cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Port Lock down | Impact

RAQS
Cirrus
Cirrus

Hi All,

 

Hope your are doing great.

 

I am planning to restrict access on Self IP. Can you please help to understand the impact of port lock down when i change it from allow all to "None".

 

What things will be impacted like HA or anything and how we can prevent it. We do not have GTM . We have LTMs in HA and some are standalone.

 

Regards,

RaqS

1 ACCEPTED SOLUTION

Hi,

 

1) If i ll allow default , then what all ports will be allowed

https://support.f5.com/csp/article/K17333

 

2) If i ll use custom, then what all port should i allow

Only those needed for your scenario. If you don't have gtm and you don't administer through self IP then udp/1026 but only if you are using that self IP for the cluster.

 

3) I can for logging into GUI , CLI we are using management IP . So I consider that administration is not manage by Self IP.

Sounds right.

 

4) Please let me know how i ll identity whether Self IP is being used for cluster communication or not.

From Device Management > Devices, open the BIG-IP you are logged in (self), then from the "Device connectivity" drop down menu check the settings of the different entries to know which IPs are used.

View solution in original post

5 REPLIES 5

Setting port lockdown to none for Self IPs that are used for HA will break the cluster. However 'allow all' is very permissive and for most of the case it's not needed, you can either use 'default' or 'custom' with udp/1026.

Other things that may break is administration through ports 443 and 22 if you are administering BIG-IP through its self IP directly which is not recommended too.

If your Self IPs are not used for cluster communication or for administering BIG-IP, then using 'none' is generally the way to go

Hi Amine,

 

Thank you very much for your time and reply.

 

So please help me to understand below

 

1) If i ll allow default , then what all ports will be allowed

 

2) If i ll use custom, then what all port should i allow

 

3) I can for logging into GUI , CLI we are using management IP . So I consider that administration is not manage by Self IP.

 

4) Please let me know how i ll identity whether Self IP is being used for cluster communication or not.

 

Regards,

RAQS

Hi,

 

1) If i ll allow default , then what all ports will be allowed

https://support.f5.com/csp/article/K17333

 

2) If i ll use custom, then what all port should i allow

Only those needed for your scenario. If you don't have gtm and you don't administer through self IP then udp/1026 but only if you are using that self IP for the cluster.

 

3) I can for logging into GUI , CLI we are using management IP . So I consider that administration is not manage by Self IP.

Sounds right.

 

4) Please let me know how i ll identity whether Self IP is being used for cluster communication or not.

From Device Management > Devices, open the BIG-IP you are logged in (self), then from the "Device connectivity" drop down menu check the settings of the different entries to know which IPs are used.

Thanks Amine. I really appreciate your way to make me things understand. So in order to conclude.. I have to go to Select port lockdown as None. And in doing so i have to check whether self ip is a part of cluster communication and administration purpose or not. I checked its a not part of administrative purpose. But for cluster as you suggested i went to the path and saw self ip configured there. So this will break HA. Any way to avoid this ?

Hi,

Yes, if you set port lockdown to 'None' in a self IP used for cluster you'll break HA. In this case, you have to either select 'Default' or 'Custom' and allow udp/1026.

BTW, if you have the possibility and have free physical interfaces, you may consider connecting the two nodes with a direct connection and use it exclusively for HA,