Forum Discussion
Protect LC & GTM by controlling ports / port lockdown ... Heartbleed and other attacks
Dears, as you know about Heartbleed and other attacks like brute force, DDoS ... we should control the port lockdown of the devices' self IP addresses, especially for the GTM and LC external VLANs which are accessible to the globe.
My question is about the needed traffic for each VLAN; please correct me:
1. External VLANs:
   - SSH: needed one time to exchange certificates with other GTM devices.
   - iQuery: (TCP & UDP) port 4353.
   - DNS: (TCP & UDP) port 53: does it need to be opened in the port lockdown, or is configuring it in the listeners enough?
2. Internal VLAN:
   - DNS: (TCP & UDP) port 53 (for communication with LDNS).
   - iQuery: (TCP & UDP) port 4353 (for communication with LTMs).
   - SSH: is it needed for communication with LTMs?
   - SNMP: is needed.
3. Failover VLAN: UDP 1026.
4. Sync VLAN: iQuery (TCP & UDP) port 4353.
5. Connection and persistence mirroring VLAN: TCP 1028.
I also read in the following article that ICMP and iQuery are always allowed even if they are not added to the port lockdown. Is this correct? And why is ICMP needed?
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13250.html
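As an added example (not part of the post, not F5's code, and not a verified answer to the question), here is a small Python helper that turns a per-VLAN service list like the one proposed above into `tmsh ... allow-service replace-all-with { ... }` commands and audits a self IP's current `allow-service` block against it. The self IP object names, the sample `tmsh list net self` output and the service-name-to-port map are constructed assumptions; the service lists themselves are the poster's proposal transcribed as data, including the SSH and SNMP entries the post leaves as open questions. ICMP is not an `allow-service` entry and is not modelled here.

```python
"""Generate and audit BIG-IP self IP port-lockdown (allow-service) lists.

Added example, not from the DevCentral post or F5. The PROPOSED_LOCKDOWN
table transcribes the poster's proposal as constructed data; it is not a
verified answer. Self IP names, sample output and SERVICE_PORTS are assumed.
"""
import re

# Per-VLAN services the poster proposes, as (protocol, port) pairs.
# Self IP object names are hypothetical placeholders.
PROPOSED_LOCKDOWN = {
    "external_self": {("tcp", 22), ("tcp", 4353), ("udp", 4353),
                      ("tcp", 53), ("udp", 53)},
    # SSH and SNMP are listed here exactly as the post proposes them
    # (SSH is an open question in the post, SNMP is stated as needed).
    "internal_self": {("tcp", 53), ("udp", 53), ("tcp", 4353), ("udp", 4353),
                      ("tcp", 22), ("udp", 161)},
    "failover_self": {("udp", 1026)},
    "sync_self": {("tcp", 4353), ("udp", 4353)},
    "mirroring_self": {("tcp", 1028)},
}

# tmsh may print service names instead of numbers; this mapping is an
# assumption limited to the services mentioned in the post.
SERVICE_PORTS = {"ssh": 22, "domain": 53, "f5-iquery": 4353, "snmp": 161}


def tmsh_allow_service(self_name, services):
    """Build the tmsh command that replaces a self IP's allow-service list."""
    body = " ".join(sorted(f"{proto}:{port}" for proto, port in services))
    return f"tmsh modify net self {self_name} allow-service replace-all-with {{ {body} }}"


def parse_allow_service(tmsh_output):
    """Return the (proto, port) set inside an allow-service { } block, or the
    bare keyword (default / all / none) when the list is one of those."""
    m = re.search(r"allow-service\s+(\{(.*?)\}|\S+)", tmsh_output, re.S)
    if not m:
        return set()
    if m.group(2) is None:
        return m.group(1)  # keyword form, e.g. "default"
    services = set()
    for token in m.group(2).split():
        proto, _, port = token.partition(":")
        services.add((proto, int(port) if port.isdigit() else SERVICE_PORTS[port]))
    return services


def audit(self_name, tmsh_output):
    """Compare a self IP's current allow-service list with the proposed one.

    Returns (unexpected, missing): services currently open that were not
    proposed, and proposed services that are not currently open. A keyword
    list ('all', 'default') cannot be compared port by port and is reported
    as unexpected in full; 'none' means everything proposed is missing."""
    current = parse_allow_service(tmsh_output)
    wanted = PROPOSED_LOCKDOWN[self_name]
    if isinstance(current, str):
        return (set(), set(wanted)) if current == "none" else ({current}, set())
    return current - wanted, wanted - current


# Constructed sample of `tmsh list net self external_self` output: SNMP is
# open although not proposed for the external VLAN, and TCP/53 is absent.
SAMPLE_LIST_OUTPUT = """\
net self external_self {
    address 192.0.2.10/24
    allow-service {
        tcp:ssh
        tcp:f5-iquery
        udp:f5-iquery
        udp:domain
        udp:snmp
    }
    traffic-group traffic-group-local-only
    vlan external
}
"""

if __name__ == "__main__":
    for name, services in PROPOSED_LOCKDOWN.items():
        print(tmsh_allow_service(name, services))
    unexpected, missing = audit("external_self", SAMPLE_LIST_OUTPUT)
    print("unexpected:", sorted(unexpected), "missing:", sorted(missing))
```

Running the script prints one `tmsh modify` command per self IP and then, for the constructed sample, flags `udp:161` as open but not proposed and `tcp:53` as proposed but not open. The audit is deliberately strict about keyword lists: `all` or `default` on an externally reachable self IP is reported as a whole rather than silently accepted.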