Block all HTTPS traffic to F5 load balancers
Hi F5 experts,
I have some questions:
Because of the iControl REST vulnerability, we want to block all HTTPS traffic to F5 load balancers, except for whitelisted API servers and whitelisted management servers.
Running: BIG-IP 14.1.4.6 Build 0.0.8 Point Release 6.
Q1: Please confirm that there is no implicit deny as the last rule; all traffic not specifically dropped/blocked is permitted.
Q2: Please advise about the relationship/overlap/overruling between the security firewall rules and the HTTPD rules.
When the firewall rules on HTTPS traffic block traffic, the HTTP daemon allows all.
Q3: Is the example the correct way to block all API-call traffic to F5 load balancers, except for whitelisted API servers and whitelisted management servers?
So 1 HTTPS rule permitting the whitelisted sources + 1 HTTPS rule blocking all others.
When we use a firewall rule for BIG-IP management, will that overrule the sys HTTPD configuration? If so, is it then better to use a firewall rule for BIG-IP management instead of sys HTTPD?
Thank you