Manual Chapter : AFM Network Firewall

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 15.0.0
Manual Chapter

AFM Network Firewall

Overview: Default traffic processing

BIG-IP AFM is an add-on module that integrates with BIG-IP Local Traffic Manager (LTM). When the AFM and LTM modules are provisioned, it is important to understand how the baseline or default configuration affects traffic processing.
LTM is considered to be default deny. This means that when no traffic processing objects are configured (for example a virtual server and a pool), the BIG-IP system does not process any network traffic. You need to configure at least one traffic processing object on the BIG-IP system to begin processing traffic.
AFM Network Firewall is considered to be default allow, also known as Application Delivery Controller (ADC) mode. This mode allows access to all traffic processing objects and requires one or more firewall rules to block access.
AFM can be configured to run in one of two modes:
Firewall mode
Description
ADC (Accept)
Allow all traffic. Firewall rules must be applied to restrict access.
Firewall (Reject / Drop)
Allow no traffic. Firewall rules must be applied to allow access.
You should know the differences between the Accept, Reject, and Drop actions:
Firewall action
Description
Accept
Allow packets that do not match restrictive firewall rules. This is the default mode.
Reject
Reject packets that do not match acceptance firewall rules. This mode sends an ICMP destination unreachable packet to the remote client.
Drop
Drop packets that do not match acceptance firewall rules. This causes the remote client to continue the connection attempt until the retry period has expired.

Overview: AFM Network Firewall policies and rules

BIG-IP AFM Network Firewall policies contain ordered lists of industry standard firewall rules. Network Firewall policies control network access to your data center using criteria such as IP address, service port, time of day, and day of week. You can also apply iRules to extend firewall rule logic, and enable logging to capture firewall events.
Because AFM Network Firewall policies can be applied to a variety of different contexts and may at times overlap, it is important to understand the order of processing for each context.
Order processed
Firewall context
Description
First
Global
Applies to all traffic being processed.
Second
Route Domain
Applies to a specific route domain.
Third
Virtual Server/Self IP
Applies to a virtual server or Self IP address.
Independent
Management Port
Applied to the BIG-IP system management port.
AFM Network Firewall processes policies in order, progressing from the global to the route domain, and then to the virtual server/Self IP context. Management port rules are processed separately. You can enforce a firewall policy on any context except the management port, where firewall rules are applied directly.

Creating an AFM Network Firewall policy

With BIG-IP AFM Network Firewall, you can create granular firewall policies using industry standard firewall rules. For example, clients from specific source IP address subnets can be granted access to specific destination IP addresses and service ports during specified hours and days of the week.
In the following scenario, the AFM Network Firewall mode is changed from ADC to firewall and a new firewall policy is created. The policy permits access to clients from the
10.10.10.0/24
subnet between 6 A.M. and 10 P.M., Monday through Friday. The new firewall policy will be applied to the virtual server context.
Creating and applying a new AFM Network Firewall policy involves several tasks.

Task list

  1. Change the AFM mode.
  2. Create the firewall schedule.
  3. Create the address list.
  4. Create the rule list.
  5. Create the firewall policy.
  6. Apply the firewall policy.

Change the AFM mode

You can change the BIG-IP AFM Network Firewall mode by modifying the Default Firewall Action setting. When you enable Firewall mode, the AFM system allows access only when specific firewall rules are put in place. While this method reduces the overall attack surface, it may impact services that you are not be aware of. ADC mode is currently the default and most popular choice. These steps change the AFM mode from the default ADC mode to firewall mode.
  1. On the Main tab, click
    Security
    Options
    Network Firewall
    Firewall Options
    .
  2. Under Default Firewall Action, from the
    Virtual Server Self IP Contexts
    list, select
    Reject
    .
    When you select
    Reject
    , the system immediately notifies the remote client that access is denied.
  3. Click
    Update
    at the bottom of the page.
The AFM system now rejects all ingress traffic, and requires one or more firewall policies to accept traffic.
You can now create a AFM Network Firewall schedule that enables the firewall rule between 6 A.M. and 10 P.M., Monday through Friday.

