Ärendetyp: 6 Diarienummer: 19FMV1178-22:1
HEMLIG/
enligt Offentlighets- och sekretesslagen
(2009:400)
2019-12-17
Country of origin: Sweden
Försvarets materielverk
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version
14.1.0
Issue: 1.0, 2019-Dec-17
Authorisation: Helén Svensson, Lead Certifier , CSEC
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
2 (21)
Table of Contents
1 Executive Summary 3
2 Identification 5
3 Security Policy 6
3.1 Security Audit 6
3.2 Cryptographic Support 6
3.3 User Data Protection 6
3.4 Identification and Authentication 6
3.5 Security Function Management 7
3.6 Protection of the TSF 7
3.7 TOE Access 7
3.8 Trusted Path / Channels 7
3.9 Firewall 7
4 Assumptions and Clarification of Scope 8
4.1 Assumptions 8
4.2 Organisational Security Policies 8
4.3 Clarification of Scope 9
5 Architectural Information 11
6 Documentation 13
7 IT Product Testing 15
7.1 Evaluator Testing 15
7.2 Penetration Testing 15
8 Evaluated Configuration 16
9 Results of the Evaluation 17
10 Evaluator Comments and Recommendations 18
11 Glossary 19
12 Bibliography 20
Appendix A Scheme Versions 21
A.1 Scheme/Quality Management System 21
A.2 Scheme Notes 21
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
3 (21)
1 Executive Summary
The Target of Evaluation (TOE) is a firewall networking device, comprised of hard-
ware and software. The TOE consists of the BIG-IP LTM+AFM Version 14.1.0.3
(build BIGIP-14.1.0.3.0.75.6-ENG, also referred to as 14.1.0.3) with any of the fol-
lowing hardware appliances installed with the LTM+AFM with application mode
software and engineering hotfix Hotfix-BIGIP-14.1.0.3.0.75.6-ENG.
Series Description
10000 Bourne 10350v-F
i5000 Shuttle i5000 (i5600, i5800, i5820-DF)
i7000 Shuttle i7000 (i7600, i7800, i7820-DF)
i10000 Shuttle i10000 (i10600, i10800)
i11000 Shuttle i11000 (i11600-DS, i11800-DS)
i15000 Shuttle i15000 (i15800, i15600-DS)
B2250 VIPRION B2250
B4450 VIPRION B4450
or installed on F5 Virtual Clustered Multiprocessing (vCMP) environment running on
any of the appliances listed above.
The TOE hardware is delivered via trusted couriers, while the software is delivered as
a downloadable ISO image from the F5 website.
The ST claims exact conformance to Collaborative Protection Profile for Stateful
Traffic Filter Firewalls (FWcPP), version 2.0 + Errata 20180314.
The NIT technical decisions that have been applied to the Network Device Collabora-
tive Protection Profile can be found in the ST.
There are six assumptions being made in the ST regarding the secure usage and envi-
ronment of the TOE. The TOE relies on these to counter the thirteen threats and com-
ply with the one organisational security policy (OSP) in the ST. The assumptions, the
threat and the OSP are described in chapter 4 Assumptions and Clarification of Scope.
The evaluation has been performed by atsec information security AB and was com-
pleted 2019-12-03. The evaluation was conducted in accordance with the requirements
of Common Criteria, version 3.1, release 5, and the Common Methodology for IT Se-
curity Evaluation, version 3.1, release 5. The evaluation meets the requirements of
evaluation assurance level EAL 1, augmented by ASE_SPD.1 Security Problem Defi-
nition and the FWcPP Evaluation Activities.
atsec information security AB is a licensed evaluation facility for Common Criteria
under the Swedish Common Criteria Evaluation and Certification Scheme. atsec in-
formation security AB is also accredited by the Swedish accreditation body SWEDAC
according to ISO/IEC 17025 for Common Criteria evaluation.
