Forum Discussion
Should ports 443 and 22 be open for communication between GTM and LTM? If yes, then for what process are they used specifically?
We performed penetration testing on our F5 devices and found that ports 443 and 22 are open on the production traffic interfaces. When checked, we found that the LTM devices are added on the GTM using the IP addresses of the production interfaces.
As ports 443 and 22 being open on LTM production interfaces raises an operational risk, we need to block these ports. But before we go ahead, we wanted to confirm whether 443 and 22 are required for any communication between the F5 devices.
3 Replies
- Mahantesh_Bisur
Nimbostratus
Hi Vandit,
You need to open TCP port 4353 for communication to happen between LTM and GTM.
Please refer to the link below for more details: https://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm-implementations-11-4-0/2.html
- Stanislas_Piro2
Cumulonimbus
Hi,
As Mahantesh replied, TCP 4353 must be opened to allow config and status synchronization.
But the bigip_add command requires the SSH/SCP port to be open to exchange SSL keys.
After this command is done, the SSH port can be blocked.
- Domai
Altostratus
For the initial setup all 3 ports must be open: 22, 443 and 4353. Once you finish adding other GTMs and LTMs you can close 22 and 443. But you need port 4353 to be open all the time for iQuery communication between GTMs and LTMs.
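A small audit script, added here and not from the thread or from F5, that probes an LTM's production-side address for the three ports discussed and flags 22 and 443 if they are still reachable once bigip_add has finished, while confirming 4353 is still open for iQuery. The port roles are taken from the replies above; the host list and the setup-phase flag are assumptions.

```python
import socket
from typing import Dict, Iterable, List

# Port roles as described in the thread (assumed policy, not an F5 document):
# tcp/4353 (iQuery) must stay open between GTM and LTM at all times;
# tcp/22 and tcp/443 are only needed while bigip_add runs during initial setup.
IQUERY_PORT = 4353
SETUP_ONLY_PORTS = (22, 443)
AUDIT_PORTS = (22, 443, IQUERY_PORT)


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a plain TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(open_ports: Iterable[int], setup_phase: bool) -> List[str]:
    """Compare observed open ports on a production-side address with the expected state."""
    open_set = set(open_ports)
    findings: List[str] = []
    if IQUERY_PORT not in open_set:
        findings.append("MISSING: tcp/4353 closed; iQuery between GTM and LTM will fail")
    for port in SETUP_ONLY_PORTS:
        if port in open_set and not setup_phase:
            findings.append(f"EXPOSED: tcp/{port} open after initial setup; close it")
    return findings


def audit_host(host: str, setup_phase: bool = False) -> Dict[str, object]:
    """Probe one LTM production address and return the ports seen plus findings."""
    observed = [p for p in AUDIT_PORTS if probe_port(host, p)]
    return {"host": host, "open": observed, "findings": classify(observed, setup_phase)}


if __name__ == "__main__":
    import sys
    # Usage: python audit_f5_ports.py <ltm-production-ip> [...]  (hosts are assumed)
    for h in sys.argv[1:]:
        print(audit_host(h))
```

Run it from the GTM side against each LTM production address after setup; an empty findings list means only 4353 is reachable.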