Forum Discussion
Bastien_8356
Nimbostratus
Feb 21, 2011
Enable/disable Management UI from command line
Hi,
My F5s are publicly accessible over HTTPS, and I'd like to enable/disable the Management GUI from the command line for more security.
So whenever I need to have access to the GUI, I'll enable it from ssh.
I read about the Lockdown option (where I can manually deny HTTPS for a self-ip), but how do I do it in ssh? Can I just simply stop httpd?
Thanks!
- Chris_Miller
Altostratus
"bigpipe self help" should show you the syntax you need.
- Bastien_8356
Nimbostratus
In fact, there are 2 public IP addresses, the second one is the floating.
- Chris_Miller
Altostratus
What are you using your public IPs for? Are they default gateways for anything? Are you using them for config sync or mirroring?
- Bastien_8356
Nimbostratus
We have 2 BigIP on 2 different locations for redundancy, each one has a public ip address, and the floating one.
- Chris_Miller
Altostratus
Posted By Bastien on 02/21/2011 12:58 PM
http://support.f5.com/kb/en-us/prod...821011358
The self-IP is being used as the gateway but is not the destination for your traffic. As an example, are you currently doing allow all or allow default? If you're allowing default, port 80 isn't allowed.
- Bastien_8356
Nimbostratus
Allow default, so I should customize the lockdown to the exact same protocols as the default except for HTTPS, on both self-ip and floating, then as soon as I need the GUI, I connect with ssh and do a 'b self xxxx allow https add' and then same thing with delete, correct?
- Chris_Miller
Altostratus
I'm bookmarking this so I can test it on my own units tomorrow.
- Chris_Miller
Altostratus
It looks like you can't be set as using defaults if you want to remove HTTPS via "b self 1.1.1.1 allow tcp 443 delete"
net self 1.1.1.1/24 { allow-service default vlan internal }
net self 1.1.1.1/24 { allow-service { ospf:any tcp:161 tcp:22 tcp:4353 tcp:53 udp:1026 udp:161 udp:4353 udp:520 udp:53 } vlan internal }
- hoolio
Cirrostratus
I think that's tmsh output which is slightly different than how the bigip_base.conf syntax looks. You should be able to set the config through bigpipe using syntax like this:
- Chris_Miller
Altostratus
Posted By hoolio on 02/24/2011 09:19 AM
If he's currently using allow default, he can't add or remove anything without changing that first. Not sure why, but I got an error when trying.
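
Added example, not part of any post in this thread: a shell check, run over the two `net self` stanzas Chris_Miller posted, that reports whether each self IP still accepts tcp/443. It assumes `default` and `all` include tcp:443 and treats `tcp:https` and `tcp:any` as open; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a flattened tmsh
# "net self" stanza whether tcp/443 (the management GUI) is allowed.
# Assumption: "default" and "all" both include tcp:443; tcp:https and
# tcp:any are treated as equivalent spellings of an open 443.

# Constructed sample: the two stanzas posted in the thread.
sample_config() {
cat <<'EOF'
net self 1.1.1.1/24 { allow-service default vlan internal }
net self 1.1.1.1/24 { allow-service { ospf:any tcp:161 tcp:22 tcp:4353 tcp:53 udp:1026 udp:161 udp:4353 udp:520 udp:53 } vlan internal }
EOF
}

# Print the allow-service value: a keyword, a list body, or "unknown".
allow_service_of() {
    local rest
    rest=${1#*allow-service }
    if [ "$rest" = "$1" ]; then echo unknown; return; fi
    case $rest in
        "{"*) printf '%s\n' "$rest" | sed 's/^{\([^}]*\)}.*$/\1/' ;;  # explicit list
        *)    echo "${rest%% *}" ;;                                   # bare keyword
    esac
}

# Print "open", "closed" or "unknown" for tcp/443 on one stanza line.
https_state() {
    local svc entry
    svc=$(allow_service_of "$1")
    if [ "$svc" = unknown ]; then echo unknown; return; fi
    for entry in $svc; do
        case $entry in
            all|default|tcp:443|tcp:https|tcp:any) echo open; return ;;
        esac
    done
    echo closed
}

# Read stanzas on stdin, print "<address> <state>"; return 1 if any is open.
audit_self_ips() {
    local line addr state rc
    rc=0
    while IFS= read -r line; do
        case $line in "net self "*) ;; *) continue ;; esac
        addr=${line#net self }; addr=${addr%% *}
        state=$(https_state "$line")
        printf '%s %s\n' "$addr" "$state"
        if [ "$state" = open ]; then rc=1; fi
    done
    return $rc
}

sample_config | audit_self_ips || true
```

The non-zero return from `audit_self_ips` makes it usable as a scheduled check that flags a self IP left open after GUI access was enabled.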