F5 BIG-IP Scan Requirements

The following describes scan requirements when using F5 compliance auditing in Tenable Vulnerability Management, Tenable Security Center, or Tenable Nessus.

Plugin ID: 95388

Credentials

To use this plugin, configure the F5 credential set (Credentials > Miscellaneous).

The plugin requires a special credential set that includes the following items:

Option	Description
Username	(Required) The username for the scanning account on the F5 target.
Password	(Required) The password for the scanning account on the F5 target.
Port	The port to use when connecting to the F5 target. The default is 443.
HTTPS	When enabled, connects using secure communication (HTTPS). When disabled, connects using standard HTTP. The setting is enabled by default.
Verify SSL Certificate	When enabled, the plugin verifies the SSL certificates provided by the HTTPS connection. The scan fails if the certificate is not valid. If the target uses a self-signed certificate, you must disable this setting. The setting is enabled by default.

Configuration Gathering

Target configuration is accessed through the iControl REST API and uses JSON transformations to process data.

Permissions

The account and permissions are version dependent:

• BIG-IP 11.5.x to 13.0.x must use the Administrator role to access the iControl REST API.

• BIG-IP 13.1.x and later, all users have access to the iControl REST API, but need the Auditor role added to the scanning account.

For more information, see the following articles in the F5 knowledge base:

• Overview of iControl permissions
• BIG-IP user account for Nessus scan tool compliance auditing

Offline Scanning

The plugin supports offline scanning of F5 configurations. No permissions or credentials are required for offline scanning, but the results produced will not be associated directly with any asset. Instead, the results show the configuration filename in the Hosts field.

To run an offline scan, upload the F5 configuration as a .txt file to the scan or policy.

To upload a file for offline scanning:

1. Log in to the F5 target (for example, by using SSH).

2. Run the following command:

   Copy

   tmsh -c "cd /;list all-properties recursive"

3. Copy the output to a .txt file.

4. (Optional) To analyze multiple configurations, place the files in a .zip file.

5. In the scan or policy with the F5 audit, upload the .txt or .zip file to the F5 config file(s) field.

6. Save and launch the scan or policy.

Checks

• Check Type

• Custom Items

• OFFLINE_CONFIG_CHECK

• OFFLINE_BANNER_CHECK

Notes

• Enable plugin debugging to assist with API authentication, responses, and errors.

• Once enabled, perform a scan, and check f5_compliance_check_debug.log.