The certifier monitored the activities of the evaluator by reviewing all successive ver-
sions of the evaluation reports. The certifier determined that the evaluation results
confirm the security claims in the Security Target [ST], and have been reached in
agreement with the requirements of the Common Criteria and the Common Methodol-
ogy for evaluation assurance level:
EAL 1 + ASE_SPD.1 and in accordance with the FWcPP Evaluation Activities.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
4 (21)
The certification results only apply to the version of the product indicated in the cer-
tificate, and on the condition that all the stipulations in the Security Target are met.
This certificate is not an endorsement of the IT product by CSEC or any other organ-
isation that recognises or gives effect to this certificate, and no warranty of the IT
product by CSEC or any other organisation that recognises or gives effect to this
certificate is either expressed or implied.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
5 (21)
2 Identification
Certification Identification
Certification ID CSEC2019003
Name and version of the
certified IT product
BIG-IP LTM+AFM Version 14.1.0.3 (build BIGIP-
14.1.0.3.0.75.6-ENG, also referred to as 14.1.0.3)
and engineering hotfix Hotfix-BIGIP-
14.1.0.3.0.75.6-ENG running on any of the following
appliances or on the hypervisor vCMP, installed on
any of the following appliances:
10000, i5000, i7000, i10000, i11000, i15000, B2250,
B4450
Security Target Identification F5 BIG-IP 14.1.0 for LTM+AFM Security Target,
version 4.6
EAL EAL 1 + ASE_SPD.1 and
FWcPP v2.0+Errata 20180314
Sponsor F5 Networks Inc.
Developer F5 Networks Inc.
ITSEF atsec information security AB
Common Criteria version 3.1 release 5
CEM version 3.1 release 5
QMS version 1.23
Scheme Notes Release 14.0
Recognition Scope CCRA
Certification date 2019-12-17
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
6 (21)
3 Security Policy
The TOE provides the following security services:
 Security Audit
 Cryptography Support
 User Data Protection
 Identification and Authentication
 Security Function Management
 Protection of the TSF
 TOE Access
 Trusted Path/Channels
 Firewall
3.1 Security Audit
BIG-IP implements syslog capabilities to generate audit records for security-relevant
events. In addition, the BIG-IP protects the audit trail from unauthorized modifications
and loss of audit data due to insufficient space.
3.2 Cryptographic Support
In BIG-IP, cryptographic functionality is provided by the OpenSSL cryptographic
module. The BIG-IP provides a secure shell (SSH) to allow administrators to connect
over a dedicated network interface. BIG-IP also implements the TLS protocol to allow
administrators to remotely manage the TOE. BIG-IP implements a TLS client for in-
teractions with other TLS servers. These cryptographic implementations utilize the
cryptographic module which provides random number generation, key generation, key
establishment, key storage, key destruction, hash operations, encryption/decryption
operations, and digital signature operations.
3.3 User Data Protection
BIG-IP implements residual information protection on network packets traversing
through it. In other words, network packets traversing through the BIG-IP do not con-
tain any residual data.
3.4 Identification and Authentication
An internal password-based repository is implemented for authentication of manage-
ment users. BIG-IP enforces a strong password policy and disabling user accounts af-
ter a configured number of failed authentication attempts.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
7 (21)
3.5 Security Function Management
A command line interface (available via the traffic management shell "tmsh"), web-
based GUI ("Configuration utility"), a SOAP-based API ("iControl API"), and a
REST-based API (“iControl REST API”) are offered to administrators for all relevant
configuration of security functionality. The TOE manages configuration objects in a
partition which includes users, server pools, etc. This includes the authentication of
administrators by user name and password, as well as access control based on pre-
defined roles and, optionally, groups of objects ("Profiles"). "Profiles" can be defined
for individual servers and classes of servers that the TOE forwards traffic from clients
to, and for traffic that matches certain characteristics, determining the kind of treat-
ment applicable to that traffic. Management capabilities offered by the TOE include
the definition of templates for certain configuration options. The management func-
tionality also implements roles for separation of duties.
