F5 Scan Requirements
The following describes scan requirements when using F5 compliance auditing in Tenable Vulnerability Management, Tenable Security Center, or Tenable Nessus.
Plugin ID: 95388
Credentials
To use this plugin, configure the F5 credential set (Credentials > Miscellaneous).
The plugin requires a special credential set that includes the following items:
| Option | Description |
|---|---|
| Username | (Required) The username for the scanning account on the F5 target. |
| Password | (Required) The password for the scanning account on the F5 target. |
| Port | The port to use when connecting to the F5 target. The default is 443. |
| HTTPS | When enabled, connects using secure communication (HTTPS). When disabled, connects using standard HTTP. The setting is enabled by default. |
| Verify SSL Certificate | When enabled, the plugin verifies the SSL certificates provided by the HTTPS connection. The scan fails if the certificate is not valid. If the target uses a self-signed certificate, you must disable this setting. The setting is enabled by default. |
Configuration Gathering
Target configuration is accessed through the iControl REST API and uses JSON transformations to process data.
Permissions
The account and permissions are version dependent:
- BIG-IP 11.5.x to 13.0.x: the scanning account must have the Administrator role to access the iControl REST API.
- BIG-IP 13.1.x and later: all users can access the iControl REST API, but the Auditor role must be added to the scanning account.
For more information, see the following articles in the F5 knowledge base:
- Overview of iControl permissions
- BIG-IP user account for Nessus scan tool compliance auditing
- No authentication method for F5 compliance auditing in SecurityCenter Workaround
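The version-dependent role requirement above is easy to get wrong in either direction: too little access and the audit fails, too much and the scanner holds a standing Administrator account it does not need. The following pre-flight check is an added example (not Tenable's or F5's code) that reads the target version and the scanning account's partition role and reports whether the account matches the requirement, is over-privileged, or is insufficient. The JSON shapes it handles are assumptions modelled on iControl REST responses to `GET /mgmt/tm/sys/version` and `GET /mgmt/tm/auth/user/<name>`; the sample documents and the account name `nessus-audit` are constructed.

```python
"""Pre-flight check for the F5 compliance-audit scanning account.

Added example, not Tenable's or F5's code. It checks that the account the
plugin will use holds the role the target's BIG-IP version requires:
Administrator ("admin" in tmsh) for 11.5.x to 13.0.x, Auditor ("auditor")
for 13.1.x and later. The JSON shapes handled below are assumptions
modelled on iControl REST responses to GET /mgmt/tm/sys/version and
GET /mgmt/tm/auth/user/<name>; confirm them against your own target.
"""
import base64
import json
import ssl
import urllib.request

# Constructed sample of GET /mgmt/tm/sys/version (assumed shape).
SAMPLE_VERSION = {
    "kind": "tm:sys:version:versionstats",
    "entries": {
        "https://localhost/mgmt/tm/sys/version/0": {
            "nestedStats": {
                "entries": {
                    "Product": {"description": "BIG-IP"},
                    "Version": {"description": "15.1.8"},
                }
            }
        }
    },
}

# Constructed sample of GET /mgmt/tm/auth/user/nessus-audit (assumed shape).
SAMPLE_USER = {
    "kind": "tm:auth:user:userstate",
    "name": "nessus-audit",
    "partitionAccess": [{"name": "all-partitions", "role": "auditor"}],
}


def parse_version(version_doc):
    """Return (major, minor) from the nested sys/version statistics document."""
    entry = next(iter(version_doc["entries"].values()))
    text = entry["nestedStats"]["entries"]["Version"]["description"]
    major, minor = text.split(".")[:2]
    return int(major), int(minor)


def required_role(major, minor):
    """Role the plugin needs on this version, per the requirements above."""
    if (11, 5) <= (major, minor) <= (13, 0):
        return "admin"
    if (major, minor) >= (13, 1):
        return "auditor"
    raise ValueError(f"BIG-IP {major}.{minor} is not covered by the plugin requirements")


def account_role(user_doc):
    """Role granted across all partitions; 'no-access' if nothing is listed."""
    access = user_doc.get("partitionAccess") or []
    for entry in access:
        if entry.get("name") == "all-partitions":
            return entry.get("role", "no-access")
    return access[0].get("role", "no-access") if access else "no-access"


def account_status(version_doc, user_doc):
    """'ok', 'over-privileged' (admin where auditor suffices) or 'insufficient'."""
    need = required_role(*parse_version(version_doc))
    have = account_role(user_doc)
    if have == need:
        return "ok"
    if need == "auditor" and have == "admin":
        return "over-privileged"
    return "insufficient"


def fetch_json(base_url, path, username, password, verify_ssl=True):
    """GET a JSON document with HTTP basic auth. verify_ssl=False mirrors the
    plugin's 'Verify SSL Certificate' option for targets with self-signed certs."""
    req = urllib.request.Request(base_url + path)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; against a live target,
    # call fetch_json("https://<host>:443", "/mgmt/tm/sys/version", ...) and
    # fetch_json(..., "/mgmt/tm/auth/user/<account>", ...) instead.
    print(account_status(SAMPLE_VERSION, SAMPLE_USER))  # → ok
```

Run it before the first scan of a newly onboarded device: an "over-privileged" result on 13.1.x or later means the account can be downgraded to Auditor without affecting the audit, and "insufficient" explains an authentication or permission error before the debug log has to be consulted.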
Offline Scanning
The plugin supports offline scanning of F5 configurations. No permissions or credentials are required for offline scanning, but the results produced will not be associated directly with any asset. Instead, the results show the configuration filename in the Hosts field.
To run an offline scan, upload the F5 configuration as a .txt file to the scan or policy.
To upload a file for offline scanning:
1. Log in to the F5 target (for example, by using SSH).
2. Run the following command:

   ```
   tmsh -c "cd /;list all-properties recursive"
   ```

3. Copy the output to a .txt file.
4. (Optional) To analyze multiple configurations, place the files in a .zip file.
5. In the scan or policy with the F5 audit, upload the .txt or .zip file to the F5 config file(s) field.
6. Save and launch the scan or policy.
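Because offline results show the configuration file name in the Hosts field rather than an asset, the file names you upload are the only link back to the device each result came from. The following script is an added example (not Tenable's or F5's code) that takes the text captured from the `tmsh` command in step 2 for one or more devices, names each dump after the hostname in its own `sys global-settings` stanza, and packs the set into the .zip described in step 4. The two sample dumps and the hostname `bigip1.example.com` are constructed.

```python
"""Bundle tmsh configuration dumps for offline F5 compliance auditing.

Added example, not Tenable's or F5's code. Given the text captured from
`tmsh -c "cd /;list all-properties recursive"` on one or more BIG-IP
devices, it names each dump after the hostname found in the dump's own
"sys global-settings" stanza, writes it as a .txt member and packs the set
into a .zip for the "F5 config file(s)" field. The file name is what the
Hosts field shows for offline results, so naming by hostname keeps each
result attributable. The sample dumps are constructed, not real devices.
"""
import io
import re
import zipfile

# Constructed sample: a dump whose global-settings stanza carries a hostname.
SAMPLE_DUMP_A = """sys global-settings {
    gui-setup disabled
    hostname bigip1.example.com
}
auth user nessus-audit {
    description "compliance scanning account"
    partition-access {
        all-partitions {
            role auditor
        }
    }
}
"""

# Constructed sample: a dump with no hostname, to exercise the fallback name.
SAMPLE_DUMP_B = """ltm virtual vs_web {
    destination 192.0.2.10:443
    ip-protocol tcp
}
"""

STANZA_RE = re.compile(r"^sys global-settings \{\n(.*?)^\}", re.M | re.S)
OBJECT_RE = re.compile(r"^(ltm|sys|net|auth|security|cm|gtm|apm|asm) [\w-]+ .*\{\s*$", re.M)


def looks_like_tmsh_dump(text):
    """Cheap sanity check: tmsh 'list' output opens objects as '<module> <type> <name> {'."""
    return OBJECT_RE.search(text) is not None


def hostname_from_dump(text):
    """Hostname from the 'sys global-settings' stanza, or None if absent."""
    stanza = STANZA_RE.search(text)
    if not stanza:
        return None
    m = re.search(r"^\s*hostname (\S+)", stanza.group(1), re.M)
    return m.group(1) if m else None


def sanitize_name(hostname):
    """Reduce a hostname to a safe file stem (letters, digits, '.', '-', '_')."""
    stem = re.sub(r"[^A-Za-z0-9._-]+", "_", hostname).strip("._")
    return stem or "unnamed"


def bundle_to_bytes(dumps):
    """Return (zip_bytes, member_names) for a list of tmsh dump strings."""
    buf = io.BytesIO()
    names = []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, text in enumerate(dumps, 1):
            if not looks_like_tmsh_dump(text):
                raise ValueError(f"dump {i} does not look like tmsh 'list' output")
            stem = sanitize_name(hostname_from_dump(text) or f"config-{i}")
            name = f"{stem}.txt"
            if name in names:  # two devices reporting the same hostname
                name = f"{stem}-{i}.txt"
            zf.writestr(name, text)
            names.append(name)
    return buf.getvalue(), names


def members_of(zip_bytes):
    """Member names of a zip held in memory (to verify what will be uploaded)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    data, names = bundle_to_bytes([SAMPLE_DUMP_A, SAMPLE_DUMP_B])
    with open("f5-configs.zip", "wb") as fh:
        fh.write(data)
    print(names)  # → ['bigip1.example.com.txt', 'config-2.txt']
```

The sanity check rejects files that are not `tmsh list` output (a pasted shell prompt, an empty capture) before they reach the scanner, and the duplicate-name guard keeps two dumps from the same hostname from silently overwriting each other in the archive.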
Checks
Notes
- Enable plugin debugging to assist with API authentication, responses, and errors.
- Once enabled, perform a scan, and check f5_compliance_check_debug.log.