By default, AFM firewall is configured in ADC mode, which is a
default allow configuration. In ADC mode, all traffic is allowed through the firewall, and any
traffic you want to block must be explicitly specified.
To understand this firewall scenario, imagine that your prerequisite
system load-balances all traffic from the Internet to several internal servers. The
internal servers are:
Virtual servers
IP address
Network virtual server
70.168.15.0/24
Application virtual server
192.168.15.101
In order for traffic from the internal application virtual server to
reach the external network virtual server, you must create a VLAN and enable both internal
and external virtual servers on it. In this scenario, these VLANs are specified:
VLAN
Configuration
net_ext
Enabled on 70.168.15.0/24, 192.168.15.101
net_int
Includes pool members 10.10.1.10, 10.10.1.11
In this firewall configuration, there are three external
networks that require firewall policies:
Network
Policy
60.63.10.0/24
Allow all access
48.64.32.0/24
Allow all access
85.34.12.0/24
Deny all access
To set up this scenario, you configure firewall
rules specific to these networks. You will also configure a firewall
rule that denies all ICMP traffic, to prevent pinging of network devices.
ADC mode configuration scenario
Configuration settings for IPv6 pools and
ADC mode
In a standard configuration, IPv6 pools work with either ADC mode or Firewall mode
without any issues. However, in the specific ADC mode configuration where a Deny All policy is
added after any specific Allow rules are configured, IPv6 pools cannot be reached.
If you
choose to add a rule to deny all traffic after more specific rules, you must add a preceding
rule with the following parameters.
State:
Enabled
Protocol:
ICMPv6 (58)
Type:
Neighbor Advertisement (136)
Source Address: any affected pool members
Destination Address: the BIG-IP address, or
Any
Action:
Accept
All other values can be left at their defaults, except the rule name.
Such a rule allows ICMPv6 pools to function, when a rule that denies all traffic is
added at the end of the rule list in an ADC mode configuration.
Configure AFM to use ADC mode
This task describes how to configure AFM to use ADC mode. In this mode, all network traffic is allowed.
ADC mode is the default mode.
On the Main tab, click
Security
Options
Network Firewall
.
From the
Virtual Server & Self IP
Contexts
list, select the default action
Accept
for the self IP and
virtual server contexts.
From the
Global Context
list, select the default action for the global rule context.
Select
Drop
to silently drop all
traffic. Dropping causes the connection to be retried until the retry threshold is reached.
Select
Reject
to reject all
traffic. Rejecting sends a destination unreachable message to the sender.
Click
Update
.
Creating a VLAN for the network firewall
Create a VLAN with tagged interfaces, so that each of the specified interfaces can process
traffic destined for that VLAN.
On the Main tab, click
Network
VLANs
.
The VLAN List screen opens.
Click
Create
.
The New VLAN screen opens.
In the
Name
field, type a unique name for the VLAN.
For purposes of this implementation, name the VLAN
net_ext
.
For the
Interfaces
setting:
From the
Interface
list, select an interface number.
From the
Tagging
list, select
Tagged
.
Click
Add
.
If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the
Source
Check
check box.
From the
Configuration
list, select
Advanced
.
In the
MTU
field, retain the default number of bytes (
1500
).
If you want to base redundant-system failover on VLAN-related events, select the
Fail-safe
check box.
From the
Auto Last Hop
list, select a value.
From the
CMP Hash
list, select a value.
To enable the
DAG Round Robin
setting, select the check box.
For the
Hardware SYN Cookie
setting, select or clear the check box.
When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
For the
Syncache Threshold
setting, retain the default value or change it to suit your needs.
The
Syncache Threshold
value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
When the
Hardware SYN Cookie
setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
The number of TCP half-open connections defined in the LTM setting
Global SYN
Check Threshold
is reached.
The number of SYN flood packets defined in this
Syncache Threshold
setting is reached.
For the
SYN Flood Rate Limit
setting, retain the default value or change it to suit your needs.
The
SYN Flood Rate Limit
value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
Click
Finished
.
The screen refreshes, and it displays the new VLAN in the list.
The new VLAN appears in the VLAN list.
Enable the new VLAN on both the network virtual server and the application virtual server.
Configuring an LTM
virtual server with a VLAN for Network Firewall
For this implementation, at least two virtual servers and one at least one VLAN are
assumed, though your configuration might be different.
You enable two virtual servers on the same VLAN to
allow traffic from hosts on one virtual server to reach or pass through the other. In
the Network Firewall, if you are using multiple virtual servers to allow or deny traffic
to and from specific hosts behind different virtual servers, you must enable those
virtual servers on the same VLAN.
By default, the
virtual server is set to share traffic on
All VLANs and Tunnels
. This
configuration will work for your VLANs, but in the firewall context specifying or
limiting VLANs that can share traffic provides greater security.
On the Main tab, click
Local Traffic
Virtual Servers
.
The Virtual Server List
screen opens.
Click the name of the virtual server you want to
modify.
From the
VLAN and Tunnel Traffic
list,
select
Enabled on
.
Then, for the
VLANs and
Tunnels
setting, move the VLAN or VLANs on which you want to
allow the virtual servers to share traffic from the
Available
list to the
Selected
list.
Click
Update
to save the
changes.
Repeat this task for all virtual servers that must
share traffic over the VLAN.
The virtual servers on which you enabled the same VLAN can now pass traffic.
Adding a
firewall rule to deny ICMP
Use this task to create a firewall
rule at the Global context, that denies ICMP packets globally.
On the Main tab, click
Security
Network Firewall
Active Rules
.
