Forum Discussion
F5 ASM Signature Update
Hi Folks,
Can we use the management IP address to get the ASM signature update? We have F5 BIG-IP LTM & ASM in inline mode. We have a default route pointing to the FW DMZ interface IP address. When I try to update signatures I can see on the firewall that the F5 is using the external interface self IP to connect to the F5 signature update sites. Is there any way to use the management IP instead of the external interface self IP address?
A prompt response would be highly appreciated.
Thanks
16 Replies
- nathe
Cirrocumulus
Tabish,
from Sol8127
Note: The BIG-IP ASM system consults Traffic Management Microkernel (TMM) and Linux routing tables when requesting attack signature updates using the Automatic Method. The source IP address of the resulting traffic uses either a non-floating self IP address or the management IP address, depending on the matching route.
So, yes, it looks like it's possible. You'll probably need to add a more specific route to use the mgmt interface.
HTH
N
- Torti
Cirrus
Yes, you can use the management interface; you have to add some management routes to the F5 IP. In tmsh, under /sys:
create management-route $ip/32 gateway $mgmt-gateway-ip
I did add: 65.197.145.1, 65.61.115.251, 65.61.115.202, 65.61.115.198, 65.61.115.247, 207.155.205.5
- nathe
Cirrocumulus
Sorry Torti, didn't see your post so I've simply duplicated your advice. Oops.
- Torti_93733
Nimbostratus
n.p.
- Tabish_Mirza_12
Nimbostratus
I tried but getting enclosed error.
- nathe
Cirrocumulus
Tabish,
Does this work from the cmd line? An example would be (changing whatever you feel necessary for your environment):
tmsh create /sys management-route test network 207.155.205.5/255.255.255.255 gateway 192.168.111.254
N
- Tabish_Mirza_12
Nimbostratus
Dear Torti & Nathan,
It works with the above command. Many thanks indeed.
Moreover, is it possible to use the same management IP address to communicate with the syslog server & SMTP for email notification? I added the route for the syslog server using the same command, but the firewall is showing the external self IP while the BIG-IP is communicating with the syslog server.
Any idea?
Thanks
- nathe
Cirrocumulus
Good news
- Torti
Cirrus
Yes, you can do it with everything you want. But it is IP based, so all traffic to these destinations will go through the mgmt interface.
- Tabish_Mirza_12
Nimbostratus
It means BIG-IP will check the tmsh sys static route entries first, then use the default route? Am I right?
- Torti
Cirrus
It should be like most other devices: more specific routes are sorted before less specific routes; the default route is always the last route.
To be honest, I find it odd that the F5 would first try the default route (non-management) before trying management. I have a setup where ASM pulls it via the mgmt interface without a specific route for it. That would be quite annoying, as the IP can change.
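To make the route-selection behaviour discussed in this thread concrete, here is an added example (not F5 code and not posted by anyone in the thread). It simulates a longest-prefix-match lookup over a combined TMM and management route table, showing why a /32 management-route wins over the TMM default route for the update servers but not for a host such as the syslog server that has no such route, and it builds the tmsh management-route commands in the form nathe posted. The update-server IPs and the 192.168.111.254 gateway come from the thread; the 10.1.1.1 DMZ firewall address, the 10.20.30.40 syslog server and the route names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# From the thread: the signature update hosts Torti added, and nathe's mgmt gateway.
UPDATE_SERVERS = ["65.197.145.1", "65.61.115.251", "65.61.115.202",
                  "65.61.115.198", "65.61.115.247", "207.155.205.5"]
MGMT_GATEWAY = "192.168.111.254"
# Assumed values (not in the thread): the DMZ firewall the TMM default route
# points at, and a syslog server that has no management-route of its own.
DMZ_FW_GATEWAY = "10.1.1.1"
SYSLOG_SERVER = "10.20.30.40"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    table: str  # "tmm" (egress via a self IP) or "mgmt" (management port)


class RouteTable:
    """Minimal model of the combined lookup: the longest matching prefix
    wins and the 0.0.0.0/0 default is the last resort. It does not model
    how BIG-IP breaks a tie between a TMM and a management route of equal
    prefix length (e.g. two default routes)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, gateway, table):
        net = ipaddress.ip_network(prefix, strict=False)
        self.routes.append(Route(net, gateway, table))
        return self

    def lookup(self, dest):
        ip = ipaddress.ip_address(dest)
        matches = [r for r in self.routes if ip in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: r.network.prefixlen)


def source_interface(table, dest):
    """Which side the BIG-IP sources the connection from, per the model:
    'mgmt', 'tmm', or None when no route matches."""
    route = table.lookup(dest)
    return None if route is None else route.table


def management_route_commands(hosts, gateway):
    """tmsh commands in the form nathe posted, one /32 per host.
    The route names (asm-upd-<ip with dashes>) are an assumption."""
    cmds = []
    for host in hosts:
        ipaddress.ip_address(host)  # ValueError on a typo, before tmsh sees it
        name = "asm-upd-" + host.replace(".", "-")
        cmds.append(f"tmsh create /sys management-route {name} "
                    f"network {host}/255.255.255.255 gateway {gateway}")
    return cmds


def build_example_table():
    """The thread's scenario: a TMM default route to the DMZ firewall plus
    the six /32 management-routes; the syslog server has no such route."""
    table = RouteTable().add("0.0.0.0/0", DMZ_FW_GATEWAY, "tmm")
    for host in UPDATE_SERVERS:
        table.add(f"{host}/32", MGMT_GATEWAY, "mgmt")
    return table


if __name__ == "__main__":
    table = build_example_table()
    for dest in UPDATE_SERVERS + [SYSLOG_SERVER]:
        print(f"{dest:16} -> {source_interface(table, dest)}")
    # The fix Tabish asked about for syslog: one more /32 via the mgmt gateway.
    print("\n".join(management_route_commands([SYSLOG_SERVER], MGMT_GATEWAY)))
```

Adding the syslog server's /32 the same way moves it to the mgmt side, which is what Torti's "it is IP based" answer predicts for any destination; the model deliberately says nothing about what the appliance does when a management default route and a TMM default route both match, which is the case Torti finds odd.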