Forum Discussion
Block all HTTPS traffic to F5 load balancers
Hi F5 experts
I have some questions:
Because of the iControl REST vulnerability, we want to block all HTTPS traffic to F5 load balancers, except for whitelisted API servers and whitelisted management servers.
Running: BIG-IP 14.1.4.6 Build 0.0.8 Point Release 6.
Q1: Please confirm that there is no implicit deny as last rule; all traffic not specifically dropped/blocked, is permitted.
Q2: Please advise about the relationship/overlap/overruling between the security firewall rules and the HTTPD rules.
When the firewall rules on HTTPS traffic block traffic, the HTTP daemon allows all.
Q3: Is the example the correct way to block all API-call traffic to F5 load balancers, except for whitelisted API servers and whitelisted management servers?
So 1 HTTPS rule permitting the white-listed sources + 1 HTTPS rule blocking all others.
When we use a firewall rule for BIG-IP management, will that overrule the sys HTTPD configuration? If so, is it then better to use a firewall rule for BIG-IP management instead of sys HTTPD?
Thank you
- G-Rob (Employee)
I have documentation to help answer a few of these.
Q1: "Note: The system does not create the aforementioned deny-all rule automatically, you must explicitly create the deny-all rule as the Last in the rule list for it to block access from non-allowed sources. When configuring a deny-all rule, ensure you have a rule that allows access from your client system and appears before the deny-all rule in the rule list. Otherwise, you may lose access to the management interface on the BIG-IP system." (source)
Q2: Security firewall rules will cover any ip ranges and services listed in the rules. SSHD and HTTPD allow lists apply only to that service. I suggest reviewing this article if you haven't already: K13092: Overview of securing access to the BIG-IP system
Q3: I'll refer you to K53108777: Hardening your F5 system.
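The ordering point in the answer above (no implicit deny-all, so the explicit deny-all rule goes last and an allow rule for your own sources must precede it) is easy to get wrong when writing a two-rule list like the one the question proposes. The following is an added example, not code from the thread or from F5: a small first-match evaluator over an ordered rule list, plus a lint function that flags the three failure modes (no deny-all, deny-all not last, deny-all with no preceding allow). All rule names, CIDRs and ports are constructed; the "permit when nothing matches" default mirrors the behaviour the quoted documentation describes, and real BIG-IP rules should be verified with the tools in the linked articles.

```python
from ipaddress import ip_address, ip_network

# Constructed rules: "sources" is a list of CIDRs, "ports" is a set of TCP ports
# or None for any port. Actions follow the accept/drop vocabulary of the thread.
ALLOW_API = {"name": "allow-api-servers", "action": "accept",
             "sources": ["10.1.1.0/24"], "ports": {443}}
ALLOW_MGMT = {"name": "allow-mgmt-hosts", "action": "accept",
              "sources": ["192.168.50.10/32", "192.168.50.11/32"], "ports": {443}}
DENY_HTTPS = {"name": "deny-all-https", "action": "drop",
              "sources": ["0.0.0.0/0"], "ports": {443}}

NO_MATCH = "(no rule matched: permitted by default)"


def first_match(rules, src_ip, dst_port):
    """Walk the ordered list; the first rule matching source and port decides.
    Returns (action, rule_name). With no match the traffic is permitted,
    because there is no implicit deny-all at the end of the list."""
    ip = ip_address(src_ip)
    for rule in rules:
        if rule["ports"] is not None and dst_port not in rule["ports"]:
            continue
        if any(ip in ip_network(cidr) for cidr in rule["sources"]):
            return rule["action"], rule["name"]
    return "accept", NO_MATCH


def is_deny_all(rule):
    return rule["action"] == "drop" and "0.0.0.0/0" in rule["sources"]


def ports_overlap(a, b):
    return a["ports"] is None or b["ports"] is None or bool(a["ports"] & b["ports"])


def lint_order(rules):
    """Return a list of problems with the rule order (empty list means OK)."""
    problems = []
    deny_idx = [i for i, r in enumerate(rules) if is_deny_all(r)]
    if not deny_idx:
        problems.append("no explicit deny-all rule: unlisted sources are permitted")
        return problems
    d = deny_idx[0]
    deny = rules[d]
    if d != len(rules) - 1:
        problems.append("deny-all is not last: later rules for the same ports never match")
    # An accept rule that precedes the deny-all and covers the same ports is what
    # keeps your own client reachable; without one you lock yourself out.
    if not any(r["action"] == "accept" and ports_overlap(r, deny) for r in rules[:d]):
        problems.append("no accept rule precedes deny-all: you will lock yourself out")
    return problems


# Three constructed rule lists: the intended one, one missing the deny-all,
# and one with the deny-all placed first.
CORRECT = [ALLOW_API, ALLOW_MGMT, DENY_HTTPS]
NO_DENY = [ALLOW_API, ALLOW_MGMT]
LOCKOUT = [DENY_HTTPS, ALLOW_API, ALLOW_MGMT]

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT), ("no-deny", NO_DENY), ("lockout", LOCKOUT)):
        print(f"[{label}] problems: {lint_order(rules) or 'none'}")
        for src, port in (("10.1.1.10", 443), ("203.0.113.5", 443), ("203.0.113.5", 22)):
            print(f"  {src}:{port} -> {first_match(rules, src, port)}")
```

Note that the deny rule is scoped to port 443 only, so a connection to port 22 from an unlisted source falls through the list and is still governed by the separate SSHD allow list, which is the per-service point made in the answer.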
- Leslie_Hubertus (Ret. Employee)
Make a quick edit to your post to tag G-Rob to make sure he saw your follow-up. 🙂 In the future, you can do this yourself by typing @ before their username, and a dropdown should automatically pop up for you to click on.