
K46122561: Restrict access to the BIG-IP management interface using network firewall rules


https://my.f5.com/manage/s/article/K46122561
Published Date: Mar 26, 2019 UTC Updated Date: Nov 07, 2023 UTC

Applies to

BIG-IP AAM : [15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP AFM : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1, 16.0.0,
16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP APM : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1, 16.0.0,
16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP ASM : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1, 16.0.0,
16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP Analytics : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1, 16.0.0,
16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP DNS : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1, 16.0.0,
16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP FPS : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1, 16.0.0,
16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP LTM : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1, 16.0.0,
16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP Link Controller : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1,
16.0.0, 16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1,
15.0.0, 15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

BIG-IP PEM : [17.1.1, 17.1.0, 17.1.X, 17.0.0, 17.0.X, 17.X.X, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.1.X, 16.0.1, 16.0.0,
16.0.X, 16.X.X, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.1.X, 15.0.1, 15.0.0,
15.0.X, 15.X.X, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.1.X]

Topic

You should consider using these procedures under the following condition:

You want to restrict access to the management interface by protocol, port, or IP address.

For information about this feature on the BIG-IQ system, refer to K92748202: Restrict access to the BIG-IQ
management interface using network firewall rules.

Description

Beginning in BIG-IP 14.1.0, you can configure network firewall rules to limit access to the management interface on the
BIG-IP system. The management interface network firewall rules use the same syntax as network firewall rules in BIG-IP
AFM, but they do not require the BIG-IP AFM module to be licensed and provisioned.

Note: This feature is available on BIG-IP 11.x, 12.x, and 13.x with the AFM module provisioned.

By default, the BIG-IP system allows access to the protocols and ports on the management interface listed in the
following table.

Service    Port  Protocol  Description
SSH        22    TCP       Secure Shell protocol
HTTPS      443   TCP       Hypertext Transfer Protocol Secure protocol
SNMP       161   TCP       Simple Network Management Protocol
SNMP       161   UDP       Simple Network Management Protocol
F5 HA      1026  UDP       Network failover communication for high availability
F5 iQuery  4353  TCP       iQuery protocol

Network firewall rules provide additional flexibility when configuring security for the management interface. You can
configure the action to accept, drop, or reject incoming connections based on the protocol, source ports and IP
addresses, and destination ports and IP addresses. For example, you can configure a positive security posture by
creating rules that allow access to specific ports on the management interface from specific hosts on your network, and
then making the last rule in the rule list a catch-all rule that drops all traffic destined for the management interface. As a
result, the BIG-IP system drops any traffic that does not match an allow rule.

Note: Since you can only configure management interface firewall rules for incoming connections, outgoing response
traffic for accepted connections is allowed by default.

Note: The system does not create the aforementioned deny-all rule automatically; you must explicitly create the deny-all
rule as the last rule in the rule list for it to block access from non-allowed sources. When configuring a deny-all rule, ensure
that you have a rule that allows access from your client system and that this rule appears before the deny-all rule in the
rule list. Otherwise, you may lose access to the management interface on the BIG-IP system.

Note: Firewall rules are synchronized between HA BIG-IP devices during a ConfigSync operation.

Prerequisites

You must meet the following prerequisite to use these procedures:

You have administrative access to the BIG-IP system.


Procedures

Add management interface network firewall rules using the Configuration utility
Add management interface network firewall rules using tmsh
Delete management interface network firewall rules using tmsh

For a brief demo of these procedures, watch the following video:

https://www.youtube.com/embed/asPpNp5X7vQ

Add management interface network firewall rules using the Configuration utility

Impact of procedure: The BIG-IP system denies access to the Configuration utility if the rule configuration is incorrect
for your environment.

1. Log in to the Configuration utility.
2. Go to System > Platform.
3. Select the Security tab.
4. To create a new rule, select Add.
5. Enter a name for the rule.
6. To automatically generate a Universally Unique Identifier (UUID) for the rule, select the Auto
Generate UUID check box. When you select this option, the BIG-IP system generates a unique 32-character
identifier for the rule.
7. For Order, select the order position for the new rule to appear in the rule list. The system processes rules from
top to bottom in the rule list.
8. For State, select the state you want the rule to take after saving.
9. For Protocol, select Any to match any protocol.
10. For Source, for Address/Region, select Specify, then select the appropriate option:
1. If you select Address, enter the source IP address, and select Add. Repeat as necessary to add more
source IP addresses.
2. If you select Address List, select the address list you want to use, and select Add.
3. If you select Address Range, enter the beginning and ending source IP addresses for the range, and
select Add. Repeat as needed to add more IP address ranges.
11. For Source, for Port, select Specify, then select the appropriate option:

Note: This Port option is available for selection when you select TCP or UDP at step 9 for Protocol.

1. If you select Port, enter the source port number, and select Add. Repeat as necessary to add more port
numbers.
2. If you select Port List, select the port list, and select Add.
3. If you select Port Range, enter the beginning and ending source port numbers for the range, and select
Add. Repeat to add more port number ranges as needed.
12. For Destination, for Address/Region, select Specify, then select the appropriate option:
1. If you select Address, enter the destination IP address, and select Add. Repeat as necessary to add
more destination IP addresses.
2. If you select Address List, select the address list, and select Add.
3. If you select Address Range, enter the beginning and ending destination IP addresses for the range, and
select Add. Repeat as needed to add more IP address ranges.
13. For Destination, for Port, select Specify, then select the appropriate option:

Note: This Port option is available for selection when you select TCP or UDP at step 9 for Protocol.

1. If you select Port, enter the destination port number, and select Add. Repeat as necessary to add more
port numbers.
2. If you select Port List, select the port list, and select Add.
3. If you select Port Range, enter the beginning and ending destination port numbers for the range, and
select Add. Repeat to add more port number ranges as needed.
14. For Action, select the action to perform when the rule matches. If you select Disable, the system does not apply
the rule after creation.
15. For Logging, select Enabled to enable logging for the rule. Log messages are logged to the /var/log/ltm file.

Note: For the BIG-IP system to log locally, the local-syslog setting must be enabled in the
default-mgmt-acl-log-publisher log publisher.

Example:

You can use the following settings to add a new deny-all rule named rejectAll to reject traffic:

Setting      Value
Name         rejectAll
UUID         Auto Generate UUID
Order        Last
State        Enabled
Protocol     Any
Source       Any
Destination  Any
Action       Reject

Add management interface network firewall rules using tmsh

To configure network firewall rules for the management port using the TMOS Shell (tmsh), perform the following
procedure:

Impact of procedure: The BIG-IP system denies access to the Configuration utility if the rule configuration is incorrect
for your environment.

1. Log in to tmsh by entering the following command:

tmsh

2. Add a new network firewall rule using the following command syntax:

modify /security firewall management-ip-rules rules add { <rule-name> {
    action [accept|drop|reject]
    app-service <service>
    description <description>
    destination { [addresses|address-list|port-list|ports] add { <destination> } }
    icmp [add|delete|modify|replace-all-with|none] { [type|type:code] }
    ip-protocol <protocol>
    log [no|yes]
    place-after [first|last|<rule name>]
    place-before [first|last|<rule name>]
    rule-list <rule-list>
    schedule <schedule>
    source { [addresses|address-list|port-list|ports] add { <source> } }
    status [disabled|enabled|scheduled]
    uuid [uuid value string|auto-generate|none]
} }

For example, to allow access to the Configuration utility on management IP 192.168.100.100 from host IP range
10.10.10.1 - 10.10.10.10, you can use the settings in the following table.

Setting           Value
Name              example_mgmt_rule
UUID              Auto Generate UUID
Order             First
State             Enabled
Protocol          TCP
Source IP         10.10.10.1 - 10.10.10.10
Source Port       Any
Destination IP    192.168.100.100
Destination Port  443
Action            Accept
Logging           Enabled

To add a rule using these example settings, enter the following command without line breaks:

modify /security firewall management-ip-rules rules add { example_mgmt_rule { action accept destination { addresses add { 192.168.100.100 } ports add { 443 } } ip-protocol tcp log yes place-before first source { addresses add { 10.10.10.1-10.10.10.10 } ports none } status enabled uuid auto-generate } }

3. Save the changes by entering the following command:

save /sys config

Additional Examples:

You can use the following command to add a new deny-all rule named rejectAll to reject traffic:

modify /security firewall management-ip-rules rules add { rejectAll { action reject ip-protocol any log
no place-after last schedule none status enabled uuid auto-generate icmp none destination {
address-lists none addresses none port-lists none ports none } source { address-lists none addresses
none port-lists none ports none } } }
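The following bash script is an added example and is not part of the F5 article. It generates the allow rule and the deny-all rule from the two tmsh examples above in the correct order, and it refuses to emit the deny-all rule unless the client address you are connected from falls inside the allow range, which is the lock-out risk the note in the Description warns about. The rule name allow_admin_https, the admin range 10.10.10.1-10.10.10.10, and the management IP 192.168.100.100 are constructed sample values; the script prints the tmsh commands for review rather than running them.

```shell
#!/bin/bash
# Constructed sample values (assumptions, not from the article).
ALLOW_START="10.10.10.1"
ALLOW_END="10.10.10.10"
MGMT_IP="192.168.100.100"

# Convert a dotted-quad IPv4 address to an integer so ranges can be compared.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed (exit 0) when $1 lies within the inclusive IPv4 range $2-$3.
in_range() {
  local ip start end
  ip=$(ip2int "$1"); start=$(ip2int "$2"); end=$(ip2int "$3")
  [ "$ip" -ge "$start" ] && [ "$ip" -le "$end" ]
}

# Allow HTTPS (443) from the admin range to the management IP, placed first.
allow_rule() {
  printf 'modify /security firewall management-ip-rules rules add { allow_admin_https { action accept destination { addresses add { %s } ports add { 443 } } ip-protocol tcp log yes place-before first source { addresses add { %s-%s } ports none } status enabled uuid auto-generate } }\n' \
    "$MGMT_IP" "$ALLOW_START" "$ALLOW_END"
}

# Catch-all reject rule, placed last; mirrors the article's rejectAll example.
deny_all_rule() {
  printf 'modify /security firewall management-ip-rules rules add { rejectAll { action reject ip-protocol any log no place-after last schedule none status enabled uuid auto-generate icmp none destination { address-lists none addresses none port-lists none ports none } source { address-lists none addresses none port-lists none ports none } } }\n'
}

# Guard: only emit the ruleset when the client IP ($1) is covered by the allow
# rule, so applying it cannot lock out the session that applied it.
generate_ruleset() {
  local client_ip="$1"
  if ! in_range "$client_ip" "$ALLOW_START" "$ALLOW_END"; then
    echo "refusing: client $client_ip is outside $ALLOW_START-$ALLOW_END" >&2
    return 1
  fi
  allow_rule
  deny_all_rule
  echo "save /sys config"
}

# Sample run with a constructed client address; in a real SSH session use
# "${SSH_CLIENT%% *}" to obtain the address you are connected from.
generate_ruleset "10.10.10.5"
```

Paste the printed commands into tmsh only after checking that the first line is the allow rule and the rejectAll rule follows it.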

Delete management interface network firewall rules using tmsh


Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to tmsh by entering the following command:

tmsh

2. Delete the rule using the following command syntax:

modify /security firewall management-ip-rules rules delete [<rule name>|all]

For example, to delete the rule named example_mgmt_rule, enter the following command:

modify /security firewall management-ip-rules rules delete { example_mgmt_rule }

3. Save the change by entering the following command:

save /sys config

Related Content
K13092: Overview of securing access to the BIG-IP system
K94615110: Configuring firewall rules on the BIG-IP management port without additional license
K17333: Overview of port lockdown behavior (12.x - 17.x)
