port lockdown on GTM - do I have to include DNS ports?

Question

I'd like to create custom port lockdown restrictions for a GTM to allow all hosts from my enterprise network and block management connection attempts from anywhere else.  When I generate the lockdown list, do I need to explicitly whitelist DNS connections?  Or will the GTM assume that since it's job is to be a DNS server, it should allow DNS by default without it needing to be explicitly allowed?  &nbsp;
Thanks!&nbsp;

lee_sutcliffe · Answer

You'll have to specify DNS. Only ICMP is permitted by default when creating a custom port lockdown and TCP/1028, 1029-1043 if you're running an HA pair. iQuery is also an exception if configured&nbsp;
https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13250.html&nbsp;

gsharri · Answer

Self-IP port lockdown settings do not affect a GTM listener object. Since a listener is really just a DNS virtual server the self-ip port lockdown could be set to "none" and GTM will still process DNS requests to the listener IP.

Forum Discussion

port lockdown on GTM - do I have to include DNS ports?

2 Replies

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

SSL and Uri Rewrites

Pre & Post validation of F5 configuration

Upgrading vCMP guest

DNS topology not distributing as expected

Sizing calculation storage

Related Content

iControl 101 - #20 - Port Lockdown

Ps Self Ip Port Lockdown

Post of the Week: Port Lockdown

Maintenance page / local website that includes subfolders

"Port lockdown" option for SNAT pool addresses?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS