Manual Chapter :
Platform Properties
Applies To:
Show VersionsBIG-IP AAM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP APM
- 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP Analytics
- 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP Link Controller
- 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP LTM
- 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP PEM
- 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP AFM
- 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP DNS
- 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
BIG-IP ASM
- 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Platform Properties
About platform properties
Part of managing a BIG-IP system involves configuring and
maintaining a certain set of system properties. These properties consist of
general platform properties, such as the BIG-IP system host name, IP address,
and passwords for its system administrative accounts.
About general properties
You can configure these general properties for the BIG-IP
system platform:
- The management port and TMM
- The BIG-IP system has a management port to handle administrative traffic, and TMM switch interfaces to handle application traffic.TMM switch interfacesare those interfaces controlled by the Traffic Management Microkernel (TMM) service.
- Management port configuration
- By default, DHCP is disabled for the management port on the BIG-IP system. When enabled, DHCP uses UDP ports67and68. On the first boot, the BIG-IP system contacts your DHCP server and obtains a lease for an IPv4 address and default route for the management port, and DNS and NTP servers. You must then configure other system attributes, such as host name and domain name servers. When DHCP is disabled, you can manually assign two IP addresses (and their netmasks) to the management port: an IPv4 address, and optionally, an IPv6 address. The IP addresses that you assign to the management port must be on a different network than the self IP addresses that you assign to VLANs. Additionally, if you intend to manage the BIG-IP system from a node on a different subnet of your network, you can specify both an IPv4 and an IPv6 address for the BIG-IP system to use as default routes to the management port. If you manually assign both an IPv4 and IPv6 address to the management port and then enable DHCP later, the BIG-IP system removes the manually-configured IPv4 address and retains the manually-configured IPv6 address; the manually-configured IPv6 address can co-exist with a dynamically-assigned IPv4 address.If you do not have a DHCP server on your network, the BIG-IP system assigns a default IP address of192.168.1.245to the management port of appliances and virtual systems, and192.186.1.246to the management port of VIPRION® systems.
- Host name
- Every BIG-IP system must have a host name that is a fully qualified domain name (FQDN). An example of a host name isbigip-02.win.net.
- Host IP address
- Every BIG-IP system must have a host IP address. This IP address can be the same as the address that you used for the management port, or you can assign a unique address. The default value on the screen for this setting isUse Management Port IP Address.
- Time zone
- Another of the general platform properties that you can specify is the time zone. The many time zones that you can choose from are grouped into these categories: Africa, America, Antarctica, Arctic, Asia, Atlantic, Australia, Europe, Indian, and Pacific. You should specify the time zone region that most closely represents the location of the BIG-IP system you are configuring.
About redundant device properties
A BIG-IP system is typically part of a device group that
synchronizes configuration data across two or more BIG-IP devices and provides
high availability (failover and connection mirroring).
To ensure that this operates successfully, you assign a device group (to the
root
folder) to which you want to synchronize
configuration data. All folders and sub-folders in the folder hierarchy
inherit this device group as a folder attribute.You also assign a floating traffic group to the
root
folder. All folders and sub-folders in the folder hierarchy inherit this
traffic group as a folder attribute.About user administration properties
Part of managing platform-related properties is maintaining passwords for the
system account. You can also configure the system to allow certain IP
addresses to access the BIG-IP system through SSH.
About administrative account passwords
When you ran the Setup utility on the BIG-IP system, you
set up some administrative accounts. Specifically, you set up the
root
and admin
accounts. The
root
and admin
accounts are
for use by BIG-IP system administrators.Users logging in with the
root
account have terminal and
browser access to the BIG-IP system. By default, users logging in with the
admin
account have browser-only access to the
BIG-IP system. You can use the general screen for platform properties to
change the passwords for root
and
admin
accounts on a regular basis. To change a
password, locate the Root Account
or Admin
Account
setting, and in the Password
field, type a new password. In the Confirm
field,
re-type the same password.About SSH access configuration
When you configure SSH access, you enable user access to the BIG-IP system through SSH. Also, only the IP
addresses that you specify are allowed access to the system using SSH.
Configure platform
properties
You can use the Configuration utility to
configure the platform properties of the BIG-IP system.
- On the Main tab, click.The Platform screen opens.
- In the General Properties area, for theManagement Port Configurationsetting, select eitherAutomatic (DHCP)orManual.
- If you choseManualin the previous step, then in theManagement Port 1field, type an IPv4 or IPv6 address. Otherwise, skip this step.
- If you typed an IPv4 address in the previous step, and you want to specify a second, alternate management address, then in theManagement Port 2field, type an IPv6 address. Otherwise, skip this step.
- If the device is already a member of a Sync-Failover device group, then in the Redundant Device Properties area, for theRoot Folder Traffic Groupsetting, select a device group to which you want to synchronize configuration data.
- Configure the root and admin account passwords:
- In the User Administration area, for theRoot Accountsetting, type a new password in thePasswordfield and re-type the new password in theConfirmfield.
- For theAdmin Accountsetting, type a new password in thePasswordfield and re-type the new password in theConfirmfield. Enable theAllow lockout of admin accountcheck box to lock the admin account after a specified number of unsuccessful password attempts. This account lockout feature restricts the admin from accessing the network for a certain duration, even if the correct password is entered.
- Configure SSH access to the BIG-IP system:
- In the User Administration area, select theEnabledcheck box for theSSH Accesssetting.
- For theSSH IP Allowsetting, select either* All AddressesorSpecify Range, which enables you to specify a range of addresses for which access is allowed.
- ClickUpdate.
About management port security settings
When you configure a network firewall management port rule, you enable
only specified IP or web network addresses to access the BIG-IP management port.
This feature is available only when BIG-IP Advanced
Firewall Manager (AFM) is not licensed and provisioned.
Add a management
port firewall rule
You can use the Configuration utility to add
a management port firewall rule or policy for your BIG-IP system.
- On the Main tab, click.The Platform screen opens.
- Click theSecuritytab.Any configured management port firewall rules display in the Policy Settings area.
- ClickAdd.
- In the Rule Properties area, for theNamesetting, type a name for the firewall rule.
- For theDescriptionsetting, type descriptive text that identifies the firewall rule.
- From theOrderlist, select the order in which this rule is processed.
- From theStatelist, select the activity state of the rule. The default value is Enabled, which indicates that the system applies the firewall rule to the given context and address.
- From theProtocollist, select the protocol to which the rule applies. The default value is Any.
- From the Source Address/Region list, select the packet sources to which the rule applies. The default value is Any, which indicates that the rule applies to all addresses and ports.
- ClickUpdate.
View management
port firewall rules
You can use the Configuration utility to view
existing management port firewall rules for your BIG-IP system.
- On the Main tab, click.The Platform screen opens.
- Click theSecuritytab.Any configured management port firewall rules display in the Policy Settings area.