Restricting Management Access in BIG-IP 15.1.0

iRule
Cirrus

Dear Community,

 

I need to restrict management access to specific source workstation IPs using the System > Platform > Security feature. The devices are in an HA pair.

 

If I create a rule to allow access to the management interface on TCP port 443 only from three source workstation IPs, what could be the impact of this rule on HA and failover?

 

Thanks


crodriguez
F5 Employee

It would appear that security firewall rules for the management port are synchronized between the two systems in an HA pair. (My first instinct was that they were not.) So I tested with a v15.1 HA pair by first adding two rules to the active system in my pair, as follows:

 

[screenshot of the two rules] The system immediately indicated changes were pending. (So much for my instincts!) I did a Config-sync and the rules were successfully synchronized with the standby system. Unfortunately, after the config-sync finished, I wound up being booted off my session to the management interface (from the same client) on the standby system at https://192.168.13.31. I then went back to the active system, where I was still logged on, and added a third rule to allow port 443 access to the standby system's management interface at 192.168.13.31 from my client at 192.168.4.30, and config-synced again. I could then log into the standby system once again. There does not seem to be an impact on any HA communication that is going on behind the scenes, as I added a virtual server and pool on the standby system, synced it to the active system, and it synced just fine. For good measure, I then forced a manual failover from the active to the standby system, and that also worked just fine. So, aside from the need to do a Config-Sync after setting up the security firewall rules, there seems to be no impact on HA. But be careful how you set up the rules so you don't inadvertently deny yourself!

 

Here is the final config, as shown from the GUI [screenshot], and, for good measure, from TMSH:

root@(bigip14)(cfg-sync In Sync)(Active)(/Common)(tmos)# list security firewall management-ip-rules
security firewall management-ip-rules {
    rules {
        MGMT_Access {
            action accept
            ip-protocol tcp
            log yes
            rule-number 1
            destination {
                addresses {
                    192.168.14.31 { }
                }
                ports {
                    https { }
                }
            }
            source {
                addresses {
                    192.168.4.30 { }
                }
            }
        }
        MGMT_Access_13 {
            action accept
            ip-protocol tcp
            log yes
            rule-number 2
            destination {
                addresses {
                    192.168.13.31 { }
                }
                ports {
                    https { }
                }
            }
            source {
                addresses {
                    192.168.4.30 { }
                }
            }
        }
        MGMT_Deny {
            action reject
            ip-protocol tcp
            log yes
            rule-number 3
        }
    }
}
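The lock-out in the reply above happens because the rule set is synced to both units but only names one unit's management IP, so the final reject rule catches the client on the other unit. The script below is an added example, not code from the thread or from F5: it prints the tmsh commands that build one accept rule for every (management IP, admin workstation) pair on both units before the catch-all reject, and refuses to run if the address your own SSH session comes from is not on the allow list. The IPs are the ones from the thread; DEVICE_GROUP, the rule names and the reliance on $SSH_CLIENT are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: print the tmsh commands
# that build a management-ip-rules set for an HA pair so every admin
# workstation is accepted to BOTH units' management IPs before the final
# reject rule, plus a guard against locking out the session you are typing in.
# DEVICE_GROUP and the rule names are hypothetical values.

ADMIN_IPS="192.168.4.30"                 # workstations allowed to reach port 443
MGMT_IPS="192.168.14.31 192.168.13.31"   # management IPs of the active and standby units
DEVICE_GROUP="dg-failover"               # assumed sync-failover device group name

# name_for IP: turn an address into a token usable in a tmsh object name.
name_for() {
  printf '%s' "$1" | tr . _
}

# emit_rules ADMINS MGMTS: one accept rule per (management IP, admin IP) pair,
# numbered from 1, then a catch-all TCP reject. Rules are evaluated in
# rule-number order, first match wins, so the reject must carry the highest number.
emit_rules() {
  admins="$1"; mgmts="$2"; n=1
  printf 'tmsh modify security firewall management-ip-rules rules add {\n'
  for m in $mgmts; do
    for a in $admins; do
      printf '  allow_%s_from_%s { action accept ip-protocol tcp log yes rule-number %d destination { addresses add { %s } ports add { 443 } } source { addresses add { %s } } }\n' \
        "$(name_for "$m")" "$(name_for "$a")" "$n" "$m" "$a"
      n=$((n + 1))
    done
  done
  printf '  deny_rest { action reject ip-protocol tcp log yes rule-number %d }\n' "$n"
  printf '}\n'
}

# lockout_guard CLIENT_IP ADMINS: succeed only if the address you are connected
# from is in the allow list; otherwise the reject rule would cut you off.
lockout_guard() {
  client="$1"; admins="$2"
  for a in $admins; do
    [ "$a" = "$client" ] && return 0
  done
  return 1
}

# main: run on the active unit over SSH. It prints the commands for review
# rather than executing them. sshd sets SSH_CLIENT to "client_ip client_port server_port".
main() {
  me="${SSH_CLIENT%% *}"
  if ! lockout_guard "$me" "$ADMIN_IPS"; then
    echo "refusing: session source '$me' is not in ADMIN_IPS; you would lock yourself out" >&2
    return 1
  fi
  emit_rules "$ADMIN_IPS" "$MGMT_IPS"
  echo 'tmsh save sys config'
  echo "tmsh run cm config-sync to-group $DEVICE_GROUP"
}

# Only act when invoked as: sh mgmt-rules.sh --emit
if [ "${1:-}" = "--emit" ]; then
  main
fi
```

Review the printed block before pasting it into bash on the active unit; the `rules add { ... }` form is the modify syntax for the same object the `list` output above shows, with `addresses add { ... }` in place of the `addresses { x { } }` listing form. The config-sync is still needed afterwards, exactly as the reply describes, and because both management IPs are already in the accept rules the sync does not drop your session on the standby.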