Block all HTTPS traffic to F5 load balancers

Question

Hi F5 expertsI have some questions :Because of the iControl REST Vulnerability, we want to block all HTTPS traffic to F5 loadbalancers, except for whitelisted API servers and whitelisted management servers.Running: BIG-IP 14.1.4.6 Build 0.0.8 Point Release 6.Q1: Please confirm that there is no implicit deny as last rule; all traffic not specifically dropped/blocked, is permitted.Q2: Please advise about the relationship/overlap/overruling between the security firewall rules and the HTTPD rules.When the firewall rules on https traffic blocks traffic, the http-daemon allows all.Q3: Is the example the correct way to block all API-call traffic to F5 loadbalancers, except for whitelisted API servers and whitelisted management servers?So 1 HTTPS rule permitting the white-listed sources + 1 HTTPS rule blocking all others.when we use firewall rule for BIG-IP management, will that overrule the sys HTTPD configuration? If so, is it then better to use firewall rule for BIG-IP management in stead off sys HTTPD?Thank you&nbsp;

markf5 · Answer

Hi G-Rob,
Thanks for your answer, very interesting!! However my&nbsp;&nbsp;question now&nbsp; is, when we use firewall rule for BIG-IP management, will that overrule the sys HTTPD configuration? If so, is it then better to use firewall rule for BIG-IP management in stead off sys HTTPD?
&nbsp;
Thank you&nbsp;

leslie_hubertus · Answer

Make a quick edit to your post to tag G-Rob&nbsp;to make sure he saw your follow-up. 🙂 In the future, you can do this yourself by typing&nbsp;@ before their username, and a dropdown should automatically pop up for you to click on .&nbsp;

g-rob · Answer

I have documentation to help answer a few of these.
Q1: "Note: The system does not create the aforementioned deny-all rule automatically, you must explicitly create the deny-all rule as the Last in the rule list for it to block access from non-allowed sources. When configuring a deny-all rule, ensure you have a rule that allows access from your client system and appears before the deny-all rule in the rule list. Otherwise, you may lose access to the management interface on the BIG-IP system." (source)
Q2: Security firewall rules will cover any ip ranges and services listed in the rules. SSHD and HTTPD allow lists apply only to that service. I suggest reviewing this article if you haven't already:&nbsp;K13092: Overview of securing access to the BIG-IP system&nbsp;
Q3 I'll refer you to&nbsp;K53108777: Hardening your F5 system.

g-rob · Answer

Technically, restricting source IP addresses in either configuration is enough to block the service. The hierarchy of processing for management traffic would put the firewall rules enforcement before the sshd/httpd allow lists, which provides protection lower in the network stack than the daemon allow lists. So I wouldn't say that either configuration overrules the other, as a specific permit in one and a specific deny in the other will result in a failed connection. I would certainly recommend using the network firewall rules to limit management access. Adding those same IPs to the daemon allow lists would offer another layer of security.&nbsp;

Forum Discussion

Block all HTTPS traffic to F5 load balancers

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Block traffic

fellow traffic

domain blocking

Block IP after a number of ASM Blocks

Re: NGINX for Azure: Load Balancing