How to make sure the F5 management access is restricted



The F5 is an application delivery controller that can be used for a variety of sensitive applications. Because of that, access to the device should be restricted and monitored so that only allowed clients can reach the management interface; otherwise, the system can be compromised.

The script pulls the allowed clients list from the F5 device and displays it on the Indeni live configuration dashboard. It also alerts us if the device is accessible from any IP.

Vendor Reference: https://support.f5.com/csp/article/K13309


Steps to identify allowed IP addresses manually:

Log into the F5 using SSH, enter TMSH and run the command "list /sys httpd allow". Each entry in the list represents an allowed IP address. If "All" exists, the management interface of the F5 device is accessible from any IP.


How it can be completed automatically with Indeni:

#! META
name: rest-mgmt-tm-sys-httpd-allowed
description: Get the management allowed ip list
type: monitoring
monitoring_interval: 1 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"
    shell: "bash"

#! COMMENTS
allowed-ips:
    why: |
        Allowing access to the F5 management interface from any IP address can cause a security issue. The access should be restricted.
    how: |
        This script logs into the F5 unit via iControl REST and retrieves the list of the management allowed IP addresses.
    without-indeni: |
        An administrator can log in to the unit through SSH, type TMSH and execute the command "list /sys httpd allow" to view the configured allowed IPs.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        This information is available via TMSH.

#! REMOTE::HTTP
url: /mgmt/tm/sys/httpd
protocol: HTTPS

#! PARSER::JSON

_metrics:
    -
        _tags:
            "im.name":
                _constant: "allowed-ips"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Allowed Management IP Addresses"
            "device":
                _constant: "F5"
        _value.complex:
            "IP":
                _value: $.allow
        _value: complex-array



Here is what it would look like on Indeni Console:




Use this script by downloading Indeni today. Thanks!
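The check the post describes (read the allow list, flag "All") can also be done offline against a saved response from /mgmt/tm/sys/httpd. The following is an added example, not part of the original post or of Indeni's code; the sample response bodies, the APPROVED networks and the function name audit_httpd_allow are assumptions made for illustration. It goes one step further than the post by also reporting entries that fall outside the approved management networks.

```python
import ipaddress
import json

# Constructed samples of a GET /mgmt/tm/sys/httpd response body; only the
# "allow" array (the field the script reads with $.allow) is included.
SAMPLE_OPEN = '{"allow": ["All"]}'
SAMPLE_RESTRICTED = '{"allow": ["10.1.20.0/255.255.255.0", "192.0.2.15", "172.16.5.9"]}'

# Assumption: the networks your organisation approves for management access.
APPROVED = ["10.1.20.0/24", "192.0.2.15/32"]


def audit_httpd_allow(body, approved):
    """Classify each entry of the httpd allow list.

    Returns a dict with:
      unrestricted - True if "All" is present (any IP may connect)
      outside      - entries that parse as an address or network but are
                     not contained in any approved network
      unparsed     - entries that are not plain addresses or networks;
                     these need a manual review
    """
    approved_nets = [ipaddress.ip_network(n, strict=False) for n in approved]
    result = {"unrestricted": False, "outside": [], "unparsed": []}
    for entry in json.loads(body).get("allow") or []:
        # Compared case-insensitively as a defensive choice; the post shows "All".
        if entry.strip().lower() == "all":
            result["unrestricted"] = True
            continue
        try:
            # Accepts a single address, CIDR, or IPv4 address/netmask notation.
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            result["unparsed"].append(entry)
            continue
        covered = any(net.version == a.version and net.subnet_of(a)
                      for a in approved_nets)
        if not covered:
            result["outside"].append(entry)
    return result


if __name__ == "__main__":
    for name, body in (("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED)):
        print(name, audit_httpd_allow(body, APPROVED))
```
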

Congrats Daniel on your first automation script!
