Manual Chapter : Platform Properties

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

  • BIG-IP Analytics

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

  • BIG-IP Link Controller

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

  • BIG-IP LTM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

  • BIG-IP PEM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

  • BIG-IP AFM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

  • BIG-IP DNS

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

  • BIG-IP ASM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

back-action BIG-IP System: Essentials

Updated Date: 04/21/2026

Platform Properties

Part of managing a BIG-IP system involves configuring and maintaining a certain set of system properties. These properties consist of general platform properties, such as the BIG-IP system host name, IP address, and passwords for its system administrative accounts.

You can configure these general properties for the BIG-IP system platform:

The management port and TMM
The BIG-IP system has a management port to handle administrative traffic, and TMM switch interfaces to handle application traffic. TMM switch interfaces are those interfaces controlled by the Traffic Management Microkernel (TMM) service.
Management port configuration
By default, DHCP is disabled for the management port on the BIG-IP system. When enabled, DHCP uses UDP ports 67 and 68. On the first boot, the BIG-IP system contacts your DHCP server and obtains a lease for an IPv4 address and default route for the management port, and DNS and NTP servers. You must then configure other system attributes, such as host name and domain name servers. When DHCP is disabled, you can manually assign two IP addresses (and their netmasks) to the management port: an IPv4 address, and optionally, an IPv6 address. The IP addresses that you assign to the management port must be on a different network than the self IP addresses that you assign to VLANs. Additionally, if you intend to manage the BIG-IP system from a node on a different subnet of your network, you can specify both an IPv4 and an IPv6 address for the BIG-IP system to use as default routes to the management port. If you manually assign both an IPv4 and IPv6 address to the management port and then enable DHCP later, the BIG-IP system removes the manually-configured IPv4 address and retains the manually-configured IPv6 address; the manually-configured IPv6 address can co-exist with a dynamically-assigned IPv4 address.

Note: If you do not have a DHCP server on your network, the BIG-IP system assigns a default IP address of 192.168.1.245 to the management port of appliances and virtual systems, and 192.186.1.246 to the management port of VIPRION® systems.

Host name
Every BIG-IP system must have a host name that is a fully qualified domain name (FQDN). An example of a host name is bigip-02.win.net.
Host IP address
Every BIG-IP system must have a host IP address. This IP address can be the same as the address that you used for the management port, or you can assign a unique address. The default value on the screen for this setting is Use Management Port IP Address.
Time zone
Another of the general platform properties that you can specify is the time zone. The many time zones that you can choose from are grouped into these categories: Africa, America, Antarctica, Arctic, Asia, Atlantic, Australia, Europe, Indian, and Pacific. You should specify the time zone region that most closely represents the location of the BIG-IP system you are configuring.

A BIG-IP system is typically part of a device group that synchronizes configuration data across two or more BIG-IP devices and provides high availability (failover and connection mirroring).

To ensure that this operates successfully, you assign a device group (to the root folder) to which you want to synchronize configuration data. All folders and sub-folders in the folder hierarchy inherit this device group as a folder attribute.

You also assign a floating traffic group to the root folder. All folders and sub-folders in the folder hierarchy inherit this traffic group as a folder attribute.

Part of managing platform-related properties is maintaining passwords for the system account. You can also configure the system to allow certain IP addresses to access the BIG-IP system through SSH.

When you ran the Setup utility on the BIG-IP system, you set up some administrative accounts. Specifically, you set up the root and admin accounts. The root and admin accounts are for use by BIG-IP system administrators.

Users logging in with the root account have terminal and browser access to the BIG-IP system. By default, users logging in with the admin account have browser-only access to the BIG-IP system. You can use the general screen for platform properties to change the passwords for root and admin accounts on a regular basis. To change a password, locate the Root Account or Admin Account setting, and in the Password field, type a new password. In the Confirm field, re-type the same password.

When you configure SSH access, you enable user access to the BIG-IP system through SSH. Also, only the IP addresses that you specify are allowed access to the system using SSH.

You can use the Configuration utility to configure the platform properties of the BIG-IP system.

  1. On the Main tab, click System > Platform.

    The Platform screen opens.

  2. In the General Properties area, for the Management Port Configuration setting, select either Automatic (DHCP) or Manual.

