F5 Scan Requirements

The following describes scan requirements when using F5 compliance auditing in Tenable.io or Nessus.

Credentials

To use this plugin, configure the F5 credential set (Credentials > Miscellaneous).

Option                  Description
Username                (Required) Username for a scanning account on the F5 target.
Password                (Required) Password associated with the scanning account.
Port                    Port to use when connecting to the F5 target. Defaults to port 443.
HTTPS                   When enabled, connects using secure communication (HTTPS). When disabled, connects using standard HTTP. Enabled by default.
Verify SSL Certificate  Verifies that the SSL certificate is valid. Enabled by default. If the target uses a self-signed certificate, disable this setting.

Configuration Gathering

Target configuration is accessed through the iControl REST API and uses JSON transformations to process data.

Permissions

The required account role is version-dependent:

  • BIG-IP 11.5.x to 13.0.x must use the Administrator role to access the iControl REST API.

  • On BIG-IP 13.1.x and later, all users have access to the iControl REST API, but the scanning account needs the Auditor role.
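
The version rule above can be checked before a scan. The following is an added example, not Tenable or F5 code: it maps a BIG-IP version to the role listed above and compares it with the roles in an account record. The account name nessus_scan, the version strings, and the JSON shape (assumed to match what iControl REST returns for GET /mgmt/tm/auth/user/<name>) are constructed for illustration.

```python
import json
import re

# Role identifiers as assumed to appear in the "partitionAccess" list.
ADMIN, AUDITOR = "admin", "auditor"


def required_role(version: str) -> str:
    """Map a BIG-IP version string to the role this page requires."""
    m = re.match(r"^(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable BIG-IP version: {version!r}")
    major_minor = (int(m.group(1)), int(m.group(2)))
    if major_minor < (11, 5):
        raise ValueError(f"BIG-IP {version} is older than the versions listed")
    # 11.5.x to 13.0.x: Administrator; 13.1.x and later: Auditor.
    return ADMIN if major_minor < (13, 1) else AUDITOR


def account_roles(user_json: str) -> set:
    """Collect the roles granted to an account across all partitions."""
    user = json.loads(user_json)
    return {p.get("role", "").lower() for p in user.get("partitionAccess", [])}


def preflight(version: str, user_json: str) -> dict:
    """Compare the scanning account's roles with the required role."""
    need = required_role(version)
    have = account_roles(user_json)
    return {
        "required": need,
        "granted": sorted(have),
        # Mirrors the page's rule literally: the listed role must be present.
        "ready": need in have,
        # Least privilege: flag Administrator where Auditor is what is required.
        "excess_admin": need == AUDITOR and ADMIN in have,
    }


# Constructed sample records (hypothetical account, assumed response shape).
SCAN_AUDITOR = '{"name": "nessus_scan", "partitionAccess": [{"name": "all-partitions", "role": "auditor"}]}'
SCAN_ADMIN = '{"name": "nessus_scan", "partitionAccess": [{"name": "all-partitions", "role": "admin"}]}'

if __name__ == "__main__":
    for ver, acct in [("12.1.6", SCAN_AUDITOR), ("13.1.5", SCAN_AUDITOR), ("15.1.10", SCAN_ADMIN)]:
        print(ver, preflight(ver, acct))
```

A result with ready set to False before the scan points to a role mismatch rather than a credential or connectivity problem.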

For more information, see the following articles in the F5 knowledge base:

Notes

Enable plugin debugging to assist with API authentication, responses, and errors.

Once enabled, perform a scan, and check f5_compliance_check_debug.log.