[BIG-IP] F5 secure platform configuration
#Step 01 – Add a local firewall
Building good security habits matters: it keeps the impact to a minimum when an incident does occur.
1 Management (MGMT) firewall
2 Use packet filters as the BIG-IP local firewall
create /net packet-filter block_source_UDP order 1 action discard rule "( proto UDP ) and ( src net 192.0.2.231 )"
create net packet-filter block_udp_UDP_Subnet order 1 action discard rule "( proto UDP ) and ( src net 192.0.2.0/24)"
Blocking: protection for self IPs that have port lockdown enabled. The Allow rules (accept) come first, then the block rules (discard); addresses in one list are joined with or, because a single packet cannot carry two different source or destination addresses at once.
create net packet-filter Allow_DST_EXT_Self_IP_MGMT order 1 action accept rule "( proto TCP ) and ( src net 172.1.2.231 or src net 172.1.2.232 ) and ( dst net 172.1.2.233 )"
create net packet-filter Allow_DST_INT_Self_IP_MGMT order 2 action accept rule "( proto TCP ) and ( src net 172.1.2.231 or src net 172.1.2.232 ) and ( dst net 172.1.2.233 )"
create net packet-filter block_DST_EXT_Self_IP_MGMT order 3 action discard rule "( proto TCP ) and ( dst net 192.0.2.231 or dst net 192.0.2.232 or dst net 192.0.2.233 )"
create net packet-filter block_DST_INT_Self_IP_MGMT order 4 action discard rule "( proto TCP ) and ( dst net 192.0.2.231 or dst net 192.0.2.232 or dst net 192.0.2.233 )"
create /net packet-filter icmpdrop order 5 action discard rule "( proto ICMP ) and ( src net 10.10.0.0/20 )"
tmsh create net packet-filter Allow_MGMT_access_IP_OA_1 action accept order 6 rule "( ( ip proto TCP or ip6 proto TCP ) ) and ( src net 172.16.4.0/24 or src net 172.16.5.0/24 or src net 172.16.6.0/24 ) and ( dst host 172.16.4.166 ) and ( dst port 80 or dst port 443 or dst port 22 or dst port 4353 )" vlan MGMT
https://support.f5.com/csp/article/K13383
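As an added example (not code from the original post or from F5), a small Python sanity check for tmsh packet-filter lines of the shape used above. It flags src or dst address terms joined with and inside one group when their ranges are disjoint (a packet has only one source and one destination address, so such a rule never matches), filters whose name starts with Allow but whose action is not accept, and order values shared by two filters. The sample lines and their addresses are constructed for the demonstration.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample lines modelled on the tmsh packet-filter commands above (documentation address ranges).
SAMPLE = [
    'create /net packet-filter block_source_UDP order 1 action discard rule "( proto UDP ) and ( src net 192.0.2.231 )"',
    'create net packet-filter Allow_DST_EXT_Self_IP_MGMT order 1 action discard rule "( proto TCP ) and ( src net 198.51.100.231 and src net 198.51.100.232 and dst net 192.0.2.233)"',
    'tmsh create net packet-filter Allow_MGMT_access action accept order 6 rule "( ( ip proto TCP or ip6 proto TCP ) ) and ( src net 172.16.4.0/24 or src net 172.16.5.0/24 ) and ( dst host 172.16.4.166 ) and ( dst port 443 or dst port 22 )" vlan MGMT',
]

def parse_filter(line):
    """Pull name, order, action and rule out of a 'create [/]net packet-filter' line; None for other lines."""
    m = re.match(r'^(?:tmsh\s+)?create\s+/?net\s+packet-filter\s+(\S+)', line)
    order = re.search(r'\border\s+(\d+)', line)      # order and action may appear in either sequence
    action = re.search(r'\baction\s+(\w+)', line)
    rule = re.search(r'\brule\s+"([^"]*)"', line)
    if not (m and order and action and rule):
        return None
    return {"name": m.group(1), "order": int(order.group(1)), "action": action.group(1), "rule": rule.group(1)}

def conflicting_terms(rule):
    """List and-joined src/dst address terms in one group that no single packet can satisfy."""
    found = []
    for group in re.findall(r'\(([^()]*)\)', rule):              # innermost parenthesised groups only
        nets = {}
        for part in re.split(r'\band\b', group):
            t = re.match(r'\s*(src|dst)\s+(?:net|host)\s+(\S+)\s*$', part)
            if t:
                nets.setdefault(t.group(1), []).append(ipaddress.ip_network(t.group(2), strict=False))
        for direction, lst in nets.items():
            for i, a in enumerate(lst):
                for b in lst[i + 1:]:
                    if not a.overlaps(b):                         # disjoint ranges: the conjunction is empty
                        found.append((direction, str(a), str(b)))
    return found

def audit(lines):
    """Return human-readable findings for a list of tmsh lines (non packet-filter lines are ignored)."""
    filters = [f for f in map(parse_filter, lines) if f]
    orders = Counter(f["order"] for f in filters)
    findings = []
    for f in filters:
        for direction, a, b in conflicting_terms(f["rule"]):
            findings.append(f'{f["name"]}: "{direction} {a}" and "{direction} {b}" cannot both match one packet; join them with "or"')
        if f["name"].lower().startswith("allow") and f["action"] != "accept":
            findings.append(f'{f["name"]}: name says allow but action is {f["action"]}')
        if orders[f["order"]] > 1:
            findings.append(f'{f["name"]}: order {f["order"]} is shared with another filter')
    return findings
```

Running audit(SAMPLE) reports four findings: the impossible src conjunction, the Allow filter that discards, and the two filters sharing order 1.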
3 NTP settings
Add
modify /sys ntp servers add {192.168.1.123 192.168.1.124}
Remove
modify /sys ntp servers none
save /sys config
4 DNS settings
Add
modify /sys dns name-servers add { 192.168.1.2 192.168.100.100 192.168.200.200 }
Remove
modify /sys dns name-servers none
save /sys config
5 management-route settings
tmsh create /sys management-route lognet network 10.10.10.0/255.255.255.0 gateway 172.16.1.254
tmsh create /sys management-route DNS_NTP network 192.168.1.0/255.255.255.0 gateway 172.16.1.254
tmsh save /sys config
6 management-ip settings
create /sys management-ip 172.19.1.245/24
#########################
[Maintenance notice] xx/xx (Mon) 10:00-13:00: Oscarhome ADSL POP RouterOS router IOS upgrade
Reason: Oscarhome ADSL POP RouterOS router IOS upgrade. The maintenance window is xx/xx (Mon) 10:00-13:00, during which there will be 2-3 interruptions of about 15 minutes each.
Scope of impact:
1. VV city core network connectivity
xxx
xxx
xxx
2. SSL VPN connections
OA
RD
3. VPLS VPN connections
All remote sites
Additional notes:
ooo_javawu_LAB Network Operations Center (NOC)
Toll-free: 0800-xxx-xxx
Tel: 02-xxx-xxx
Fax: 02-xxx-xxx
http://blog.javawu.idv.tw
E-mail:noc@javawu.idv.tw
# Show the database's retention policies
> SHOW RETENTION POLICIES ON spider_record;
[out]:
name duration shardGroupDuration replicaN default
---- -------- ------------------ -------- -------
autogen 720h0m0s 168h0m0s 1 true
# Modify a retention policy
> ALTER RETENTION POLICY autogen ON spider_record DURATION 720h;
# Set it as the default
> ALTER RETENTION POLICY autogen ON spider_record DEFAULT;
# Delete a retention policy
> drop retention POLICY rule_01 ON spider_record;
# Create a retention policy
> CREATE RETENTION POLICY "rule_01" ON spider_record DURATION 360h REPLICATION 1;
> SHOW RETENTION POLICIES ON spider_record;
[out]
name duration shardGroupDuration replicaN default
---- -------- ------------------ -------- -------
autogen 0s 168h0m0s 1 true
rule_01 360h0m0s 24h0m0s 1 false
# Field meanings
name -- the policy name; in this example, autogen
duration -- the retention duration; 0 means unlimited
shardGroupDuration -- the time span covered by one shard group; a shard group is one of InfluxDB's basic storage structures, and data older than this span is expected to be somewhat less efficient to query
replicaN -- short for REPLICATION, the number of replicas
default -- whether this is the default policy