3.6 Protection of the TSF
BIG-IP implements many capabilities to protect the integrity and management of its
own security functionality. These capabilities include the protection of sensitive data,
such as passwords and keys, self-tests, product update verification, and reliable time
stamping.
3.7 TOE Access
Prior to interactive user authentication, the BIG-IP can display an administrative-
defined banner. BIG-IP terminates interactive sessions after an administrator-defined
period of inactivity and allows users to terminate their own authenticated session.
3.8 Trusted Path / Channels
The TOE protects remote connections to its management interfaces with TLS and
SSH. The TOE also protects communication channels with audit servers using TLS.
3.9 Firewall
The TOE offers basic firewall functionality, including stateful packet inspection and
network address translation, and logic to mitigate denial-of-service attacks.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
8 (21)
4 Assumptions and Clarification of Scope
4.1 Assumptions
The Security Target [ST] makes six assumptions on the usage and the operational en-
vironment of the TOE.
A.PHYSICAL_PROTECTION
The firewall device is assumed to be physically protected in its operational environ-
ment and not subject to physical attacks that compromise the security and/or interfere
with the firewall’s physical interconnections and correct operation. This protection is
assumed to be sufficient to protect the firewall and the data it contains. As a result, the
cPP will not include any requirements on physical tamper protection or other physical
attack mitigations. The cPP will not expect the product to defend against physical ac-
cess to the firewall that allows unauthorized entities to extract data, bypass other con-
trols, or otherwise manipulate the firewall.
A.LIMITED_FUNCTIONALITY
The firewall device is assumed to provide networking functionality as its core function
and not provide functionality/services that could be deemed as general purpose com-
puting. For example the firewall device should not provide a computing platform for
general purpose applications (unrelated to networking functionality).
A.TRUSTED_ADMINISTRATOR
The Security Administrator(s) for the firewall device are assumed to be trusted and to
act in the best interest of security for the organization. This includes being appropri-
ately trained, following policy, and adhering to guidance documentation. Administra-
tors are trusted to ensure passwords/credentials have sufficient strength and entropy
and to lack malicious intent when administering the firewall. The firewall device is not
expected to be capable of defending against a malicious Administrator that actively
works to bypass or compromise the security of the device.
A.REGULAR_UPDATES
The firewall device firmware and software is assumed to be updated by an Adminis-
trator on a regular basis in response to the release of product updates due to known
vulnerabilities.
A.ADMIN_CREDENTIALS_SECURE
The Administrator’s credentials (private key) used to access the firewall device are
protected by the platform on which they reside.
A.RESIDUAL_INFORMATION
The Administrator must ensure that there is no unauthorized access possible for sensi-
tive residual information (e.g., cryptographic keys, keying material, PINs, passwords,
etc.) on firewall equipment when the equipment is discarded or removed from its op-
erational environment.
4.2 Organisational Security Policies
The Security Target contains one Organisational Security Policies (OSPs), which have
been considered during the evaluation.
P.ACCESS_BANNER
The TOE shall display an initial banner describing restrictions of use, legal agree-
ments, or any other appropriate information to which users consent by accessing the
TOE.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
9 (21)
4.3 Clarification of Scope
The Security Target contains thirteen threats, which have been considered during the
evaluation.
T.UNAUTHORIZED_ADMINISTRATOR_ACCESS
Threat agents may attempt to gain Administrator access to the firewall by nefarious
means such as masquerading as an Administrator to the firewall, masquerading as the
firewall to an Administrator, replaying an administrative session (in its entirety, or se-
lected portions), or performing man-in-the-middle attacks, which would provide ac-
cess to the administrative session, or sessions between the firewall and a network de-
vice. Successfully gaining Administrator access allows malicious actions that com-
promise the security functionality of the firewall and the network on which it resides.
T.WEAK_CRYPTOGRAPHY
Threat agents may exploit weak cryptographic algorithms or perform a cryptographic
exhaust against the key space. Poorly chosen encryption algorithms, modes, and key
sizes will allow attackers to compromise the algorithms, or brute force exhaust the key
space and give them unauthorized access allowing them to read, manipulate and/or
control the traffic with minimal effort.
