For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

swjo_264656's avatar
swjo_264656
Icon for Cirrostratus rankCirrostratus
Nov 14, 2016

default Health check port ranges & how exclude using some port

Hi

 

In LTM 11.5.4, I want to know BIGIP`s healch check port ranges, when configure default TCP monitor.

 

cause of my client`s security policy, port 4444 is blocked in L3. and can not change it.

 

how can I exclude 4444 port not to using healch check source port?

 

application delivery
LTM
security

2 Replies

  • Vijay_E's avatar
    Vijay_E
    Icon for Cirrus rankCirrus
    Nov 14, 2016

    The default TCP monitor will check the TCP port configured on the pool member. For example, if you have pool member 1.1.1.1:80, TCP monitor will check port 80 on that IP address (1.1.1.1).

     

    If you want to check some other port for the same pool member: 1.1.1.1:80, you would have to change the "Alias Service Port" option within the TCP monitor from "*" to 8080, if you want to monitor port 8080 for the pool member 1.1.1.1:80 instead of default 80.

     

  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Nov 14, 2016

    As Odaah said, should be high ports (1024-65535). I could't find any way to change that, neither via monitor or db keys for bigd.

     

    However, if you disable port reuse for bigd, the monitor should fail only once (when uses the blocked port). As the default monitor settings (and F5 recommendation even if you change), is to have 3 fails before the member is marked down, it should not mark the pool member down.

     

    Solution about socket reuse:

     

    https://support.f5.com/kb/en-us/solutions/public/13000/800/sol13820.html