  3. If you chose Manual in the previous step, then in the Management Port 1 field, type an IPv4 or IPv6 address. Otherwise, skip this step.

  4. If you typed an IPv4 address in the previous step, and you want to specify a second, alternate management address, then in the Management Port 2 field, type an IPv6 address. Otherwise, skip this step.

  5. If the device is already a member of a Sync-Failover device group, then in the Redundant Device Properties area, for the Root Folder Traffic Group setting, select a device group to which you want to synchronize configuration data.

  6. Configure the root and admin account passwords:

    1. In the User Administration area, for the Root Account setting, type a new password in the Password field and re-type the new password in the Confirm field.

    2. For the Admin Account setting, type a new password in the Password field and re-type the new password in the Confirm field. Enable the Allow lockout of admin account check box to lock the admin account after a specified number of unsuccessful password attempts. This account lockout feature restricts the admin from accessing the network for a certain duration, even if the correct password is entered.

  7. Configure SSH access to the BIG-IP system:

    1. In the User Administration area, select the Enabled check box for the SSH Access setting.

    2. For the SSH IP Allow setting, select either * All Addresses or Specify Range, which enables you to specify a range of addresses for which access is allowed.

  8. Click Update.

With every user login there is a TMSH or BASH session created, and with many concurrent users login the BIP-IP can run out of memory. Limit the number of concurrent SSH connections to mitigate the possibility of BIG-IP running out of memory. The limitation is only applicable to the management port and is not applicable to the SSH Proxy in data plane of BIG-IP. No limitation is applied by default, enable the SSH connections limit using Enabling SSH connections limit.

Enable session timeout on the TMSH or BASH to make sure that the inactive or idle connections are terminated. Use the following commands to modify session timeout:

modify sys sshd inactivity-timeout *<value\_in\_seconds>*
modify cli global-settings idle-timeout *<value\_in\_minutes>*

  1. Enable concurrent SSH connections limit.

    • Enable limit for all users except root or admin.

      modify sys global-settings ssh-session-limit *<enable/disable>*

    • Enable limit for root or admin users.

      modify sys global-settings ssh-root-session-limit *<enable/disable*

The concurrent SSH connections limit is enabled with maximum 10 sessions.

Modify the SSH connections limit using Modifying SSH connections limit default values.

For remote users, the RADIUS or TACACS server is provided with vendor attribute F5-LTM-User-SSH-Limit with a value to limit the number of SSH connections.

The aggregate total SSH connections of all the users is always controlled by ssh-max-session-limit.

  1. Modify the maximum concurrent SSH connections limit.

    • Modify the limit for all users.

      modify sys global-settings ssh-max-session-limit *<value>*

      Note: The default maximum concurrent SSH connections limit is 10.

    • Modify the limit for a single user.

      modify sys global-settings ssh-max-session-limit-per-user *<value>*

    • Modify the limit for a specific user.

      auth user *<user>* session-limit *<value>*

The concurrent SSH connections limit is updated.

When you configure a network firewall management port rule, you enable only specified IP or web network addresses to access the BIG-IP management port.

Note: This feature is available only when BIG-IP Advanced Firewall Manager (AFM) is not licensed and provisioned.

You can use the Configuration utility to add a management port firewall rule or policy for your BIG-IP system.

  1. On the Main tab, click System > Platform.

    The Platform screen opens.

  2. Click the Security tab.

    Any configured management port firewall rules display in the Policy Settings area.

  3. Click Add.

  4. In the Rule Properties area, for the Name setting, type a name for the firewall rule.

  5. For the Description setting, type descriptive text that identifies the firewall rule.

  6. From the Order list, select the order in which this rule is processed.

  7. From the State list, select the activity state of the rule. The default value is Enabled, which indicates that the system applies the firewall rule to the given context and address.

  8. From the Protocol list, select the protocol to which the rule applies. The default value is Any.

  9. From the Source Address/Region list, select the packet sources to which the rule applies. The default value is Any, which indicates that the rule applies to all addresses and ports.

  10. Click Update.

You can use the Configuration utility to view existing management port firewall rules for your BIG-IP system.

  1. On the Main tab, click System > Platform.

    The Platform screen opens.

  2. Click the Security tab.

    Any configured management port firewall rules display in the Policy Settings area.