If the BIG-IP AFM module is not used to support user access control intermediary services for virtual servers, this is not applicable.
Verify the BIG-IP AFM module is configured to only allow incoming communications from authorized sources routed to authorized destinations.
Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.
Select the applicable Virtual Server(s) from the list to verify.
Navigate to the Security >> Policies tab.
Verify that "Network Firewall" is assigned a local Network Firewall Policy.
Verify configuration of the identified Network Firewall policy:
Navigate to the BIG-IP System manager >> Security >> Network Firewall >> Active Rules.
Select the Network Firewall policy that was assigned to the Virtual Server.
Review the configuration of the "Protocol", "Source", "Destination", and "Action" sections at a minimum to ensure that the policy is only allowing incoming communications from authorized sources en route to authorized destinations.
If the BIG-IP AFM module is not configured to only allow incoming communications from authorized sources routed to authorized destinations, this is a finding.
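The review of "Protocol", "Source", "Destination", and "Action" described above can be cross-checked offline once the rules have been written down. The following Python is an added example, not part of the original check text or any F5 tooling; the rule records, their field names, and the authorized address lists are constructed assumptions standing in for values transcribed from the Active Rules view.

```python
import ipaddress

# Constructed sample: rules transcribed by hand from the Active Rules view.
# Field names and addresses are this example's assumptions, not a BIG-IP export format.
RULES = [
    {"name": "allow_web", "protocol": "tcp", "source": ["10.20.0.0/16"],
     "destination": ["192.0.2.10/32"], "action": "accept"},
    {"name": "allow_any_src", "protocol": "tcp", "source": [],
     "destination": ["192.0.2.10/32"], "action": "accept"},
    {"name": "allow_wide", "protocol": "any", "source": ["10.0.0.0/8"],
     "destination": ["192.0.2.0/24"], "action": "accept"},
    {"name": "deny_rest", "protocol": "any", "source": [],
     "destination": [], "action": "drop"},
]
AUTHORIZED_SOURCES = ["10.20.0.0/16", "10.30.5.0/24"]       # constructed
AUTHORIZED_DESTINATIONS = ["192.0.2.10/32", "192.0.2.11/32"]  # constructed
ALLOW_ACTIONS = {"accept", "accept-decisively"}

def outside(entries, authorized):
    """Return the entries that are not contained in any authorized network."""
    nets = [ipaddress.ip_network(a, strict=False) for a in authorized]
    bad = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in nets):
            bad.append(entry)
    return bad

def review(rules, sources, destinations):
    """Return (rule name, reason) pairs for allow rules that need attention."""
    findings = []
    for rule in rules:
        if rule["action"].lower() not in ALLOW_ACTIONS:
            continue  # drop/reject rules do not admit traffic
        if rule["protocol"].lower() == "any":
            # Assumption of this example: an unrestricted protocol is flagged.
            findings.append((rule["name"], "protocol is not restricted"))
        for field, allowed in (("source", sources), ("destination", destinations)):
            if not rule[field]:
                findings.append((rule["name"], f"{field} is any"))
            for entry in outside(rule[field], allowed):
                findings.append((rule["name"], f"{field} {entry} is not authorized"))
    return findings

if __name__ == "__main__":
    for name, reason in review(RULES, AUTHORIZED_SOURCES, AUTHORIZED_DESTINATIONS):
        print(f"{name}: {reason}")
```

An empty result means every allow rule names explicit sources and destinations that fall inside the authorized lists; any returned pair identifies the rule to re-examine in the policy.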