Applies To:

Show Versions Show Versions

Manual Chapter: Managing Self IPs in Shared Security
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About self IPs

On BIG-IP devices, network objects such as virtual servers, self IP addresses, the management IP, route domains, and the global firewall, all have firewalls attached to them. On BIG-IQ systems, an instance of one of these network objects is called a firewall context.

Using a BIG-IQ Security system, you can discover all firewall contexts currently on a BIG-IP device, and edit the firewall rules and/or policies attached to those firewall contexts.

From the Shared Security Self IPs panel, you can also create, configure, and delete a new self IP address firewall context, and then push that configured network object to a targeted BIG-IP device. In scenarios where self IP addresses are used primarily for security purposes, this provides a centralized and remote way for security administrators to quickly create additional listeners, or, firewall contexts.

Self IP addresses have many configuration options. BIG-IQ Security provides functionality meant for very basic security-centric use cases.

To close the panel without making any changes, click Cancel.

To get help on any panel, click the (?) icon in the upper right corner.

Adding Self IP addresses

Within Shared Security, hover over the Self IPs header and click the + icon when it appears, and click New Self IP. The panel expands to display the New Self IP properties screen.

Editing Self IPs

Hover over the name of the self IP address to edit, and when the gear icon appears, select Properties to expand the panel.

Adding self IP addresses

Use the New Self IP screen to configure a new self IP address.

Adding self IP addresses

  1. Hover over the Self IPs header, click the + icon when it appears, and click New Self IP. The panel expands to display the New Self IP properties.
  2. In the New Self IP screen, modify the properties of the new self IP address as appropriate.
    Device From the list, select a discovered BIG-IP device. If there are multiple devices discovered, the default device is the one discovered first.
    Name Type the name of the self IP address definition.
    Description Type an (optional) description for the self IP address.
    Partition Type the partition or path to which the self IP address belongs. Only users with access to a partition can view the objects (such as the self IP address) that it contains. If the self IP address resides in the Common partition, all users can access it.
    Note: Although pre-populated with Common (default), you can set the partition by typing a unique name for the partition. The partition with that name must already exist on the BIG-IP device. If it does not exist, then, at deployment, the deployment will fail. No whitespace is allowed in the partition name.
    IP Address/Prefix Type the IP address of the self IP, including the prefix.
    VLAN/Tunnel Select the VLAN associated with this self IP address. The choices are defined on the BIG-IP device, and the default is internal.
    Port Lockdown Specify the protocols and services from which the self IP address can accept traffic. Note that having fewer active protocols enhances the security level of the self IP address and its associated VLANs. Options are:
    • Allow Default: Activates only the default protocols and services. You can determine the supported protocols and services by running the tmsh list net self-allow defaults command on the command line.
    • Allow All: Activates all TCP and UDP services on this self IP address.
    • Allow None: Specifies that this self IP address accepts no traffic. If you are using this self IP address as the local endpoint for WAN optimization, select this option to avoid potential port conflicts. This is the default.
    • Allow Custom: Activates the custom protocols and services you select for this self IP address using the expanded custom list options.
    • Allow Custom (include Default): Activates the default protocols and services as well as the custom protocols and services you select for this self IP address using the expanded custom list options.
    Floating Specifies whether the self IP is floating. This is determined by the value of the Traffic Group property.
    Traffic Group Specifies the traffic group to associate with the self IP. Whether the self IP address can inherit the traffic group is set on the BIG-IP device and is only readable on the BIG-IQ system.
  3. When you are finished, click Add to create the new self IP address.

Editing self IP addresses

Use the Self IPs Properties screen to edit the properties of a self IP address.

Editing self IPs

From the Self IPs panel, you can edit self IP address properties.

  1. Hover over the self IP address that you want to edit, click the gear icon, and select Properties to expand the panel.
  2. Click Edit to establish the lock and make it possible to edit the values on the property page.
  3. Edit the properties. Not all properties can be modified.
    Device From the list, select a discovered BIG-IP device. If there are multiple devices discovered, the default device is the one discovered first.
    Name Type the name of the self IP address definition.
    Description Type an (optional) description for the self IP address.
    Partition Type the partition or path to which the self IP address belongs. Only users with access to a partition can view the objects (such as the self IP address) that it contains. If the self IP address resides in the Common partition, all users can access it.
    Note: Although pre-populated with Common (default), you can set the partition by typing a unique name for the partition. The partition with that name must already exist on the BIG-IP device. If it does not exist, then, at deployment, the deployment will fail. No whitespace is allowed in the partition name.
    IP Address/Prefix Type the IP address of the self IP, including the prefix.
    VLAN/Tunnel Select the VLAN associated with this self IP address. The choices are defined on the BIG-IP device, and the default is internal.
    Port Lockdown Specify the protocols and services from which the self IP address can accept traffic. Note that having fewer active protocols enhances the security level of the self IP address and its associated VLANs. Options are:
    • Allow Default: Activates only the default protocols and services. You can determine the supported protocols and services by running the tmsh list net self-allow defaults command on the command line.
    • Allow All: Activates all TCP and UDP services on this self IP address.
    • Allow None: Specifies that this self IP address accepts no traffic. If you are using this self IP address as the local endpoint for WAN optimization, select this option to avoid potential port conflicts. This is the default.
    • Allow Custom: Activates the custom protocols and services you select for this self IP address using the expanded custom list options.
    • Allow Custom (include Default): Activates the default protocols and services as well as the custom protocols and services you select for this self IP address using the expanded custom list options.
    Floating Specifies whether the self IP is floating. This is determined by the value of the Traffic Group property.
    Traffic Group Specifies the traffic group to associate with the self IP. Whether the self IP address can inherit the traffic group is set on the BIG-IP device and is only readable on the BIG-IQ system.
  4. Click Save to save your changes as you go.
  5. When finished, click Save and Close to save changes, release the lock, and exit the screen.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)