Log Bypass for BIG-IP Monitor Traffic
Monitors are a part of just about any infrastructure that needs to be highly available. BIG-IP has a whole host of different monitoring options for keeping tabs on servers. It's important for your BI...
Published May 01, 2012
Version 1.0
Colin_Walker_12
Historic F5 Account
Joined May 12, 2005
George_Watkins_
May 03, 2012
Historic F5 Account
In theory yes, but that would require someone to somehow be aware of this monitoring string. If you are worried about this scenario, it is very easy to block external requests with this User-Agent with an iRule:
when HTTP_REQUEST {
    # Log every request with its lower-cased User-Agent so monitor traffic can be audited
    log local0. "[IP::client_addr]:[TCP::client_port]: User-Agent: [string tolower [HTTP::header "User-Agent"]] requested [HTTP::host][HTTP::uri]"
    # The User-Agent is lower-cased before the comparison, so the match string must be lower-case as well
    if { [string tolower [HTTP::header "User-Agent"]] contains "f5 big-ip monitor" } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Rejected request"
        reject
    }
}
You can also add this logic to the Apache server config. Since you've already set an environment variable for the monitoring User-Agent, we can reuse that to enforce access. You'll want to locate the VirtualHost's Allow and Deny directives and change the order and parameters to block external monitoring requests:
Order Deny,Allow
# Requests carrying the monitor User-Agent (env var set earlier via SetEnvIf) are denied ...
Deny from env=monitor
# ... unless they come from the BIG-IP self-IPs: with Order Deny,Allow a matching Allow overrides the Deny.
# Set the subnet or addresses of the BIG-IP self-IPs here
Allow from 10.40.0.0/16
Great question. Hope that helps!
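The same policy as the Apache directives above, applied to the lines the iRule's first log statement writes, as an added example that is not part of the original post or of any F5 code. It assumes the log format produced by that iRule, the 10.40.0.0/16 self-IP subnet and the monitor User-Agent string from the post; the log lines themselves are constructed samples.

```python
import ipaddress
import re

# Values from the post: the monitor User-Agent substring and the BIG-IP self-IP subnet.
MONITOR_UA = "f5 big-ip monitor"
BIGIP_SELF_IPS = [ipaddress.ip_network("10.40.0.0/16")]

# Matches the format written by the iRule's log statement (assumption: the User-Agent
# is already lower-cased by the iRule, and the target is host+uri without spaces).
LOG_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+): User-Agent: (?P<ua>.*) requested (?P<target>\S+)$"
)

def is_monitor_ua(user_agent: str) -> bool:
    """Case-insensitive check, like 'string tolower ... contains' in the iRule."""
    return MONITOR_UA in user_agent.lower()

def decide(client_ip: str, user_agent: str) -> str:
    """Mirror Apache 'Order Deny,Allow' with 'Deny from env=monitor' and
    'Allow from <self-IPs>': a matching Allow overrides a Deny, and a request
    that matches neither directive is allowed by default."""
    addr = ipaddress.ip_address(client_ip)
    denied = is_monitor_ua(user_agent)
    allowed = any(addr in net for net in BIGIP_SELF_IPS)
    if allowed:
        return "allow"
    if denied:
        return "reject"
    return "allow"

def audit(log_lines):
    """Return (ip, ua, decision) for each parsable line; unparsable lines are skipped."""
    results = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        results.append((m["ip"], m["ua"], decide(m["ip"], m["ua"])))
    return results

# Constructed sample lines in the iRule's log format (not real traffic).
SAMPLE_LOG = [
    "10.40.1.5:51022: User-Agent: f5 big-ip monitor requested www.example.com/health",
    "203.0.113.9:44321: User-Agent: f5 big-ip monitor requested www.example.com/health",
    "203.0.113.9:44322: User-Agent: mozilla/5.0 requested www.example.com/index.html",
]

if __name__ == "__main__":
    for ip, ua, verdict in audit(SAMPLE_LOG):
        print(f"{ip:<15} {verdict:<7} {ua}")
```

Running it over a real LTM log lets you confirm that only self-IP sources ever send the monitor User-Agent before you turn on the reject or Deny rule.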