How to make sure the F5 management access is restricted
The F5 is an application delivery controller that can be used for a variety of sensitive applications. While using the different capabilities of the device, we want to restrict and monitor who accesses it and make sure that only allowed clients can reach the management interface; otherwise, our system can be compromised.
The script pulls the allowed clients list from the F5 device and displays it on the Indeni live configuration dashboard; it also alerts us if the device is accessible from any IP.
Vendor Reference: https://support.f5.com/csp/article/K13309
Steps to identify allowed IP addresses manually:
Log into the F5 using SSH, enter TMSH and run the command "list /sys httpd allow". Each entry in the list represents an allowed IP address. If "All" exists, the management interface of the F5 device is accessible from any IP.
How it can be completed automatically with Indeni:
#! META
name: rest-mgmt-tm-sys-httpd-allowed
description: Get the management allowed ip list
type: monitoring
monitoring_interval: 1 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"
    shell: "bash"

#! COMMENTS
allowed-ips:
    why: |
        Allowing access to the F5 management interface from any IP address can cause a security issue. The access should be restricted.
    how: |
        This script logs into the F5 unit via iControl REST and retrieves the list of the management allowed IP addresses.
    without-indeni: |
        An administrator can log in to the unit through SSH, type TMSH and execute the command "list /sys httpd allow" to view the configured allowed IPs.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        This information is available via TMSH.

#! REMOTE::HTTP
url: /mgmt/tm/sys/httpd
protocol: HTTPS

#! PARSER::JSON
_metrics:
    -
        _tags:
            "im.name":
                _constant: "allowed-ips"
            "live-config":
                _constant: "true"
            "display-name":
                _constant: "Allowed Management IP Addresses"
            "device":
                _constant: "F5"
        _value.complex:
            "IP":
                _value: $.allow
        _value: complex-array
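The same check the script performs, written as a stand-alone Python example (added here, not part of the Indeni post or the F5 documentation): it reads the "allow" field of the /mgmt/tm/sys/httpd response the script queries, flags the "All" entry that the manual TMSH check looks for, and additionally lists unusually wide networks. The sample responses are constructed, and the /16 "wide network" threshold is an assumption, not an F5 rule.

```python
"""Assess an F5 BIG-IP management allow list from iControl REST output.

Added example; the /mgmt/tm/sys/httpd endpoint and its "allow" field are the
ones the post's script reads. Sample data is constructed; BROAD_PREFIX_LEN is
an assumed threshold, not something F5 defines.
"""
import base64
import ipaddress
import json
import urllib.request

BROAD_PREFIX_LEN = 16  # assumption: networks wider than a /16 deserve review


def fetch_httpd_config(host, user, password, timeout=10):
    """GET https://<host>/mgmt/tm/sys/httpd with HTTP Basic auth (not run here)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/mgmt/tm/sys/httpd",
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def assess_allow_list(httpd_config):
    """Return {'allow', 'unrestricted', 'broad'} for a parsed httpd response.

    'All' means the management interface answers to any source IP, which is
    exactly the condition the post's script alerts on.
    """
    allow = [str(e) for e in httpd_config.get("allow", [])]  # same as $.allow
    unrestricted = any(e.lower() == "all" for e in allow)
    broad = []
    for entry in allow:
        if entry.lower() == "all":
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # host -> /32 or /128
        except ValueError:
            continue  # not an address or network; leave it for a human to review
        if net.prefixlen < BROAD_PREFIX_LEN:
            broad.append(entry)
    return {"allow": allow, "unrestricted": unrestricted, "broad": broad}


# Constructed sample responses, shaped like iControl REST output.
OPEN_DEVICE = {"kind": "tm:sys:httpd:httpdstate", "allow": ["All"]}
LOCKED_DEVICE = {"kind": "tm:sys:httpd:httpdstate",
                 "allow": ["10.10.5.20", "10.0.0.0/8", "192.168.50.0/24"]}

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_DEVICE), ("locked", LOCKED_DEVICE)):
        print(name, assess_allow_list(cfg))
```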
Here is what it would look like on Indeni Console:
Use this script by downloading Indeni today. Thanks!