Forum Discussion
CirrostratusDisable Echo reply on virtual address
Hi,
I just started to do my first labs on BIG-IP VE, using 12.1.1. I have configured a standard virtual server for 0.0.0.0/0 on VLAN "INSIDE" directing traffic to a firewall (The firewall interface is a pool with one node in it). I noticed clients can ping any IP address and get a response, and I want to disable this behaviour. I found this: https://support.f5.com/csp/article/K16885proc3
However, the ICMP ECHO setting (and ARP) is disabled/unchecked already. It does not seem to matter what I do with the setting, I get a response from any IP I ping from the client.
How do I disable the ping response behaviour?
MandragorAltostratus
Is the VIP 0.0.0.0/0 the only VIP that would match the IP-address you are pinging? Disabling ICMP Echo in the Virtual Address menu should suffice in disabling ping replies.
Samir_Jha_52506Noctilucent
Have you followed below procedure?
* From the Configuration utility, click Local Traffic. * Navigate to Virtual Servers > Virtual Address List * Click the Virtual Address to be modified. * For the ICMP Echo setting, select Disable. Click Update
gsharriThe virtual address arp/icmp settings affect only traffic destined for the virtual address itself. It does not stop icmp traffic from flowing through the virtual server to a remote destination. You could setup packet filtering on bigip, Network>Packet Filters, to block icmp but note this will block all icmp attempts not just those for your 0.0.0.0/0 VS.
I am guessing your 0.0.0.0/0 VS Protocol setting is set to "*All Protocols". This is what is allowing the VS to process icmp. If you desire TCP/UDP only you could create two 0.0.0.0/0 VS, one for Protocol:TCP and the other for Protocol:UDP.- ecce
I solved this a while back, might as well write it here if someone else makes the mistake I did.
I did not uncheck the Address Translation checkbox in the VS. So every single IPv4 address was translated to the firewall IP. And the firewall responded to ping.
Yeah, I feel a bit stupid.