Restricting access to the Configuration utility by source IP address

Information

The Configuration utility provides the graphical user interface to manage the BIG-IP system. Depending on your organizational security requirements, one method to secure access to the Configuration utility is to allow connections only from trusted IP addresses or ranges of IP addresses.

By default, the current list allows all IP addresses to connect to the Configuration utility. If you are adding an IP address or range of IP addresses to the current list for the first time, you should perform the "Replacing the current allowed list with a new list" procedure.

Solution

To add an IP address or range of IP addresses to the current list of hosts that are allowed to access the Configuration utility, perform the following procedure:
1. Log in to the TMOS Shell (tmsh) by typing the following command:
tmsh

2. To add an IP address or range of IP addresses to the current allowed list of hosts, type the following command:
modify /sys httpd allow add { <IP address or IP address range> }

For example, to add 172.28.31.140 and 172.28.65.150 to the current list, you would type the following command:

modify /sys httpd allow add { 172.28.31.140 172.28.65.150 }

3. To add the subnet 172.28.31.0/255.255.255.0 to the current list, you would type the following command:

modify /sys httpd allow add { 172.28.31.0/255.255.255.0 }

4. To list the IP addresses of the current allowed hosts, type the following command:
list /sys httpd allow

5. Save the change by typing the following command:
save /sys config
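
One way to check the output of step 4 against the management ranges you intend to trust, as an added example that is not part of the original article or of F5's tooling. The output layout of list /sys httpd allow, the All keyword for the default allow-everything state, and the trusted ranges passed in are assumptions; the sample outputs are constructed.

```python
import ipaddress
import re

# Constructed samples of `list /sys httpd allow` output (layout is assumed).
SAMPLE_OUTPUT = """\
sys httpd {
    allow { 172.28.31.140 172.28.65.150 172.28.31.0/255.255.255.0 }
}
"""
DEFAULT_OUTPUT = """\
sys httpd {
    allow { All }
}
"""

def parse_allow_list(tmsh_output):
    """Return the entries inside the `allow { ... }` stanza as strings."""
    match = re.search(r"\ballow\s*\{([^}]*)\}", tmsh_output)
    if match is None:
        raise ValueError("no 'allow { ... }' stanza found")
    return match.group(1).split()

def audit_allow_list(tmsh_output, trusted_networks):
    """Return (entry, reason) findings; an empty list means every entry is trusted."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for entry in parse_allow_list(tmsh_output):
        if entry.lower() == "all":
            # Assumed keyword for the default state described above.
            findings.append((entry, "allows every source address"))
            continue
        try:
            # Accepts single hosts and address/netmask notation alike.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not an IP address or network"))
            continue
        # Compare only against trusted ranges of the same IP version.
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            findings.append((entry, "outside the trusted management ranges"))
    return findings

if __name__ == "__main__":
    for entry, reason in audit_allow_list(DEFAULT_OUTPUT, ["172.28.31.0/24"]):
        print(f"FINDING: {entry}: {reason}")
```
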

See Also

https://support.f5.com/csp/article/K53108777#link_01

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|I, CCI|CCI-002385, Rule-ID|SV-74647r1_rule, STIG-ID|F5BI-DM-000239, Vuln-ID|V-60217

Plugin: F5

Control ID: 5c2aa3994cb2e989065bc28dda9d924ff8484087a72713a6508ff374139c6933