Manual Chapter : AFM Network Firewall
Applies To:Show Versions
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
AFM Network Firewall
Overview: Default traffic processing
BIG-IP AFM is an add-on module that integrates with BIG-IP Local Traffic Manager (LTM). When the AFM and LTM modules are provisioned, it is important to understand how the baseline or default configuration affects traffic processing.
LTM is considered to be default deny. This means that when no traffic processing objects are configured (for example a virtual server and a pool), the BIG-IP system does not process any network traffic. You need to configure at least one traffic processing object on the BIG-IP system to begin processing traffic.
AFM Network Firewall is considered to be default allow, also known as Application Delivery Controller (ADC) mode. This mode allows access to all traffic processing objects and requires one or more firewall rules to block access.
AFM can be configured to run in one of two modes:
Allow all traffic. Firewall rules must be applied to restrict access.
Firewall (Reject / Drop)
Allow no traffic. Firewall rules must be applied to allow access.
You should know the differences between the Accept, Reject, and Drop actions:
Allow packets that do not match restrictive firewall rules. This is the default mode.
Reject packets that do not match acceptance firewall rules. This mode sends an ICMP destination unreachable packet to the remote client.
Drop packets that do not match acceptance firewall rules. This causes the remote client to continue the connection attempt until the retry period has expired.
Overview: AFM Network Firewall policies and rules
BIG-IP AFM Network Firewall policies contain ordered lists of industry standard firewall rules. Network Firewall policies control network access to your data center using criteria such as IP address, service port, time of day, and day of week. You can also apply iRules to extend firewall rule logic, and enable logging to capture firewall events.
Because AFM Network Firewall policies can be applied to a variety of different contexts and may at times overlap, it is important to understand the order of processing for each context.
Applies to all traffic being processed.
Applies to a specific route domain.
Virtual Server/Self IP
Applies to a virtual server or Self IP address.
Applied to the BIG-IP system management port.
AFM Network Firewall processes policies in order, progressing from the global to the route domain, and then to the virtual server/Self IP context. Management port rules are processed separately. You can enforce a firewall policy on any context except the management port, where firewall rules are applied directly.
Creating an AFM Network Firewall policy
With BIG-IP AFM Network Firewall, you can create granular firewall policies using industry standard firewall rules. For example, clients from specific source IP address subnets can be granted access to specific destination IP addresses and service ports during specified hours and days of the week.
In the following scenario, the AFM Network Firewall mode is changed from ADC to firewall and a new firewall policy is created. The policy permits access to clients from the
10.10.10.0/24subnet between 6 A.M. and 10 P.M., Monday through Friday. The new firewall policy will be applied to the virtual server context.
Creating and applying a new AFM Network Firewall policy involves several tasks.
- Change the AFM mode.
- Create the firewall schedule.
- Create the address list.
- Create the rule list.
- Create the firewall policy.
- Apply the firewall policy.
Change the AFM mode
You can change the BIG-IP AFM Network Firewall mode by modifying the Default Firewall Action setting. When you enable Firewall mode, the AFM system allows access only when specific firewall rules are put in place. While this method reduces the overall attack surface, it may impact services that you are not be aware of. ADC mode is currently the default and most popular choice. These steps change the AFM mode from the default ADC mode to firewall mode.
- On the Main tab, click.
- Under Default Firewall Action, from theVirtual Server Self IP Contextslist, selectReject.When you selectReject, the system immediately notifies the remote client that access is denied.
- ClickUpdateat the bottom of the page.
The AFM system now rejects all ingress traffic, and requires one or more firewall policies to accept traffic.
You can now create a AFM Network Firewall schedule that enables the firewall rule between 6 A.M. and 10 P.M., Monday through Friday.
Create the firewall schedule
You can create AFM Network Firewall schedules that define a period of time that a firewall rule is enabled. The firewall schedule is used later when creating the new rule list. In this task, you create a new schedule allowing remote users to access a virtual server from 6 A.M. to 10 P.M., Monday through Friday.
