The F5 BIG-IP appliance IPsec VPN must ensure inbound and outbound traffic is configured with a security policy.
An XCCDF Rule
Description
<VulnDiscussion>Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-266280r1024917_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
From the BIG-IP GUI:
1. Network.
2. IPsec.
3. IPsec Policies.
4. Click on IPsec Policy for site to site IPsec.
5. Select "ESP" in the IPsec Protocol section.