
ecce
Jun 20, 2017

Disable Echo reply on virtual address

Hi,

I just started to do my first labs on BIG-IP VE, using 12.1.1. I have configured a standard virtual server for 0.0.0.0/0 on VLAN "INSIDE" directing traffic to a firewall (the firewall interface is a pool with one node in it). I noticed clients can ping any IP address and get a response, and I want to disable this behaviour. I found this: https://support.f5.com/csp/article/K16885proc3

However, the ICMP Echo setting (and ARP) is disabled/unchecked already. It does not seem to matter what I do with the setting, I get a response from any IP I ping from the client.

How do I disable the ping response behaviour?

 

4 Replies

  • Is the VIP 0.0.0.0/0 the only VIP that would match the IP address you are pinging? Disabling ICMP Echo in the Virtual Address menu should suffice to disable ping replies.


  • Have you followed the procedure below?

    * From the Configuration utility, click Local Traffic.
    * Navigate to Virtual Servers > Virtual Address List.
    * Click the Virtual Address to be modified.
    * For the ICMP Echo setting, select Disable.
    * Click Update.

  • The virtual address ARP/ICMP settings affect only traffic destined for the virtual address itself. They do not stop ICMP traffic from flowing through the virtual server to a remote destination. You could set up packet filtering on the BIG-IP (Network > Packet Filters) to block ICMP, but note this will block all ICMP attempts, not just those for your 0.0.0.0/0 VS.

    I am guessing your 0.0.0.0/0 VS Protocol setting is set to "* All Protocols". This is what is allowing the VS to process ICMP. If you desire TCP/UDP only, you could create two 0.0.0.0/0 VSs, one for Protocol: TCP and the other for Protocol: UDP.


  • ecce

    I solved this a while back, might as well write it here if someone else makes the mistake I did.

    I did not uncheck the Address Translation checkbox in the VS. So every single IPv4 address was translated to the firewall IP, and the firewall responded to ping.

    Yeah, I feel a bit stupid.
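The three things the thread turns on (the virtual-address ICMP Echo setting from reply 2, the "* All Protocols" wildcard from reply 3, and the Address Translation checkbox the poster found in the end) map onto a handful of tmsh commands. The session below is an added example written for this page, not configuration from the thread or from F5 documentation. The object names (vs_fwd_inside, pool_firewall), the firewall address 10.0.0.1, and the fastL4 profile are assumptions; VLAN INSIDE and the 0.0.0.0/0 destination come from the question.

```tmsh
# Assumed lab layout (not from the thread): clients on VLAN INSIDE, a single
# firewall node 10.0.0.1 as the only pool member, wildcard VS vs_fwd_inside.

# 1. Reply 2's GUI procedure, from the CLI. The 0.0.0.0/0 VS is attached to
#    virtual-address 0.0.0.0; this only silences pings aimed at that address,
#    it does not touch pings forwarded *through* the VS (reply 3's point).
modify ltm virtual-address 0.0.0.0 icmp-echo disabled arp disabled
list ltm virtual-address 0.0.0.0 icmp-echo arp

# 2. The poster's actual mistake: with translate-address enabled, a wildcard
#    VS rewrites every destination IP to the pool member, so 10.0.0.1 answers
#    on behalf of whatever the client pinged. Check the existing VS first.
list ltm virtual vs_fwd_inside destination ip-protocol translate-address translate-port
#    "translate-address enabled" here reproduces the symptom; turn it off so the
#    packet keeps its original destination on the way to the firewall.
modify ltm virtual vs_fwd_inside translate-address disabled translate-port disabled

# 3. Reply 3's alternative: if ICMP should not traverse the BIG-IP at all,
#    replace the "* All Protocols" (ip-protocol any) VS with one TCP and one
#    UDP wildcard VS. ICMP then matches no virtual server and is dropped
#    without resorting to a box-wide packet filter.
create ltm pool pool_firewall members add { 10.0.0.1:0 } monitor gateway_icmp
create ltm virtual vs_fwd_inside_tcp destination 0.0.0.0:any mask any ip-protocol tcp pool pool_firewall profiles add { fastL4 } vlans add { INSIDE } vlans-enabled translate-address disabled translate-port disabled
create ltm virtual vs_fwd_inside_udp destination 0.0.0.0:any mask any ip-protocol udp pool pool_firewall profiles add { fastL4 } vlans add { INSIDE } vlans-enabled translate-address disabled translate-port disabled
delete ltm virtual vs_fwd_inside

# 4. Verify while a client pings an address that does not exist behind the
#    firewall (assumed check): with translation on, the capture shows echo
#    requests to 10.0.0.1 and replies from it; with translation off, the
#    original destination is preserved; with the TCP/UDP split, no ICMP is
#    forwarded at all.
run util bash -c "tcpdump -ni 0.0 icmp"
save sys config
```

Usage note: run this from `tmsh` on the BIG-IP (or prefix each line with `tmsh`). The `list` commands are the check to do before changing anything; if `translate-address enabled` shows up on a forwarding VS whose pool is a firewall or router, that single line explains why "every IP answers". Step 3 is optional and only needed when ICMP should not pass at all; for plain forwarding, step 2 is the fix the poster ended up with.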