- On the Main tab, click.
- ClickCreateat the far right.
- For theName, type a unique string.For this example, typeweb_allow_6am-10pm.
- Leave theDate RangeasIndefinite.
- For theTime Rangelist, selectBetween.and type the begin and end times.For this example, type06:00for 6 A.M. and22:00for 10 P.M.
- For theDays Valid, check the box for each day that the firewall rule will be active.For this example, ensure thatSundayandSaturdaycheck boxes are cleared.
The new AFM Network Firewall schedule is listed in the Schedules screen.
Next you should create an address list for clients in the
Create the address list
You can create AFM Network Firewall address lists that contain one or more IP address subnets, fully qualified domain names, or geographic locations. The address list is used later when creating a new firewall rule list. In this task, you create an address list for clients in the
- On the Main tab, click.You can also create Port Lists that control access to specific services.
- In theNamefield, type10.10.10.0_24.Using the IP address as theNamemakes address list management easier, for example when selecting an address list from a rule list object.
- In theAddressesfield, type10.10.10.0/24.The IP address here allows or restricts IP addresses within the configured subnet range.
The new AFM Network Firewall address list appears in the Shared Objects Address Lists screen.
You should now create a rule list that references both the address list and the schedule.
Create the rule list
You can create AFM Network Firewall rule lists that contain an ordered list of firewall rules. The rule list is used later when creating a new firewall policy. This task shows how to create a new rule list that references the address list and schedule that you created previously .
- On the Main tab, click.The Rule Lists screen opens.
- In theNamefield, typerule_list_10.10.10.0_24.
- In the Rule Lists screen, clickrule_list_10.10.10.0_24.
- At the far right, clickAdd.
- ForName, typeallow_10.10.10.0_24.
- From theStatelist, selectScheduled.
- From theSchedulelist, selectweb_allow_6am-10pm.
- From theProtocollist, selectTCP.
- From theSourcesettingAddress/Regionlist, selectSpecify.
- ClickAddress List.
- Select10.10.10.0_24from the list and clickAdd.The AFM system pre-pends the system partition to the name.
- From theLogginglist, selectEnabled.
The new rule list appears in the Rule Lists screen.
Next, add the rule list to a new firewall policy.
Create the firewall policy
You can create a Network Firewall policy containing one or more firewall rule lists. The firewall policy will be applied to a virtual server in the final task. This task shows how to create a firewall policy that contains a single rule list.
- On the Main tab, click.
- To the far right, clickCreate.
- In theNamefield typeweb_allow_policy.
- In the Policies list, clickweb_allow_policy.
- At the far right, clickAdd Rule List.
- In the rules list, in theNamefield, typerule_list_10.10.10.0_24.The AFM system pre-pends the system partition to the name.
- ClickDone Editing.
- At the top of the page, clickCommit Changes to System.
The new firewall policy appears in the Policies list.
New policies do not take affect until they are applied to a context. So next, you apply the firewall policy to a virtual server context.
Apply the firewall policy
Before you can apply a firewall policy, you must have a virtual server configured on the BIG-IP AFM system.
You can apply Network Firewall policies globally, to route domains, virtual servers, and Self IP addresses. This task shows how to apply the firewall policy to a virtual server context.
- On the Main tab, click.
- Under Name, click the name of the virtual server.
- At the top of the page, fromSecurity, selectPolicies.
- For theNetwork FirewallsettingEnforcementlist, selectEnabled.TheStagingoption allows you to reference a network firewall policy and log firewall rule matching events without actually affecting client connectivity.
- From thePolicylist, select the name of the network firewall policy. For this task, selectweb_allow_policy.
You have now associated the new Network Firewall policy with the virtual server allowing clients in the
10.10.10.0/24subnet to access resources between 6 A.M. and 10 PM., Monday through Friday.