Forum Discussion

InquisitiveMai
May 29, 2024

Deny access to F5 management from specific addresses

Trying to figure out if there is a way to deny a specific address when a subnet is allowed under

System --> Platform --> SSH IP allow 172.16/16, but I want to deny specific addresses, ex: 172.16.20.21 172.16.20.30


Is that possible?


6 Replies

  • What code version are you running? I'm currently running 14.1.4.5 and if you go to the path you're referring to it doesn't exist, my path is "System" -> "Platform" -> "Security" and under here you can specify source and destination IP. From my understanding this is processed much like most firewall rules, from top to bottom, so you can allow single IPs and then block the rest of the subnet.

  • Thank you for your response Paulius, the SSH IP allow option is under "User Administration" (System --> Platform --> Configuration). I see the Security option (System --> Platform --> Security).

    I have a few questions:

    1. If I have certain IP addresses in (System --> Platform --> Configuration) User Administration "SSH Allow", ex: 172.16.0.0/16 10.1.20.30, and I create a Security policy (System --> Platform --> Security), which one will take preference? Do I need to set SSH allow to "All addresses" and then make the changes?
    2. What should we put for Destination in the rule? ex: SSHRule1, Order: First, State: enabled, Protocol: Other: 22, Source Address Specify: 172.16.20.21 and 172.16.20.30, Destination: should I specify an IP or leave it to any, as the policy applies only to management?
    3. After we add a rule to reject certain source addresses, we need to create a rule to allow the IP addresses that need access, ex: Rule2 172.16.0.0/16 10.1.20.30. Should the destination be Any?

    Should logging be enabled?

    1. So from my understanding the Security rules are hit first before anything else, so if you allow SSH through the security rule but then deny it under SSH then it will ultimately be denied. If you created a deny in the security rule and then an allow in SSH this would still be blocked because security rules are hit first. It is best practice to restrict in both areas if you use the security rules in addition to things such as SNMP and SSH. If it can be helped I would only have a restriction in the protocol-specific location unless some compliance rule forces you to use both.
    2. If you are looking at restricting management access you would put the management IP of the BIG-IP. Keep in mind that these security rules sync between HA appliances so your rule on unit 0 would need its management IP and the management IP of unit 1 as the destination. You always want to be as specific as you can, so if you have source IP, destination IP, port, and protocol then put it all in.
    3. Yes, if you put the allow for IPs that are part of a subnet and you set your default action as drop then you shouldn't have to put in a deny. I put in a deny because I like to have a hit count for specific traffic that I want to block and then I can go later and figure out why those blocked IPs are even trying to reach the BIG-IP in the first place. I would enable logging on your denies but probably not your allows. Some compliance rules require you to log everything but unless forced I would only log the denies.
    • InquisitiveMai

      The Deny is working with "any" protocol, only https does not work but ssh works. I am not able to specify ssh port 22. As soon as I put port 22 it goes to xns-idp, and selecting "other: 443" gives a range 0 to 255. "Rejecting" TCP, i.e. port 6, seems to block both https and ssh.
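The evaluation order Paulius describes above (security rules hit first, top to bottom, default drop, then the SSH IP allow list) as a small Python model, added here by the editor and not code from the thread or from F5. The Rule fields, the sample rule set and the `shadowed()` ordering check are assumptions of this model, not BIG-IP configuration syntax; the model keeps IP protocol and destination port as separate fields, which is the distinction behind "Other: 22" showing up as xns-idp in the reply above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str            # "accept", "reject" or "drop"
    sources: list          # source CIDRs or bare IPs (treated as /32); empty list means any source
    protocol: str = "any"  # IP protocol "tcp"/"udp"/"any"; TCP is IP protocol 6, a separate thing from port 22
    ports: tuple = ()      # destination ports; empty means any port
    hits: int = 0          # hit counter, the reason Paulius keeps explicit deny rules

def src_in(src, nets):
    return any(ip_address(src) in ip_network(n, strict=False) for n in nets)

def evaluate(rules, src, proto, port, default="drop"):
    """Management-IP security rules: first match wins, top to bottom, else the default action."""
    for r in rules:
        if (r.protocol in ("any", proto) and (not r.ports or port in r.ports)
                and (not r.sources or src_in(src, r.sources))):
            r.hits += 1
            return r.action, r.name
    return default, "default"

def ssh_admitted(rules, ssh_allow, src):
    """Security rules are hit first; only traffic they accept is then checked against the SSH IP allow list."""
    action, name = evaluate(rules, src, "tcp", 22)
    if action != "accept":
        return False, f"security rules: {action} ({name})"
    if ssh_allow != ["all"] and not src_in(src, ssh_allow):
        return False, "SSH IP allow list: blocked"
    return True, f"security rules: accept ({name}); SSH IP allow list: ok"

def shadowed(rules):
    """Rules that can never fire because an earlier, broader rule already matches everything they would."""
    covers = lambda a, b: ip_network(a, strict=False).subnet_of(ip_network(b, strict=False))
    found = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e.protocol in ("any", r.protocol)
                    and (not e.ports or (r.ports and set(r.ports) <= set(e.ports)))
                    and (not e.sources or (r.sources and all(any(covers(s, t) for t in e.sources) for s in r.sources)))):
                found.append((r.name, e.name))
                break
    return found

# Constructed rule set in the thread's order: reject the two hosts first, then allow the /16 and 10.1.20.30.
RULES = [Rule("SSHRule1", "reject", ["172.16.20.21", "172.16.20.30"], "tcp", (22,)),
         Rule("Rule2", "accept", ["172.16.0.0/16", "10.1.20.30"], "tcp", (22,))]
SSH_ALLOW = ["172.16.0.0/16", "10.1.20.30"]
```

Swapping the two rules makes `shadowed()` report SSHRule1 as unreachable, which is the ordering mistake that silently turns the specific deny into a no-op.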

  • Hi InquisitiveMai,

    It's possible by applying a management access list. System -> Platform -> then on the second tab there is a management access list. There you can specify the IPs which you want to block and what ports you want to block for those IPs. It's more of creating management IP rules.

    Hoping this helps your query.

    Thanks