For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MarkF5's avatar
MarkF5
Icon for Nimbostratus rankNimbostratus
Jan 11, 2023

Block all HTTPS traffic to F5 load balancers

Hi F5 experts I have some questions : Because of the iControl REST Vulnerability, we want to block all HTTPS traffic to F5 loadbalancers, except for whitelisted API servers and whitelisted manageme...
security
G-Rob's avatar
G-Rob
Icon for Employee rankEmployee
Jan 11, 2023

I have documentation to help answer a few of these.

Q1: "Note: The system does not create the aforementioned deny-all rule automatically, you must explicitly create the deny-all rule as the Last in the rule list for it to block access from non-allowed sources. When configuring a deny-all rule, ensure you have a rule that allows access from your client system and appears before the deny-all rule in the rule list. Otherwise, you may lose access to the management interface on the BIG-IP system." (source)

Q2: Security firewall rules will cover any ip ranges and services listed in the rules. SSHD and HTTPD allow lists apply only to that service. I suggest reviewing this article if you haven't already: K13092: Overview of securing access to the BIG-IP system 

Q3 I'll refer you to K53108777: Hardening your F5 system.

  • MarkF5's avatar
    MarkF5
    Icon for Nimbostratus rankNimbostratus
    Jan 11, 2023

    Hi G-Rob,

    Thanks for your answer, very interesting!! However my  question now  is, when we use firewall rule for BIG-IP management, will that overrule the sys HTTPD configuration? If so, is it then better to use firewall rule for BIG-IP management in stead off sys HTTPD?

     

    Thank you 

    • Leslie_Hubertus's avatar
      Leslie_Hubertus
      Ret. Employee
      Jan 18, 2023

      Make a quick edit to your post to tag G-Rob to make sure he saw your follow-up. 🙂 In the future, you can do this yourself by typing @ before their username, and a dropdown should automatically pop up for you to click on . 

    • G-Rob's avatar
      G-Rob
      Icon for Employee rankEmployee
      Jan 18, 2023

      Technically, restricting source IP addresses in either configuration is enough to block the service. The hierarchy of processing for management traffic would put the firewall rules enforcement before the sshd/httpd allow lists, which provides protection lower in the network stack than the daemon allow lists. So I wouldn't say that either configuration overrules the other, as a specific permit in one and a specific deny in the other will result in a failed connection. I would certainly recommend using the network firewall rules to limit management access. Adding those same IPs to the daemon allow lists would offer another layer of security.