T.UNTRUSTED_COMMUNICATION_CHANNELS
Threat agents may attempt to target firewalls that do not use standardized secure tun-
neling protocols to protect the critical network traffic. Attackers may take advantage
of poorly designed protocols or poor key management to successfully perform man-in-
the-middle attacks, replay attacks, etc. Successful attacks will result in loss of confi-
dentiality and integrity of the critical network traffic, and potentially could lead to a
compromise of the firewall itself.
T.WEAK_AUTHENTICATION_ENDPOINTS
Threat agents may take advantage of secure protocols that use weak methods to au-
thenticate the endpoints – e.g., shared password that is guessable or transported as
plaintext. The consequences are the same as a poorly designed protocol, the attacker
could masquerade as the Administrator or another device, and the attacker could insert
themselves into the network stream and perform a man-in-the-middle attack. The re-
sult is the critical network traffic is exposed and there could be a loss of confidentiali-
ty and integrity, and potentially the firewall itself could be compromised.
T.UPDATE_COMPROMISE
Threat agents may attempt to provide a compromised update of the software or firm-
ware which undermines the security functionality of the device. Non-validated updates
or updates validated using non-secure or weak cryptography leave the update firm-
ware vulnerable to surreptitious alteration.
T.UNDETECTED_ACTIVITY
Threat agents may attempt to access, change, and/or modify the security functionality
of the firewall without Administrator awareness. This could result in the attacker find-
ing an avenue (e.g., misconfiguration, flaw in the product) to compromise the device
and the Administrator would have no knowledge that the device has been compro-
mised.
T.SECURITY_FUNCTIONALITY_COMPROMISE
Threat agents may compromise credentials and firewall data enabling continued ac-
cess to the firewall and its critical data. The compromise of credentials include replac-
ing existing credentials with an attacker’s credentials, modifying existing credentials,
or obtaining the Administrator or firewall credentials for use by the attacker.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
10 (21)
T.PASSWORD_CRACKING
Threat agents may be able to take advantage of weak administrative passwords to gain
privileged access to the firewall. Having privileged access to the firewall provides the
attacker unfettered access to the network traffic, and may allow them to take ad-
vantage of any trust relationships with other network devices.
T.SECURITY_FUNCTIONALITY_FAILURE
An external, unauthorized entity could make use of failed or compromised security
functionality and might therefore subsequently use or abuse security functions without
prior authentication to access, change or modify device data, critical network traffic or
security functionality of the device.
T.NETWORK_DISCLOSURE
An attacker may attempt to “map” a subnet to determine the machines that reside on
the network, and obtaining the IP addresses of machines, as well as the services (ports)
those machines are offering. This information could be used to mount attacks to those
machines via the services that are exported.
T.NETWORK_ACCESS
With knowledge of the services that are exported by machines on a subnet, an attacker
may attempt to exploit those services by mounting attacks against those services.
T.NETWORK_MISUSE
An attacker may attempt to use services that are exported by machines in a way that is
unintended by a site’s security policies. For example, an attacker might be able to use
a service to “anonymize” the attacker’s machine as they mount attacks against others.
T. MALICIOUS_TRAFFIC
An attacker may attempt to send malformed packets to a machine in hopes of causing
the network stack or services listening on UDP/TCP ports of the target machine to
crash.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
11 (21)
5 Architectural Information
The following diagram shows the basic components that comprise the TOE.
Figure 1: Architectural aspects of BIG-IP
The TOE is separated into two (2) distinct planes, the control plane and the data plane.
The control plane validates, stores, and passes configuration data to all necessary sys-
tems. It also provides all administrative access to the TOE. The data plane passes user
traffic through the TOE.
The TOE implements and supports the following network protocols: TLS (client and
server), SSH, HTTPS, FTP. The TOE protects remote connections to its management
interfaces with TLS and SSH. The TOE also protects communication channels with
audit servers using TLS (TLSv1.1 and TLSv1.2). The cryptographic functionality im-
plemented in the TOE is provided by OpenSSL.
