Forum Discussion

Bastien_8356
Feb 21, 2011

Enable/disable Management UI from command line

Hi,

I have my F5s that are publicly accessible over HTTPS and I'd like to enable/disable the Management GUI from the command line for more security.

So whenever I need to have access to the GUI, I'll enable it from SSH.

I read about the Lockdown option (where I can manually Deny HTTPS for a self IP), but how do I do it in SSH? Can I just simply stop httpd?

Thanks!

 

  • "bigpipe self help" should show you the syntax you need.

    "bigpipe self 1.1.1.1 allow none" would block everything. Otherwise, you need "protocol/port".
  • In fact, there are 2 public IP addresses; the second one is the floating one.

    I'm afraid I'm gonna break something if I allow none.

    So I'll have to configure manually, on both self IPs, the services listed here https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html and then just remove/add the allow for 443 when needed, correct?
  • What are you using your public IPs for? Are they default gateways for anything? Are you using them for config sync or mirroring?
  • We have 2 BigIPs in 2 different locations for redundancy; each one has a public IP address, plus the floating one.

    The config sync is on a different network, but one of our network failover unicast addresses is using the public IP.

    We use the floating address as the default gateway for our web servers in a pool that uses a VIP (the VIP, the external and the internal VLAN are on the same subnetwork).

    I'm afraid that if I allow none on those IPs, my web servers won't be able to use the gateway any more for 80 and 443.
  • Posted By Bastien on 02/21/2011 12:58 PM

    We have 2 BigIPs in 2 different locations for redundancy; each one has a public IP address, plus the floating one.

    The config sync is on a different network, but one of our network failover unicast addresses is using the public IP.

    We use the floating address as the default gateway for our web servers in a pool that uses a VIP (the VIP, the external and the internal VLAN are on the same subnetwork).

    I'm afraid that if I allow none on those IPs, my web servers won't be able to use the gateway any more for 80 and 443.

    http://support.f5.com/kb/en-us/prod...821011358

    The self IP is being used as the gateway but is not the destination for your traffic. As an example, are you currently doing allow all or allow default? If you're allowing default, port 80 isn't allowed.

     

  • Allow default, so I should customize the lockdown to the exact same protocols as by default except for HTTPS, on both the self IP and the floating one; then as soon as I need the GUI, I connect with SSH and do a 'b self xxxx allow https add', and then the same thing with delete, correct?
  • It looks like you can't be set to use defaults if you want to remove HTTPS via "b self 1.1.1.1 allow tcp 443 delete".

    So, I wonder if the best way isn't to manually edit the config file.

    In bigip_base.conf, your self IP likely looks like this:

    net self 1.1.1.1/24 {
        allow-service default
        vlan internal
    }

    The best thing to do might be to change it to this and then load the config file:

    net self 1.1.1.1/24 {
        allow-service {
            ospf:any
            tcp:161
            tcp:22
            tcp:4353
            tcp:53
            udp:1026
            udp:161
            udp:4353
            udp:520
            udp:53
        }
        vlan internal
    }
  • I think that's tmsh output, which is slightly different than how the bigip_base.conf syntax looks. You should be able to set the config through bigpipe using syntax like this:

    b self 192.168.44.11 {allow none}

    b self 192.168.44.11 {allow default}

    b self 192.168.44.11 {allow all}

    This changes the config running in memory. You'd want to save the config to file using 'b base save'.

    I haven't tested to see how to specify individual services, but I think it should be possible.

    Aaron
  • Posted By hoolio on 02/24/2011 09:19 AM

    I think that's tmsh output, which is slightly different than how the bigip_base.conf syntax looks. You should be able to set the config through bigpipe using syntax like this:

    b self 192.168.44.11 {allow none}

    b self 192.168.44.11 {allow default}

    b self 192.168.44.11 {allow all}

    This changes the config running in memory. You'd want to save the config to file using 'b base save'.

    I haven't tested to see how to specify individual services, but I think it should be possible.

    Aaron

    I copied and pasted my actual bigip_base.conf syntax.

    If he's currently using allow default, he can't add or remove anything without changing that first. Not sure why, but I got an error when trying.