Forum Discussion

Nimbostratus

Jan 11, 2023

Block all HTTPS traffic to F5 load balancers

Hi F5 experts I have some questions : Because of the iControl REST Vulnerability, we want to block all HTTPS traffic to F5 loadbalancers, except for whitelisted API servers and whitelisted manageme...

security

MarkF5

Nimbostratus

Hi G-Rob,

Thanks for your answer, very interesting!! However my question now is, when we use firewall rule for BIG-IP management, will that overrule the sys HTTPD configuration? If so, is it then better to use firewall rule for BIG-IP management in stead off sys HTTPD?

Thank you

G-Rob

Employee

Jan 18, 2023

Technically, restricting source IP addresses in either configuration is enough to block the service. The hierarchy of processing for management traffic would put the firewall rules enforcement before the sshd/httpd allow lists, which provides protection lower in the network stack than the daemon allow lists. So I wouldn't say that either configuration overrules the other, as a specific permit in one and a specific deny in the other will result in a failed connection. I would certainly recommend using the network firewall rules to limit management access. Adding those same IPs to the daemon allow lists would offer another layer of security.

Forum Discussion

Block all HTTPS traffic to F5 load balancers

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Block traffic

fellow traffic

domain blocking

Block IP after a number of ASM Blocks

Re: NGINX for Azure: Load Balancing