APM Password policy

Hi, first of all I assume this is not a question specific to APM users accessing through portal or vpn client but to big-ip local admins 

As per your screenshot, there is no reason to specify the exact number of required characters (6 3 3 2). I -personnaly- consider (1 1 1 1) to be secure enough, and I -personnaly- think what you have now is paranoia not security.

Regarding other fields, some would tell you that it is a very secure configuration, some others would not, I would tell you that it depends on your environment and this is the type of question I always forward to the CISO team to decide what has to be configured not to F5 admins nor to my -personal- feeling of what is secure or not.

Like Amine_Kadimi suggested those parameters need to be verfied by your security team and the business policy.

But looking at the numbers you have selected, for "Required Characters" look very heavy, hey i like heavy i work in security but this is a standard policy for all users so this might cause you a issue.

So you have set a 14 character min, cool. Recommendations seem to be going to 20+ characters for admins, but as a standard policy in the f5 you can't set different rules.

The point i want to make here is you have requested 
Number:6 
Upper Case: 3
Lower Case: 3
Other: 2

So this is a minimum config.
So you are asking for a something like 3D4g!g8DF5w6£0 or more characters.
In CIS, it only suggests you have 14 characters and at least 1 Upper case, 1 lower case and 1 other.
A quick google found this that might help - https://www.securden.com/blog/top-10-password-policies.html
Or look at CIS if you have the log in creds.

This doesn't mean that the password can't have more, it just means the enforcement is lower and normally you have to find a good balance with your user community. If this isn't a issue then you should be fine.

My other question, is when you say IT-Admin is this a internal group for RBAC or are you talking about the default "admin" account as these parameters do not affect that account as its a break glass account if nothing else.

I normally use a password manager and set a 32 character password with everything thrown at it for that account!
(And the root one)

1- how can I send expiration notifications?
I personally don't use expiration notifications, i use the f5 to enforce a password update.
You can do this on the day or give them a certain amount of days to bypass the password change before its enforced.  The only thing being is that i do this with AD (its controlled using the AD Query) i don't know if that functionality is avaiable when using the local user database. JRahm is there someone who can answer this?

Getting the f5 to manage the change is quick, and ensures its done and people don't miss notificaitions before the account is locked.

2- If the user did not see the notification, the expiration period is finished and the user is locked, how user can change the password?

Using a password update feature may be best for you here, as long as they know their previous password it should work nicely for you.

3- if the user is locked, is another admin can unlock this user? if yes, is the user must change the password after unlock, or maybe user's last password?

I've done this using AD, so clicking the box in the user on AD for "user changes password at next logon" triggers the f5 to enforce a password update. Very nice and clean. If its using the internal user DB i don't know hopefully Jason can find someone for you to help.

Hope this helps.