Port Lockdown controls which ports and protocols a Self IP will respond to.
However, certain traffic types bypass Port Lockdown to preserve BIG-IP functionality and routing integrity.
The three types that are NOT affected by Port Lockdown are:
1. Defined Virtual Server Traffic
Traffic destined to a Self IP that matches a configured virtual server is always accepted by the BIG-IP, regardless of Port Lockdown settings.
This ensures that traffic processing does not break when administrators restrict Self-IP ports.
2. ICMP (Internet Control Message Protocol)
ICMP (such as ping, traceroute responses, etc.) always passes through a Self IP even when Port Lockdown is set to:
Allow Default
Allow None
Allow Custom
F5 allows ICMP for reachability and diagnostic purposes independent of Port Lockdown rules.
3. Centralized Management Infrastructure (CMI)
CMI includes the internal HA services used for:
Device Trust
ConfigSync
Failover
Mirroring
These essential HA communications bypass Port Lockdown to prevent accidental cluster failure.
The well-known port for this traffic is TCP 4353, which is always permitted.
Why the other options are incorrect:
Option A: SSH is restricted by Port Lockdown unless explicitly allowed.
Option B: Same issue — SSH does not bypass Port Lockdown.
Only Defined VS Traffic, ICMP, and CMI bypass Port Lockdown.
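As an added example (not from the page or from F5), a small audit script that parses `tmsh list net self` output and reports each Self IP's Port Lockdown mode next to the three traffic classes above that are accepted regardless. It assumes the stanza layout shown in the constructed sample and that F5's Allow Default list includes tcp:22, so SSH is reachable under Allow Default.

```python
import re
# Classes the text says are always accepted, regardless of lockdown mode.
ALWAYS_ACCEPTED = ("virtual-server traffic", "ICMP", "CMI TCP 4353")
SELF_RE = re.compile(r"^net self (\S+) \{\n(.*?)\n\}", re.S | re.M)

def parse_allow_service(stanza):
    """Return (mode, services); mode is none, all, default, custom or unset."""
    m = re.search(r"allow-service (none|all)\b", stanza)
    if m:
        return m.group(1), []
    m = re.search(r"allow-service \{\n(.*?)\n\s*\}", stanza, re.S)
    if not m:  # tmsh hides default-valued keys unless all-properties is given
        return "unset", []
    items = m.group(1).split()
    return ("default", []) if items == ["default"] else ("custom", items)

def audit(tmsh_output):
    """Map each self IP to its lockdown mode, listed services and review notes."""
    report = {}
    for name, stanza in SELF_RE.findall(tmsh_output):
        mode, services = parse_allow_service(stanza)
        notes = []
        if mode == "all":
            notes.append("every port and protocol answered on this self IP")
        if mode == "default" or "tcp:22" in services:  # default list has SSH (assumption)
            notes.append("SSH (tcp:22) accepted: never a bypass, only an explicit allow")
        report[name] = {"mode": mode, "services": services, "notes": notes,
                        "always_accepted": list(ALWAYS_ACCEPTED)}
    return report

# Constructed sample shaped like `tmsh list net self`; not output from a real device.
SAMPLE = """\
net self external {
    address 10.1.10.5/24
    allow-service {
        default
    }
}
net self internal {
    address 10.1.20.5/24
    allow-service none
}
net self ha {
    address 10.1.30.5/24
    allow-service {
        tcp:22
        udp:1026
    }
}
"""
```

Run `audit(SAMPLE)` to see that only the Allow None Self IP has no notes, while the Allow Default and custom tcp:22 entries are flagged for SSH exposure.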