Network Administration - Chathura Ariyadasa (He/Him/His)

How to disable SSL and TLSv1&1.1 on F5 LTM for VMware iApp

Due to the cybersecurity compliance requirements, we had to disable insecure SSL and TLS protocol versions. Our infrastructure consists of VMware multi-tenants and F5 LTM as the ADC (Application Delivery Controller). Since the UAGs (Unified Access Gateway) sit behind the F5 LTM, the configuration changes need to be done at the F5 ADC. 

There was no proper article written specifically for this purpose. So, I thought of sharing this with the community. Let’s look at the steps involved in the configuration change. 

  • From the configuration utility, navigate to Local Traffic > Profiles > SSL > Client
  • Select the Client SSL profile used in the virtual server, and then change to Advanced

  • We need to change 2 fields (Cipers and Enabled Options)
  • Under the Ciphers, select Cipher Suites
  • In Cipher Suites, you need to change the value to DEFAULT:!RC4:!MEDIUM:@STRENGTH
  • Then, under the Enabled Options select only No TLSv1.3, No TLSv1.1, and No TLSv1 (refer to the below image)

  • Once you confirm the values, you may save the changes and test the access. 
  • If you need to confirm the security settings and collect evidence, you can simply test the URL with ssllabs

How to copy an Image file to another network device

In general, we copy/upload IOS image files to either flash or bootflash from a TFTP server. In case of timeouts or network delays with the TFTP server, we could use either USB or Memory Slots in order to copy image files to a network device. Once you are done copying the image to flash/bootflash, we can simply configure the network device itself as a TFTP server and can be used to copy image files across other devices. 

NOTE: Please make sure all the devices are in the same subnet 

In our example, we have used 2 Routers. Router 01 is preloaded with the Image files and will be configured as the TFTP server. Router 02 will be the TFTP client. 

Step 01: Make sure, the image file is already copied to the file location (flash or bootflash)

# show bootflash:

Step 02: Configure the Router as a TFTP server. And then assign the relevant image file

(config)# tftp-server bootflash:/“imagename”

Step 03: Log into Router 02 and copy the Image file from the TFTP server (Router 01)

#copy tftp bootflash:

 

[source: Cisco KB]