Assess F5 BIG-IP Security with cnspec
Secure and enforce policy for F5 BIG-IP application delivery controllers
Rely on cnspec to ensure your F5 BIG-IP application delivery controllers follow recommended security and operational best practices, such as verifying SSL/TLS certificate expiration, checking NTP and DNS configuration, validating virtual server settings, and assessing network hardening.
Prerequisites
To test a BIG-IP device with cnspec, you must have:
- cnspec installed on your workstation
- Network access to the BIG-IP management interface (iControl REST API)
- Valid credentials (username and password) with administrator privileges
Give cnspec access to your BIG-IP device
To scan a BIG-IP device, cnspec connects through the iControl REST API over HTTPS (port 443 by default).
API setup instructions
Ensure the iControl REST API is accessible
The iControl REST API is enabled by default on BIG-IP devices. Verify that HTTPS management access is available from your workstation:
- Log in to the BIG-IP web interface (TMUI).
- Navigate to System > Platform to confirm the management IP address.
- Ensure the management port (default 443) is reachable from the machine running cnspec.
The account used for scanning needs at least the Administrator or Resource Administrator role to read all configuration data.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
cnspec shell bigip --hostname DEVICE_IP --username admin --ask-pass

To skip TLS certificate verification (for self-signed certificates):

cnspec shell bigip --hostname DEVICE_IP --username admin --ask-pass --insecure

If cnspec connects successfully and shows a prompt, you're ready to scan.
Connection options
| Option | Description |
|---|---|
| --hostname | Hostname or IP address of the BIG-IP device |
| --port | iControl REST API port (default: 443) |
| --username, -u | Username for authentication (default: admin) |
| --password, -p | Password for authentication |
| --ask-pass | Prompt for the password |
| --insecure, -k | Skip TLS certificate verification |
Scan BIG-IP devices
To scan a BIG-IP device, use the cnspec scan command:
cnspec scan bigip --hostname DEVICE_IP --username admin --ask-pass

Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result.
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
You can also create your own policies or specify a particular policy bundle with --policy-bundle.
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your BIG-IP device:
cnspec shell bigip --hostname DEVICE_IP --username admin --ask-pass

Below are some example checks you can run from the shell.
Ensure NTP servers are configured
cnspec> bigip.ntp.servers.length > 0
[ok] value: true

Ensure DNS nameservers are configured

cnspec> bigip.dns.nameServers.length > 0
[ok] value: true

Ensure no SSL certificates are expired

cnspec> bigip.certificates.where(expirationDate < time.now.unix) == []
[ok] value: []

Ensure all virtual servers have a pool assigned

cnspec> bigip.virtualServers.all(pool != "")
[ok] value: true

Ensure client SSL profiles use strong ciphers

cnspec> bigip.clientSslProfiles.none(ciphers == "DEFAULT")
[ok] value: true

Ensure SNMP allowed addresses are restricted

cnspec> bigip.snmp.allowedAddresses.none(_ == "0.0.0.0/0")
[ok] value: true

Learn more
- To learn about all the F5 BIG-IP resources and properties you can query, read the F5 BIG-IP Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.
- For more information about F5 BIG-IP, see the F5 BIG-IP documentation.