Bug ID 712401: Enhanced administrator lock/unlock for Common Criteria compliance

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM, APM, LTM(all modules)

Fixed In:

Opened: Mar 28, 2018

Severity: 2-Critical


The Network Device and Firewall collaborative Protection Profiles v2.0 require certain behavior for locking and unlocking administrative-user accounts on the BIG-IP system. BIG-IP software needs to be enhanced for compliance with those requirements.


Without these enhancements activated, the BIG-IP system is not compliant with Common Criteria requirements.


The ccmode script must be run to activate these enhancements. Also, see the Common Criteria Guidance document (published when the certificate is obtained) for more details.


Risk acceptance for Common Criteria non-compliance.

Fix Information

To meet Common Criteria requirements, the BIG-IP system is enhanced in two areas: 1. The primary administrative user account (generally 'admin') can be locked out, as any other administrative-user account can be. However, it is never locked out when signing in from the serial console. 2. Locked out administrative-users are unlocked only after an administrator-specified time period has passed. The default is 10 minutes, and is set in the ccmode script.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips