Forum Discussion

Cirrus

Jan 23, 2023

Delete Management Default Route?

Hi, I have two bigip v16 running in HA (active/standby), and for security reasons i decided to remove management route default gateway and instead add static route for my management network. my ser...

application delivery

Paulius
Jan 23, 2023
レザ If you currently have a default route configured for the management interface on the F5 this had to have been added into the configuration because by default the management interface only knows about the network that it resides in. As others have stated, if you remove the default gateway from the management interface routing table everything will not leave through the selfIPs of the F5 except for any routes that you add using the following command in tmsh. This command is based on your servers are in a 10.10.10.0/24 network and your management interface of the F5 is in 10.10.9.0/24 and the gateway for that network is 10.10.9.1.

create sys management-route route_1 network 10.10.10.0/24 gateway 10.10.9.1

Anything that wants to reach the management interface IP you will have to add one of these routes so that the management interface knows how to reach that destination. Also keep in mind that now you will have to look at 2 routing tables when troubleshooting why traffic isn't working on the routed path being the selfIP interfaces. I would recommend adding in /32 routes as often as possible to the management routing table in order to avoid the issue previously described. You cannot have traffic leaving the management interface and the other routed interfaces for the same destination without causing issues. Make sure that the traffic communicating to the management interface will indeed only talk to that interface of the F5. Make sure you have a way to configure these devices locally if for some reason you lose network access to these devices as well as the credentials for the local users on the devices.

Mohamed_Ahmed_Kansoh

MVP

Jan 23, 2023

Hi レザ ,

Exactly as mihaic said.

I want to add a point :

> Moving the default route to TMM tasks will not impact the performance but you may have to change the status of port lockdown from ( allow none to allow default or specifying some specific ports ) to integrate with some devices for instance monitoring tools which need to collect some statistics from your F5 device, also by removing the management default route , your device will have to use its self ips to get its updates from internet.

So both of opening port lockdown and internet access throughout self ips are a security breaches.

> Moving default route to tmm Is not recommended , but If you have to do this try to specify specific ports in your self ips also use a forward proxy to categorize internet access traffic from f5 and restrict your firewall policies for f5 self ips when accessing internet.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Delete Management Default Route?

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

Deleting an AS3 Tenant

Using iControl REST API to manage F5 BIG-IP Advanced Firewall Manager (AFM)

Prepare BIG-IP Central Manager for Automation

Manage F5 BIG-IP FAST with Terraform (Intro)

Automate NetApp ONTAP Storage Management with Private and Secure API Governance

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS