Forum Discussion
Bastien_8356
Nimbostratus
Feb 21, 2011
Enable/disable Management UI from command line
Hi,
I have F5s that are publicly accessible over HTTPS and I'd like to enable/disable the Management GUI from the command line for more security.
So whenever I need to have access to GUI, I'll enable it from ssh.
I read about the Lockdown option (where I can manually deny HTTPS for a self IP), but how do I do it over SSH? Can I just simply stop httpd?
Thanks !
10 Replies
- Chris_Miller
Altostratus
"bigpipe self help" should show you the syntax you need.
"bigpipe self 1.1.1.1 allow none" would block everything. Otherwise, you need "protocol/port".
- Bastien_8356
Nimbostratus
In fact, there are 2 public IP addresses; the second one is the floating.
I'm afraid I'm going to break something if I allow none.
So I'll have to configure manually on both self IPs the services listed here https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html and then just remove/add the allow for 443 when needed, correct?
- Chris_Miller
Altostratus
What are you using your public IPs for? Are they default gateways for anything? Are you using them for config sync or mirroring?
- Bastien_8356
Nimbostratus
We have 2 BIG-IPs in 2 different locations for redundancy; each one has a public IP address, plus the floating one.
The config sync is on a different network, but one of our network failover unicast addresses is using the public IP.
We use the floating address as a default gateway for our web servers in a pool that is used by a VIP (the VIP, the external and the internal VLAN are on the same subnet).
I'm afraid that if I allow none on those IPs, my web servers won't be able to use the gateway any more for 80 and 443.
- Chris_Miller
Altostratus
Posted By Bastien on 02/21/2011 12:58 PM
We have 2 BIG-IPs in 2 different locations for redundancy; each one has a public IP address, plus the floating one.
The config sync is on a different network, but one of our network failover unicast addresses is using the public IP.
We use the floating address as a default gateway for our web servers in a pool that is used by a VIP (the VIP, the external and the internal VLAN are on the same subnet).
I'm afraid that if I allow none on those IPs, my web servers won't be able to use the gateway any more for 80 and 443.
http://support.f5.com/kb/en-us/prod...821011358
The self-IP is being used as the gateway but is not the destination for your traffic. As an example, are you currently doing allow all or allow default? If you're allowing default, port 80 isn't allowed.
- Bastien_8356
Nimbostratus
Allow default, so I should customize the lockdown to the exact same protocols as the default except for HTTPS, on both the self IP and the floating one, then as soon as I need the GUI, I connect with SSH and do a 'b self xxxx allow https add' and then the same thing with delete, correct?
- Chris_Miller
Altostratus
I'm bookmarking this so I can test it on my own units tomorrow.
- Chris_Miller
Altostratus
It looks like the self IP can't be set to use defaults if you want to remove HTTPS via "b self 1.1.1.1 allow tcp 443 delete".
So, I wonder if the best way isn't to manually edit the config file.
In bigip_base.conf, your self IP likely looks like this:
net self 1.1.1.1/24 { allow-service default vlan internal }
The best thing to do might be to change it to this and then load the config file:
net self 1.1.1.1/24 { allow-service { ospf:any tcp:161 tcp:22 tcp:4353 tcp:53 udp:1026 udp:161 udp:4353 udp:520 udp:53 } vlan internal }
- hoolio
Cirrostratus
I think that's tmsh output which is slightly different than how the bigip_base.conf syntax looks. You should be able to set the config through bigpipe using syntax like this:
b self 192.168.44.11 {allow none}
b self 192.168.44.11 {allow default}
b self 192.168.44.11 {allow all}
This changes the config running in memory. You'd want to save the config to file using 'b base save'.
I haven't tested to see how to specify individual services, but I think it should be possible.
Aaron
- Chris_Miller
Altostratus
Posted By hoolio on 02/24/2011 09:19 AM
I think that's tmsh output which is slightly different than how the bigip_base.conf syntax looks. You should be able to set the config through bigpipe using syntax like this:
b self 192.168.44.11 {allow none}
b self 192.168.44.11 {allow default}
b self 192.168.44.11 {allow all}
This changes the config running in memory. You'd want to save the config to file using 'b base save'.
I haven't tested to see how to specify individual services, but I think it should be possible.
Aaron
I copied and pasted my actual bigip_base.conf syntax. If he's currently using allow default, he can't add or remove anything without changing that first. Not sure why, but I got an error when trying.
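A worked example added to this thread (not code from the thread, from F5, or from any of the posters). It does offline what the thread converges on: take pasted bigip_base.conf text, rewrite every "net self" stanza from "allow-service default" to the explicit list Chris_Miller posted (the default set minus tcp:443, so SSH stays open for re-enabling), strip tcp:443 from stanzas that already carry an explicit list, and emit the bigpipe add/delete commands from the thread for each self IP, followed by the "b base save" hoolio recommends. Assumptions: the explicit service list is the one in the thread and may differ on your TMOS version (see sol7317); the "allow-service none" file syntax for an empty list is inferred from the "allow none" bigpipe form in the thread; the bigpipe commands are emitted as strings for you to review, not executed, because the thread reports they fail while the "default" keyword is still in force.

```python
"""Toggle the management GUI (HTTPS) on BIG-IP self IPs from the CLI.

Added example for this thread, not code from the thread or from F5.
Runs offline on pasted bigip_base.conf text.
"""
import re

# Explicit replacement for "allow-service default" as posted in the thread.
# Assumption: this is the poster's default set minus tcp:443; yours may differ.
DEFAULT_WITHOUT_HTTPS = (
    "ospf:any", "tcp:161", "tcp:22", "tcp:4353", "tcp:53",
    "udp:1026", "udp:161", "udp:4353", "udp:520", "udp:53",
)
HTTPS = "tcp:443"

# One "net self <addr> { ... }" stanza; the body may hold one level of
# nested braces (the allow-service list). Pattern follows the thread's syntax.
SELF_RE = re.compile(
    r"net\s+self\s+(?P<addr>\S+)\s*\{(?P<body>[^{}]*(?:\{[^{}]*\}[^{}]*)*)\}"
)
ALLOW_RE = re.compile(r"allow-service\s+(?P<svc>default|all|none|\{[^{}]*\})")


def parse_services(svc):
    """'default' / 'all' / 'none' stay keywords; a braced list becomes a list."""
    if svc.startswith("{"):
        return svc.strip("{}").split()
    return svc


def without_https(services):
    """Return an explicit, sorted service list with tcp:443 removed.

    'default' is expanded first: the thread reports that
    'b self ... allow tcp 443 delete' errors while the keyword is in force.
    """
    if services == "default":
        services = list(DEFAULT_WITHOUT_HTTPS)
    elif services == "all":
        raise ValueError("'allow all' has no explicit list; pick services first")
    elif services == "none":
        services = []
    return sorted(s for s in services if s != HTTPS)


def render_services(services):
    # Assumption: "none" is the file form of the thread's "b self ... {allow none}".
    return "{ " + " ".join(services) + " }" if services else "none"


def lockdown_stanza(match):
    """Rewrite the allow-service attribute of one matched stanza."""
    def fix_allow(m):
        return "allow-service " + render_services(
            without_https(parse_services(m.group("svc"))))

    new_body = ALLOW_RE.sub(fix_allow, match.group("body"), count=1)
    return f"net self {match.group('addr')} {{{new_body}}}"


def lockdown_config(text):
    """Rewrite every net self stanza in bigip_base.conf text; idempotent."""
    return SELF_RE.sub(lockdown_stanza, text)


def self_addresses(text):
    """Self IPs (without prefix length) found in the text, in file order."""
    return [m.group("addr").split("/")[0] for m in SELF_RE.finditer(text)]


def https_toggle_commands(text, enable):
    """bigpipe commands (syntax from the thread) to add or delete tcp:443 on
    every self IP in the text, then the save hoolio recommends."""
    verb = "add" if enable else "delete"
    cmds = [f"b self {ip} allow tcp 443 {verb}" for ip in self_addresses(text)]
    return cmds + ["b base save"]


if __name__ == "__main__":
    # Constructed sample: the stanza from the thread plus a second self IP
    # that already has an explicit list including HTTPS.
    SAMPLE = (
        "net self 1.1.1.1/24 { allow-service default vlan internal }\n"
        "net self 1.1.1.2/24 { allow-service { tcp:22 tcp:443 } vlan internal }\n"
    )
    print(lockdown_config(SAMPLE))
    print("\n".join(https_toggle_commands(SAMPLE, enable=True)))
```

Review the rewritten stanzas before loading them: the script only guarantees that tcp:443 is gone and tcp:22 survives, not that the explicit list matches what your version's "default" actually allowed, and a stanza using "allow all" is refused on purpose because there is no list to subtract from.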