Forum Discussion

Anoop_Dharan_20
Jul 12, 2018

Limit TLSv1.0 for iquery

Hello Folks,

As I noticed, my security team's report says one of my self IPs (public facing) is using TLSv1.0 for communication when connected to through the openssl client. Is there any option available so that I could limit or disable the use of TLSv1.0 and make it use anything higher than that?

OpenSSL version - 1.0.1l, TMOS version - 11.6.2

The output of "openssl s_client -tls1 -connect ip.address:4353" clearly says the protocol used is TLSv1.

Aside, port lockdown for the self IP is set to custom and allowed only for port 4353.

 

2 Replies

  • What TMOS version are you running?

    Not sure, but likely something built into iQuery communication or something you would need to update in the F5 config DB.

     

  • I understand that you are interested in restricting queries over port 4353 to TLS v1.2. Support for TLS 1.2 was added in version 13.0 of BIG-IP, but this did not remove support for TLS 1.0 or TLS 1.1. Unfortunately there is no mechanism currently to restrict that to only permit TLS 1.2. The recommended mechanism for mitigating any vulnerability scans would be to lock down access to the management interface as per the methods previously discussed (i.e. iptables or AFM rules).

    iQuery is used by the GTM to communicate with other BIG-IP systems to exchange information.

    If you are using GTM/DNS, port 4353 must be allowed; blocking it will terminate the communication between the GTM and the other BIG-IP systems.

    There are two options to block port 4353:

    1) Use AFM (firewall module) to create a security profile.

    2) Use iptables to block the port.

    The following has examples of how to allow specific IPs/ports, along with a line for dropping all other 4353 traffic:

    iptables -A INPUT -s 10.128.30.0/24 -p tcp -m tcp --dport 4353 -j ACCEPT    <--- Allow network (for HA)
    iptables -A INPUT -s 172.24.157.32 -p tcp -m tcp --dport 4353 -j ACCEPT     <--- Allow mgmt from device 1
    iptables -A INPUT -s 172.24.157.35 -p tcp -m tcp --dport 4353 -j ACCEPT     <--- Allow mgmt from device 2
    iptables -A INPUT -p tcp -m tcp --dport 4353 -j DROP                        <--- Drop all other port 4353 traffic

    To permanently save iptables rules:

    In /etc/sysconfig/iptables-config check for:

    # Save current firewall rules on restart.
    # Value: yes|no, default: no
    # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets restarted.
    IPTABLES_SAVE_ON_RESTART="yes"

    service iptables save    <--- Save changes
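The two halves of this thread, checking which TLS versions the iQuery listener will negotiate (the original post's openssl s_client test, extended to TLS 1.1 and 1.2) and then fencing the port off with iptables (the second reply's rule set, generated from an allowlist), as one added example. This is not code from the thread or from F5: the host, port and allowlisted addresses are assumptions, the sample s_client output is constructed so the parser can be exercised offline, and it assumes `openssl` and coreutils `timeout` are on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Probes a BIG-IP self IP on
# the iQuery port for each TLS version and builds the iptables allowlist
# from the second reply. Host/port/addresses are assumptions.
set -u

IQUERY_PORT=4353

# Parse `openssl s_client` output and print the negotiated protocol, or
# "none" when no session was established. The "Protocol  :" line alone is
# not reliable: on a failed handshake s_client still prints the version it
# tried, so the "Cipher is (NONE)" line is used to detect the failure.
parse_s_client_protocol() {
    # $1: full s_client output
    printf '%s\n' "$1" | awk '
        /Cipher is \(NONE\)/ { none = 1 }
        /^ *Protocol *:/     { sub(/^ *Protocol *: */, ""); sub(/[ \t]+$/, ""); proto = $0 }
        END { if (none || proto == "") print "none"; else print proto }'
}

# Try one protocol flag (-tls1, -tls1_1, -tls1_2) against host:port.
# Returns 0 if the server completed a handshake with that version.
probe_tls_version() {
    local host=$1 port=$2 flag=$3 out
    out=$(printf 'Q\n' | timeout 10 openssl s_client "$flag" -connect "$host:$port" 2>/dev/null)
    [ "$(parse_s_client_protocol "$out")" != "none" ]
}

# Report accepted/rejected for every version the scanner would try.
report_tls_versions() {
    local host=$1 port=$2 flag
    for flag in -tls1 -tls1_1 -tls1_2; do
        if probe_tls_version "$host" "$port" "$flag"; then
            printf '%s accepted\n' "${flag#-}"
        else
            printf '%s rejected\n' "${flag#-}"
        fi
    done
}

# Emit the rule set from the reply: accept 4353 from each allowlisted
# peer (HA network, GTM partners), then drop 4353 from everyone else.
build_iquery_iptables_rules() {
    # $@: allowed source addresses or CIDRs
    local src
    for src in "$@"; do
        printf 'iptables -A INPUT -s %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$src" "$IQUERY_PORT"
    done
    printf 'iptables -A INPUT -p tcp -m tcp --dport %s -j DROP\n' "$IQUERY_PORT"
}

# Constructed samples of OpenSSL 1.0.x s_client session summaries, so the
# parser can be checked without a live BIG-IP.
SAMPLE_TLS1_ACCEPTED='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
---'

SAMPLE_REJECTED='---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
---'

# Usage: ./iquery_tls.sh <self-ip> [port]   (host is an assumption)
if [ "$#" -ge 1 ]; then
    report_tls_versions "$1" "${2:-$IQUERY_PORT}"
    echo "Rules to apply (review before running):"
    build_iquery_iptables_rules 10.128.30.0/24 172.24.157.32 172.24.157.35
fi
```

Run the probe from a host that the self IP's port lockdown already permits, otherwise every version reports as rejected for the wrong reason. The generated rules are printed rather than applied so they can be reviewed; as the reply notes, dropping 4353 from a real GTM peer breaks iQuery, so the allowlist must include every BIG-IP that the GTM synchronises with before the DROP rule goes in.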