Forum Discussion

Bill_Callahan_8
Oct 07, 2009

Big-IP Local Traffic Self-ips for internet facing addresses

Is there a particular reason why I would not set the Self-IP on an interface for the Internet to deny all traffic? For any virtual servers, I am using separate IP addresses. Mostly, my concern is about allowing SSL and SSH access from the internet into the F5. Seems to make sense, but I have not been able to locate a definitive best practice. Seems like other than Self-IPs that I want to manage through, I would want to block pretty much everything.

4 Replies

  • I use the self addresses for management rather than the management interfaces for several reasons. However, I faced the same issue way in the past about how to protect the self-addresses from the internet. We basically used the firewall to protect it. Others have put in an ACL on the LTM on who can directly access the management interfaces.

    I am not sure if there is a best practice but I think default ALLOW is something that shouldn't be used if you want security.

    CB
  • I use the self-IPs for a backup for config-sync/fail-over stuff. I did, however, modify the default list to block http, https, and ssh.
  • Since I have extra unused ports on the LTM I also dedicated ports and plug them in directly, using a private addressing scheme for the config-sync.

    CB
  • I use "Port Lockdown" on the outside interfaces to solve the problem.

    For syncing - separate ports/VLAN.

    Management port for management.
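
Added example (not from the thread, and not F5 code): a small audit that reads the `net self` stanzas from a bigip.conf excerpt and flags any self-IP still set to Allow Default or Allow All, the "default ALLOW" the replies warn about. For each offender it prints the tmsh command that moves it to Allow None, or to a named list such as just iQuery on a dedicated config-sync VLAN, which is the split the last two replies describe. The sample config, self-IP names, addresses and VLAN names are constructed for illustration. The tmsh `allow-service` syntax and the contents of the default lockdown list are as documented by F5 for the versions I have used; confirm both against the documentation for your release before relying on them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed sample in the format tmsh writes to bigip.conf. Names, VLANs
# and addresses are made up for this example.
SAMPLE_CONF = """\
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
net self internal_self {
    address 10.0.0.10/24
    allow-service {
        tcp:ssh
        tcp:https
    }
    vlan internal
}
net self ha_self {
    address 192.168.255.10/30
    allow-service all
    vlan ha
}
net self dmz_self {
    address 198.51.100.10/24
    allow-service none
    vlan dmz
}
"""

STANZA_RE = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)
# allow-service is either a bare keyword (all / none) or a brace block of services.
SERVICE_RE = re.compile(r"allow-service (?:\{(.*?)\}|(\S+))", re.S)
# Services that hand a remote party a management or recon foothold.
MGMT_SERVICES = {"tcp:ssh", "tcp:https", "tcp:http", "tcp:snmp", "udp:snmp"}

@dataclass
class SelfIP:
    name: str
    address: str
    vlan: str
    allow_service: Optional[List[str]]  # None if the stanza has no allow-service line

def parse_self_ips(conf: str) -> List[SelfIP]:
    """Extract every `net self` stanza with its address, VLAN and lockdown list."""
    ips = []
    for name, body in STANZA_RE.findall(conf):
        addr = re.search(r"^\s*address (\S+)", body, re.M)
        vlan = re.search(r"^\s*vlan (\S+)", body, re.M)
        svc = SERVICE_RE.search(body)
        services = None
        if svc:
            services = svc.group(1).split() if svc.group(1) is not None else [svc.group(2)]
        ips.append(SelfIP(name, addr.group(1) if addr else "?",
                          vlan.group(1) if vlan else "?", services))
    return ips

def assess(ip: SelfIP) -> Dict[str, str]:
    """Rate one self-IP's port lockdown setting."""
    svc = ip.allow_service
    if svc is None:
        sev, why = "CHECK", f"no allow-service line; confirm with 'tmsh list net self {ip.name} allow-service'"
    elif svc == ["all"]:
        sev, why = "HIGH", "Allow All: every service TMM listens on is reachable via this self-IP"
    elif svc == ["default"]:
        sev, why = "HIGH", "Allow Default: F5's default list includes ssh, https, snmp, dns and iQuery (4353)"
    elif svc == ["none"]:
        sev, why = "OK", "Allow None"
    else:
        exposed = sorted(MGMT_SERVICES & set(svc))
        sev = "MEDIUM" if exposed else "LOW"
        why = "custom list: " + " ".join(svc)
        if exposed:
            why += "; management services exposed: " + " ".join(exposed)
    return {"name": ip.name, "address": ip.address, "vlan": ip.vlan, "severity": sev, "reason": why}

def remediation(ip: SelfIP, keep: Sequence[str] = ()) -> str:
    """tmsh command that locks the self-IP down: Allow None, or only the services in `keep`
    (e.g. tcp:f5-iquery udp:f5-iquery on a dedicated config-sync VLAN)."""
    if not keep:
        return f"tmsh modify net self {ip.name} allow-service none"
    return f"tmsh modify net self {ip.name} allow-service replace-all-with {{ {' '.join(keep)} }}"

def audit(conf: str) -> List[Dict[str, str]]:
    return [assess(ip) for ip in parse_self_ips(conf)]

if __name__ == "__main__":
    for ip in parse_self_ips(SAMPLE_CONF):
        f = assess(ip)
        print(f"{f['severity']:6} {ip.name:14} {ip.address:18} vlan={ip.vlan:9} {f['reason']}")
        if f["severity"] in ("HIGH", "MEDIUM"):
            print("       fix:", remediation(ip))
```

Run it against `tmsh save sys config` output (or the bigip.conf from a UCS) rather than the sample. A self-IP with a custom list that still carries tcp:ssh or tcp:https is rated MEDIUM on purpose: that is acceptable when an upstream firewall or ACL restricts who can reach it, as the first reply describes, but not on an internet-facing VLAN with nothing in front of it.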