_NO_MULTICAST | Packet rejected: multicast forwarding disabled on VLAN group.
BIGIP_IP_REJECT_CLOSED_PORT | Packet rejected: closed port.
BIGIP_IP_REJECT_MAINT_MODE | Packet rejected: all VIP / SNAT / Proxy connections disabled in maintenance mode.
BIGIP_IP_REJECT_DST_DISABLED | Packet rejected: destination VIP disabled.
BIGIP_IP_REJECT_SRC_DISABLED | Packet rejected: SNAT disabled.
BIGIP_IP_REJECT_SSL_LICENSE | Packet rejected: SSL connection limit exceeded.
BIGIP_IP_REJECT_LIMIT | Packet rejected: connection limit exceeded.
BIGIP_IP_REJECT_NO_ROUTE | Packet rejected: no return route to client.
BIGIP_DEFLATE_DEFLATEERR_LICENSE_EXCEEDED | The compression licensing limits have been exceeded.
BIGIP_SSL_SSLERR_TPS | SSL transaction (TPS) rate limit reached.
BIGIP_SSL_SSLERR_MPS | SSL bandwidth (MPS) rate limit reached.
BIGIP_BCM56XXD_BCM56XXDERR_LINKSTATUS | Displays the link status for the Broadcom 56xx switch on the connection between the switch and the BIG-IP.
BIGIP_SOD_SODERR_STANDBY_FAILS | There is a pending failover condition, but this standby is in an error state and will not be able to go active.
BIGIP_TMM_TMMERR_INETPORT_EXHAUSTION | INET port exhaustion.
BIGIP_BIG3D_BIG3D_SSL_CERT_EXPIRED | SSL certificate expired.
BIGIP_BIG3D_BIG3D_SSL_CERT_WILL_EXPIRE | SSL certificate about to expire.
BIGIP_RAID_DISK_FAILURE ("raid[0-9]: Disk failure *.?") | RAID disk failure.
BIGIP_SYSTEM_CHECK_E_TEMP_HIGH | Temperature is too high (generated by the system_check utility).
BIGIP_SYSTEM_CHECK_E_VOLT_HIGH | Voltage is too high (generated by the system_check utility).
BIGIP_SYSTEM_CHECK_E_FAN_SPEED_LOW | Fan speed is too low (generated by the system_check utility).
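The three authentication-failure alerts above are the ones a security operations team will want to act on, and BIGIP_TAMD_TAMDALERT_TRAP describes the rate-based version of the same signal. The following added example (not F5 code and not alert.conf) runs regexes adapted from the three match strings over a constructed log excerpt and counts failures per source address in a sliding window. The `[error]` token is escaped so it matches the literal text (as a regex, `[error]` is a character class), the capture-group names are this example's, and the threshold and window are assumptions, not values taken from alert.conf.

```python
"""Match the BIG-IP authentication-failure alert patterns and count failures
per source within a time window (added example, not F5 code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"

# Adapted from the alert.conf match strings listed in Appendix G. Group names
# are this example's; '[error]' is escaped so it matches the literal text.
AUTH_FAIL_PATTERNS = {
    "BIGIP_AUTH_FAIL": re.compile(
        SYSLOG_TS + r" .*FAILED LOGIN (?:\S+) FROM (?P<src>\S+) FOR (?P<user>[^,]+), Authentication failure"),
    "BIGIP_SSHD_AUTH_FAIL": re.compile(
        SYSLOG_TS + r" .*error: PAM: Authentication failure for (?P<user>\S+) from (?P<src>\S+)"),
    "BIGIP_GUI_AUTH_FAIL": re.compile(
        SYSLOG_TS + r" .*\[error\](?: \[client (?P<src>[^\]]+)\])? AUTHCACHE PAM: user (?P<user>\S+) "
        r"not authenticated: Authentication failure"),
}


def syslog_time(ts: str) -> datetime:
    # Syslog timestamps carry no year; the 1900 default is fine for interval arithmetic.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def auth_failures(lines):
    """Return (time, alert_name, user, source) for each line matching an alert pattern."""
    events = []
    for line in lines:
        for name, pat in AUTH_FAIL_PATTERNS.items():
            m = pat.match(line)
            if m:
                src = m.groupdict().get("src") or "unknown"
                events.append((syslog_time(m["ts"]), name, m["user"], src))
                break
    return events


def sources_over_threshold(events, threshold=3, window=timedelta(seconds=60)):
    """Return {source: peak_count} for sources with >= threshold failures in any sliding window.

    Threshold and window are this example's assumptions, not alert.conf values.
    """
    flagged = {}
    recent = defaultdict(deque)
    for when, _alert, _user, src in sorted(events):
        q = recent[src]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


# Constructed sample records: three failures from one source via console, SSH and GUI,
# one failure from another source, and an unrelated successful login.
SAMPLE_LOG = [
    "Sep 13 13:10:01 b3-1 login[3001]: FAILED LOGIN 1 FROM 10.0.0.5 FOR fred, Authentication failure",
    "Sep 13 13:10:05 b3-1 sshd[3010]: error: PAM: Authentication failure for fred from 10.0.0.5",
    "Sep 13 13:10:09 b3-1 httpd[3020]: [error] [client 10.0.0.5] AUTHCACHE PAM: user fred not authenticated: Authentication failure",
    "Sep 13 13:10:12 b3-1 sshd[3011]: error: PAM: Authentication failure for alice from 10.0.0.9",
    "Sep 13 13:10:15 b3-1 sshd[3012]: Accepted publickey for alice from 10.0.0.9 port 50022 ssh2",
]

if __name__ == "__main__":
    events = auth_failures(SAMPLE_LOG)
    for when, alert, user, src in events:
        print(f"{when:%b %d %H:%M:%S} {alert:<22} user={user} src={src}")
    print("sources over threshold:", sources_over_threshold(events))
```

Counting per source rather than per user is deliberate: a single source cycling through user names trips the threshold, whereas a per-user count would miss it. Counting per user, as the TOE's own tally/deny mechanism does, catches the opposite case.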