F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

CIS F5 Benchmark Reporter

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

The CIS_F5_Benchmark_Reporter.py is a Python script that can be run on a F5 BIG-IP. This script will check if the configuration of the F5 BIG-IP is compliant with the CIS Benchmark for F5.

The script will generate a report that can be saved to a file, send by e-mail or send its output to the screen. Just use the appropriate arguments when running the script.

[root@bigipa:Active:Standalone] # ./CIS_F5_Benchmark_Reporter.py
Usage: CIS_F5_Benchmark_Reporter.py [OPTION]...

Mandatory arguments to long options are mandatory for short options too.
  -f, --file=FILE            output report to file.
  -m, --mail                 output report to mail.
  -s, --screen               output report to screen.

Report bugs to nvansluis@gmail.com
[root@bigipa:Active:Standalone] #

To receive a daily or weekly report from your F5 BIG-IP, you can create a cron job. 

Below is a screenshot that shows what the report will look like.

 

Settings

In the script, there is a section named 'User Options'. These options should be modified to reflect your setup.

#-----------------------------------------------------------------------
# User Options - Configure as desired
#-----------------------------------------------------------------------

 

E-mail settings

Here the e-mail setting can be configured, so the script will be able to send a report by e-mail.

# e-mail settings
port = 587
smtp_server = "smtp.example.com"
sender_email = "johndoe@example.com"
receiver_email = "johndoe@example.com"
login = "johndoe"
password = "mySecret"

 

SNMP settings

Here you can add additional SNMP clients. These are necessary to be compliant with control 6.1.

# list containing trusted IP addresses and networks that have access to SNMP (control 6.1)
snmp_client_allow_list = [
    "127.0.0.0/8",
]

 

Exceptions

Sometimes there are valid circumstances, why a specific requirement of a security control can't be met. In this case you can add an exception. See the example below.

# set exceptions (add your own exceptions)
exceptions = {
    '2.1' : "Exception in place, because TACACS is used instead of RADIUS.",
    '2.2' : "Exception in place, because TACACS is used and there are two TACACS-servers present."
}

 

Recommendations

Store the script somewhere in the /shared partition. The data stored on this partition will still be available after an upgrade.

 

Feedback

This script has been tested on F5 BIG-IP version 17.x. If you have any questions, remarks or feedback, just let me know.

 

Download

The script can be downloaded from github.com.

https://github.com/nvansluis/CIS_F5_Benchmark_Reporter

Updated Nov 12, 2025
Version 6.0
security

4 Comments