STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to F5 BIG-IP TMOS ALG Security Technical Implementation Guide

V-266137

CAT II (Medium)

The F5 BIG-IP appliance providing user access control intermediary services must limit the "Max Sessions Per User" to one or an organization-defined number for each access profile.

Rule ID

SV-266137r1212026_rule

STIG

F5 BIG-IP TMOS ALG Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-000054

Discussion

The "Max Sessions Per User" setting is crucial for maintaining session limits per individual user, preventing issues such as VDI applications disconnecting multiple users and becoming unusable for concurrent access. The default value for "Max Sessions Per User" is "0" (unlimited), so this setting must be set to implement a limit.

Check Content

If the BIG-IP appliance does not provide user access control intermediary services, this is not applicable.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the Name of the Access profile.
5. Under "Settings", verify "Max Sessions per User" is set to "1" or to an organization-defined number.

If the BIG-IP appliance is not configured to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.

Fix Text

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the Name of the Access profile.
5. Under "Settings", set "Max Sessions per User" to "1" or to an organization-defined number.
6. Update.