Forum Discussion
GTM working over the Internet
Hello,
I have 2 questions about a new design of Global Load Balancing over the Internet with our BigIP devices configured in our corporate DMZs:
1) My understanding is that TCP/22, TCP/443 and TCP/UDP/4353 should be opened over the Internet to create a fully meshed communication matrix among all LTMs/GTMs around the world. But is it feasible that these 3 ports are open on every FW on the Internet?
2) If we open these 3 ports on our LTM/GTM devices, is there an official hardening document on how to protect these ports from exploitation from the Internet?
PS: If, through whatever vulnerability, one of our BigIPs is hacked to obtain root access, then, among all the worst things, the BigIPs have no clearly separate Management interface and an attacker could hack other devices in the inside network. Is this a major design security flaw, not having a separate Management interface on F5 boxes?
4 Replies
- Hamish
Cirrocumulus
I think you're possibly misinterpreting the comms. The ports should be opened ONLY between your OWN GTMs... Not other people's.
These ports are used for syncing config and state between your GTMs and between your GTMs and your LTMs.
Any access from the outside world is port 53 (UDP and TCP) only. UDP/53 always, TCP/53 generally where queries or responses are too large for a 512-byte UDP response (or zone transfers, but that doesn't necessarily mean a lot for GTM).
H
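The reachability matrix Hamish describes can be written down and checked before any firewall change request goes out. The following is an added example, not code from the thread or from F5: it models the policy (sync ports TCP/22, TCP/443, TCP+UDP/4353 only from your own GTM/LTM addresses; UDP/53 and TCP/53 from anywhere), audits a set of constructed sample flows against it, and renders the same policy as illustrative iptables rules. The device addresses are constructed documentation ranges, and the rules are only printed, never applied.

```python
"""Reachability policy for GTM/LTM over the Internet, as an added example.

Sync/management ports are allowed only from our own devices; DNS is allowed
from anywhere. Addresses below are constructed (RFC 5737 ranges), not real.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: public self IPs of our own GTM/LTM devices in three DCs.
OWN_DEVICES = [ip_network(n) for n in ("203.0.113.10/32",
                                        "198.51.100.20/32",
                                        "192.0.2.30/32")]

# (protocol, destination port) pairs the thread names for device-to-device sync.
SYNC_PORTS = {("tcp", 22), ("tcp", 443), ("tcp", 4353), ("udp", 4353)}
# DNS listener that resolvers anywhere on the Internet must be able to reach.
DNS_PORTS = {("udp", 53), ("tcp", 53)}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP of the inbound connection attempt
    proto: str  # "tcp" or "udp"
    dport: int  # destination port on the BIG-IP


def is_own_device(addr: str) -> bool:
    """True if addr belongs to one of our own GTM/LTM self IPs."""
    a = ip_address(addr)
    return any(a in net for net in OWN_DEVICES)


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for an inbound flow under the described policy."""
    key = (flow.proto.lower(), flow.dport)
    if key in DNS_PORTS:
        return "allow"            # world-reachable DNS listener
    if key in SYNC_PORTS:
        # Sync ports: only peers we operate, never the Internet at large.
        return "allow" if is_own_device(flow.src) else "deny"
    return "deny"                 # default deny for everything else


def audit(flows):
    """Pair each sample flow with the policy verdict."""
    return [(f, decide(f)) for f in flows]


def iptables_rules(iface: str = "eth0"):
    """Render the same policy as iptables INPUT rules (strings only, nothing is applied).

    Illustrative: on a BIG-IP the equivalent control is the self IP port lockdown
    setting plus the upstream DMZ firewall, not hand-written iptables.
    """
    rules = []
    for proto, port in sorted(DNS_PORTS):
        rules.append(f"iptables -A INPUT -i {iface} -p {proto} --dport {port} -j ACCEPT")
    for net in OWN_DEVICES:
        for proto, port in sorted(SYNC_PORTS):
            rules.append(f"iptables -A INPUT -i {iface} -p {proto} -s {net} "
                         f"--dport {port} -j ACCEPT")
    rules.append(f"iptables -A INPUT -i {iface} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed connection attempts: a public resolver, a random Internet host,
    # and two of our own devices.
    sample = [
        Flow("8.8.8.8", "udp", 53),          # resolver query: allow
        Flow("8.8.8.8", "tcp", 4353),        # iQuery from the Internet: deny
        Flow("198.51.100.20", "tcp", 4353),  # iQuery from our own GTM: allow
        Flow("198.51.100.20", "tcp", 22),    # SSH from our own GTM: allow
        Flow("203.0.113.10", "udp", 4353),   # UDP 4353 from our own device: allow
        Flow("8.8.8.8", "tcp", 22),          # SSH from the Internet: deny
    ]
    for f, verdict in audit(sample):
        print(f"{f.src:>16} {f.proto}/{f.dport:<5} {verdict}")
    print()
    print("\n".join(iptables_rules()))
```

The point of the audit is the two 4353 lines: the same port is allowed from a known peer and denied from everything else, which is the distinction the original question missed. Keeping the peer list in one place also gives you something to diff against the actual DMZ firewall rule set when a new data centre is added.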
Hi H
So you think that I would be able to establish TCP/22, TCP/443 and TCP/UDP/4353 communications over the Internet among our GTMs/LTMs without anyone blocking me?
For example, if any device in between ever NATs my IP to another IP, I may fall back to opening to any IP to be sure the communication keeps working. But still, I may be wrong, I doubt it could work for 4353 to pass via multiple countries...
- Hamish
Cirrocumulus
Between your own devices in your own data centres? Why would anyone block you? (Unless you're in a country with a censoring national firewall.)
H
- Hamish
Cirrocumulus
Yes... That's correct... The Internet would break otherwise if transits started to block random ports...
The only people who do that are some consumer-oriented ISPs. 'Protecting' their clients...
H