CIS F5 Benchmark Reporter

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

The CIS_F5_Benchmark_Reporter.py is a Python script that can be run on an F5 BIG-IP. It checks whether the configuration of the F5 BIG-IP is compliant with the CIS Benchmark for F5.

The script generates a report that can be saved to a file, sent by e-mail, or printed to the screen. Just use the appropriate argument when running the script.

[root@bigipa:Active:Standalone] # ./CIS_F5_Benchmark_Reporter.py
Usage: CIS_F5_Benchmark_Reporter.py [OPTION]...

Mandatory arguments to long options are mandatory for short options too.
  -f, --file=FILE            output report to file.
  -m, --mail                 output report to mail.
  -s, --screen               output report to screen.

Report bugs to nvansluis@gmail.com
[root@bigipa:Active:Standalone] #

To receive a daily or weekly report from your F5 BIG-IP, you can create a cron job. 

Below is a screenshot that shows what the report will look like.

 

Settings

In the script, there is a section named 'User Options'. These options should be modified to reflect your setup.

#-----------------------------------------------------------------------
# User Options - Configure as desired
#-----------------------------------------------------------------------

 

E-mail settings

Here the e-mail settings are configured, so that the script is able to send the report by e-mail.

# e-mail settings
port = 587
smtp_server = "smtp.example.com"
sender_email = "johndoe@example.com"
receiver_email = "johndoe@example.com"
login = "johndoe"
password = "mySecret"
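The following is an added example, not code from the script itself, showing how the e-mail settings above can be used to deliver a report over an authenticated STARTTLS session on port 587 with certificate verification. The function names, the subject line and the optional source_ip parameter are assumptions; source_ip is passed to smtplib's source_address argument, which binds the outgoing connection to a specific local address for relays that only accept mail from one of the BIG-IP's addresses. Because the password is stored in cleartext in the script, keep the file readable only by the account that runs it.

```python
# Added example (not the project's code): build and send the report e-mail
# using the settings from the 'User Options' section, with STARTTLS and
# certificate verification. Names other than the settings are assumptions.
import smtplib
import ssl
from email.message import EmailMessage

# e-mail settings as in the script's 'User Options' section
port = 587
smtp_server = "smtp.example.com"
sender_email = "johndoe@example.com"
receiver_email = "johndoe@example.com"
login = "johndoe"
password = "mySecret"


def build_report_message(sender, receiver, hostname, report_text):
    """Wrap the plain-text report in a MIME message with a descriptive subject."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = receiver
    msg["Subject"] = f"CIS F5 Benchmark report for {hostname}"
    msg.set_content(report_text)
    return msg


def send_report(msg, server, port, login, password, source_ip=None, timeout=30):
    """Send msg over an authenticated STARTTLS session.

    source_ip, when given, makes smtplib bind the outgoing TCP connection to
    that local address (useful when the relay only trusts one of the
    BIG-IP's addresses). Raises smtplib.SMTPException or OSError on failure.
    """
    context = ssl.create_default_context()  # verifies the relay's certificate
    source_address = (source_ip, 0) if source_ip else None
    with smtplib.SMTP(server, port, timeout=timeout,
                      source_address=source_address) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        smtp.login(login, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # constructed report text; a real run would pass the generated report
    report = build_report_message(sender_email, receiver_email, "bigipa",
                                  "6.1: PASS - SNMP access restricted\n")
    send_report(report, smtp_server, port, login, password)
```

If the relay rejects the connection, check the session from the BIG-IP first (which source address the traffic leaves from, and whether the relay's certificate chain is trusted) before suspecting the credentials.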

 

SNMP settings

Here you can add additional trusted SNMP clients. This list is used to check compliance with control 6.1.

# list containing trusted IP addresses and networks that have access to SNMP (control 6.1)
snmp_client_allow_list = [
    "127.0.0.0/8",
]

 

Exceptions

Sometimes there are valid reasons why a specific requirement of a security control can't be met. In that case you can add an exception. See the example below.

# set exceptions (add your own exceptions)
exceptions = {
    '2.1' : "Exception in place, because TACACS is used instead of RADIUS.",
    '2.2' : "Exception in place, because TACACS is used and there are two TACACS-servers present."
}
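The following added example (not the project's own code) illustrates both the SNMP allow list from control 6.1 and the exceptions dictionary. It parses a constructed sample of `tmsh list sys snmp allowed-addresses` output, flags every configured address that is not fully covered by an allow-list network, and then formats report lines in which a failed control with a registered exception is reported as an exception with its justification rather than as a failure. The tmsh output format, the extra allow-list entry, the function names and the report line format are assumptions; the script's real checks may differ.

```python
# Added example (not the project's code): check the BIG-IP's SNMP allowed
# addresses against the allow list (control 6.1) and apply the exceptions
# dictionary when building report lines. The tmsh output below is constructed.
import ipaddress
import re

# settings as in the script's 'User Options' section
snmp_client_allow_list = [
    "127.0.0.0/8",
    "10.1.0.0/16",  # constructed: a monitoring network added by the operator
]

exceptions = {
    '2.1': "Exception in place, because TACACS is used instead of RADIUS.",
    '2.2': "Exception in place, because TACACS is used and there are two TACACS-servers present.",
}

# constructed sample of 'tmsh list sys snmp allowed-addresses' output;
# 10.0.0.0/8 is wider than any allow-list entry and must be flagged
SAMPLE_TMSH_OUTPUT = """sys snmp {
    allowed-addresses { 127.0.0.0/8 10.1.20.5 10.0.0.0/8 }
}
"""


def parse_allowed_addresses(tmsh_output):
    """Return the tokens inside 'allowed-addresses { ... }' (empty if absent)."""
    m = re.search(r"allowed-addresses\s*\{([^}]*)\}", tmsh_output)
    return m.group(1).split() if m else []


def check_snmp_allowed_addresses(configured, allow_list):
    """Return the configured entries that are not fully covered by the allow list.

    An entry passes only if it is a subnet of (or equal to) some allow-list
    network, so a configured range wider than the allow list fails even when
    it overlaps it. Entries that are not IP networks (e.g. host names) are
    reported as well, because they cannot be shown to be trusted.
    """
    allowed = [ipaddress.ip_network(n, strict=False) for n in allow_list]
    violations = []
    for entry in configured:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            violations.append(entry)
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            violations.append(entry)
    return violations


def control_6_1(tmsh_output, allow_list):
    """Evaluate control 6.1; returns (passed, detail)."""
    bad = check_snmp_allowed_addresses(parse_allowed_addresses(tmsh_output), allow_list)
    if bad:
        return False, "SNMP access allowed from untrusted address(es): " + ", ".join(bad)
    return True, "SNMP access restricted to trusted addresses"


def report_line(control, passed, detail, exceptions):
    """Format one report line. A failed control with a registered exception is
    reported as EXCEPTION with its justification instead of FAIL."""
    if passed:
        return f"{control}: PASS - {detail}"
    if control in exceptions:
        return f"{control}: EXCEPTION - {exceptions[control]}"
    return f"{control}: FAIL - {detail}"


if __name__ == "__main__":
    # constructed results: control 2.1 fails but has an exception registered
    results = [("2.1", False, "RADIUS is not configured"),
               ("6.1",) + control_6_1(SAMPLE_TMSH_OUTPUT, snmp_client_allow_list)]
    for control, passed, detail in results:
        print(report_line(control, passed, detail, exceptions))
```

The subnet check matters: a configured range such as 10.0.0.0/8 overlaps the allow-listed 10.1.0.0/16 but exposes far more than the trusted network, so only entries that are subnets of an allow-list network are accepted.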

 

Recommendations

Store the script somewhere in the /shared partition. The data stored on this partition will still be available after an upgrade.

 

Feedback

This script has been tested on F5 BIG-IP version 17.x. If you have any questions, remarks or feedback, just let me know.

 

Download

The script can be downloaded from github.com.

https://github.com/nvansluis/CIS_F5_Benchmark_Reporter

Updated Nov 12, 2025
Version 6.0

8 Comments

    • Hi Nikoolayy1, that's good to hear. From what I see on the F5 CIS Benchmark forum, it seems that there is currently not a lot of activity for the F5 CIS Benchmark and keeping it up-to-date. However, a lot of organizations, including the one I'm working for, still consider compliance with the CIS Benchmark important.

  • Very nice! I've tried several delimiters here to no avail. What am I missing?

    receiver_email = "some@email.what"

    • Niels_van_Sluis (MVP)

      Hi Kevin,

      Thanks! Not sure I understand your question. Could you give some more details?

  • nice work - I was looking to base my solution using cisofy-lynis but this is cleaner.

    QQ: Can you please help me to understand if I need to use some extra tools/libs or anything? I am getting an error on line 321...

     

    python3 -dd CIS_F5_Benchmark_Reporter.py -m
    
    File "CIS_F5_Benchmark_Reporter.py", line 321
    def control_3_1(self)
    ^
    SyntaxError: invalid syntax

    UPDATE: looks like a colon got lost in that proc-def on my side or during the install. The GitHub code is correct. With that tweak on my side, it runs on my test box with the `-s` and/or `-f` flags.

     

    NOTES: it might be obvious to many, but there are a few caveats that could save you from troubleshooting what look like authentication issues. I spent quite a bit of time digging into the code and then analyzing firewall & ACL log files, just to find out that the traffic never even made it to the mail server(s).

    1. Self IPs vs. Management IP: By default, the F5 uses its Self IP (usually an untrusted port) for most local traffic. Many secure SMTP relays might only trust the Management IP or a specific Internal/Relay IP. In those situations, you could be required to add a route table entry to force SMTP traffic to go out over the specific port you need... In theory: if you don't want to (or can't) change the system's routing table, you might be able to force Python (smtplib.SMTP) to bind its outgoing connection specifically to the F5's Management IP address as a config option.

    2. Port Lockdown: Even if the routing is working exactly as expected, you may also need to ensure that the "Port Lockdown" setting on your Management IP isn't inadvertently blocking those outbound requests (though it usually only affects incoming traffic). just sayin...
    • Niels_van_Sluis (MVP)

      Hi Joe,

      Thanks for your feedback. Glad to hear it is working now. Have fun!

      Best regards,

           --Niels