Description
Using a forwarding virtual server in a large network in combination with "All VLANs" would short-circuit the networks behind the load balancer, which is not ideal in terms of security. Indeni will alert if this configuration is used.

Remediation Steps
Verify that the configuration is intentional. If not, create forwarding servers for each VLAN listening on the egress VLAN, and one forwarding server listening on all VLANs except the egress VLANs. This way you allow traffic to pass through the load balancer without short-circuiting the VLANs behind it.
Note: A change window is highly recommended, as there may be impact to the environment. More information about forwarding virtual servers can be found here: https://support.f5.com/csp/article/K7595
This alert was added per the request of Patrik Jonsson.
How does this work?
This alert uses the iControl REST interface to extract any forwarding virtual servers listening to all destinations and on all VLANs.
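The following is an added example, not Indeni's own script, of the check described above: it walks the JSON returned by the iControl REST `/mgmt/tm/ltm/virtual` collection and flags IP-forwarding virtual servers whose destination is any and whose VLAN setting is the default "All VLANs and Tunnels". The sample response is constructed for the example; the field names (`ipForward`, `destination`, `vlansDisabled`, `vlansEnabled`, `vlans`) are the standard iControl REST properties of a virtual server.

```python
import json
import re

# Constructed sample modelled on a GET /mgmt/tm/ltm/virtual response
# (example data, not captured from a real device). In production you would
# fetch this with requests.get("https://<bigip>/mgmt/tm/ltm/virtual", ...).
SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:ltm:virtual:virtualcollectionstate",
    "items": [
        # Forwarding VS, destination any, default "All VLANs": should be flagged
        {"name": "fwd_all", "destination": "/Common/0.0.0.0:0", "mask": "any",
         "ipForward": True, "vlansDisabled": True},
        # Forwarding VS enabled only on the egress VLAN: fine
        {"name": "fwd_egress_only", "destination": "/Common/0.0.0.0:0", "mask": "any",
         "ipForward": True, "vlansEnabled": True, "vlans": ["/Common/external"]},
        # Forwarding VS on all VLANs except the egress VLAN: fine
        {"name": "fwd_not_egress", "destination": "/Common/0.0.0.0:0", "mask": "any",
         "ipForward": True, "vlansDisabled": True, "vlans": ["/Common/external"]},
        # Standard VS with a specific destination: not a forwarding server
        {"name": "web_vs", "destination": "/Common/10.0.0.10:443",
         "mask": "255.255.255.255", "vlansDisabled": True},
    ],
})

# Destination "any" as BIG-IP renders it: 0.0.0.0:<port> (IPv4) or any6.<port> (IPv6)
ANY_DEST = re.compile(r"^(0\.0\.0\.0|any6?)[:.]")


def destination_is_any(vs):
    """True if the virtual server's destination host is any/0.0.0.0/any6."""
    dest = vs.get("destination", "").rsplit("/", 1)[-1]  # strip "/Common/" prefix
    return ANY_DEST.match(dest) is not None


def listens_on_all_vlans(vs):
    """The GUI default 'All VLANs and Tunnels' is vlansDisabled with no vlans list."""
    return bool(vs.get("vlansDisabled")) and not vs.get("vlans")


def find_open_forwarding_servers(raw_json):
    """Return names of IP-forwarding virtual servers with destination any on all VLANs."""
    items = json.loads(raw_json).get("items", [])
    return [vs["name"] for vs in items
            if vs.get("ipForward") and destination_is_any(vs) and listens_on_all_vlans(vs)]


if __name__ == "__main__":
    for name in find_open_forwarding_servers(SAMPLE_RESPONSE):
        print(f"forwarding virtual server {name} listens on all VLANs with destination any")
```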
Why is this important?
It is generally not recommended to have a virtual server listening on all VLANs with a destination of any. This can short-circuit any VLANs behind the load balancer and is not ideal in terms of security.
Without Indeni how would you find this?
Log in to the device's web interface and click on "Local Traffic" and then "Virtual Servers". For each of the virtual servers, verify whether it is listening to any destination and on all VLANs.