Frequently Asked Questions
F5 FAQ
- How do you reset Analytics on BIG-IP
SSH into F5 BIG-IP command line
Create the /var/avr/init_avrdb file by running the following command
touch /var/avr/init_avrdb
Restart the monpd process by running this command
tmsh restart /sys service monpd
NOTE: it may take a second or two to fully restart the monpd service
- How does the port lockdown behavior work?
The port lockdown feature allows you to secure the BIG-IP system from unwanted connection attempts by controlling the level of access to each self IP address defined on the system. Each port lockdown list setting, defined later in this document, specifies the protocols and services from which a self IP can accept connections. The system refuses traffic and connections made to a service or protocol port that is not on the list.
Port lockdown exceptions
TCP mirroring ports: The BIG-IP system maintains a separate mirroring channel for each traffic group. The port range for each connection channel begins at TCP 1029 and increments by one for each new traffic group and channel created. The BIG-IP system allows TCP ports 1029 through 1155.
TCP port 4353: When BIG-IP devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353 on the self IP address, regardless of the port lockdown settings.
Note: CMI uses the same port as iQuery tcp:4353 but is independent of iQuery and the port configuration options available for the port. Because :4353 traffic is always permitted to the configured ConfigSync IP address, this also allows iQuery traffic (if iQuery is configured to connect to the ConfigSync IP address). In all other cases, in order for iQuery to be able to connect, you must specifically permit tcp/4353 in the port lockdown settings.
ICMP: Internet Control Message Protocol (ICMP) traffic to the self IP address is not affected by the port lockdown list and is implicitly allowed in all cases.
Defined virtual servers override the port lockdown settings for the traffic that they service.
Note: In most cases, it is not possible to ping self IP addresses across VLANs.
You can determine the default supported protocols and services by using the following command:
tmsh list net self-allow
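To make the decision logic above concrete, here is an added Python model (not F5 code) of how a connection to a self IP is accepted or refused under port lockdown, including the ICMP, TCP mirroring, CMI and virtual server exceptions described above. The allow-list format ("proto:port" strings, "all" meaning Allow All), the SelfIP/Connection classes and the virtual_server_ports parameter are assumptions made for this example.

```python
from dataclasses import dataclass

# Exceptions taken from the FAQ text above.
MIRROR_PORTS = range(1029, 1156)   # TCP mirroring channels, 1029 through 1155 inclusive
CMI_PORT = 4353                    # CMI/ConfigSync (same port as iQuery)


@dataclass
class SelfIP:
    address: str
    allow: set                 # assumed format: {"tcp:22", "udp:161"}; {"all"} = Allow All
    is_configsync: bool = False  # True if this self IP is the configured ConfigSync address


@dataclass
class Connection:
    proto: str   # "tcp", "udp" or "icmp"
    port: int    # ignored for icmp


def lockdown_decision(self_ip, conn, virtual_server_ports=frozenset()):
    """Return (allowed, reason) for a connection attempt to a self IP.

    virtual_server_ports is an assumed set of "proto:port" strings for
    virtual servers defined on this self IP's address; they take precedence.
    """
    if conn.proto == "icmp":
        return True, "ICMP is implicitly allowed regardless of the lockdown list"
    key = f"{conn.proto}:{conn.port}"
    if key in virtual_server_ports:
        return True, "a defined virtual server overrides the port lockdown setting"
    if conn.proto == "tcp" and conn.port in MIRROR_PORTS:
        return True, "TCP mirroring port exception (1029-1155)"
    if conn.proto == "tcp" and conn.port == CMI_PORT and self_ip.is_configsync:
        return True, "CMI tcp:4353 is always permitted to the ConfigSync IP"
    if "all" in self_ip.allow or key in self_ip.allow:
        return True, "on the port lockdown allow list"
    return False, f"{key} is not on the port lockdown list; connection refused"


if __name__ == "__main__":
    # Constructed sample: a ConfigSync self IP allowing only SSH and SNMP.
    sip = SelfIP("10.0.0.5", {"tcp:22", "udp:161"}, is_configsync=True)
    for c in (Connection("icmp", 0), Connection("tcp", 4353),
              Connection("tcp", 1100), Connection("tcp", 80)):
        print(c, lockdown_decision(sip, c))
```

Note that on a non-ConfigSync self IP, tcp:4353 (and therefore iQuery) is refused unless it is explicitly added to the lockdown list, as the FAQ states.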