Forum Discussion
InquisitiveMai
May 29, 2024
Cirrostratus
Deny access to F5 management from specific addresses
Trying to figure out if there is a way to deny a specific address when a subnet is allowed under System --> Platform --> SSH IP allow (172.16/16). I want to deny specific addresses, e.g. 172.16.20.21 ...
Paulius
MVP
Jun 01, 2024
- So from my understanding, the security rules are hit first before anything else, so if you allow SSH through the security rule but then deny it under SSH, it will ultimately be denied. If you created a deny in the security rule and then an allow in SSH, this would still be blocked because security rules are hit first. It is best practice to restrict in both areas if you use the security rules in addition to things such as SNMP and SSH. If it can be helped, I would only have a restriction in the protocol-specific location unless some compliance rule forces you to use both.
- If you are looking at restricting management access, you would put the management IP of the BIG-IP. Keep in mind that these security rules sync between HA appliances, so your rule on unit 0 would need its management IP and the management IP of unit 1 as the destination. You always want to be as specific as you can, so if you have source IP, destination IP, port, and protocol, then put it all in.
- Yes, if you put the allow for IPs that are part of a subnet and you set your default action as drop, then you shouldn't have to put in a deny. I put in a deny because I like to have a hit count for specific traffic that I want to block, and then I can go later and figure out why those blocked IPs are even trying to reach the BIG-IP in the first place. I would enable logging on your denies but probably not your allows. Some compliance rules require you to log everything, but unless forced I would only log the denies.
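To make the evaluation order in this answer concrete, here is an added Python model (not BIG-IP code and not from anyone in the thread) of the two stages: an ordered security rule set with a default action, checked first, then the SSH IP allow list, which can only narrow what the first stage passed. The rule names, the deliberately narrower /24 SSH list and the sample connection attempts are constructed for illustration.

```python
"""Model of the two-stage management-access check the reply describes: security
rules run first (ordered, first match wins, default action), then the SSH list."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    source: str        # source CIDR
    dest_port: int     # destination port on the BIG-IP management IP
    action: str        # "accept" or "drop"
    log: bool = False  # log matches (the reply logs denies, not allows)
    hits: int = 0      # hit counter, the reason for keeping an explicit deny

@dataclass
class ManagementPolicy:
    rules: list                      # security rules, evaluated in order
    ssh_allow: list                  # SSH IP allow list (CIDRs)
    default_action: str = "drop"     # applies when no security rule matches
    log_lines: list = field(default_factory=list)

    def check(self, src: str, port: int) -> str:
        src_ip = ip_address(src)
        decision = self.default_action
        for rule in self.rules:                  # stage 1: security rules
            if rule.dest_port == port and src_ip in ip_network(rule.source):
                rule.hits += 1
                if rule.log:
                    self.log_lines.append(f"{rule.name} {rule.action} {src}:{port}")
                decision = rule.action
                break
        if decision == "drop":                   # a stage-1 drop is final
            return "drop"
        # stage 2: the SSH allow list can only narrow what stage 1 passed
        if port == 22 and not any(src_ip in ip_network(n) for n in self.ssh_allow):
            return "drop"
        return "accept"

def run_samples():
    """Constructed rule set with the thread's addresses (explicit deny for
    172.16.20.21 placed before the /16 allow, logging only the deny), checked
    against constructed attempts; the SSH list is narrower than the rule."""
    policy = ManagementPolicy(
        rules=[Rule("deny-host", "172.16.20.21/32", 22, "drop", log=True),
               Rule("allow-subnet", "172.16.0.0/16", 22, "accept")],
        ssh_allow=["172.16.0.0/24"])
    attempts = [("172.16.20.21", 22), ("172.16.0.7", 22), ("172.16.5.9", 22),
                ("10.0.0.5", 22), ("172.16.0.7", 443)]
    results = {f"{ip}:{port}": policy.check(ip, port) for ip, port in attempts}
    return results, policy.rules[0].hits, policy.log_lines
```

The 172.16.5.9 attempt shows the point made above: allowed by the security rule, still blocked by the SSH list, while the blocked host increments only the deny rule's hit count and produces the only log line.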
InquisitiveMai
Jun 06, 2024
Cirrostratus
I am going to test it and update here. Thank you for your help, Paulius.