The TOE is divided into five (5) subsystems: Appliance (hardware or virtual), Traffic
Management Operating System (TMOS), Traffic Management Micro-kernel (TMM),
Local Traffic Manager (LTM), and Advanced Firewall Manager (AFM). F5’s TMOS
is a Linux-based operating system customized for performance and to execute on the
TOE appliance hardware or in the TOE Virtual Clustered Multiprocessing (vCMP)
environment. The vCMP is a hypervisor that allows multiple instances of the TOE to
execute on the same underlying hardware. The TMM is the data plane of the product
and all data plane traffic passes through the TMM. The LTM controls network traffic
coming into or exiting the local area network (LAN) and provides the ability to inter-
cept and redirect incoming network traffic. The AFM implements stateful traffic filter-
ing on Level 2 and Level 4 network traffic packets using administrator-defined packet-
filtering rules that are based on network packet attributes.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
12 (21)
At the core of BIG-IP is a concept referred to as Traffic Management Microkernel
(TMM), representing the data plane of the product when compared to traditional net-
work device architectures. It is implemented by a daemon running with root privileg-
es, performing its own memory management, and having direct access to the network
hardware. TMM implements a number of sequential filters both for the “client-side”
and “server-side” network interfaces served by BIG-IP. The filters implemented in
TMM include a TCP, TLS, compression, and HTTP filter, amongst others. If the
hardware provides more than one CPU, TMM runs multi-threaded (one thread per
CPU). In this case, disaggregators implemented in hardware or, depending on the un-
derlying appliance, firmware, are responsible for de-multiplexing and multiplexing
network traffic for handling by an individual TMM thread. In addition to the actual
switch hardware, F5 appliance hardware also contains a High-Speed Bridge (HSB,
implemented by means of an FPGA) that performs basic traffic filtering functionality
as instructed by TMM.
Additional plug-in filters can be added to this queue by individual product packages.
These plug-ins typically have a filter component in TMM, with additional and more
complex logic in a counter-part implemented in a Linux-based daemon (module). The
plug-in modules relevant to this evaluation shown in the figure above include:
 Local Traffic Manager (LTM): authentication of HTTP (based on Apache) traffic
and advanced traffic forwarding directives
 Advanced Firewall Manager (AFM): network filtering as described in FWcPP.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
13 (21)
6 Documentation
Relevant guidance documents for the secure operation of BIG-IP that are part of the
TOE are:
 BIG-IP Common Criteria Evaluation Configuration Guide BIG-IP LTM+AFM
and BIG-IP LTM+APM Release 14.1.0
 K98644890: Common Criteria Certification for BIG-IP 14.1.0
 BIG-IP AFM: Network Firewall Policies and Implementations
 BIG-IP AFM Operations Guide
 BIG-IP Device Service Clustering: Administration
 BIG-IP Digital Certificates: Administration
 BIG-IP Engineering Hotfix README
 BIG-IP Local Traffic Manager: Implementations
 BIG-IP Local Traffic Manager: Monitors Reference
 BIG-IP Local Traffic Manager: Profiles Reference
 BIG-IP Release Note
 BIG-IP System: Essentials
 BIG-IP System: SSL Administration
 BIG-IP System: User Account Administration
 BIG-IP Systems: Getting Started Guide
 BIG-IP TMOS: Implementations
 BIG-IP TMOS: Routing Administration
 External Monitoring of BIG-IP Systems: Implementations
 GUI Help Files
 iControl SDK
 iControl REST API User Guide
 K12042624: Restricting access to the Configuration utility using client certificates
(12.x – 14.x)
 K13092: Overview of securing access to the BIG-IP system
 K13123: Managing BIG-IP product hotfixes (11.x – 15.x)
 K13302: Configuring the BIG-IP system to use an SSL chain certificate (11.x –
14.x)
 K13454: Configuring SSH public key authentication on BIP-IP systems (11.x –
14.x)
 K14620: Managing SSL Certificates for BIG-IP systems using the Configuration
utility
 K14783: Overview of the Client SSL profile (11.x – 14.x)
