
DIGITAL EDUCATION SERIES

JOB AID

Securing Management Access to the BIG-IP System

TABLE OF CONTENTS

Securing the Serial Console
    Configuring a Serial Console Timeout Value (console-inactivity-timeout)

Disabling the LCD Interface
    Disabling the LCD Interface from the Configuration Utility
    Disabling the LCD Interface from TMSH

BIG-IP ADMINISTRATOR TRAINING
BIG-IP FUNDAMENTALS CURRICULUM

SECURING MANAGEMENT ACCESS TO THE BIG-IP SYSTEM

Securing the Serial Console


The console-inactivity-timeout setting controls whether, and for how long, a connection to the BIG-IP system's serial
console port is allowed to remain idle before the connection is terminated. The default is 0 seconds, indicating that
timeout enforcement is disabled. You can change the setting to any value in the range of 0 to 2,147,483,647
seconds.

The serial console idle timeout does not begin counting down until the user exits the TMSH session or the
TMSH session times out. If the user is still logged in to the TMSH session, console-inactivity-timeout is not
enforced. To impose an automatic logout from the BIG-IP system for a user connected to the serial console, you
must set idle-timeout for the TMSH session as well as console-inactivity-timeout.

Changes to console-inactivity-timeout do not apply to the current serial console session. The user must log out and
back in to the serial console for the new setting to take effect.

Configuring a Serial Console Timeout Value (console-inactivity-timeout)

Requirements: You must be an Administrator or Resource Administrator to perform these steps.


1. By default, console-inactivity-timeout is 0 (zero) seconds, indicating timeout enforcement is disabled.

(tmos)# list /sys global-settings console-inactivity-timeout
sys global-settings {
    console-inactivity-timeout 0
}

2. Change the serial console idle timeout value to 3 minutes (180 seconds), and list its value again.

(tmos)# modify /sys global-settings console-inactivity-timeout 180
(tmos)# list /sys global-settings console-inactivity-timeout
sys global-settings {
    console-inactivity-timeout 180
}

3. Save the configuration change.

(tmos)# save /sys config


Disabling the LCD Interface


Many BIG-IP and VIPRION hardware systems include an LCD interface, either on the device's front panel or via an
external USB-connected unit. No credentials are required to use the interface. Instead, anyone who is familiar with
it and has physical access to it can use it to scroll through and execute potentially unauthorized or disruptive BIG-IP
administrative functions, such as configuring the management interface, rebooting, or even halting the system. As
such, it is beneficial to disable the System portion of the interface.

The LCD interface can be disabled using either the Configuration utility or TMSH.

Before disabling the system portion of the LCD interface, the System feature appears in the list of configurable
options, as shown in the graphic below:

After disabling the system portion of the LCD interface, the System feature no longer appears in the list of
configurable options, as shown in the graphic below:


Disabling the LCD Interface from the Configuration Utility

Requirements: You must be an Administrator or Resource Administrator to perform these steps.


1. On the BIG-IP system, navigate to System > Configuration : Device : General, uncheck the Display LCD
System Menu option, then click the Update button to save your changes.


Disabling the LCD Interface from TMSH

Requirements: You must be an Administrator to perform any of the tmsh modify commands.

1. List the current LCD system display settings. The LCD display's system settings option is enabled by default.

(tmos)# list /sys global-settings lcd-display
sys global-settings {
    lcd-display enabled
}

2. Disable the LCD system display, and relist its setting.

(tmos)# modify /sys global-settings lcd-display disabled
(tmos)# list /sys global-settings lcd-display
sys global-settings {
    lcd-display disabled
}

3. Save the configuration change.

(tmos)# save /sys config
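
The check below is an added example, not part of the F5 job aid: it audits captured tmsh list output for the serial console timeout, the TMSH idle-timeout it depends on, and the LCD setting. The sample stanzas are constructed, and the cli global-settings stanza for idle-timeout is an assumption, since the job aid names that setting but does not show its listing.

```shell
#!/bin/sh
# Added example, not F5 code: audit captured `tmsh list` output for the
# settings in this job aid. All sample data below is constructed.

# Print the value that follows KEY in tmsh stanza output read on stdin.
get_setting() { awk -v key="$1" '$1 == key { print $2; exit }'; }

# Read tmsh output on stdin and print one FAIL line per finding.
# Returns 0 when every check passes, 1 otherwise.
audit_mgmt_access() {
    cfg=$(cat); rc=0
    console=$(printf '%s\n' "$cfg" | get_setting console-inactivity-timeout)
    idle=$(printf '%s\n' "$cfg" | get_setting idle-timeout)
    lcd=$(printf '%s\n' "$cfg" | get_setting lcd-display)

    case "$console" in
        ''|*[!0-9]*) echo "FAIL console-inactivity-timeout: missing or not numeric"; rc=1 ;;
        *) [ "$console" -gt 0 ] ||
               { echo "FAIL console-inactivity-timeout: 0, enforcement disabled"; rc=1; } ;;
    esac
    # The console timer only starts after the TMSH session ends, so a console
    # timeout without a TMSH idle-timeout never logs an idle user out.
    case "$idle" in
        ''|disabled) echo "FAIL idle-timeout: ${idle:-missing}, console timeout not enforced while TMSH stays open"; rc=1 ;;
    esac
    [ "$lcd" = disabled ] ||
        { echo "FAIL lcd-display: ${lcd:-missing}, System menu usable without credentials"; rc=1; }
    return "$rc"
}

# Constructed sample: the defaults listed above, plus an assumed stanza for
# the TMSH idle-timeout (its listing is not shown in the job aid).
sample_defaults() {
    printf '%s\n' 'sys global-settings {' '    console-inactivity-timeout 0' \
        '    lcd-display enabled' '}' 'cli global-settings {' \
        '    idle-timeout disabled' '}'
}
# Constructed sample: console timeout and LCD fixed, TMSH idle-timeout not set.
sample_partial() {
    sample_defaults | sed -e 's/timeout 0$/timeout 180/' -e 's/lcd-display enabled/lcd-display disabled/'
}
# Constructed sample: all three settings hardened.
sample_hardened() { sample_partial | sed 's/idle-timeout disabled/idle-timeout 10/'; }

for s in sample_defaults sample_partial sample_hardened; do
    echo "== $s"; "$s" | audit_mgmt_access && echo "PASS"
done
```

The second sample is the case to watch for: console-inactivity-timeout is set to 180, yet the audit still fails because no TMSH idle-timeout is configured.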
