Forum Discussion
Disable/Block access to Network Map
I have an F5 appliance with a "big" configuration (according to F5 support engineers) and we frequently encounter the unable to contact Big-IP device message when multiple users open the Network Map and leave it open for extended periods of time. I have read through articles on how to increase resources for tomcat, java, etc. but I was hoping I could just disable or block access to the Network Map altogether. I looked around online and couldn't find anything on the topic. Anyone out there doing this? Whatever the solution is, the configuration utility (GUI), SSH, and REST API all still must remain available and functional. In case anyone is curious what constitutes "big" for a config, LTM object counts below.
Virtual Servers: 436
Pools: 475
Pool Members: 17,761 (really)
Nodes: 1279
- Jmtaylor
Moderator
646576
Hello, I was able to find some options for you using some AI searches. Here are a few potential solutions:
- Custom iRules: You can create an iRule to restrict access to the Network Map based on user roles or IP addresses. This requires some custom scripting and a good understanding of iRules and the underlying network architecture
- Firewall Rules: If the Network Map is accessed via a specific URL or port, you can create firewall rules to block access to that URL or port while allowing access to the rest of the management interface
- Role-Based Access Control (RBAC): Review your user roles and permissions.
- Configuration Utility Timeout Settings: Adjusting the timeout settings for idle sessions might help alleviate some of the resource strain caused by users leaving the Network Map open for extended periods. This won't disable the Network Map but might reduce the frequency of the issue
- Contact F5 Support: Since you've already been in touch with F5 support engineers, it might be worth asking them directly if there are any undocumented methods or advanced configurations to achieve this.
- 646576
Nimbostratus
For anyone else who finds this, in regards to Jmtaylor's AI-generated suggestions.
- Not an option. I cannot think of how (or why) you would apply iRules to the configuration utility.
- Not an option. The network map uses the same port as the configuration utility.
- Not an option. Wish it was though.
- Does not achieve my goal.
- Did this... Their suggestion (below) does achieve my goal.
tmsh edit / sys httpd all-properties
Replace include none with the block below.
include "
<LocationMatch \"/tmui/tmui/dashboard/\">
    Redirect 403 /
</LocationMatch>
<LocationMatch /tmui/tmui/locallb/network_map/>
    Redirect 403 /
</LocationMatch>
"
Save the config file by exiting vi (ESC :wq!) and, when prompted, save the config file at the tmsh prompt.
Save the config and bounce the httpd service with the code below.
tmsh save sys config
tmsh restart sys service httpd
Thanks for letting us know what worked. Really interesting to see that you can edit the configuration of httpd to disable the network map 🙂
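To see which requests the include block posted above affects, this added example (not code from the thread) parses its two LocationMatch sections and evaluates them against sample request paths. The sample paths and helper names are constructed assumptions, and the model covers only Apache's unanchored regex match on the URL path.

```python
import re

# The include block from the post above, as tmsh stores it (inner quotes escaped).
INCLUDE = r'''include "
<LocationMatch \"/tmui/tmui/dashboard/\">
    Redirect 403 /
</LocationMatch>
<LocationMatch /tmui/tmui/locallb/network_map/>
    Redirect 403 /
</LocationMatch>
"'''

# One <LocationMatch PATTERN> ... Redirect STATUS ... </LocationMatch> section.
# PATTERN may be quoted (with tmsh-escaped quotes) or bare.
SECTION = re.compile(
    r'<LocationMatch\s+(?:\\?"(?P<q>[^"\\]+)\\?"|(?P<b>[^\s>]+))\s*>'
    r'\s*Redirect\s+(?P<status>\d{3})\b.*?</LocationMatch>',
    re.S,
)

def parse_rules(include_text):
    """Return [(compiled_regex, status)] for each LocationMatch/Redirect pair."""
    rules = []
    for m in SECTION.finditer(include_text):
        pattern = m.group("q") or m.group("b")
        rules.append((re.compile(pattern), int(m.group("status"))))
    return rules

def status_for(path, rules):
    """Return the forced status for a URL path, or None if no section matches.
    LocationMatch does an unanchored regex search, so a pattern matches
    anywhere in the path. Both sections here use 403, so order is irrelevant."""
    for regex, status in rules:
        if regex.search(path):
            return status
    return None

# Constructed sample paths (assumptions for illustration, not from the post).
SAMPLES = [
    "/tmui/tmui/locallb/network_map/app/index.html",    # Network Map
    "/tmui/tmui/dashboard/app/index.html",              # dashboard
    "/tmui/login.jsp",                                  # GUI login
    "/tmui/Control/jspmap/tmui/locallb/pool/list.jsp",  # another GUI page
    "/mgmt/tm/ltm/virtual",                             # iControl REST
]

def evaluate(paths=SAMPLES, include_text=INCLUDE):
    rules = parse_rules(include_text)
    return {p: status_for(p, rules) for p in paths}

if __name__ == "__main__":
    for path, status in evaluate().items():
        print(f"{status or 'pass':>4}  {path}")
```

After applying the change on a device, the same paths can be requested with an authenticated client to confirm the real responses agree with this model.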