[BIG-IP] What is the Port Lockdown setting for Self IPs?


Target environment

  • BIG-IP Virtual Edition
    • version 15.x.x

Port Lockdown setting for Self IPs

Port Lockdown is one of the settings on a Self IP.

It specifies which protocols and services the BIG-IP system accepts on that Self IP address. Connections to the Self IP for any other service are not accepted, so the setting controls how much of the BIG-IP itself (SSH, HTTPS, SNMP and so on) is reachable from the VLAN the Self IP sits on.

The Port Lockdown value choices are:

  • Allow Default
  • Allow All
  • Allow None
  • Allow Custom
  • Allow Custom (Include Default)

Port lockdown exceptions

The following traffic is accepted regardless of the Port Lockdown setting.

  • TCP mirroring ports
  • TCP port 4353
  • ICMP
  • Traffic destined for services configured on the virtual server

Allow Default

Allow Default allows the following protocols and services.

  • IGMP
  • OSPF
  • PIM
  • TCP/4353 – iQuery
  • UDP/4353 – iQuery
  • TCP/443 – HTTPS
  • TCP/161 – SNMP
  • UDP/161 – SNMP
  • TCP/22 – SSH
  • TCP/53 – DNS
  • UDP/53 – DNS
  • UDP/520 – RIP
  • UDP/1026 – network failover

You can confirm the list that Allow Default expands to with the tmsh list net self-allow command on the CLI. Note that tmsh prints service names rather than port numbers; for example udp:cap is UDP/1026 (network failover) and tcp:f5-iquery is TCP/4353.

config # tmsh list net self-allow
net self-allow {
    defaults {
        igmp:any
        ospf:any
        pim:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}

Allow All

Allow All accepts connections on every protocol and service on the Self IP. This exposes the management services (SSH, HTTPS, SNMP) to the whole VLAN and should be avoided on any Self IP that faces an untrusted network.

Allow None

Allow None accepts no connections on the Self IP, apart from the exceptions listed above.

Allow Custom

Select this option to specify by hand exactly which protocols and services are allowed; nothing from the Allow Default list is included unless you add it.

Allow Custom (Include Default)

Select this option to allow the protocols and services you specify in addition to everything allowed by Allow Default.
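The five choices above map onto the allow-service property of each Self IP, which is what tmsh list net self shows. The script below is an added example (not F5 code and not from the original page): it parses that output, works out which Port Lockdown choice each Self IP is using, expands Allow Default and Allow Custom (Include Default) into concrete proto:port pairs, and reports every Self IP that is open wider than the Allow Default baseline. The text layout of tmsh list net self, the sample output, and the replace-all-with remediation syntax are assumptions; the service-name-to-port mapping comes from the Allow Default list on this page.

```python
"""Audit Self IP port lockdown from `tmsh list net self` output.

Added example for this page; it is not F5 code. The `tmsh list net self`
text layout, the sample below and the remediation command are assumptions.
"""
import re

# Constructed sample, modelled on `tmsh list net self` output (assumption).
SAMPLE = """\
net self external {
    address 203.0.113.10/24
    allow-service all
    vlan external
}
net self internal {
    address 10.1.20.1/24
    allow-service {
        default
    }
    vlan internal
}
net self ha {
    address 10.1.30.1/24
    allow-service {
        default
        tcp:8443
        udp:1026
    }
    vlan ha
}
net self quiet {
    address 10.1.40.1/24
    allow-service none
    vlan internal
}
"""

# Service names as tmsh prints them, mapped to the ports listed under Allow Default.
NAMED_PORTS = {"domain": 53, "f5-iquery": 4353, "https": 443,
               "snmp": 161, "ssh": 22, "cap": 1026}

def normalize(service):
    """'tcp:https' -> 'tcp:443'; numeric ports and 'any' pass through unchanged."""
    proto, _, port = service.partition(":")
    return f"{proto}:{NAMED_PORTS.get(port, port)}"

# What Allow Default opens, as shown by `tmsh list net self-allow` on the page.
ALLOW_DEFAULT = {normalize(s) for s in (
    "igmp:any", "ospf:any", "pim:any", "tcp:domain", "tcp:f5-iquery",
    "tcp:https", "tcp:snmp", "tcp:ssh", "udp:520", "udp:cap", "udp:domain",
    "udp:f5-iquery", "udp:snmp")}

SELF_RE = re.compile(r"^net self (\S+) \{$")

def parse_self_ips(text):
    """Return {name: {'address': str, 'allow': 'all' | 'none' | set()}}."""
    selfs, current, in_allow = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SELF_RE.match(line)
        if m:
            current = selfs[m.group(1)] = {"address": None, "allow": set()}
            continue
        if current is None:
            continue
        if in_allow:                      # inside `allow-service { ... }`
            if line == "}":
                in_allow = False
            else:
                current["allow"].add(line)
        elif line.startswith("address "):
            current["address"] = line.split(None, 1)[1]
        elif line in ("allow-service all", "allow-service none"):
            current["allow"] = line.split()[-1]
        elif line == "allow-service {":
            in_allow = True
        elif line == "}":                 # end of this `net self` block
            current = None
    return selfs

def lockdown_mode(allow):
    """Map the allow-service value back to the GUI's Port Lockdown choice."""
    if allow == "all":
        return "Allow All"
    if allow == "none":
        return "Allow None"
    if allow == {"default"}:
        return "Allow Default"
    return "Allow Custom (Include Default)" if "default" in allow else "Allow Custom"

def effective_services(allow):
    """Concrete proto:port set; None means unbounded (Allow All)."""
    if allow == "all":
        return None
    if allow == "none":
        return set()
    services = {normalize(s) for s in allow if s != "default"}
    return services | ALLOW_DEFAULT if "default" in allow else services

def audit(text, baseline=ALLOW_DEFAULT):
    """List (name, mode, extra_services) for self IPs open wider than baseline."""
    findings = []
    for name, cfg in parse_self_ips(text).items():
        eff = effective_services(cfg["allow"])
        extra = ["*"] if eff is None else sorted(eff - baseline)
        if extra:
            findings.append((name, lockdown_mode(cfg["allow"]), extra))
    return findings

def remediation(name, services=("default",)):
    """tmsh command resetting a self IP's allow-service list (assumed syntax)."""
    return f"tmsh modify net self {name} allow-service replace-all-with {{ {' '.join(services)} }}"

if __name__ == "__main__":
    for name, mode, extra in audit(SAMPLE):
        print(f"{name}: {mode}, beyond Allow Default: {extra}")
        print("  fix:", remediation(name))
```

Feed it the real output of tmsh list net self (for example, saved to a file and read in place of SAMPLE) and treat every Allow All hit on an external-facing VLAN as a finding; a Self IP whose only purpose is carrying application traffic to virtual servers can normally be set to Allow None, because traffic to virtual servers is exempt from port lockdown anyway.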

References

https://support.f5.com/csp/article/K17333
