Forum Discussion

iRule
Dec 05, 2020

Restricting Management Access in BIG-IP 15.1.0

Dear Community,

I need to restrict management access to specific source workstation IPs using the System - Platform - Security feature. The devices are in an HA pair.

If I create a rule to allow access to the management interface on TCP port 443 only from three source workstation IPs, what could the impact of this rule be on HA and failover?

Thanks

1 Reply

  • It would appear that security firewall rules for the management port are synchronized between the two systems in an HA pair. (My first instinct was that they were not.) So I tested with a v15.1 HA pair, first by adding two rules to the active system in my pair, as follows:

    The system immediately indicated changes were pending. (So much for my instincts!) I did a Config-sync and the rules were successfully synchronized with the standby system. Unfortunately, after the config-sync finished, I wound up being booted off my session to the management interface (from the same client) on the standby system at https://192.168.13.31. I then went back to the active system, where I was still logged on, and added a third rule to allow port 443 access to the standby system's management interface at 192.168.13.31 from my client at 192.168.4.30, and config-synced again. I could then log into the standby system once again. There does not seem to be an impact on any HA communication that is going on behind the scenes, as I added a virtual server and pool on the standby system, synced it to the active system, and it synced just fine. For good measure, I then forced a manual failover from the active to the standby system, and that also worked just fine. So, aside from the need to do a Config-Sync after setting up the security firewall rules, there seems to be no impact on HA. But be careful how you set up the rules so you don't inadvertently deny yourself!

    Here is the final config, as shown from the GUI:

    ...and, for good measure, from TMSH:

    root@(bigip14)(cfg-sync In Sync)(Active)(/Common)(tmos)# list security firewall management-ip-rules
    security firewall management-ip-rules {
        rules {
            MGMT_Access {
                action accept
                ip-protocol tcp
                log yes
                rule-number 1
                destination {
                    addresses {
                        192.168.14.31 { }
                    }
                    ports {
                        https { }
                    }
                }
                source {
                    addresses {
                        192.168.4.30 { }
                    }
                }
            }
            MGMT_Access_13 {
                action accept
                ip-protocol tcp
                log yes
                rule-number 2
                destination {
                    addresses {
                        192.168.13.31 { }
                    }
                    ports {
                        https { }
                    }
                }
                source {
                    addresses {
                        192.168.4.30 { }
                    }
                }
            }
            MGMT_Deny {
                action reject
                ip-protocol tcp
                log yes
                rule-number 3
            }
        }
    }
    (END)
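The lockout the reply describes (a synced deny rule cutting off the standby unit before its management IP had its own accept rule) can be caught before config-sync by checking the rule set against every management IP in the pair. The following is an added example, not code from the thread or from F5: it parses the `tmsh list security firewall management-ip-rules` listing format shown above and reports any (management IP, admin workstation) pair whose first matching rule, in rule-number order, is not an accept. The sample listing is constructed from the reply's first accept rule and its deny rule; the management and workstation addresses are the ones the reply uses.

```python
# Constructed sample (not the thread's verbatim output): rule 1 from the reply plus the deny rule.
LISTING = """\
security firewall management-ip-rules {
    rules {
        MGMT_Access {
            action accept
            rule-number 1
            destination {
                addresses {
                    192.168.14.31 { }
                }
            }
            source {
                addresses {
                    192.168.4.30 { }
                }
            }
        }
        MGMT_Deny {
            action reject
            rule-number 3
        }
    }
}
"""
def parse_rules(listing):
    # Walk the brace blocks with a stack of block names; a block directly under "rules" is a rule.
    rules, stack = [], []
    for line in (raw.strip() for raw in listing.splitlines()):
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if len(stack) == 3 and stack[1] == "rules":
                rules.append({"name": stack[2], "dst": set(), "src": set()})
        elif line == "}":
            stack.pop()
        elif line.endswith("{ }") and len(stack) == 5 and stack[4] == "addresses":
            # "x { }" under destination/source addresses is an address of the current rule
            rules[-1]["dst" if stack[3] == "destination" else "src"].add(line.split()[0])
        elif line.startswith(("action ", "rule-number ")):
            key, val = line.split()
            rules[-1][key] = int(val) if key == "rule-number" else val
    return rules

def lockout_risks(rules, mgmt_ips, admin_ips):
    # First matching rule by rule-number decides; an empty address set matches any address.
    def verdict(mgmt, admin):
        for r in sorted(rules, key=lambda r: r["rule-number"]):
            if mgmt in (r["dst"] or {mgmt}) and admin in (r["src"] or {admin}):
                return r["action"]
        return "accept"  # no rule matched: management access is not restricted
    return [(m, a) for m in mgmt_ips for a in admin_ips if verdict(m, a) != "accept"]
```

Run against the sample, the check flags 192.168.13.31 from 192.168.4.30, which is exactly the standby session the reply lost; adding the third accept rule clears it.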