Self IP not locked down-f5-all
Vendor: f5
OS: all
Description:
Best practice is to lock down every self IP so that it does not expose admin services; indeni will alert if this is not the case.
Remediation Steps:
Unless this is intentionally configured, such as a dedicated cable or VLAN for HA, it is always recommended to have the Self IP configuration set to “Allow None”. Make sure to schedule a service window before configuring this option.
How does this work?
This alert logs into the device through SSH and uses TMSH to retrieve the port lockdown configuration for all self IPs.
Why is this important?
Unless this is intentionally configured, such as a dedicated cable or VLAN for HA, it is recommended for security reasons to have the Self IP configuration set to “Allow None”. In previous versions the default option when creating a self IP was “Allow Default”, and that configuration was carried over during upgrades. This metric keeps track of self IPs listening on any services. Please note that ICMP is implicitly allowed no matter what the port lockdown settings are, and does not need to be specified.
Without Indeni how would you find this?
An administrator could check this metric manually by logging into the device through TMSH and executing the command “list net self”; the allow-service line of each self IP shows its port lockdown setting.
f5-rest-net-self
name: f5-rest-net-self
description: Determine self ip and network mask
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    network-interface-ipv4-address:
        why: |
            To be able to search for IP addresses in indeni, this data needs to be stored.
        how: |
            This alert logs into the F5 unit through the iControl REST API and retrieves the IPv4 addresses of all self IPs.
        can-with-snmp: true
        can-with-syslog: false
    network-interface-ipv4-subnet:
        why: |
            To be able to search for IP addresses in indeni, this data needs to be stored.
        how: |
            This alert logs into the F5 unit through the iControl REST API and retrieves the IPv4 subnets of all self IPs.
        can-with-snmp: true
        can-with-syslog: false
    f5-port-lockdown-not-none:
        why: |
            Unless this is intentionally configured, such as a dedicated cable or VLAN for HA, it is recommended for security reasons to have the Self IP configuration set to "Allow None". In previous versions the default option when creating a self IP was "Allow Default", and that configuration was carried over during upgrades. This metric keeps track of self IPs listening on any services. Please note that ICMP is implicitly allowed no matter what the port lockdown settings are, and does not need to be specified.
        how: |
            This alert logs into the device through SSH and uses TMSH to retrieve the port lockdown configuration for all self IPs.
        can-with-snmp: false
        can-with-syslog: false
    f5-default-port-lockdown:
        why: |
            In earlier versions of TMOS the default port lockdown setting was "default". Leaving this setting in place could allow an attacker access to the management services of the device.
        how: |
            This alert logs into the device through SSH and uses TMSH to retrieve the port lockdown configuration for all self IPs.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/net/self?$select=fullPath,address,allowService
    parse:
        type: JSON
        file: rest-mgmt-tm-net-self.parser.1.json.yaml
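The check the rule performs, written out as an added example (not indeni's parser or rule code): it takes the JSON returned by the /mgmt/tm/net/self query above and reports every self IP whose port lockdown is not "Allow None", ranking "all" and "default" above an explicit service list. The sample response is constructed, and the code assumes that a self IP set to "Allow None" has no allowService key in the REST output; the ha_self_ips parameter is a hypothetical allow-list for self IPs intentionally left open, such as a dedicated HA VLAN.

```python
import json

# Constructed sample of the JSON that
# /mgmt/tm/net/self?$select=fullPath,address,allowService returns.
# Names and addresses are illustrative, not taken from a real device.
SAMPLE_RESPONSE = json.dumps({"items": [
    {"fullPath": "/Common/external", "address": "203.0.113.10/24",
     "allowService": ["default"]},
    {"fullPath": "/Common/internal", "address": "10.0.0.10/24"},
    {"fullPath": "/Common/ha", "address": "192.168.255.1/24",
     "allowService": ["all"]},
    {"fullPath": "/Common/app", "address": "10.0.1.10/24",
     "allowService": ["tcp:22", "udp:1026"]},
]})


def allowed_services(item):
    """Normalise allowService to a set of service strings.
    Assumption: a self IP set to 'Allow None' carries no allowService key,
    so a missing key (or an empty list) means nothing is exposed."""
    value = item.get("allowService") or []
    if isinstance(value, str):
        value = [value]
    return set(value)


def check_port_lockdown(response_text, ha_self_ips=()):
    """One finding per self IP whose port lockdown is not 'Allow None'.
    ha_self_ips (hypothetical allow-list): fullPaths intentionally left
    open, e.g. a dedicated HA VLAN; these are skipped, not reported."""
    findings = []
    for item in json.loads(response_text).get("items", []):
        services = allowed_services(item)
        if not services or item["fullPath"] in ha_self_ips:
            continue
        # 'all' and 'default' expose the admin services themselves
        severity = "high" if services & {"all", "default"} else "medium"
        findings.append({
            "self_ip": item["fullPath"],
            "address": item["address"],
            "allow_service": sorted(services),
            "severity": severity,
        })
    return findings


for f in check_port_lockdown(SAMPLE_RESPONSE, ha_self_ips=("/Common/ha",)):
    print(f["severity"], f["self_ip"], f["address"],
          "allow-service", " ".join(f["allow_service"]))
```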
f5_port_not_locked_down
Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/f5/f5_port_not_locked_down.scala