
Problem this snippet solves:

A Self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. You can associate self IP addresses not only with VLANs, but also with VLAN groups. Self IP addresses serve two purposes. First, when sending a message to a destination server, the BIG-IP system uses the self IP addresses of its VLANs to determine the specific VLAN in which a destination server resides. Second, a self IP address serves as the default route for each destination server in the corresponding VLAN. In this case, the self IP address of a VLAN appears as the destination IP address in the packet header when the server sends a response to the BIG-IP system.

Each self IP address has a feature known as port lockdown. Port lockdown is a security feature that allows you to specify the particular UDP and TCP protocols and services from which the self IP address accepts traffic. This application illustrates how to use the iControl API to manage Port Lockdown Access Lists.

Code :

#----------------------------------------------------------------------------
# The contents of this file are subject to the "END USER LICENSE AGREEMENT FOR F5
# Software Development Kit for iControl"; you may not use this file except in
# compliance with the License. The License is included in the iControl
# Software Development Kit.
#
# Software distributed under the License is distributed on an "AS IS"
# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
# the License for the specific language governing rights and limitations
# under the License.
#
# The Original Code is iControl Code and related documentation
# distributed by F5.
#
# The Initial Developer of the Original Code is F5 Networks,
# Inc. Seattle, WA, USA. Portions created by F5 are Copyright (C) 1996-2009 F5 Networks,
# Inc. All Rights Reserved.  iControl (TM) is a registered trademark of F5 Networks, Inc.
#
# Alternatively, the contents of this file may be used under the terms
# of the GNU General Public License (the "GPL"), in which case the
# provisions of GPL are applicable instead of those above.  If you wish
# to allow use of your version of this file only under the terms of the
# GPL and not to allow others to use your version of this file under the
# License, indicate your decision by deleting the provisions above and
# replace them with the notice and other provisions required by the GPL.
# If you do not delete the provisions above, a recipient may use your
# version of this file under either the License or the GPL.
#----------------------------------------------------------------------------
# Positional script arguments (documented in Write-Usage). The parser treats
# all of them as optional; the main logic below insists on the first three.
param (
  $g_bigip = $null,   # BIG-IP host name or address handed to Initialize-F5.iControl
  $g_uid = $null,     # iControl user name
  $g_pwd = $null,     # iControl password. NOTE(review): taken from the command
                      # line as plain text, so it is visible in process listings
                      # and shell history; consider prompting for it instead.
  $g_cmd = $null,     # sub-command selected by the switch in the main logic
  $g_selfip = $null,  # self IP the *accesslist commands operate on
                      # (for the *defaccesslist commands this slot carries the protocol)
  $g_arg1 = $null,    # further positional values forwarded to the chosen command
  $g_arg2 = $null,
  $g_arg3 = $null,
  $g_arg4 = $null
);

# Strict mode: reading a variable that was never assigned is an error, which
# catches typos in the $g_* names used throughout the script.
Set-PSDebug -strict;

#-------------------------------------------------------------------------
# function Write-Usage
#-------------------------------------------------------------------------
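function Write-Usage()
{
  # Print the command reference and terminate the script.
  # The positional arguments listed after each command map onto the script's
  # $g_selfip, $g_arg1, $g_arg2, ... parameters in that order.
  Write-Host @"
Usage: SelfIPPortLockdown.ps1 host uid pwd [command] [args...]
  commands
  --------
  list
     - Get a list of Self IPs (also the default when no command is given)
  getaccesslist <selfip>
     - Gets the access lists for the specified self IP.
  addaccesslist <selfip> [mode] [protocol] [port]
     - Adds the list of access methods, with optional
       protocols/ports, for the specified self IP.
  deleteaccesslist <selfip> [mode] [protocol] [port]
     - Deletes protocols and ports from the allow access list
       for the specified self IP.
  getdefaccesslist
     - Gets the default protocol/port access list on which
       access is allowed.
  adddefaccesslist <protocol> [port]
     - Adds to the default list of protocols/ports
       on which access is allowed.
  removedefaccesslist <protocol> [port]
     - Remove protocols and ports from the default list
       of protocols/ports on which access is allowed.
"@;
  # Usage is only shown for a missing or unknown argument, so report failure
  # to the caller instead of the bare `exit` (exit code 0) used before.
  exit 1;
}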

#-------------------------------------------------------------------------
# Get-SelfIPList
#-------------------------------------------------------------------------
function Get-SelfIPList()
{
  # Print every self IP the BIG-IP reports, one per line, under a heading.
  # Nothing is returned; all output goes to the host.
  $selfips = (Get-F5.iControl).NetworkingSelfIP.get_list();
  Write-Host "Available SelfIPs:";
  foreach ($address in $selfips)
  {
    Write-Host "  $address";
  }
}

#-------------------------------------------------------------------------
# function Get-AccessList
#-------------------------------------------------------------------------
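function Get-AccessList()
{
  # Print the port-lockdown allow-access list(s) for one self IP.
  #   $selfip - self IP address (as listed by Get-SelfIPList); required.
  # Output goes to the host; nothing is returned.
  param([string]$selfip = $null);
  # An empty self IP would otherwise be passed through to the device as "";
  # report the missing argument locally instead.
  if ([string]::IsNullOrEmpty($selfip))
  {
    Write-Error "Get-AccessList: a self IP address is required";
    return;
  }
  $pld = (Get-F5.iControl).NetworkingSelfIPPortLockdown;
  $access_list = $pld.get_allow_access_list( (,$selfip) );
  foreach ($access in $access_list)
  {
    Write-Host "--------------------------------";
    Write-Host "Self IP        : " $access.self_ip;
    Write-Host "Mode           : " $access.mode;
    Write-Host "Protocol Ports : ";
    foreach ($protocol_port in $access.protocol_ports)
    {
      Write-Host "      Protocol : " $protocol_port.protocol;
      Write-Host "          Port : " $protocol_port.port;
    }
  }
}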

#-------------------------------------------------------------------------
# function Add-AccessList
#-------------------------------------------------------------------------
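function Add-AccessList()
{
  # Add one allow-access entry (mode plus a protocol/port) to a self IP's
  # port-lockdown list, then print the resulting list.
  #   $selfip   - self IP to modify; required.
  #   $mode     - access mode name; empty falls back to ALLOW_MODE_NONE.
  #   $protocol - protocol name; empty falls back to PROTOCOL_ANY.
  #   $port     - port number; defaults to 0.
  param(
    [string]$selfip = $null,
    [string]$mode = "ALLOW_MODE_NONE",
    [string]$protocol = "PROTOCOL_ANY",
    [int]$port = 0);
  if ([string]::IsNullOrEmpty($selfip))
  {
    Write-Error "Add-AccessList: a self IP address is required";
    return;
  }
  # The main logic forwards unset positional arguments as $null, which a
  # [string] parameter receives as "" instead of its default value; restore
  # the defaults so an empty string is never handed to the API.
  if ([string]::IsNullOrEmpty($mode)) { $mode = "ALLOW_MODE_NONE"; }
  if ([string]::IsNullOrEmpty($protocol)) { $protocol = "PROTOCOL_ANY"; }

  $pld = (Get-F5.iControl).NetworkingSelfIPPortLockdown;
  # Build the protocol/port entry first and attach the finished object. The
  # original set the fields through $(...).protocol on the already-attached
  # value, which depends on how that property wraps a single element.
  $protocol_port = New-Object -TypeName iControl.NetworkingSelfIPPortLockdownProtocolPort;
  $protocol_port.protocol = $protocol;
  $protocol_port.port = $port;
  $access = New-Object -TypeName iControl.NetworkingSelfIPPortLockdownSelfIPAccess;
  $access.self_ip = $selfip;
  $access.mode = $mode;
  $access.protocol_ports = $protocol_port;

  $pld.add_allow_access_list( (,$access) );
  Get-AccessList $selfip;
}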

#-------------------------------------------------------------------------
# function Delete-AccessList
#-------------------------------------------------------------------------
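function Delete-AccessList()
{
  # Remove one allow-access entry (mode plus a protocol/port) from a self
  # IP's port-lockdown list, then print the resulting list.
  #   $selfip   - self IP to modify; required.
  #   $mode     - access mode name; empty falls back to ALLOW_MODE_NONE.
  #   $protocol - protocol name; empty falls back to PROTOCOL_ANY.
  #   $port     - port number; defaults to 0.
  param(
    [string]$selfip = $null,
    [string]$mode = "ALLOW_MODE_NONE",
    [string]$protocol = "PROTOCOL_ANY",
    [int]$port = 0);
  if ([string]::IsNullOrEmpty($selfip))
  {
    Write-Error "Delete-AccessList: a self IP address is required";
    return;
  }
  # Unset positional arguments arrive as $null and bind to a [string]
  # parameter as "" rather than its default; restore the defaults so an
  # empty string is never handed to the API.
  if ([string]::IsNullOrEmpty($mode)) { $mode = "ALLOW_MODE_NONE"; }
  if ([string]::IsNullOrEmpty($protocol)) { $protocol = "PROTOCOL_ANY"; }

  $pld = (Get-F5.iControl).NetworkingSelfIPPortLockdown;
  # Populate the protocol/port entry before attaching it, rather than
  # setting fields through $(...).protocol on the attached value.
  $protocol_port = New-Object -TypeName iControl.NetworkingSelfIPPortLockdownProtocolPort;
  $protocol_port.protocol = $protocol;
  $protocol_port.port = $port;
  $access = New-Object -TypeName iControl.NetworkingSelfIPPortLockdownSelfIPAccess;
  $access.self_ip = $selfip;
  $access.mode = $mode;
  $access.protocol_ports = $protocol_port;

  $pld.delete_allow_access_list( (,$access) );
  Get-AccessList $selfip;
}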

#-------------------------------------------------------------------------
# function Get-DefaultAccessList
#-------------------------------------------------------------------------
function Get-DefaultAccessList()
{
  # Print the device-wide default protocol/port access list, or a notice
  # when that list is empty. Nothing is returned.
  $pld = (Get-F5.iControl).NetworkingSelfIPPortLockdown;
  $defaults = $pld.get_default_protocol_port_access_list();
  if ( -not $defaults.Length )
  {
    Write-Host "No default Protocol Port Access Lists defined";
    return;
  }
  foreach ($entry in $defaults)
  {
    Write-Host "--------------------------------";
    Write-Host "Protocol : " $entry.protocol;
    Write-Host "    Port : " $entry.port;
  }
}

#-------------------------------------------------------------------------
# function Add-DefaultAccessList
#-------------------------------------------------------------------------
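function Add-DefaultAccessList()
{
  # Add one protocol/port pair to the device-wide default access list, then
  # print the updated list.
  #   $protocol - protocol name; empty falls back to PROTOCOL_ANY.
  #   $port     - port number; defaults to 0.
  param([string]$protocol = "PROTOCOL_ANY", [int]$port = 0);
  # An unset positional argument reaches a [string] parameter as "" (not the
  # declared default), so restore the default rather than send an empty protocol.
  if ([string]::IsNullOrEmpty($protocol)) { $protocol = "PROTOCOL_ANY"; }
  $pld = (Get-F5.iControl).NetworkingSelfIPPortLockdown;
  $protocol_port = New-Object -TypeName iControl.NetworkingSelfIPPortLockdownProtocolPort;
  $protocol_port.protocol = $protocol;
  $protocol_port.port = $port;
  $pld.add_default_protocol_port_access_list( (,$protocol_port) );
  Get-DefaultAccessList;
}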

#-------------------------------------------------------------------------
# function Remove-DefaultAccessList
#-------------------------------------------------------------------------
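function Remove-DefaultAccessList()
{
  # Remove one protocol/port pair from the device-wide default access list,
  # then print the updated list.
  #   $protocol - protocol name; empty falls back to PROTOCOL_ANY.
  #   $port     - port number; defaults to 0.
  param([string]$protocol = "PROTOCOL_ANY", [int]$port = 0);
  # An unset positional argument reaches a [string] parameter as "" (not the
  # declared default), so restore the default rather than send an empty protocol.
  if ([string]::IsNullOrEmpty($protocol)) { $protocol = "PROTOCOL_ANY"; }
  $pld = (Get-F5.iControl).NetworkingSelfIPPortLockdown;
  $protocol_port = New-Object -TypeName iControl.NetworkingSelfIPPortLockdownProtocolPort;
  $protocol_port.protocol = $protocol;
  $protocol_port.port = $port;
  $pld.remove_default_protocol_port_access_list( (,$protocol_port) );
  Get-DefaultAccessList;
}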

#-------------------------------------------------------------------------
# Do-Initialize
#-------------------------------------------------------------------------
function Do-Initialize()
{
  # Load the iControl snap-in if it is not already registered in this
  # session, then open the iControl connection using the script-level
  # host/user/password arguments. Returns whatever Initialize-F5.iControl
  # returns; the main logic treats a truthy value as success.
  $snapin = Get-PSSnapin | Where-Object { $_.Name -eq "iControlSnapIn" };
  if ( $snapin -eq $null )
  {
    Add-PSSnapIn iControlSnapIn
  }
  # $g_pwd is the plain-text password taken from the command line (see the
  # param block at the top of the script).
  return (Initialize-F5.iControl -HostName $g_bigip -Username $g_uid -Password $g_pwd);
}

#-------------------------------------------------------------------------
# Main Application Logic
#-------------------------------------------------------------------------
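# Host, user name and password are mandatory; everything else is per command.
if ( ($g_bigip -eq $null) -or ($g_uid -eq $null) -or ($g_pwd -eq $null) )
{
  Write-Usage;
}

if ( Do-Initialize )
{
  # Normalise the command to a string: an omitted $g_cmd is $null, and a
  # switch over $null may not enter the "" arm at all, leaving the
  # "no command lists the self IPs" behaviour unreachable in practice.
  $cmd = [string]$g_cmd;
  switch ($cmd)
  {
    # Write-Usage calls this command "list"; accept both spellings.
    "" {
      Get-SelfIPList;
    }
    "list" {
      Get-SelfIPList;
    }
    "getaccesslist" {
      Get-AccessList $g_selfip;
    }
    "addaccesslist" {
      # selfip, mode, protocol, port -- the function's four parameters.
      Add-AccessList $g_selfip $g_arg1 $g_arg2 $g_arg3;
    }
    "deleteaccesslist" {
      # Previously invoked with the self IP only, so mode/protocol/port
      # always used the function defaults (ALLOW_MODE_NONE / PROTOCOL_ANY / 0)
      # regardless of what the user supplied.
      Delete-AccessList $g_selfip $g_arg1 $g_arg2 $g_arg3;
    }
    "getdefaccesslist" {
      Get-DefaultAccessList;
    }
    "adddefaccesslist" {
      # The default list has no self IP, so the fifth positional argument
      # ($g_selfip) is the protocol and $g_arg1 the port.
      Add-DefaultAccessList $g_selfip $g_arg1;
    }
    "removedefaccesslist" {
      Remove-DefaultAccessList $g_selfip $g_arg1;
    }
    default {
      Write-Usage;
    }
  }
}
else
{
  Write-Error "ERROR: iControl subsystem not initialized"
}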