jknock6560
Jun 05, 2025

F5 Internal IPs Nessus Scans

I am confused. I scan my Virtual BIG-IP F5s via a Nessus scanner. It appears the scanner scans the "MGMT" IP for both VEs. I assume the MGMT IPs are the ones on the top left when you open the GUI? If that's the case, what is the ACTIVE_F5_HA_Self_IP address? Is that considered the "internal" IP of the F5s? I want to set the scanner to scan the internal IP of both Virtual F5s. However, when I try to scan the internal IP, the scan cannot reach it and it fails. Any assistance would be appreciated.

9 Replies

  • When you scan your IPs from the virtual servers, there is only the virtual server answering. But if you scan the network/VLAN and Nessus is scanning the F5 self IP and your "port-lockdown" setting is not set to "allow none", then mgmt appears on that IP. That needs to be changed.

     

    • jknock6560

      OK, so from my understanding, I need to change the port-lockdown setting in the GUI of the F5? Once I select allow none, then when I run the scan it will scan on the internal interface instead of the mgmt IP?

  • Hello,

    You can see self and floating IPs under Network Self IPs.
    But as said, if allow none is selected in port-lockdown, F5 will drop the request.

    This is the default behaviour and you shouldn't allow anything in self ips unless specifically needed.

    • jknock6560

      So if allowed in settings, then the scan should be allowed and will scan correctly? Should the setting be changed after each scan for security reasons?
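
The port-lockdown setting discussed in the replies above can be audited offline. The following is an added example, not part of the thread: it parses saved `tmsh list net self` output and reports which self IPs answer on anything other than "allow none". The self IP names and addresses are constructed, and the output layout (including the assumption that a self IP with no `allow-service` line is set to allow none) should be checked against your own BIG-IP version.

```python
import re

# Constructed sample of `tmsh list net self` output; layout assumed, not from the thread.
SAMPLE = """\
net self internal_self {
    address 10.1.20.5/24
    allow-service {
        default
    }
    vlan internal
}
net self external_self {
    address 192.0.2.5/24
    vlan external
}
net self ha_float {
    address 10.1.30.10/24
    allow-service all
    vlan ha
}
"""

def parse_self_ips(text):
    """Return {name: {"address": str, "allow": [services]}}; empty list means allow none."""
    result, name, in_allow = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"net self (\S+) \{$", line)
        if m:  # start of a new self IP stanza
            name = m.group(1)
            result[name] = {"address": None, "allow": []}
        elif name is None or not line:
            continue
        elif in_allow:  # inside a multi-line allow-service { ... } block
            in_allow = line != "}"
            if in_allow:
                result[name]["allow"].append(line)
        elif line == "allow-service {":
            in_allow = True
        elif line.startswith("allow-service "):  # single-value form: all / none
            result[name]["allow"].append(line.split(None, 1)[1])
        elif line.startswith("address "):
            result[name]["address"] = line.split()[1]
    return result

def exposed(text):
    """Self IPs whose port lockdown is anything other than allow none."""
    return {n: v for n, v in parse_self_ips(text).items()
            if v["allow"] and v["allow"] != ["none"]}
```

Calling `exposed()` on the saved output from each BIG-IP returns the self IPs a network scan can reach, together with the services they allow.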