Knowledgebase

Frequently Asked Questions

F5 FAQ

  • How does the port lockdown behavior work?

    The port lockdown feature allows you to secure the BIG-IP system from unwanted connection attempts by controlling the level of access to each self IP address defined on the system. Each port lockdown list setting, defined later in this document, specifies the protocols and services from which a self IP can accept connections. The system refuses traffic and connections made to a service or protocol port that is not on the list.

    Port lockdown exceptions

    TCP mirroring ports: The BIG-IP system maintains a separate mirroring channel for each traffic group. The port range for each connection channel begins at TCP 1029 and increments by one for each new traffic group and channel created. The BIG-IP system allows TCP ports 1029 through 1155.

    TCP port 4353: When BIG-IP devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353 on the self IP address, regardless of the port lockdown settings.

    Note: CMI uses the same port as iQuery tcp:4353 but is independent of iQuery and the port configuration options available for the port. Because :4353 traffic is always permitted to the configured ConfigSync IP address, this also allows iQuery traffic (if iQuery is configured to connect to the ConfigSync IP address). In all other cases, in order for iQuery to be able to connect, you must specifically permit tcp/4353 in the port lockdown settings.

    ICMP: Internet Control Message Protocol (ICMP) traffic to the self IP address is not affected by the port lockdown list and is implicitly allowed in all cases.

    Defined virtual servers override the port lockdown setting for the traffic that they service.

    Note: In most cases, it is not possible to ping self IP addresses across VLANs.

    You can determine the default supported protocols and services by using the following command:

    tmsh list net self-allow
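
The order in which the exceptions above apply, modelled as an added example (not F5 code and not part of the original page). The `SelfIP` fields, the reason strings and the sample self IPs are illustrative assumptions, and the mirroring range is assumed to apply to every self IP.

```python
from dataclasses import dataclass

MIRROR_PORTS = range(1029, 1156)  # TCP 1029-1155: one mirroring channel per traffic group
CMI_PORT = 4353                   # CMI between sync-group peers (iQuery shares the port)

@dataclass(frozen=True)
class SelfIP:
    """Hypothetical model of one self IP; field names are illustrative."""
    name: str
    allow: frozenset = frozenset()            # lockdown list entries, e.g. "tcp:443"
    is_configsync: bool = False               # configured as the ConfigSync address
    virtual_servers: frozenset = frozenset()  # "proto:port" listeners on this address

def verdict(self_ip, proto, port=None):
    """Return (accepted, reason) for traffic addressed to the self IP."""
    proto = proto.lower()
    if proto == "icmp":
        return True, "icmp-implicit"          # never filtered by the list
    key = f"{proto}:{port}"
    if key in self_ip.virtual_servers:
        return True, "virtual-server"         # virtual server overrides lockdown
    if proto == "tcp" and port in MIRROR_PORTS:
        return True, "mirroring-exception"    # assumption: applies to every self IP
    if proto == "tcp" and port == CMI_PORT and self_ip.is_configsync:
        return True, "cmi-exception"
    if key in self_ip.allow:
        return True, "lockdown-list"
    return False, "refused"

def unlisted_exposure(self_ip, probes):
    """Probes that are accepted although absent from the lockdown list."""
    hits = []
    for proto, port in probes:
        ok, why = verdict(self_ip, proto, port)
        if ok and why != "lockdown-list":
            hits.append((proto, port, why))
    return hits

# Constructed sample self IPs (names are made up for the example).
EXTERNAL = SelfIP("external_self", virtual_servers=frozenset({"tcp:443"}))
HA = SelfIP("ha_self", allow=frozenset({"tcp:22"}), is_configsync=True)
PROBES = [("icmp", None), ("tcp", 22), ("tcp", 443), ("tcp", 1029),
          ("tcp", 1156), ("tcp", 4353), ("udp", 4353)]

if __name__ == "__main__":
    for ip in (EXTERNAL, HA):
        print(ip.name, unlisted_exposure(ip, PROBES))
```

Anything `unlisted_exposure` returns is reachable without appearing in the port lockdown list, so those ports are the ones to cover with upstream filtering or to expect in a scan of the self IP.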

  • How do you reset Analytics on BIG-IP?

    SSH into the F5 BIG-IP command line.

    Create the /var/avr/init_avrdb file by running the following command:

    touch /var/avr/init_avrdb

    Restart the monpd process by running this command:

    tmsh restart /sys service monpd

    Note: It may take a second or two to fully restart the monpd service.

HTTP Status Codes

  • HTTP Status Codes Overview

    1XX – INFORMATIONAL (the request was received, continuing process. This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line)

    2XX – SUCCESS (the request was successfully received, understood, and accepted. This class of status code indicates that the client’s request was successfully received, understood, and accepted)

    3XX – REDIRECTION (further action needs to be taken in order to complete the request. This class of status code indicates that further action needs to be taken by the user agent in order to fulfill the request)

    4XX – CLIENT ERROR (the request contains bad syntax or cannot be fulfilled. The 4xx class of status code is intended for cases in which the client seems to have erred.)

    5XX – SERVER ERROR (the server failed to fulfil a valid request. Response status codes beginning with the digit “5” indicate cases in which the server is aware that it has erred or is incapable of performing the request)

  • 1XX Information

    100 – Continue (Indicates the initial part of a request has been received, and the client should continue sending the remainder.)

    101 – Switching Protocols (The server is switching protocols in an upgrade header, such as upgrading from HTTP to WebSockets. The client should use the new protocol in the future.)

    102 – Processing (Indicates the server has received and is processing the request, but no response is available yet.)

    103 – Early Hints (Used to return some response headers before the complete response. This allows the client to start preloading resources while the server is still preparing the full response.)

  • 2XX Success

    200 – OK (The request succeeded, and the server sent back a response. This is the standard response for successful requests.)

    201 – Created (The request succeeded, and a new resource was created as a result. This is typically the response sent after a PUT request.)

    202 – Accepted (The request has been accepted for processing, but the processing still needs to be completed. The request may or may not eventually be acted upon.)

    203 – Non-Authoritative Information (The returned metadata in the response is from a local or third-party copy, not from the original server. This is used for mirroring or caching situations.)

    204 – No Content (The server successfully processed the request, but there is no content to return in the response payload body.)

    205 – Reset Condition (This tells the client to reset the document view so that the next page load will be a complete refresh. Used when a previous response sent down content, such as JavaScript, that needs to be cleared.)

    206 – Partial Content (Indicates a partial response, typically used in response to a byte range request. The response headers will indicate the byte range included in the response.)

    207 – Multi-Status (WebDAV) (Used in response to an HTTP bulk request to indicate multiple status codes for different parts of the request.)

    208 – Already Reported (WebDAV) (Used inside a dav:propstat response element to avoid sending duplicate error messages.)

    226 – IM Used (HTTP Delta Encoding) (The server has fulfilled a GET request, and the response is a representation of the result of one or more instance manipulations on the current instance.)

  • 3XX Redirection

    300 – Multiple Choices (Provides a list of alternate resources for the request, such as human languages for translation when the client requests a negotiation.)

    301 – Moved Permanently (The requested page has been permanently moved to a new URL. The client should use the new URL for future requests.)

    302 – Found (Indicates the resource was temporarily moved or relocated to a new URL. Clients should continue to use the original URL for future requests.)

    303 – See Other (Returns a reference to a different URI. Clients should use the new URI in the future. Similar to 301, but the original URI should still be considered valid.)

    304 – Not Modified (Indicates the resource has yet to be modified since the specified date. Used to reduce network traffic when caching resources.)

    305 – Use Proxy (Specifies the requested resource must be accessed through a proxy at the specified URL.)

    306 – Unused (No longer used. Originally meant to specify that a subsequent request should use the specified proxy.)

    307 – Temporary Redirect (Temporarily redirects the request to a different URL. Similar usage to 302, except requests should not change to the new URL.)

    308 – Permanent Redirect (Permanently redirects the request to a different URL. Similar usage to 301, except requests should not change to the new URL.)

  • 4XX Client Error

    400 – Bad Request (The server cannot process the request due to malformed syntax or invalid request message framing.)

    401 – Unauthorized (Indicates the request requires user authentication. The client may repeat the request with the proper authorization credentials.)

    402 – Payment Required (Reserved for future use; indicates the client must make a payment to access the requested resource.)

    403 – Forbidden (The client does not have permission to access this resource, even with authentication. Authorization will not help, and the request should not be repeated.)

    404 – Not Found (The server cannot find the requested resource. This indicates the URL does not map to anything on the server.)

    405 – Method Not Allowed (The HTTP method in the request is known by the server but has been disabled or is not allowed for the requested resource.)

    406 – Not Acceptable (The resource can only generate responses that the client does not accept according to the Accept headers sent in the request.)

    407 – Proxy Authentication Required (Similar to 401, it indicates the client must authenticate with a proxy server before the proxy will forward the request.)

    408 – Request Timeout (Indicates the server timed out waiting for a request from the client after a certain period. The client can choose to repeat the request at a later time.)

    409 – Conflict (Indicates a conflict or invalid state, meaning the request could not be completed. Usually returned in response to a PUT or other non-idempotent request.)

    410 – Gone (Indicates the requested resource is no longer available at the requested URL, and no forwarding address is known. The client should not attempt to resubmit the request.)

    411 – Length Required (The server refuses to accept the request without a defined Content-Length header.)

    412 – Precondition Failed (The client specified one or more preconditions in the headers, which the server does not meet.)

    413 – Payload Too Large (The request payload size exceeds the server’s limit.)

    414 – URI Too Large (The requested URL exceeds the server’s limit for length.)

    415 – Unsupported Media Type (The media format of the submitted data is not supported by the requested resource.)

    416 – Range Not Satisfied (The requested byte range is invalid or unsatisfiable. The headers may contain the satisfiable ranges.)

    417 – Exception Failed (The expectation given in the Expect header could not be fulfilled by the server.)

    418 – I’m a teapot (Any attempt to brew coffee with a teapot should result in this error code.)

    421 – Misdirected Request (The request was directed at a server that cannot produce a response. This can be sent by a server that is not configured to produce responses for the combination of scheme and authority in the request URI.)

    422 – Unprocessable Entity (WebDAV) (The request was formatted correctly but cannot be processed in its current form. It is often used when the specified parameters fail validation.)

    423 – Locked (WebDAV) (The resource being accessed is locked.)

    424 – Failed Dependency (WebDAV) (The request failed due to a failure of a previous request.)

    425 – Too Early (Indicates the server is unwilling to perform the request, such as a request to renew an expiring resource, because it is too early from a security perspective.)

    426 – Upgrade Required (The server refuses to perform the request using the current protocol but may respond if upgraded to a different protocol. Sent by a server to promote HTTP/2 over HTTP/1.1.)

    428 – Precondition Required (The server requires a conditional header like If-Match or If-Unmodified-Since to be present to ensure the correct client is making the request. This protects against unauthorized uploads or updates and helps prevent duplicate simultaneous updates.)

    429 – Too Many Requests (The user has sent too many requests in a given amount of time. It is intended to avoid denial-of-service attacks.)

    431 – Request Header Fields Too Large (The server refuses to process the request because the header fields are too large. The request may be resubmitted with smaller headers.)

    451 – Unavailable for Legal Reasons (The server cannot provide access to the resource because of legal restrictions imposed on it.)

    499 – Client Closed Request 

  • 5XX Server Error Responses

    500 – Internal Server Error (A generic error message indicating an unexpected server error.)

    501 – Not Implemented (The server still needs to support the requested functionality.)

    502 – Bad Gateway (The server received an invalid response from an upstream server it accessed to serve the request.)

    503 – Service Unavailable (The server is currently unable to handle the request, usually due to high load or maintenance.)

    504 – Gateway Timeout (The upstream server that was accessed to serve the request failed to respond in time.)

    505 – HTTP Version Not Supported (The server does not support the HTTP protocol version used in the request.)

    506 – Variant Also Negotiates (The server has an internal configuration error, causing the request to be internally forwarded to a different server, causing a negotiation loop.)

    507 – Insufficient Storage (WebDAV) (The server cannot store the representation needed to complete the request.)

    508 – Loop Detected (WebDAV) (The server detected an infinite loop in the request.)

    510 – Not Extended (Further extensions to the request are required for the server to fulfill it.)

    511 – Network Authentication Required (The client needs to authenticate the network first. Intended for use by intercepting proxies.)

    599 – Network Connect Timeout Error