Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Allowing access to activate.f5.com through a firewall for ASM signature updates

Can the IP address of activate.f5.com change? A customer of mine allows their ASM to access the site by IP address in their firewall for signature updates, but a couple of months ago the address changed.

Does anyone know if this is a regular occurrence, or can I reasonably rely on the current address remaining the same? If not, does anyone know what the possible addresses are?

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I'll check with IT on activate.f5.com and callhome.f5.com and get back to you. I assume we're using multiple carriers and/or dynamically resolving the hostnames via GTM but will let you know. Hopefully we can provide a full list of all possible IPs and an idea of whether/how frequently they could change.

I'd suggest you consider scripting an update though to the ACL based on the current resolution of the hostnames if that's something your firewall can accommodate.

Edit: I have a ticket open with IT. I'll let you know what I get back.

Aaron

1
Comments on this Answer
Comment made 21-Aug-2013 by uni 1155
Any news Aaron? The address has gone back to the previous one (manual failback perhaps, prompted by your query :P)
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

mhh, interesting. It looks like a different IP address. Now, i get 208.85.209.4. In the last years, I changed the IP one more time. From 65.61.115.202 to 65.61.115.251. I dont know, why they do something like that. Its no nice way. And there was no informations about that.

0
Comments on this Answer
Comment made 14-Aug-2013 by uni 1155
OK, we've established that it changes - hopefully it is because they use GTM :) It would be handy to know what possible addresses it could be. I suppose the same applies to callhome.f5.com.
0
Comment made 14-Aug-2013 by Torti 806
no, the change hansn't anything to do with the module. f5 did change the IP behind activate.f5.com. callhome.f5.com wasn't changed, its still 65.61.115.198
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I have no experience with ASM updates - do you have the capability to configure the endpoint for the updates, or is that hard-coded to activate.f5.com?

0
Comments on this Answer
Comment made 14-Aug-2013 by smp 374
Actually, this is probably irrelevant. I was going to propose a half-baked idea of creating a VIP with an iRule which resolves activate.f5.com and uses it for a Pool Member. However, I am confusing products - ASM is not an LTM...sorry.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

One could use whois on a couple of the different IP addresses you've found above to get the full ranges.

Aaron

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

there exists a solution paper for the IP addresses: SOL15202

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

IP addresses for F5 services are documented in article K15202

Look here if you want to know what addresses and ports to allow through your firewall to access activate.f5.com, callhome.f5.com, ihealth etc.

As at today, you really need to allow access to 104.219.104.0/21:443 for any of these.

0