Nimbostratus
I have my F5s that are publicly accessible from the https and i'd like to enable/disable the Management GUI from the command line for more security.
So whenever I need to have access to GUI, I'll enable it from ssh.
I read about the Lockdown option (where I can manually Deny HTTPS for a self-ip), but how to do it in ssh ? Can I just simply stop httpd ?
Thanks !
Altostratus
"bigpipe self 1.1.1.1 allow none" would block everything. otherwise, you need "protocol/port"
Nimbostratus
I'm afraid I'm gonna break something if I allow none.
So I'll have configure manually on both self-ip services listed here https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7317.html and then, just remove/add the allow the 443 when needed, correct ?
AltostratusNimbostratus
The config sync is on a different network, but one of our network failover unicast are using the public IP.
We use the floating address as a default gateway for our web servers in a pool that use a VIP (the VIP, the external and internal VLAN are on the same subnetwork)
I'm afraid if I allow none on those IP, my web servers won't be able to use the gateway any more for 80 and 443.
AltostratusWe have 2 BigIP on 2 different locations for redundancy, each one has a public ip address, and the floating one.
The config sync is on a different network, but one of our network failover unicast are using the public IP.
We use the floating address as a default gateway for our web servers in a pool that use a VIP (the VIP, the external and internal VLAN are on the same subnetwork)
I'm afraid if I allow none on those IP, my web servers won't be able to use the gateway any more for 80 and 443.
http://support.f5.com/kb/en-us/prod...821011358
The self-IP is being used as the gateway but is not the destination for your traffic. As an example, are you currently doing allow all or allow default? If you're allowing default, port 80 isn't allowed.
NimbostratusAltostratusAltostratus
So, I wonder if the best way isn't to manually edit the config file.
In bigip_base.conf, your self IP likely looks like this:
net self 1.1.1.1/24 {
allow-service default
vlan internal
}
The best thing to do might be to change it to this and then load the config file:
net self 1.1.1.1/24 {
allow-service {
ospf:any
tcp:161
tcp:22
tcp:4353
tcp:53
udp:1026
udp:161
udp:4353
udp:520
udp:53
}
vlan internal
}
Cirrostratus
b self 192.168.44.11 {allow none}
b self 192.168.44.11 {allow default}
b self 192.168.44.11 {allow all}
This changes the config running in memory. You'd want to save the config to file using 'b base save'.
I haven't tested to see how to specify individual services, but I think it should be possible.
Aaron
AltostratusI think that's tmsh output which is slightly different than how the bigip_base.conf syntax looks. You should be able to set the config through bigpipe using syntax like this:
b self 192.168.44.11 {allow none}
b self 192.168.44.11 {allow default}
b self 192.168.44.11 {allow all}
This changes the config running in memory. You'd want to save the config to file using 'b base save'.
I haven't tested to see how to specify individual services, but I think it should be possible.
Aaron
I copied and pasted my actual bigip_base.conf syntax.
If he's currently using allow default, he can't add or remove anything without changing that first. Not sure why, but I got an error when trying.