Manual Chapter : Platform Properties

Applies To:


BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP Analytics

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP Link Controller

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP PEM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP DNS

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

Platform Properties

About platform properties

Part of managing a BIG-IP system involves configuring and maintaining a certain set of system properties. These properties consist of general platform properties, such as the BIG-IP system host name, IP address, and passwords for its system administrative accounts.

About general properties

You can configure these general properties for the BIG-IP system platform:

The management port and TMM
The BIG-IP system has a management port to handle administrative traffic, and TMM switch interfaces to handle application traffic. TMM switch interfaces are those interfaces controlled by the Traffic Management Microkernel (TMM) service.

Management port configuration
By default, DHCP is disabled for the management port on the BIG-IP system. When enabled, DHCP uses UDP ports 67 and 68. On the first boot, the BIG-IP system contacts your DHCP server and obtains a lease for an IPv4 address and default route for the management port, and DNS and NTP servers. You must then configure other system attributes, such as host name and domain name servers. When DHCP is disabled, you can manually assign two IP addresses (and their netmasks) to the management port: an IPv4 address and, optionally, an IPv6 address. The IP addresses that you assign to the management port must be on a different network than the self IP addresses that you assign to VLANs. Additionally, if you intend to manage the BIG-IP system from a node on a different subnet of your network, you can specify both an IPv4 and an IPv6 address for the BIG-IP system to use as default routes to the management port. If you manually assign both an IPv4 and an IPv6 address to the management port and then enable DHCP later, the BIG-IP system removes the manually configured IPv4 address and retains the manually configured IPv6 address; the manually configured IPv6 address can co-exist with a dynamically assigned IPv4 address.
If you do not have a DHCP server on your network, the BIG-IP system assigns a default IP address of 192.168.1.245 to the management port of appliances and virtual systems, and 192.186.1.246 to the management port of VIPRION® systems.

Host name
Every BIG-IP system must have a host name that is a fully qualified domain name (FQDN). An example of a host name is bigip-02.win.net.

Host IP address
Every BIG-IP system must have a host IP address. This IP address can be the same as the address that you used for the management port, or you can assign a unique address. The default value on the screen for this setting is Use Management Port IP Address.

Time zone
Another of the general platform properties that you can specify is the time zone. The many time zones that you can choose from are grouped into these categories: Africa, America, Antarctica, Arctic, Asia, Atlantic, Australia, Europe, Indian, and Pacific. You should specify the time zone region that most closely represents the location of the BIG-IP system you are configuring.

About redundant device properties

A BIG-IP system is typically part of a device group that synchronizes configuration data across two or more BIG-IP devices and provides high availability (failover and connection mirroring).
To ensure that this operates successfully, you assign a device group (to the root folder) to which you want to synchronize configuration data. All folders and sub-folders in the folder hierarchy inherit this device group as a folder attribute.
You also assign a floating traffic group to the root folder. All folders and sub-folders in the folder hierarchy inherit this traffic group as a folder attribute.

About user administration properties

Part of managing platform-related properties is maintaining passwords for the system accounts. You can also configure the system to allow only certain IP addresses to access the BIG-IP system through SSH.

About administrative account passwords

When you ran the Setup utility on the BIG-IP system, you set up some administrative accounts. Specifically, you set up the root and admin accounts. The root and admin accounts are for use by BIG-IP system administrators.
Users logging in with the root account have terminal and browser access to the BIG-IP system. By default, users logging in with the admin account have browser-only access to the BIG-IP system. You can use the general screen for platform properties to change the passwords for the root and admin accounts on a regular basis. To change a password, locate the Root Account or Admin Account setting, and in the Password field, type a new password. In the Confirm field, re-type the same password.

About SSH access configuration

When you configure SSH access, you enable user access to the BIG-IP system through SSH. Also, only the IP addresses that you specify are allowed access to the system using SSH.

Configure platform properties

You can use the Configuration utility to configure the platform properties of the BIG-IP system.
  1. On the Main tab, click System > Platform.
    The Platform screen opens.
  2. In the General Properties area, for the Management Port Configuration setting, select either Automatic (DHCP) or Manual.
  3. If you chose Manual in the previous step, then in the Management Port 1 field, type an IPv4 or IPv6 address. Otherwise, skip this step.
  4. If you typed an IPv4 address in the previous step, and you want to specify a second, alternate management address, then in the Management Port 2 field, type an IPv6 address. Otherwise, skip this step.
  5. If the device is already a member of a Sync-Failover device group, then in the Redundant Device Properties area, for the Root Folder Traffic Group setting, select a device group to which you want to synchronize configuration data.
  6. Configure the root and admin account passwords:
    1. In the User Administration area, for the Root Account setting, type a new password in the Password field and re-type the new password in the Confirm field.
    2. For the Admin Account setting, type a new password in the Password field and re-type the new password in the Confirm field. Enable the Allow lockout of admin account check box to lock the admin account after a specified number of unsuccessful password attempts. This account lockout feature restricts the admin from accessing the network for a certain duration, even if the correct password is entered.
  7. Configure SSH access to the BIG-IP system:
    1. In the User Administration area, select the Enabled check box for the SSH Access setting.
    2. For the SSH IP Allow setting, select either * All Addresses or Specify Range, which enables you to specify a range of addresses for which access is allowed.
  8. Click Update.

About limiting concurrent SSH connections

Every user login creates a TMSH or BASH session, and with many concurrent user logins the BIG-IP system can run out of memory. Limit the number of concurrent SSH connections to mitigate the possibility of the BIG-IP system running out of memory. The limit applies only to the management port; it does not apply to the SSH Proxy in the BIG-IP data plane. No limit is applied by default; enable the SSH connections limit as described in Enabling SSH connections limit.

Enabling SSH connections limit

Enable a session timeout for TMSH or BASH to make sure that inactive or idle connections are terminated. Use the following commands to modify the session timeouts:
modify sys sshd inactivity-timeout <value_in_seconds>
modify cli global-settings idle-timeout <value_in_minutes>
  1. Enable the concurrent SSH connections limit.
    • Enable the limit for all users except root or admin:
      modify sys global-settings ssh-session-limit <enable/disable>
    • Enable the limit for the root or admin users:
      modify sys global-settings ssh-root-session-limit <enable/disable>
The concurrent SSH connections limit is now enabled, with a default maximum of 10 sessions.
Change the limit as described in Modifying SSH connections limit default values.

Modifying SSH connections limit default values

For remote users, the RADIUS or TACACS server supplies the vendor attribute F5-LTM-User-SSH-Limit with a value that limits the number of SSH connections for that user.
The aggregate total of SSH connections across all users is always controlled by ssh-max-session-limit.
  1. Modify the maximum concurrent SSH connections limit.
    • Modify the limit for all users:
      modify sys global-settings ssh-max-session-limit <value>
      The default maximum concurrent SSH connections limit is 10.
    • Modify the limit for a single user:
      modify sys global-settings ssh-max-session-limit-per-user <value>
    • Modify the limit for a specific user:
      auth user <user> session-limit <value>
The concurrent SSH connections limit is updated.
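As an added example (not part of the F5 manual or its tooling), a small Python audit that parses constructed tmsh list output and reports which of the SSH limits and timeouts covered by the two procedures above are still at their unrestricted values. The brace-block layout of the sample output and the sys sshd allow attribute are assumptions; the remaining attribute names are the ones this chapter documents.

```python
import re

# Constructed samples of what "tmsh list sys global-settings" and
# "tmsh list sys sshd" might print on a BIG-IP. The brace-block layout and
# the sshd "allow" attribute are assumptions; other names are from this chapter.
WEAK_CONFIG = """\
sys global-settings {
    ssh-session-limit disabled
    ssh-root-session-limit disabled
    ssh-max-session-limit 10
}
sys sshd {
    allow { ALL }
    inactivity-timeout 0
}
"""
HARDENED_CONFIG = """\
sys global-settings {
    ssh-session-limit enabled
    ssh-root-session-limit enabled
    ssh-max-session-limit 10
}
sys sshd {
    allow { 10.0.0.0/8 }
    inactivity-timeout 600
}
"""

def parse_tmsh(text):
    """Turn top-level 'component { key value ... }' blocks into nested dicts."""
    config = {}
    for match in re.finditer(r"^(.+?) \{\n(.*?)^\}", text, re.S | re.M):
        settings = {}
        for line in match.group(2).splitlines():
            key, _, value = line.strip().partition(" ")
            if key:
                settings[key] = value.strip()
        config[match.group(1)] = settings
    return config

def audit_ssh_settings(text, max_sessions=10):
    """Return findings for the SSH limits and timeouts this chapter covers."""
    config = parse_tmsh(text)
    gs, sshd = config.get("sys global-settings", {}), config.get("sys sshd", {})
    checks = [
        (gs.get("ssh-session-limit") == "enabled", "ssh-session-limit disabled: user sessions unbounded"),
        (gs.get("ssh-root-session-limit") == "enabled", "ssh-root-session-limit disabled: root/admin sessions unbounded"),
        (int(gs.get("ssh-max-session-limit", "0")) <= max_sessions, f"ssh-max-session-limit above {max_sessions}"),
        (sshd.get("inactivity-timeout", "0") != "0", "inactivity-timeout 0: idle sessions never terminated"),
        (sshd.get("allow", "{ ALL }") != "{ ALL }", "allow ALL: SSH accepted from any source address"),
    ]
    return [message for ok, message in checks if not ok]
```

Running the audit against the weak sample yields four findings, against the hardened sample none; point it at real saved output to check a device before and after applying the procedures.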

About management port security settings

When you configure a network firewall management port rule, you allow only the specified IP addresses or network addresses to access the BIG-IP management port.
This feature is available only when BIG-IP Advanced Firewall Manager (AFM) is not licensed and provisioned.

Add a management port firewall rule

You can use the Configuration utility to add a management port firewall rule or policy for your BIG-IP system.
  1. On the Main tab, click System > Platform.
    The Platform screen opens.
  2. Click the Security tab.
    Any configured management port firewall rules display in the Policy Settings area.
  3. Click Add.
  4. In the Rule Properties area, for the Name setting, type a name for the firewall rule.
  5. For the Description setting, type descriptive text that identifies the firewall rule.
  6. From the Order list, select the order in which this rule is processed.
  7. From the State list, select the activity state of the rule. The default value is Enabled, which indicates that the system applies the firewall rule to the given context and address.
  8. From the Protocol list, select the protocol to which the rule applies. The default value is Any.
  9. From the Source Address/Region list, select the packet sources to which the rule applies. The default value is Any, which indicates that the rule applies to all addresses and ports.
  10. Click Update.

View management port firewall rules

You can use the Configuration utility to view existing management port firewall rules for your BIG-IP system.
  1. On the Main tab, click System > Platform.
    The Platform screen opens.
  2. Click the Security tab.
    Any configured management port firewall rules display in the Policy Settings area.