Forum Discussion
Greg_Robinson_1
Feb 05, 2015 · Cirrus
I would think the security team would have more of an issue with you sending configuration information via plain-text HTTP than via HTTPS, even if the certificate is self-signed. Do you need to reach this F5 via the public IPs? For my publicly facing interfaces, I put the "allow-service none" parameter on the self-IPs so that the F5 doesn't allow any in-band management traffic on those interfaces. I'd consider that a best practice for any interfaces that you don't need to use for F5 management (keep in mind that config-sync/failover interfaces require the "allow-service default" so service traffic can pass between units).
- Chase_Abbott · Feb 05, 2015 · Employee
  Agree, I don't consider HTTP a valid option at all. Self-signed is your minimum, but any audit will flag those certs as potential issues. As for MGMT, that would "never" be part of your internal or external traffic paths.
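An added example, not part of the thread or of F5's tooling: a small audit of self-IP stanzas for the practice described above, flagging non-HA self IPs that allow in-band services and HA self IPs that lack "allow-service default". The self-IP names, the VLAN names, the `ha_vlans` parameter and the stanza layout of the sample are assumptions, as is reading a missing allow-service line as "none".

```python
import re

# Constructed sample shaped like `tmsh list net self` output (not from the thread).
SAMPLE = """\
net self external_self {
    allow-service {
        tcp:443
    }
    vlan external
}
net self dmz_self {
    allow-service none
    vlan dmz
}
net self ha_self {
    allow-service {
        default
    }
    vlan ha
}
"""

# A stanza ends at the first closing brace in column 0; nested braces are indented.
STANZA = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)

def parse_self_ips(text):
    """Map each self IP name to its VLAN and list of allow-service entries."""
    result = {}
    for name, body in STANZA.findall(text):
        vlan = re.search(r"^[ \t]+vlan (\S+)", body, re.M)
        block = re.search(r"allow-service \{(.*?)\}", body, re.S)
        single = re.search(r"allow-service (\w\S*)", body)
        if block:
            allow = block.group(1).split()
        else:
            # Assumption: a missing allow-service line means "none".
            allow = [single.group(1)] if single else ["none"]
        result[name] = {"vlan": vlan.group(1) if vlan else None, "allow": allow}
    return result

def audit(text, ha_vlans):
    """Flag self IPs that break the practice described in the thread."""
    findings = []
    for name, info in parse_self_ips(text).items():
        if info["vlan"] in ha_vlans:
            if "default" not in info["allow"]:
                findings.append((name, "HA self IP lacks allow-service default"))
        elif info["allow"] != ["none"]:
            findings.append((name, "in-band services allowed: " + " ".join(info["allow"])))
    return findings
```

Calling `audit(SAMPLE, {"ha"})` reports only `external_self`, since it is the one non-HA self IP that still accepts in-band traffic.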