--> Port Lockdown security feature allows only specific protocols and services required on the self IP address in F5 LTM.
--> The port lockdown feature allows you to secure the F5 LTM from unwanted connection attempts by controlling the services or ports allowed on each self IP address.
--> There are some specific services which are allowed even if it is not listed in a port lockdown setting such as,
i) TCP mirroring ports: TCP Ports from 1029 to 1155
ii) Centralized Management Infrastructure port: TCP Port 4353
iii) ICMP
--> There are four port lockdown settings available in F5 LTM.
i) Allow Default
--> This setting allows access for a list of predefined protocols that are needed in order BIG IP LTM to work.
--> These are the following services allowed in the Allow Default Setting,
IGMP( Layer 2 Multicasting)
OSPF( Routing Protocol)
PIM ( Layer 3 Multicasting)
TCP 4353 (iQuery)
UDP 4353 (iQuery)
TCP 443 ( HTTPS)
TCP 161 (SNMP)
UDP 161 (SNMP)
TCP 22 (SSH)
TCP 53 (DNS)
UDP 53 (DNS)
UDP 520 (RIP)
UDP 1026
--> If you want to check the list of protocols and ports that are allowed on Allow Default Setting using CLI command,
#tmsh list net self-allow
ii) Allow All
--> This Setting allows all Protocols and ports from which connections are allowed to the self IP address on F5 LTM.
iii) Allow None
--> This Setting does not allow any Protocols and ports from which connections are allowed to the self IP address on F5 LTM.
--> But it allows ICMP protocol to the self IP address on F5 LTM.
--> This is the default setting for the port lockdown on self IP address.
iv) Allow Custom
--> This Setting allows specific protocols and ports from which connections are allowed to the self IP address on F5 LTM.
--> It allows ICMP protocol even if it is not listed in the setting to the self IP address on F5 LTM.
To Change LockDown Settings for a self IP address,
i) Login into Web GUI of F5 LTM.
ii) Navigate to Network > Self IP Address.
iii) Select the Self IP Address for which you want to modify the port lockdown setting.
iv) From the Port Lockdown setting box select the setting you want to change and click on update.
Note: For Improved security, F5 recommends allows only specific ports and protocols required for connection for a self IP address.
Ref:f5.com
MD.Kareemoddin
CCIE # 54759
--> The port lockdown feature allows you to secure the F5 LTM from unwanted connection attempts by controlling the services or ports allowed on each self IP address.
--> There are some specific services which are allowed even if it is not listed in a port lockdown setting such as,
i) TCP mirroring ports: TCP Ports from 1029 to 1155
ii) Centralized Management Infrastructure port: TCP Port 4353
iii) ICMP
--> There are four port lockdown settings available in F5 LTM.
i) Allow Default
--> This setting allows access for a list of predefined protocols that are needed in order BIG IP LTM to work.
--> These are the following services allowed in the Allow Default Setting,
IGMP( Layer 2 Multicasting)
OSPF( Routing Protocol)
PIM ( Layer 3 Multicasting)
TCP 4353 (iQuery)
UDP 4353 (iQuery)
TCP 443 ( HTTPS)
TCP 161 (SNMP)
UDP 161 (SNMP)
TCP 22 (SSH)
TCP 53 (DNS)
UDP 53 (DNS)
UDP 520 (RIP)
UDP 1026
--> If you want to check the list of protocols and ports that are allowed on Allow Default Setting using CLI command,
#tmsh list net self-allow
ii) Allow All
--> This Setting allows all Protocols and ports from which connections are allowed to the self IP address on F5 LTM.
iii) Allow None
--> This Setting does not allow any Protocols and ports from which connections are allowed to the self IP address on F5 LTM.
--> But it allows ICMP protocol to the self IP address on F5 LTM.
--> This is the default setting for the port lockdown on self IP address.
iv) Allow Custom
--> This Setting allows specific protocols and ports from which connections are allowed to the self IP address on F5 LTM.
--> It allows ICMP protocol even if it is not listed in the setting to the self IP address on F5 LTM.
To Change LockDown Settings for a self IP address,
i) Login into Web GUI of F5 LTM.
ii) Navigate to Network > Self IP Address.
iii) Select the Self IP Address for which you want to modify the port lockdown setting.
iv) From the Port Lockdown setting box select the setting you want to change and click on update.
Note: For Improved security, F5 recommends allows only specific ports and protocols required for connection for a self IP address.
Ref:f5.com
MD.Kareemoddin
CCIE # 54759
0 Comments