 K14806: Overview of the Server SSL profile (11.x – 15.x)
 K15497: Configuring a secure password policy for the BIG-IP system (11.x –
14.x)
 K15664: Overview of BIG-IP device certificates (11.x – 14.x)
 K42531434: Replacing the Configuration utility’s self-signed SSL certificate with
a CA-signed SSL certificate
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
14 (21)
 K5532: Configuring the level of information logged for TMM-specific events
 K6068: Configuring a pre-login or post-login message banner for the BIG-IP or
Enterprise Manager system
 K7683: Connecting a serial terminal to a BIG-IP system
 K7752: Licensing the BIG-IP system
 K80425458: Modifying the list of ciphers and MAC algorithms used by the SSH
service on the BIG-IP system or BIG-IQ system
 K9908: Configuring an automatic logout for idle sessions
 Platform Guide: 10000 Series
 Platform Guide: i5000/i7000/i10000/i11000 Series
 Platform Guide: i15000 Series
 Platform Guide: VIPRION® 2200
 Platform Guide: VIPRION® 4400 Series
 vCMP for Appliance Models: Administration
 vCMP for VIPRION Systems: Administration
 Traffic Management Shell (tmsh) Reference Guide (versions 14.1.0 and 12.0.01)
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
15 (21)
7 IT Product Testing
7.1 Evaluator Testing
Independent testing was performed on the TOE in the form it is delivered to custom-
ers. The evaluator has devised more than 50 test cases, including extensive testing to
test cryptographic protocols (SSH, TLS, HTTPS) as well as underlying cryptographic
operations (FCS_COP, FCS_CKM) that were also separately tested in algorithm test-
ing.
Multiple algorithm testing is required to be performed by NDcPP Supporting Docu-
ment. Multiple sets of algorithm test vectors were generated by Cryptographic Algo-
rithm Validation System (CAVS) tool to test all hardware family series.
7.2 Penetration Testing
The approach for the penetration test was to scan all TCP ports on the TOE platform
to identify all open ports. The penetration test was performed on the TOE in the evalu-
ated configuration.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
16 (21)
8 Evaluated Configuration
The following configuration specifics apply to the evaluated configuration of the
TOE:
 Appliance mode is licensed. This results in root access to the TOE operating sys-
tem and bash shell being disabled.
 Certificate validation is performed using CRLs.
 Disabled interfaces:
 All command shells other than tmsh are disabled. For example, bash and other
user-serviceable shells are excluded.
 Management of the TOE via SNMP is disabled.
 Management of the TOE via the appliance's LCD display is disabled.
 Remote (i.e., SSH) access to the Lights Out / Always On Management capabil-
ities of the system is disabled.
 SSH client
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
17 (21)
9 Results of the Evaluation
The evaluators applied each work unit of the Common Methodology [CEM] within
the scope of the evaluation, and concluded that the TOE meets the security objectives
stated in the Security Target [ST] for an attack potential of Basic.
The certifier reviewed the work of the evaluators and determined that the evaluation
was conducted in accordance with the Common Criteria [CC].
The evaluators' overall verdict is PASS.
The verdicts for the respective assurance classes and components are summarised in
the following table:
Assurance Class/Family Short name Verdict
Development ADV PASS
Functional Specification ADV_FSP.1 PASS
Guidance Documents AGD PASS
Operational User Guidance AGD_OPE.1 PASS
Preparative Procedures AGD_PRE.1 PASS
Life-cycle Support ALC PASS
CM Capabilities ALC_CMC.1 PASS
CM Scope ALC_CMS.1 PASS
Security Target Evaluation ASE PASS
ST Introduction ASE_INT.1 PASS
Conformance Claims ASE_CCL.1 PASS
Security Problem Definition ASE_SPD.1 PASS
Security Objectives ASE_OBJ.1 PASS
Extended Components Definition ASE_ECD.1 PASS
Security Requirements ASE_REQ.1 PASS
TOE Summary Specification ASE_TSS.1 PASS
Tests ATE PASS
Independent Testing ATE_IND.1 PASS
Vulnerability Assessment AVA PASS
Vulnerability Analysis AVA_VAN.1 PASS
Evaluation Activities for FWcPP PASS
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
18 (21)
10 Evaluator Comments and Recommendations
None.
