filtering
4 Topics

Firewall rule re-order behaviour when using "Filter Active Rules List" to edit rules.
Hello. This is my 1st post on the forum and I am a relative newbie to the F5 BIG-IP platform, so I apologise upfront if the following question is a bit basic and has been covered somewhere else in the forum.

I currently have a BIG-IP running 17.1 with a number of partitions configured on it. Each partition has its own Network Firewall policies applied to it. I usually edit the network firewall rules by going into the policy, scrolling down the rule base, finding the rule of interest and then clicking on its name to edit it and then applying the change. I've also noticed that I can use the "Filter Active Rules List" section, find the rule and then edit it there, but when I go to apply the updated rule, the system appears to then re-order the rule base and put those edited rules at the top of the policy. I'm assuming this is expected behaviour but I'm trying to find out why the platform does this and if there is any way of disabling this behaviour.

As mentioned above, I'm guessing this question has been answered somewhere else on this forum but any help on this behaviour is most appreciated. Thank you and hope you all have a great day.

16 Views, 0 likes, 0 Comments

F5 BIG-IP how to disable ICMP redirect?
I noticed that in Network -> Packet Filtering one can enable the checkbox "Always accept important ICMP". However, I don't really see any other option to precisely specify which ICMP types and codes should be accepted. Precisely, I'd like to accept fragmentation needed messages because jumbo frames are actively used in the network, but I don't want ICMP redirect messages to be accepted and interpreted. So is there any way to precisely point out which ICMP types should pass packet filtering?

545 Views, 0 likes, 0 Comments

Allow downloads but not uploads from Online Storage (Google Drive)
We currently use a BIG-IP 7250 as a forward web proxy. I've had a request from high up the management chain to allow downloads from a specific 3rd party's Google Drive space, but not allow uploads. We block the "Personal Network Storage and Backup" URL Category in our standard policy. Is there a feature on the device which would allow this fine-grained level of control out of the box, or would we be looking at putting in a custom iRule for this? Traffic intelligence looked promising, but I couldn't find exactly what I was looking for. Many thanks

297 Views, 0 likes, 1 Comment

Can I change the default ephemeral ports that the F5 uses for health monitoring?
Currently I see that my F5 is reaching out to the servers in my server pools on low ephemeral ports for health monitoring. For example, I have a health monitor for DNS so that the F5 reaches out to the DNS servers to ensure that DNS is working properly. The source port coming from the F5 has a huge range from sometimes 7000 up to 65535. We are trying to standardize the ephemeral ports used in our datacenter to use the standard Microsoft ephemeral ports, 49152 - 65535 for ACI filtering. Can I manually change which ports the F5 uses to send requests on? I know we are currently doing this with Linux servers, so I'd like to do it with the F5s as well.

1K Views, 0 likes, 16 Comments