Target environment
- BIG-IP Virtual Edition
- version 15.x.x
Port Lockdown setting for Self IPs
Port Lockdown is one of the settings available on a Self IP.
Port Lockdown specifies which protocols and services the Self IP accepts inbound connections for; anything not allowed by the setting is dropped at the Self IP.
The Port Lockdown value choices are:
- Allow Default
- Allow All
- Allow None
- Allow Custom
- Allow Custom (Include Default)
Port lockdown exceptions
The following communications are allowed regardless of the Port Lockdown setting.
- TCP mirroring ports
- TCP port 4353
- ICMP
- Traffic destined for services configured on the virtual server
Allow Default
The following protocols and services are allowed.
- IGMP
- OSPF
- PIM
- TCP/4353 – iQuery
- UDP/4353 – iQuery
- TCP/443 – HTTPS
- TCP/161 – SNMP
- UDP/161 – SNMP
- TCP/22 – SSH
- TCP/53 – DNS
- UDP/53 – DNS
- UDP/520 – RIP
- UDP/1026 – network failover
You can check the protocols and services allowed by default with the tmsh list net self-allow command in the CLI.
config # tmsh list net self-allow
net self-allow {
    defaults {
        igmp:any
        ospf:any
        pim:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}
Allow All
Allows all connections to the Self IP on any protocol and port.
Allow None
Allows no connections to the Self IP, apart from the Port Lockdown exceptions listed above.
Allow Custom
Select this option to manually set the protocols and services you want to allow.
Allow Custom (Include Default)
Select this option to allow manually configured protocols and services in addition to the protocols and services allowed by the Allow Default option.
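The following is an added example, not code from the original page or from F5: a small audit script that reads the per-Self-IP allow-service values and reports which Self IPs are wider than Allow Default (Allow All, or custom services beyond the defaults listed above). It assumes the output of `tmsh list net self all allow-service` has the same brace layout as the `net self-allow` listing on this page; the sample output embedded below is constructed for the example, not captured from a device.

```python
import re
from typing import Dict, List

# Constructed sample of `tmsh list net self all allow-service` output
# (not captured from a real BIG-IP; shaped after the tmsh listing on this page).
SAMPLE_TMSH_OUTPUT = """\
net self selfip-external {
    allow-service all
}
net self selfip-internal {
    allow-service {
        default
        tcp:8443
    }
}
net self selfip-ha {
    allow-service none
}
net self selfip-admin {
    allow-service {
        tcp:ssh
        tcp:https
    }
}
"""

# Services granted by "Allow Default", taken from `tmsh list net self-allow`.
DEFAULT_SERVICES = {
    "igmp:any", "ospf:any", "pim:any",
    "tcp:domain", "tcp:f5-iquery", "tcp:https", "tcp:snmp", "tcp:ssh",
    "udp:520", "udp:cap", "udp:domain", "udp:f5-iquery", "udp:snmp",
}


def parse_allow_service(text: str) -> Dict[str, List[str]]:
    """Map each Self IP name to its allow-service values.

    Handles the scalar form ("allow-service all" / "none") and the brace
    form that lists "default" and/or protocol:port entries.
    """
    result: Dict[str, List[str]] = {}
    current = None
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^net self (\S+) \{$", line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if current is None:
            continue
        if in_list:
            if line == "}":
                in_list = False
            elif line:
                result[current].append(line)
            continue
        m = re.match(r"^allow-service (\S+)$", line)
        if m:
            if m.group(1) == "{":
                in_list = True
            else:
                result[current].append(m.group(1))
            continue
        if line == "}":
            current = None
    return result


def classify(services: List[str]) -> str:
    """Return the Port Lockdown mode implied by the allow-service values."""
    if services == ["all"]:
        return "Allow All"
    if services == ["none"] or not services:
        return "Allow None"
    if "default" in services:
        return "Allow Default" if len(services) == 1 else "Allow Custom (Include Default)"
    return "Allow Custom"


def audit(text: str) -> Dict[str, Dict[str, object]]:
    """Report each Self IP's mode, whether it is Allow All, and any
    services beyond the Allow Default set."""
    report: Dict[str, Dict[str, object]] = {}
    for name, services in parse_allow_service(text).items():
        mode = classify(services)
        extra = sorted(s for s in services
                       if s not in DEFAULT_SERVICES and s not in ("default", "all", "none"))
        report[name] = {"mode": mode, "wide_open": mode == "Allow All", "extra": extra}
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_TMSH_OUTPUT).items():
        flag = "!!" if info["wide_open"] or info["extra"] else "  "
        print(f"{flag} {name:<18} {info['mode']:<30} extra={info['extra']}")
```

Run it against the real listing by piping `tmsh list net self all allow-service` into the script in place of the constructed sample; lines marked `!!` are the Self IPs to review, since Allow All exposes every listening daemon on that address and custom entries beyond the defaults are the ones that need a documented reason.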