I am currently working on making our F5s STIG compliant. My F5 HA pair is currently on v14. I am looking for the following within the F5 Web GUI:
Verify that "Application Security" is Enabled under "General Configuration".
"Source IP-Based Client Side Integrity Defense"
"URL-Based Client Side Integrity Defense"
"Site-wide Client-Side Integrity Defense"
"Source IP-Based Rate Limiting"
"URL-Based Rate Limiting"
"Site-wide Rate Limiting"
The issue I am coming across is that the location of these settings (per the STIG rules) is based on F5 version 11.
Security ›› DoS Protection : DoS Profiles ›› <profile name>
Application Security ›› Behavioral & Stress-based (D)DoS Detection
›› TPS-based DoS Detection
Drill into the sections to see things like Client-Side Integrity Defense options.