
CIS F5 Benchmark Reporter

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

CIS_F5_Benchmark_Reporter.py is a Python script that can be run on an F5 BIG-IP. It checks whether the configuration of the F5 BIG-IP is compliant with the CIS Benchmark for F5.

The script generates a report that can be saved to a file, sent by e-mail, or printed to the screen. Just use the appropriate arguments when running the script.

[root@bigipa:Active:Standalone] # ./CIS_F5_Benchmark_Reporter.py
Usage: CIS_F5_Benchmark_Reporter.py [OPTION]...

Mandatory arguments to long options are mandatory for short options too.
  -f, --file=FILE            output report to file.
  -m, --mail                 output report to mail.
  -s, --screen               output report to screen.

Report bugs to nvansluis@gmail.com
[root@bigipa:Active:Standalone] #

To receive a daily or weekly report from your F5 BIG-IP, you can create a cron job. 

Below is a screenshot that shows what the report will look like.

 

Settings

In the script, there is a section named 'User Options'. These options should be modified to reflect your setup.

#-----------------------------------------------------------------------
# User Options - Configure as desired
#-----------------------------------------------------------------------

 

E-mail settings

Configure the e-mail settings here so that the script can send the report by e-mail.

# e-mail settings
port = 587
smtp_server = "smtp.example.com"
sender_email = "johndoe@example.com"
receiver_email = "johndoe@example.com"
login = "johndoe"
password = "mySecret"

 

SNMP settings

Here you can add additional SNMP clients. These entries are necessary to be compliant with control 6.1.

# list containing trusted IP addresses and networks that have access to SNMP (control 6.1)
snmp_client_allow_list = [
    "127.0.0.0/8",
]

 

Exceptions

Sometimes there are valid reasons why a specific requirement of a security control can't be met. In that case, you can add an exception, as in the example below.

# set exceptions (add your own exceptions)
exceptions = {
    '2.1' : "Exception in place, because TACACS is used instead of RADIUS.",
    '2.2' : "Exception in place, because TACACS is used and there are two TACACS-servers present."
}
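
One way the SNMP allow list and the exceptions table above can be applied to a control result, as an added example that is not code from CIS_F5_Benchmark_Reporter.py. The function names, status strings and sample addresses are hypothetical, and it assumes that control 6.1 passes only when every configured SNMP client falls inside the allow list and that an exception is reported in place of a failure.

```python
import ipaddress

# Same names and shapes as the script's 'User Options'; values are constructed samples.
snmp_client_allow_list = ["127.0.0.0/8", "192.0.2.0/24"]
exceptions = {"2.1": "Exception in place, because TACACS is used instead of RADIUS."}


def outside_allow_list(configured, allow_list):
    """Return the configured SNMP client entries not covered by any trusted network."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in allow_list]
    rejected = []
    for entry in configured:
        try:
            # Accepts a single host, CIDR notation, or address/netmask notation.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)  # unparsable entries are never treated as trusted
            continue
        # subnet_of() raises TypeError across IP versions, so compare like with like.
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            rejected.append(entry)
    return rejected


def evaluate(control_id, findings, exceptions):
    """Map the findings for one control to (status, detail). Hypothetical statuses."""
    if not findings:
        return ("PASS", "")
    if control_id in exceptions:
        # Assumption: a documented exception replaces a failure, never a pass.
        return ("EXCEPTION", exceptions[control_id])
    return ("FAIL", "not in allow list: " + ", ".join(findings))


if __name__ == "__main__":
    # Constructed sample of SNMP client entries as they might be configured.
    configured = ["127.0.0.1", "192.0.2.10/255.255.255.255",
                  "198.51.100.0/24", "0.0.0.0/0"]
    findings = outside_allow_list(configured, snmp_client_allow_list)
    print(evaluate("6.1", findings, exceptions))
```

An entry such as 0.0.0.0/0 is reported because it is wider than every trusted network, even though it contains them.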

 

Recommendations

Store the script somewhere in the /shared partition. The data stored on this partition will still be available after an upgrade.

 

Feedback

This script has been tested on F5 BIG-IP version 17.x. If you have any questions, remarks or feedback, just let me know.

 

Download

The script can be downloaded from github.com.

https://github.com/nvansluis/CIS_F5_Benchmark_Reporter

Updated Nov 12, 2025
Version 6.0

3 Comments

    • Hi Nikoolayy1, that's good to hear. From what I see on the F5 CIS Benchmark forum, it seems that there is currently not a lot of activity for the F5 CIS Benchmark and keeping it up-to-date. However, a lot of organizations, including the one I'm working for, still consider compliancy with the CIS Benchmark important.