Config-sync over management interface – while not a best practice – can be a handy thing to have, whether that is because of a lack of interfaces, switch capacity or other reason.
This has cropped up for me in a refresh / migration project where interfaces were changed out for fibre and didn’t come up immediately. Syncing over the management interface allowed us to sync the machines and configure failover before attending to the interface issue.
Best practices for f5 High Availability configuration can be found here.
The management interface will not show up by default under the config-sync tab; it has to be enabled using the following commands:

tmsh modify sys db configsync.allowmanagement value enable
tmsh save sys config
Refresh the page and we can now choose to run config-sync over the management interface:
This article walks through how to configure an f5 default gateway for your internal (or external!) machines.
Often, SNAT automap, a SNAT address or SNAT pool is used to essentially “hide NAT” the incoming packet behind the BigIP which will mean that the server will reply directly back to it; this doesn’t work or isn’t wanted for some environments though.
If the packet is passed through the f5 and still contains its original (internet routable) client source IP then the back-end server will send its reply to the default gateway and if this *isn’t* the BigIP then we will have asymmetric routing which is never pleasant at the best of times. This is therefore an example scenario where using the f5 as a default gateway would be convenient.
This is actually a “Forwarding (IP)” Virtual Server which will listen on all Self IPs but you can (and most certainly should) lock this down on a VLAN basis for security.
Name your virtual server, in this case “s_gateway”
Specify a source address – this is optional, but if you leave it blank it will default to 0.0.0.0/0, meaning it will accept connections from ALL IP addresses, whether internal or external. As this is a MAJOR SECURITY RISK you should lock it down to the subnets you want to accept connections from; in this case we have used “10.5.5.0/24” – connections from all other address ranges will be silently dropped.
Destination – you can lock this down to a specific network but for a default gateway we want to allow everything so this is “0.0.0.0/0”
Set ports to “*” to accept connections to any port.
Unless you only want to allow TCP & UDP, drop the Protocol menu down and choose “All Protocols”.
Select the VLANs you want to enable this on (optional)
Enable SNAT Automap – this essentially hides connections behind the BigIP; you could also use a SNAT pool or address.
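The two settings the steps above call out as security-relevant (a source left at the 0.0.0.0/0 default and no VLAN restriction) are easy to check for across every forwarding virtual server. The following is an added example, not code from the article: it audits text in the shape of `tmsh list ltm virtual` output (the sample is constructed and the exact layout is an assumption) and reports forwarding virtual servers that are wide open.

```python
import ipaddress
import re

# Constructed sample resembling `tmsh list ltm virtual` output (format assumed).
SAMPLE = """\
ltm virtual s_gateway {
    destination 0.0.0.0:any
    ip-forward
    ip-protocol any
    mask any
    source 10.5.5.0/24
    source-address-translation {
        type automap
    }
    vlans {
        internal
    }
    vlans-enabled
}
ltm virtual s_gateway_open {
    destination 0.0.0.0:any
    ip-forward
    ip-protocol any
    mask any
    source 0.0.0.0/0
    vlans-disabled
}
"""

# One "ltm virtual NAME { ... }" block; nested braces are indented, so the
# closing brace at column 0 marks the end of the block.
BLOCK_RE = re.compile(r"^ltm virtual (\S+) \{\n(.*?)^\}", re.S | re.M)


def audit_forwarding_vs(config_text):
    """Return {name: [findings]} for every Forwarding (IP) virtual server."""
    findings = {}
    for name, body in BLOCK_RE.findall(config_text):
        if not re.search(r"^\s+ip-forward\s*$", body, re.M):
            continue  # standard virtual server, not a forwarder
        issues = []
        m = re.search(r"^\s+source (\S+)", body, re.M)
        # A missing source means the 0.0.0.0/0 default applies.
        src = ipaddress.ip_network(m.group(1) if m else "0.0.0.0/0", strict=False)
        if src.prefixlen == 0:
            issues.append("source is 0.0.0.0/0: forwards traffic from any address")
        if not re.search(r"^\s+vlans-enabled\s*$", body, re.M):
            issues.append("not restricted to specific VLANs (vlans-enabled missing)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for vs, issues in audit_forwarding_vs(SAMPLE).items():
        print(vs, "OK" if not issues else "; ".join(issues))
```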