Forum Discussion

Sree_87068's avatar
Sree_87068
Icon for Nimbostratus rankNimbostratus
Apr 26, 2016

VIP listening on other ports other than defined

Have a Virtual server which is hosting traffic from internet and is hosting service port SMTP & UDP 53 . As per the vulnerability check its been found that the VIP is open also on SNMP and cpuple of...
application delivery
BIG-IP
iRules
VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Apr 26, 2016

Assuming you are talking about LTM Virtual Servers, it is useful to distinguish two concepts: a Virtual IP and a Virtual Server. A Virtual IP is just that: an IP addresses for which the BIG-IP may accept traffic. A Virtual Server is a Virtual IP, a port and a protocol. A BIG-IP will reject all traffic that matches a VIP but does not match a Virtual Server -- unless you change the global setting for this, but you have to go out of your way to do that. If, on the other hand, a wildcard VS (that is, a Virtual Server listening on all ports) is defined for a VIP, naturally, traffic for any port will be accepted. Finally, if a VIP matches a self-IP, the self-IP may accept local traffic. But you should avoid this type of configuration.

 

Ordinarily you should not need an iRule or something similar to prevent traffic.

 

Sree_87068's avatar
Sree_87068
Icon for Nimbostratus rankNimbostratus
Apr 26, 2016
Thanks for your response . Apologize for not being clear in my query . I am referring to Virtual server . Currently Virtual server is defined as VIP:25 (TCP) & VIP:53(UDP) on LTM running Ver 10.2.4 . But during the scan its been found same VIP is also accepting on VIP: 161 (TCP) & VIP: 8080 . As per my understanding the traffic must be dropped by LTM when traffic is destined to VIP on port which is not defined ..Please do correct me if i am wrong ..