F5 Scan Requirements
The following describes scan requirements when using F5 compliance auditing in Tenable Vulnerability Management or Tenable Nessus.
Credentials
To use this plugin, configure the F5 credential set (Credentials > Miscellaneous).
Option | Description |
---|---|
Username | (Required) Username for a scanning account on the F5 target. |
Password | (Required) Password associated with the scanning account. |
Port | Port to use when connecting to the F5 target. By default, uses port 443. |
HTTPS | When enabled, connects using secure communication (HTTPS). When disabled, connects using standard HTTP. Enabled by default. |
Verify SSL Certificate | Verifies that the SSL certificate is valid. Enabled by default. If the target uses a self-signed certificate, disable this setting. |
Configuration Gathering
Target configuration is accessed through the iControl REST API and uses JSON transformations to process data.
Permissions
The account and permissions are version dependent:
- BIG-IP 11.5.x to 13.0.x: the scanning account must use the Administrator role to access the iControl REST API.
- BIG-IP 13.1.x and later: all users have access to the iControl REST API, but the scanning account needs the Auditor role added.
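An added example (not Tenable or F5 code): a pre-scan check that applies the version-dependent role requirement above to a scanning account. The user object shape (a partitionAccess list with role values admin and auditor), the sample account, and the handling of versions before 11.5 and of Administrator accounts on 13.1.x and later are assumptions.

```python
import re

# Assumed role names in a user's partition-access entries:
# "admin" = Administrator, "auditor" = Auditor.
ADMIN, AUDITOR = "admin", "auditor"

# Constructed sample account (not captured from a device).
SAMPLE_USER = {"name": "scan_account",
               "partitionAccess": [{"name": "all-partitions", "role": "auditor"}]}


def parse_version(text):
    """Return (major, minor) from a version string such as '13.1.0.8'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def roles_from_user(user_doc):
    """Collect lower-cased role names from the partitionAccess list."""
    return {p.get("role", "").lower() for p in user_doc.get("partitionAccess", [])}


def check_scan_account(version, user_doc):
    """Return (status, message); status is ok, fail, review or unsupported."""
    ver = parse_version(version)
    roles = roles_from_user(user_doc)
    if ver < (11, 5):
        # Assumption: versions below 11.5 are outside the stated ranges.
        return "unsupported", "version is older than the documented ranges"
    if ver < (13, 1):  # 11.5.x to 13.0.x
        if ADMIN in roles:
            return "ok", "Administrator role present (needed on 11.5.x-13.0.x)"
        return "fail", "Administrator role required on 11.5.x-13.0.x"
    if AUDITOR in roles:  # 13.1.x and later
        return "ok", "Auditor role present"
    if ADMIN in roles:
        # Assumption: flagged for least-privilege review, since the
        # requirement for these versions names the Auditor role.
        return "review", "Administrator in use; requirement names Auditor"
    return "fail", "Auditor role missing from the scanning account"


if __name__ == "__main__":
    for v in ("11.4.1", "12.1.2", "13.0.1", "13.1.0.8", "15.1.0"):
        print(v, check_scan_account(v, SAMPLE_USER))
```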
For more information, see the following articles in the F5 knowledge base:
Notes
Enable plugin debugging to assist with API authentication, responses, and errors.
Once enabled, perform a scan, and check f5_compliance_check_debug.log.