
Manual Chapter: Securing BIG-IP Administrative Access


There are several tasks that you can perform to control BIG-IP administrative access to the BIG-IP Configuration utility or to tmsh. This access control includes not only settings such as the number of failed login attempts allowed per user and the maximum amount of allowed idle login time, but also settings to specify user roles, administrative partition access, and console access.

Configuring security settings for administrative login

Use this procedure to define: the maximum number of concurrent users allowed, the maximum duration that the Configuration utility can be idle before automatic user logout, and a security message that you want the system to display on the BIG-IP Configuration login screen.
  1. On the Main tab, click System > Preferences.
  2. From the System Settings list, select Advanced. Additional settings appear on the screen.
  3. In the field labeled Maximum HTTP Connections To Configuration Utility, retain or revise the default value.
  4. In the field labeled Idle Time Before Automatic Logout, revise the default value. F5 Networks recommends a value of 120 seconds.
  5. For the setting labeled Show The Security Banner On The Login Screen, verify that the box is checked. This ensures that the security message you specify is displayed on the login screen of the BIG-IP Configuration utility.
  6. In the field labeled Security Banner Text To Show On The Login Screen, revise the default security message. A good security message is one that provides legal protection to the organization, such as a message stating that unauthorized access is forbidden. The login screen of the BIG-IP Configuration utility displays the text that you specify in this field.
  7. Click Update.
After you have performed these steps, administrative access to the BIG-IP Configuration utility is more secure.

Configuring a password policy for administrative users

Use this procedure to require BIG-IP system users to create strong passwords and to specify the maximum number of BIG-IP Configuration utility login failures that the system allows before the user is denied access.
  1. On the Main tab, click System > Users.
  2. On the menu bar, click Authentication.
  3. From the Secure Password Enforcement list, select Enabled. Additional settings appear on the screen.
  4. For the Minimum Length and Required Characters settings, configure the default values, according to your organization's internal security requirements.
  5. In the Maximum Login Failures field, specify a number. If the user fails to log in the specified number of times, the user is locked out of the system. Therefore, F5 Networks recommends that you specify a value that allows for a reasonable number of login failures before user lockout.
  6. Click Update.

Creating a BIG-IP system user account

Use this procedure to create a user account for a BIG-IP system administrative user. When creating the account, you can specify a user role, the partitions to which the user has access, and the type of console access.
  1. On the Main tab, click System > Users.
  2. Click Create. The New User properties screen opens.
  3. To grant an access level other than No Access, use the Role list to select a user role.
  4. From the Partition Access list, select a partition name. You can select a single partition name, or All.
  5. From the Terminal Access list, select a level of console access.
  6. Click Finished.
The BIG-IP system includes a new user account for administrative access.

Configuring a security level for a self IP address

You can specify the protocols and services from which a self IP address can accept traffic. Note that having fewer active protocols enhances the security level of the self IP address and its associated VLANs.
  1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
  2. In the Name column, click a self IP address associated with a VLAN on the public network. This displays the properties of that self IP address.
  3. From the Port Lockdown list, select a level of security for the self IP address. For this self IP address, selecting Allow None blocks administrative traffic only. Specifically, a user is blocked from accessing the BIG-IP system through the BIG-IP Configuration utility or SSH.
  4. Click Update.
The BIG-IP system now controls the level of access that administrative users have to the BIG-IP Configuration utility and through SSH.
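
To confirm that the settings from the login, password policy, and self IP procedures above are in place, the following added example (not F5 code) audits the text produced by `tmsh list` for the relevant objects. The sample output is constructed, the public VLAN name `external` is hypothetical, and a self IP with no `allow-service` line is assumed to be set to Allow None.

```python
import re

# Constructed sample of `tmsh list` output (not from a real system).
SAMPLE = """\
sys httpd {
    auth-pam-idle-timeout 1200
}
sys global-settings {
    gui-security-banner disabled
}
auth password-policy {
    max-login-failures 0
    policy-enforcement disabled
}
net self external_self {
    allow-service all
    vlan external
}
net self internal_self {
    allow-service default
    vlan internal
}
"""

def parse(text):
    """Map each flat tmsh stanza header to its {key: value} lines."""
    stanzas = {}
    for header, body in re.findall(r"^(\S[^{\n]*?) \{\n(.*?)^\}", text, re.M | re.S):
        pairs = (ln.split(None, 1) for ln in body.splitlines() if ln.strip())
        stanzas[header] = {p[0]: (p[1] if len(p) > 1 else "") for p in pairs}
    return stanzas

def audit(text, public_vlans=("external",), max_idle=120):
    """Return finding labels; a value missing from the input is not verified."""
    cfg, findings = parse(text), []
    if int(cfg.get("sys httpd", {}).get("auth-pam-idle-timeout", max_idle + 1)) > max_idle:
        findings.append("idle-timeout")
    if cfg.get("sys global-settings", {}).get("gui-security-banner") != "enabled":
        findings.append("banner")
    policy = cfg.get("auth password-policy", {})
    if policy.get("policy-enforcement") != "enabled":
        findings.append("password-policy")
    if int(policy.get("max-login-failures", 0)) == 0:  # 0 means no lockout
        findings.append("lockout")
    for header, props in cfg.items():
        vlan = props.get("vlan", "").rsplit("/", 1)[-1]
        # Assumption: an omitted allow-service line means Allow None.
        lockdown = props.get("allow-service", "none")
        if header.startswith("net self ") and vlan in public_vlans and lockdown != "none":
            findings.append("port-lockdown:" + header.split()[-1])
    return findings
```

Pass the VLAN names that face the public network in `public_vlans`; an empty list from `audit` means every checked setting matches the values this chapter describes.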