Forum Discussion

ecce
Jun 20, 2017

Disable Echo reply on virtual address

Hi,


I just started to do my first labs on BIG-IP VE, using 12.1.1. I have configured a standard virtual server for 0.0.0.0/0 on VLAN "INSIDE" directing traffic to a firewall (The firewall interface is a pool with one node in it). I noticed clients can ping any IP address and get a response, and I want to disable this behaviour. I found this: https://support.f5.com/csp/article/K16885proc3


However, the ICMP ECHO setting (and ARP) is disabled/unchecked already. It does not seem to matter what I do with the setting; I get a response from any IP I ping from the client.


How do I disable the ping response behaviour?


4 Replies

  • Is the VIP 0.0.0.0/0 the only VIP that would match the IP-address you are pinging? Disabling ICMP Echo in the Virtual Address menu should suffice in disabling ping replies.


  • Have you followed the procedure below?

    * From the Configuration utility, click Local Traffic.
    * Navigate to Virtual Servers > Virtual Address List.
    * Click the Virtual Address to be modified.
    * For the ICMP Echo setting, select Disable.
    * Click Update.
    
  • The virtual address arp/icmp settings affect only traffic destined for the virtual address itself. It does not stop icmp traffic from flowing through the virtual server to a remote destination. You could set up packet filtering on bigip, Network > Packet Filters, to block icmp, but note this will block all icmp attempts, not just those for your 0.0.0.0/0 VS.


    I am guessing your 0.0.0.0/0 VS Protocol setting is set to "*All Protocols". This is what is allowing the VS to process icmp. If you desire TCP/UDP only you could create two 0.0.0.0/0 VS, one for Protocol:TCP and the other for Protocol:UDP.


  • ecce

    I solved this a while back, might as well write it here if someone else makes the mistake I did.


    I did not uncheck the Address Translation checkbox in the VS. So every single IPv4 address was translated to the firewall IP. And the firewall responded to ping.


    Yeah, I feel a bit stupid.
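As an added illustration (not from the thread or from F5), the two states of the wildcard virtual server described above in bigip.conf/tmsh merge syntax, plus the virtual-address setting from the K article. Object names fw_forward and fw_pool and the firewall address 192.0.2.1 are constructed placeholders; the two fw_forward definitions are alternatives, load only one.

```tmsh
# Added example, not from the thread. fw_forward, fw_pool and 192.0.2.1
# are constructed placeholders. Load with: tmsh load sys config merge from-terminal
#
# --- As configured in the question (the mistake): Address Translation left
# enabled on the wildcard VS, so the destination of every packet, including
# a ping to any IPv4 address, is rewritten to the firewall, which answers.
ltm virtual fw_forward {
    destination 0.0.0.0:any
    ip-protocol any
    mask any
    pool fw_pool
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans { INSIDE }
    vlans-enabled
}

# --- Corrected: Address Translation disabled. The original destination IP
# is preserved and the pool member is only the next hop, so any reply comes
# from the real destination rather than from the firewall.
ltm pool fw_pool {
    members {
        192.0.2.1:any {
            address 192.0.2.1
        }
    }
}
ltm virtual fw_forward {
    destination 0.0.0.0:any
    ip-protocol any
    mask any
    pool fw_pool
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans { INSIDE }
    vlans-enabled
}

# The virtual-address setting from K16885 only governs replies to the
# virtual address itself; it has no effect on ICMP passing through the VS.
ltm virtual-address 0.0.0.0 {
    arp disabled
    icmp-echo disabled
    mask any
}
```

If only TCP and UDP should pass, the third reply's alternative is two copies of the corrected fw_forward with ip-protocol tcp and ip-protocol udp respectively, which leaves ICMP with no matching VS.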