Managment interface is running on all interfaces?

Question

Hi all. 
&nbsp;  
&nbsp; I am a bit of F5 newbie and have setup our LB's without any training, (read tight AR$e boss) 
&nbsp; As a result I am learning as I go, so please excuse the seemingly dumb following question. 
&nbsp;  
&nbsp; I have a Pair of F5 Big IP LTM's running version 9.4.6. 
&nbsp; I just ran a pen-test of our setup and noticed that the F5's present SSH and the Web Management GUI on all physical interfaces, not just the dedicated management one. 
&nbsp; Now I have gone to a lot of trouble in locking down the dedicated management interface behind a separate firewall only to find to my horror that is it presented on every interface/ VLAN the LB is presenting.  
&nbsp; I have had a look through the GUI and can't work out how to disable it / only present it on the dedicate management interface, like I assumed it would. 
&nbsp; Does anyone have any ideas, how I can configure the F5 to do this? 
&nbsp;  
&nbsp; Cheers Red. 
&nbsp;  
&nbsp;

the_bhattman · Answer

Hi Red, 
&nbsp;   Go into into the section where you defined the self addresses and select each self address, there is a setting called PORT Lockdown(I can't remember the exact language but you will know it when you see it).  If it's already set to Allow default then it's allowing protocols and ports on each of the self-address 
&nbsp;  
&nbsp; PROTOCOL ospf 
&nbsp; PROTOCOL tcp   SERVICE 4353 (iQuery) 
&nbsp; PROTOCOL udp   SERVICE 4353 (iQuery) 
&nbsp; PROTOCOL tcp   SERVICE https (port 443) 
&nbsp; PROTOCOL tcp   SERVICE snmp (port 161) 
&nbsp; PROTOCOL udp   SERVICE snmp (port 161) 
&nbsp; PROTOCOL tcp   SERVICE ssh (port 22) 
&nbsp; PROTOCOL udp   SERVICE domain (port 53 - DNS) 
&nbsp; PROTOCOL tcp   SERVICE domain (port 53 - DNS) 
&nbsp; PROTOCOL udp   SERVICE router (port 520 - RIP) 
&nbsp; PROTOCOL udp   SERVICE 1026 (network failover) 
&nbsp;  
&nbsp; You have other settings like Allow none, Allow all and allow custom.  Allow Custom you can simply lock down port 22 and 443 and let the others through. 
&nbsp;  
&nbsp; Each self address must be locked down that way 
&nbsp;  
&nbsp; Hope this helps. 
&nbsp; CB

hoolio · Answer

Hi Red, 
&nbsp;  
&nbsp; I don't think port lockdown affects the actual 3.1 management port.  You would need to put a firewall in between the management port and any untrusted network. 
&nbsp;  
&nbsp; Aaron

luke_drury_7634 · Answer

Hi Aaron 
&nbsp; Thanks mate, yeah I have it locked down behind a separate firewall. 
&nbsp; Cheers Red

Forum Discussion

Managment interface is running on all interfaces?

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

Related Content

Traffic Management User Interface Vulnerability: The Fix and Temporary Mitigation Options

Application Programming Interface (API) Authentication types simplified

management interface failover

Configuring Smart Card Authentication to BIG-IP Management Interface

vCMP logical interfaces throughput

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS