Forum Discussion
Bill_Callahan_8
Nimbostratus
Oct 07, 2009
Big-IP Local Traffic Self-ips for internet facing addresses
Is there a particular reason why I would not set the Self-IP on an interface for the Internet to deny all traffic? For any virtual servers, I am using separate IP addresses. Mostly, my concern is about allowing SSL and SSH access from the internet into the F5. Seems to make sense, but I have not been able to locate a definitive best practice. Seems like other than Self-IPs that I want to Manage through, I would want to block pretty much everything.
- The_Bhattman
Nimbostratus
I use the self addresses for management rather than the management interfaces for several reasons. However, I faced the same issue way in the past about how to protect the self-addresses from the internet. We basically used the firewall to protect it. Others have put in an ACL on the LTM on who can directly access the management interfaces.
- Chris_Miller
Altostratus
I use the self-IPs for a backup for config-sync/fail-over stuff. I did, however, modify the default list to block http, https, and ssh.
- The_Bhattman
Nimbostratus
Since I have extra unused ports on the LTM I also dedicated ports and plug them in directly, using a private addressing scheme for the config-sync.
- lipos_54863
Nimbostratus
I use "Port Lockdown" on the outside interfaces to solve the problem.
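An added example, not part of the thread and not F5's own tooling: a shell check that reads `tmsh list net self`-style output and flags self IPs on a given VLAN whose Port Lockdown (`allow-service`) still admits SSH, HTTP or HTTPS. The sample stanzas, the self IP names and the `audit_self_ips` function are constructed for illustration, and the stanza layout is an assumption.

```shell
# Audit Port Lockdown (allow-service) per self IP.
# Assumption: input is laid out like the constructed sample below.
sample_config() {   # constructed sample, not from a real device
cat <<'EOF'
net self ext_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
net self ext_mgmt {
    address 203.0.113.12/24
    allow-service {
        tcp:443
        tcp:22
    }
    vlan external
}
net self ext_locked {
    address 203.0.113.11/24
    vlan external
}
net self int_self {
    address 10.0.0.10/24
    allow-service all
    vlan internal
}
EOF
}
# audit_self_ips VLAN: print "name verdict" for every self IP on VLAN.
# EXPOSED: all, default, or tcp 22/80/443 allowed. REVIEW: other services.
# LOCKED: no allow-service line (assumed to mean Allow None) or "none".
audit_self_ips() {
    awk -v vlan="$1" '
    $1 == "net" && $2 == "self" { name = $3; svc = ""; v = ""; inlist = 0; next }
    $1 == "allow-service" && $2 == "{" { inlist = 1; next }
    $1 == "allow-service" { svc = $2; next }
    inlist && $1 == "}" { inlist = 0; next }
    inlist { svc = svc " " $1; next }
    $1 == "vlan" { v = $2; next }
    $1 == "}" && name != "" {
        verdict = "LOCKED"; s = " " svc " "
        if (s ~ / (all|default|tcp:(22|80|443)) /) verdict = "EXPOSED"
        else if (svc != "" && svc != "none") verdict = "REVIEW"
        if (v == vlan) print name, verdict
        name = ""
    }'
}
sample_config | audit_self_ips external
```

On a BIG-IP the same function can be fed live configuration with `tmsh list net self | audit_self_ips external`, where `external` is whatever the internet-facing VLAN is called.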