TCP port 1028: In BIG-IP 11.0.0 – 11.3.0 redundant pair configurations, the system allows tcp:1028 for connection and persistence mirroring, regardless of the port lockdown settings.
TCP port 1029 – 1043: Beginning in BIG-IP 11.4.0, the BIG-IP system maintains a separate mirroring channel for each traffic group. The port range for each connection channel begins at TCP 1029 and increments by one for each new traffic group and channel created. By default, the BIG-IP system allows TCP ports 1029-1043. For more information, refer to SOL14894: The BIG-IP system establishes a separate mirroring channel for each traffic group.
TCP port 4353: When BIG-IP 11.0.0 and later devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353, regardless of the port lockdown settings.
Note: CMI uses the same port as iQuery tcp:4353, but is independent of iQuery and the port configuration options available for the port.
ICMP: ICMP traffic to the self-IP address is not affected by the port lockdown list and is implicitly allowed in all cases.
Note: In most cases, it is not possible to ping self IP addresses across Virtual Local Area Networks (VLANs). For more information, refer to SOL3475: The BIG-IP system may not respond to ICMP ping requests for a self IP address.
This option allows access for a pre-defined set of network protocols and services that are typically required in a BIG-IP deployment.
The Allow Default setting specifies that connections to the self IP address are allowed from the following protocols and services:
This option specifies that all connections to the self IP address are allowed, regardless of protocol or service.
This option specifies that no connections are allowed on the self IP address, regardless of protocol or service.
However, ICMP traffic is always allowed, and if the BIG-IP systems are configured in a redundant pair, ports that are listed as exceptions are always allowed from the peer system.
This option allows you to specify the protocols and services for which connections are allowed on the self IP address.
However, ICMP traffic is always allowed, and if the BIG-IP systems are configured in a redundant pair, ports that are listed as exceptions are always allowed from the peer system.
Using the Configuration utility to modify port lockdown settings for a specific self IP
Log in to the Configuration utility.
Navigate to Network > Self IPs.
Click the relevant self IP address.
From the Port Lockdown box, select the desired setting.
Using the tmsh utility to modify port lockdown settings
(tmos)# modify /net self 10.10.10.1 allow-service default
(tmos)# save /sys config
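To review the resulting lockdown posture across every self IP rather than one at a time, the following added script (not F5 code) parses the output of tmsh list net self and flags any self IP set to allow all, or whose custom list contains services outside an approved set; the tmsh output is a constructed sample in the rendering tmsh normally uses (service names such as tcp:https), and the approved set is an assumption.

```python
import re

# Constructed sample of `tmsh list net self` output (not captured from a real device).
SAMPLE = """\
net self ext {
    address 192.0.2.10/24
    allow-service all
}
net self int {
    address 10.10.10.1/24
    allow-service {
        default
    }
}
net self ha {
    address 10.20.20.1/24
    allow-service {
        tcp:https
        tcp:ssh
        udp:snmp
    }
}
"""

def parse_self_ips(text):
    """Map self IP name -> (mode, services); mode is all, none, default or custom."""
    result = {}
    for m in re.finditer(r"net self (\S+) \{(.*?)\n\}", text, re.S):
        name, body = m.group(1), m.group(2)
        bare = re.search(r"allow-service (all|none)\b", body)
        if bare:
            result[name] = (bare.group(1), [])
            continue
        block = re.search(r"allow-service \{(.*?)\}", body, re.S)
        services = block.group(1).split() if block else []
        mode = "default" if services == ["default"] else "custom"
        result[name] = (mode, [] if mode == "default" else services)
    return result

def audit(parsed, approved):
    """Flag self IPs exposed beyond an approved custom service set. ICMP, the
    mirroring ports and CMI tcp:4353 bypass lockdown from the peer, so they
    never appear in allow-service and are not checked here."""
    findings = []
    for name, (mode, services) in sorted(parsed.items()):
        if mode == "all":
            findings.append(f"{name}: allow-service all (every port reachable)")
        elif mode == "custom":
            extra = sorted(set(services) - approved)
            if extra:
                findings.append(f"{name}: unapproved services {extra}")
    return findings
```

Feed it the real output of tmsh list net self and an approved set matching your own standard to get the findings list.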