5.3 Ensure port lockdown for self IP is set

Information

to secure the BIG-IP system from unwanted connection attempts on self-IP.

Rationale:

Impact:

Default settings allow BIG-IP to listen on several ports on which some are not needed . Attackers may initiate attacks against the system self IPs on these ports . To reduce the risk , only needed ports should be enabled on self IPs.

Solution

1-Log in to the Configuration utility.

2-Go to Network > Self IPs.

3-Select the relevant self IP address.

4-If the specified interface does not need to listen to incoming connections ( Example BGP ,BDF ..etc) , set 'Port Lockdown' to 'Allow None'
5-If the specified interface need to listen for incoming connections , set 'Port Lockdown' to 'Allow Custom'. Then in the 'Custom List' add needed ports only.

See Also

https://workbench.cisecurity.org/files/3587

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|SC-23, CSCv7|12.4

Plugin: F5

Control ID: 4f813c0ea2ceb9aa7e13521dd8d21715693790133ab69d34afca5eed2f83b5bf