Forum Discussion
Luke_Drury_7634
Nimbostratus
Sep 03, 2009
Management interface is running on all interfaces?
Hi all.
I am a bit of an F5 newbie and have set up our LBs without any training (read: tight AR$e boss).
As a result I am learning as I go, so please excuse the following seemingly dumb question.
I have a pair of F5 BIG-IP LTMs running version 9.4.6.
I just ran a pen-test of our setup and noticed that the F5's present SSH and the Web Management GUI on all physical interfaces, not just the dedicated management one.
Now I have gone to a lot of trouble in locking down the dedicated management interface behind a separate firewall, only to find to my horror that it is presented on every interface/VLAN the LB is presenting.
I have had a look through the GUI and can't work out how to disable it / only present it on the dedicated management interface, like I assumed it would be.
Does anyone have any ideas how I can configure the F5 to do this?
Cheers Red.
3 Replies
- The_Bhattman
Nimbostratus
Hi Red,
Go into the section where you defined the self addresses and select each self address; there is a setting called Port Lockdown (I can't remember the exact language but you will know it when you see it). If it's already set to Allow Default then it's allowing these protocols and ports on each of the self addresses:
PROTOCOL ospf
PROTOCOL tcp SERVICE 4353 (iQuery)
PROTOCOL udp SERVICE 4353 (iQuery)
PROTOCOL tcp SERVICE https (port 443)
PROTOCOL tcp SERVICE snmp (port 161)
PROTOCOL udp SERVICE snmp (port 161)
PROTOCOL tcp SERVICE ssh (port 22)
PROTOCOL udp SERVICE domain (port 53 - DNS)
PROTOCOL tcp SERVICE domain (port 53 - DNS)
PROTOCOL udp SERVICE router (port 520 - RIP)
PROTOCOL udp SERVICE 1026 (network failover)
You have other settings like Allow None, Allow All and Allow Custom. With Allow Custom you can simply lock down ports 22 and 443 and let the others through.
Each self address must be locked down that way.
Hope this helps.
CB
- hoolio
Cirrostratus
Hi Red,
I don't think port lockdown affects the actual 3.1 management port. You would need to put a firewall in between the management port and any untrusted network.
Aaron
- Luke_Drury_7634
Nimbostratus
Hi Aaron,
Thanks mate, yeah I have it locked down behind a separate firewall.
Cheers Red
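A defender-side check for the two replies above (The_Bhattman's Allow Default list and hoolio's point that port lockdown applies to self IPs, not the management port): this added Python script is not from the thread or from F5. It parses constructed tmsh-style `net self` stanzas (the `allow-service` brace syntax is an assumption about the config format and is newer than the 9.4.6 release discussed, which used bigpipe) and reports which self IPs still expose ssh or https, which is what the original poster's pen-test found.

```python
"""Flag BIG-IP self IPs whose port lockdown still exposes ssh or https."""
import re
# "Allow Default" services from the reply above, as proto:port tokens (assumed spelling).
ALLOW_DEFAULT = {"ospf", "tcp:4353", "udp:4353", "tcp:443", "tcp:161", "udp:161",
                 "tcp:22", "udp:53", "tcp:53", "udp:520", "udp:1026"}
MGMT = {"tcp:22": "ssh", "tcp:443": "https"}          # what the pen-test found exposed
NAMED = {"ssh": "22", "https": "443", "snmp": "161", "domain": "53"}
SELF_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
ALLOW_RE = re.compile(r"allow-service\s+(all|none|\{([^}]*)\})")

def parse_self_ips(config):
    """Return {self_ip: set of proto:port tokens} from tmsh-style 'net self' stanzas."""
    result = {}
    for ip, body in SELF_RE.findall(config):
        m, allowed = ALLOW_RE.search(body), set()
        if m and m.group(1) == "all":
            allowed.add("all")
        elif m and m.group(2):                        # custom list, may contain "default"
            for tok in m.group(2).split():
                proto, _, svc = tok.partition(":")    # tcp:ssh -> tcp:22
                allowed |= ALLOW_DEFAULT if tok == "default" else {
                    f"{proto}:{NAMED.get(svc, svc)}" if svc else proto}
        result[ip] = allowed                          # "none" or absent -> empty set
    return result

def exposed_management(config):
    """{self_ip: sorted service names} for self IPs that still expose ssh or https."""
    findings = {}
    for ip, allowed in parse_self_ips(config).items():
        hits = sorted(n for t, n in MGMT.items() if "all" in allowed or t in allowed)
        if hits:
            findings[ip] = hits
    return findings
# Constructed sample: Allow Default, Allow None, and a custom list that keeps https.
SAMPLE_CONFIG = """\
net self 10.10.1.5 {
    allow-service {
        default
    }
}
net self 192.0.2.5 {
    allow-service none
}
net self 10.20.1.5 {
    allow-service { tcp:https }
}
"""
if __name__ == "__main__":
    for ip, svcs in exposed_management(SAMPLE_CONFIG).items():
        print(f"{ip}: exposes {', '.join(svcs)}")
```

Run it against the output of `tmsh list net self` saved to a file to get a per-self-IP list of what still needs an Allow None or Allow Custom setting.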