Create the firewall schedule

You can create AFM Network Firewall schedules that define a period of time that a firewall rule is enabled. The firewall schedule is used later when creating the new rule list. In this task, you create a new schedule allowing remote users to access a virtual server from 6 A.M. to 10 P.M., Monday through Friday.
  1. On the Main tab, click
    Security
    Network Firewall
    Schedules
    .
  2. Click
    Create
    at the far right.
  3. For the
    Name
    , type a unique string.
    For this example, type
    web_allow_6am-10pm
    .
  4. Leave the
    Date Range
    as
    Indefinite
    .
  5. For the
    Time Range
    list, select
    Between
    .and type the begin and end times.
    For this example, type
    06:00
    for 6 A.M. and
    22:00
    for 10 P.M.
  6. For the
    Days Valid
    , check the box for each day that the firewall rule will be active.
    For this example, ensure that
    Sunday
    and
    Saturday
    check boxes are cleared.
  7. Click
    Finished
    .
The new AFM Network Firewall schedule is listed in the Schedules screen.
Next you should create an address list for clients in the
10.10.10.0/24
subnet.

Create the address list

You can create AFM Network Firewall address lists that contain one or more IP address subnets, fully qualified domain names, or geographic locations. The address list is used later when creating a new firewall rule list. In this task, you create an address list for clients in the
10.10.10.0/24
subnet.
  1. On the Main tab, click
    Shared Objects
    Address Lists
    .
    You can also create Port Lists that control access to specific services.
  2. Click
    Create
    .
  3. In the
    Name
    field, type
    10.10.10.0_24
    .
    Using the IP address as the
    Name
    makes address list management easier, for example when selecting an address list from a rule list object.
  4. In the
    Addresses
    field, type
    10.10.10.0/24
    .
    The IP address here allows or restricts IP addresses within the configured subnet range.
  5. Click
    Add
    .
  6. Click
    Finished
    .
The new AFM Network Firewall address list appears in the Shared Objects Address Lists screen.
You should now create a rule list that references both the address list and the schedule.

Create the rule list

You can create AFM Network Firewall rule lists that contain an ordered list of firewall rules. The rule list is used later when creating a new firewall policy. This task shows how to create a new rule list that references the address list and schedule that you created previously .
  1. On the Main tab, click
    Security
    Network Firewall
    Rule Lists
    .
    The Rule Lists screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type
    rule_list_10.10.10.0_24
    .
  4. Click
    Finished
    .
  5. In the Rule Lists screen, click
    rule_list_10.10.10.0_24
    .
  6. At the far right, click
    Add
    .
  7. For
    Name
    , type
    allow_10.10.10.0_24
    .
  8. From the
    State
    list, select
    Scheduled
    .
  9. From the
    Schedule
    list, select
    web_allow_6am-10pm
    .
  10. From the
    Protocol
    list, select
    TCP
    .
  11. From the
    Source
    setting
    Address/Region
    list, select
    Specify
    .
  12. Click
    Address List
    .
  13. Select
    10.10.10.0_24
    from the list and click
    Add
    .
    The AFM system pre-pends the system partition to the name.
  14. From the
    Logging
    list, select
    Enabled
    .
  15. Click
    Finished
    .
The new rule list appears in the Rule Lists screen.
Next, add the rule list to a new firewall policy.

Create the firewall policy

You can create a Network Firewall policy containing one or more firewall rule lists. The firewall policy will be applied to a virtual server in the final task. This task shows how to create a firewall policy that contains a single rule list.
  1. On the Main tab, click
    Security
    Network Firewall
    Policies
    .
  2. To the far right, click
    Create
    .
  3. In the
    Name
    field type
    web_allow_policy
    .
  4. Click
    Finished
    .
  5. In the Policies list, click
    web_allow_policy
    .
  6. At the far right, click
    Add Rule List
    .
  7. In the rules list, in the
    Name
    field, type
    rule_list_10.10.10.0_24
    .
    The AFM system pre-pends the system partition to the name.
  8. Click
    Done Editing
    .
  9. At the top of the page, click
    Commit Changes to System
    .
The new firewall policy appears in the Policies list.
New policies do not take affect until they are applied to a context. So next, you apply the firewall policy to a virtual server context.

Apply the firewall policy

Before you can apply a firewall policy, you must have a virtual server configured on the BIG-IP AFM system.
You can apply Network Firewall policies globally, to route domains, virtual servers, and Self IP addresses. This task shows how to apply the firewall policy to a virtual server context.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    Virtual Server List
    .
  2. Under Name, click the name of the virtual server.
  3. At the top of the page, from
    Security
    , select
    Policies
    .
  4. For the
    Network Firewall
    setting
    Enforcement
    list, select
    Enabled
    .
    The
    Staging
    option allows you to reference a network firewall policy and log firewall rule matching events without actually affecting client connectivity.
  5. From the
    Policy
    list, select the name of the network firewall policy. For this task, select
    web_allow_policy
    .
You have now associated the new Network Firewall policy with the virtual server allowing clients in the
10.10.10.0/24
subnet to access resources between 6 A.M. and 10 PM., Monday through Friday.