The Active Rules screen
opens.
In the Rules area, click
Add
to add a firewall rule to
the list.
From the
Context
list, select the
Global
context.
In the
Name
field, type
deny_icmp
.
From the
Type
list, select
Rule
.
From the
State
list, select
Enabled
.
From the Protocol list, select
ICMP
.
In the
ICMP
Message
area, from the
Type
list, select
Any
, and click the
Add
button.
You can optionally deny only
ICMP ping requests, by selecting
Echo
(8)
from the
Type
list, and clicking
Add
.
Leave the
Source
area configured to allow
Any
address, port, and VLAN.
Leave the
Destination
area configured to allow
Any
address or port.
From the
Action
list, select
Drop
or
Reject
.
These options
either drop ICMP packets from any source and port to any
port and address, or send a reject message and reset the the
connection.
From the
Logging
list, enable or
disable logging for the firewall rule.
A logging profile must be enabled to
capture logging info for the firewall rule.
Click
Finished
.
The list screen and the new
item are displayed.
A new firewall rule is created, and
appears in the firewall rule list. This firewall rule denies all access to
and from all sources and destinations on the ICMP protocol.
Creating address lists
Use this procedure to create the address lists to be used in the firewall rules.
On the Main tab, click
Shared Objects
Address Lists
.
Click
Create
.
In the name field, type
addr_list1
.
In the Addresses area, add the following addresses:
48.63.32.0/24
and
60.63.10.0/24
. Click
Add
after you type
each address.
Click
Repeat
.
In the name field, type
addr_list2
.
In the Addresses area, add the following address:
85.34.12.0/24
.
Click
Add
.
Click
Finished
.
The list screen and new address lists are displayed
Creating firewall rule lists
Create the AFM firewall rule lists that will contain the firewall rules.
On the Main tab, click
Security
Network Firewall
Rule Lists
.
The Rule Lists screen
opens.
Click the
Create
button to create a new rule list.
In the
Name
field, type
allow_rule_list
.
Click
Repeat
.
In the
Name
field, type
deny_rule_list
.
Click
Finished
.
The empty firewall rule list is displayed.
Adding the firewall rules to the rule list
Add network firewall rules to a rule list so you
can collect and apply them at once in a policy.
Use this task to create firewall rule list that allows traffic only from the networks in address list addr_list1 and another firewall rule list that denies traffic only in address list addr_list2.
On the Main tab, click
Security
Network Firewall
Rule Lists
.
The Rule Lists screen
opens.
From the list, click
allow_rule_list
.
The Rule List properties
screen opens.
In the Rules area, click
Add
to add a firewall rule to
the list.
In the
Name
field, type
allow_addr_list
.
From the Source
Address/Region
list, select
Specify
.
Click
Address List
and select
addr_list1
.
Click
Add
.
From the
Action
list, select
Accept
.
From the
Logging
list, enable or
disable logging for the firewall rule.
A logging profile must be enabled to
capture logging info for the firewall rule.
Click
Repeat
.
In the
Name
field, type
deny_all
.
From the Source
Address/Region
, select
Any
.
From the
Action
list, select
Reject
.
Click
Finished
.
Click
Network Firewall : Rule Lists
at the top of the page.
From the list, click
deny_rule_list
.
The Rule List properties
screen opens.
In the Rules area, click
Add
to add a firewall rule to
the list.
In the
Name
field, type
deny_addr_list
.
From the Source
Address/Region
list, select
Specify
.
Click
Address List
and select
addr_list2
.
Click
Add
.
From the
Action
list, select
Reject
.
From the
Logging
list, enable or
disable logging for the firewall rule.
A logging profile must be enabled to
capture logging info for the firewall rule.
Click
Finished
.
The Rule List properties
screen opens.
The Rule Lists screen shows the new rule in the rule list.
Creating firewall policies
Create the firewall policies to collect the rule list. The policies will later be applied to the virtual servers.
On the Main tab, click
Security
Network Firewall
Policies
.
The Policies screen
opens.
Click
Create
to create a new
policy.
In the
Name
field, type
network_virtual_policy
.
Click
Repeat
.
In the
Name
field, type
app_virtual_policy
.
Click
Finished
.
The Policies screen shows the new policy in the policy list.
Activating the rule list in the policy
The rule list is a container in which you can
select and activate one of the rule lists that you created previously, or one of the
predefined system rule lists, to apply a collection of rules at one time, to a policy.
On the Main tab, click
Security
Network Firewall
Policies
.
The Policies screen
opens.
Click the firewall policy named
network_virtual_policy
.
Click
Add Rule List
.
In the Name section, enter
allow_rule_list
in the
Rule List
option.
Click
Done Editing
.
Click
Commit Changes to System
at the top of the page.
Click
Policies
at the top of the page.
Click the firewall policy named
app_virtual_policy
.
Click
Add Rule List
.
In the Name section, enter
deny_rule_list
in the
Rule List
option.
Click
Done Editing
.
Click
Commit Changes to System
at the top of the page.
The firewall policy and rule list are activated.
Associating the firewall policies with the virtual servers
In the final steps, the firewall policies are applied to the virtual servers.
On the Main tab, click
Local Traffic
Virtual Servers
.
Click the name of the virtual server with Destination IP address
70.186.15.0/24
.
Click
Security
Policies
at the top of the page.
Change Network Firewall
Enforcement
to
Enabled
.
From the
Policy
list, select
network_virtual_policy
.
Click
Update
.
Click
Virtual Servers : Virtual Server List
at the top of the page.
Click the name of the virtual server with Destination IP address