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
19 (21)
11 Glossary
CC Common Criteria
CRL Certificate Revocation List
FPGA Field-Programmable Gate Array
GUI Graphical User Interface
HSB High-Speed Bridge
LTM Local Traffic Manager
OSP Organisational Security Policy
PP Protection Profile
SOAP Simple Object Access Protocol
ST Security Target
TLS Transport Layer Security
TMM Traffic Management Microkernel
TMOS Traffic Management Operating System
TOE Target of Evaluation
TSF TOE Security Functions
vCMP Virtual Clustered Multi-Processing
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
20 (21)
12 Bibliography
ST F5 BIG-IP 14.1.0 for LTM+AFM Security Target, F5 Networks Inc.
2019-07-10 document version 4.6
ECG BIG-IP Common Criteria Evaluation Configuration Guide BIG-IP
LTM+AFM and BIG-IP LTM+APM Release 14.1.0, F5 Networks
Inc., 2019-07-01, document version 4.10
FWcPP Collaborative Protection Profile for Stateful Traffic Filter Firewalls,
2018-03-14, document version 2.0E (v2.0 + Errata 20180314)
EA-FW Evaluation Activities for Stateful Traffic Filter Firewalls cPP, 2017-
05-05, document version 2.0
EA-ND Evaluation Activities for Network Device cPP, 2018-03-14, document
version 2.0E (v2.0 + Errata 20180314)
CCpart1 Common Criteria for Information Technology Security Evaluation,
Part 1, version 3.1 revision 5, CCMB-2017-04-001
CCpart2 Common Criteria for Information Technology Security Evaluation,
Part 2, version 3.1 revision 5, CCMB-2017-04-002
CCpart3 Common Criteria for Information Technology Security Evaluation,
Part 3, version 3.1 revision 5, CCMB-2017-04-003
CC CCpart1 + CCpart2 + CCpart3
CEM Common Methodology for Information Technology Security Evalua-
tion, version 3.1 revision 5, CCMB-2017-04-004
SP-002 SP-002 Evaluation and Certification, CSEC, 2019-09-24, document
version 31.0
Swedish Certification Body for IT Security
Certification Report - F5 BIG IP LTM+AFM Version 14.1.0
19FMV1178-22:1 1.0 2019-12-17
21 (21)
Appendix A Scheme Versions
During the certification the following versions of the Swedish Common Criteria Eval-
uation and Certification scheme has been used.
A.1 Scheme/Quality Management System
During the certification project, the following versions of the quality management sys-
tem (QMS) have been applicable since the certification application was received:
QMS 1.22 valid from 2019-02-01
QMS 1.22.1 valid from 2019-03-08
QMS 1.22.2 valid from 2019-05-02
QMS 1.22.3 valid from 2019-05-20
QMS 1.23 valid from 2019-10-14
In order to ensure consistency in the outcome of the certification, the certifier has ex-
amined the changes introduced in each update of the quality management system.
The changes between consecutive versions are outlined in “Ändringslista CSEC QMS
1.23”. The certifier concluded that, from QMS 1.22 to the current QMS 1.23, there are
no changes with impact on the result of the certification.
A.2 Scheme Notes
The following Scheme interpretations have been considered during the certification.
 Scheme Note 15 - Demonstration of test Coverage
 Scheme Note 18 - Highlighted Requirements on the Security Target
 Scheme Note 21 - NIAP PP Certifications
 Scheme Note 22 - Vulnerability assessment
 Scheme Note 23 - Evaluation reports for NIAP PPs and cPPs
 Scheme Note 25 - Use of CAVP-tests in CC evaluations