Manual Chapter : Deploying AFM in Firewall Mode

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Deploying AFM in Firewall Mode

Deploy AFM in firewall mode

By default, AFM firewall is configured in ADC mode, which is a default allow configuration. In Firewall mode, all traffic is blocked at the firewall, and any traffic you want to allow must be explicitly specified.
To understand this firewall scenario, imagine that your prerequisite system load-balances all traffic from the Internet to several internal servers. The internal servers are:
Device and location
IP address
Network virtual server
70.168.15..0/24
Application virtual server
192.168.15.101
In order for traffic from the internal application virtual server to reach the external network virtual server, you must create a VLAN and enable both internal and external virtual servers on it. In this scenario, these VLANs are specified:
VLAN
Configuration
net_ext
Enabled on 70.168.15.0/24, 192.168.15.101
net_int
Includes pool members 10.10.1.10, 10.10.1.11
In addition, in this firewall configuration, there are three external networks that must be firewalled:
Network
Policy
60.63.10.0/24
Allow all access
48.64.32.0/24
Allow all access
85.34.12.0/24
Deny all access
To set up this scenario, you configure addresses, ports, and firewall rules specific to these networks, ports, and addresses.

Configure AFM to use firewall mode

This task describes how to configure AFM to use firewall mode. In this mode, all network traffic is either dropped or rejected.
ADC mode is the default mode.
  1. On the Main tab, click
    Security
    Options
    Network Firewall
    .
  2. From the
    Virtual Server & Self IP Contexts
    list, select the default action for the self IP and virtual server contexts.
    • Select
      Drop
      to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select
      Reject
      to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  3. From the
    Global Context
    list, select the default action for the global rule context.
    • Select
      Drop
      to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select
      Reject
      to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  4. Click
    Update
    .

Create a VLAN for the Network Firewall

Create a VLAN with tagged interfaces, so that each of the specified interfaces can process traffic destined for that VLAN.
  1. On the Main tab, click
    Network
    VLANs
    .
    The VLAN List screen opens.
  2. Click
    Create
    .
    The New VLAN screen opens.
  3. In the
    Name
    field, type a unique name for the VLAN.
    For purposes of this implementation, name the VLAN
    net_ext
    .
  4. For the
    Interfaces
    setting:
    1. From the
      Interface
      list, select an interface number.
    2. From the
      Tagging
      list, select
      Tagged
      .
    3. Click
      Add
      .
  5. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the
    Source Check
    check box.
  6. From the
    Configuration
    list, select
    Advanced
    .
  7. In the
    MTU
    field, retain the default number of bytes (
    1500
    ).
  8. If you want to base redundant-system failover on VLAN-related events, select the
    Fail-safe
    check box.
  9. From the
    Auto Last Hop
    list, select a value.
  10. From the
    CMP Hash
    list, select a value.
  11. To enable the
    DAG Round Robin
    setting, select the check box.
  12. For the
    Hardware SYN Cookie
    setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  13. For the
    Syncache Threshold
    setting, retain the default value or change it to suit your needs.
    The
    Syncache Threshold
    value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
    When the
    Hardware SYN Cookie
    setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
    • The number of TCP half-open connections defined in the LTM setting
      Global SYN Check Threshold
      is reached.
    • The number of SYN flood packets defined in this
      Syncache Threshold
      setting is reached.
  14. For the
    SYN Flood Rate Limit
    setting, retain the default value or change it to suit your needs.
    The
    SYN Flood Rate Limit
    value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  15. Click
    Finished
    .
    The screen refreshes, and it displays the new VLAN in the list.
The new VLAN appears in the VLAN list.
Enable the new VLAN on both the network virtual server and the application virtual server.

Configure an LTM virtual server with a VLAN for Network Firewall

For this implementation, at least two virtual servers and one at least one VLAN are assumed, though your configuration might be different.
You enable two virtual servers on the same VLAN to allow traffic from hosts on one virtual server to reach or pass through the other. In the Network Firewall, if you are using multiple virtual servers to allow or deny traffic to and from specific hosts behind different virtual servers, you must enable those virtual servers on the same VLAN.
By default, the virtual server is set to share traffic on
All VLANs and Tunnels
. This configuration will work for your VLANs, but in the firewall context specifying or limiting VLANs that can share traffic provides greater security.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the
    VLAN and Tunnel Traffic
    list, select
    Enabled on
    . Then, for the
    VLANs and Tunnels
    setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the
    Available
    list to the
    Selected
    list.
  4. Click
    Update
    to save the changes.
  5. Repeat this task for all virtual servers that must share traffic over the VLAN.
The virtual servers on which you enabled the same VLAN can now pass traffic.

Create an address list

Use this procedure to create the address lists to be used in the firewall rules.
  1. On the Main tab, click
    Shared Objects
    Address Lists
    .
  2. Click
    Create
    .
  3. In the name field, type
    addr_list1
    .
  4. In the Addresses area, add the following addresses:
    48.63.32.0/24
    and
    60.63.10.0/24
    . Click
    Add
    after you type each address.
  5. Click
    Repeat
    .
  6. In the name field, type
    addr_list2
    .
  7. In the Addresses area, add the following address:
    85.34.12.0/24
    .
  8. Click
    Add
    .
  9. Click
    Finished
    .
The list screen and new address lists are displayed

Create a firewall rule list

Create the AFM firewall rule lists that will contain the firewall rules.
  1. On the Main tab, click
    Security
    Network Firewall
    Rule Lists
    .
    The Rule Lists screen opens.
  2. Click the
    Create
    button to create a new rule list.
  3. In the
    Name
    field, type
    allow_rule_list
    .
  4. Click
    Repeat
    .
  5. In the
    Name
    field, type
    deny_rule_list
    .
  6. Click
    Finished
    .
The empty firewall rule list is displayed.

Add the firewall rules to the list

Add network firewall rules to a rule list so you can collect and apply them at once in a policy. Use this task to create firewall rule list that allows traffic only from the networks in address list addr_list1 and another firewall rule list that denies traffic only in address list addr_list2.
  1. On the Main tab, click
    Security
    Network Firewall
    Rule Lists
    .
    The Rule Lists screen opens.
  2. From the list, click
    allow_rule_list
    .
    The Rule List properties screen opens.
  3. In the Rules area, click
    Add
    to add a firewall rule to the list.
  4. In the
    Name
    field, type
    allow_addr_list
    .
  5. From the Source
    Address/Region
    list, select
    Specify
    .
  6. Click
    Address List
    and select
    addr_list1
    .
  7. Click
    Add
    .
  8. From the
    Action
    list, select
    Accept
    .
  9. From the
    Logging
    list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  10. Click
    Repeat
    .
  11. In the
    Name
    field, type
    deny_all
    .
  12. From the
    Action
    list, select
    Reject
    .
  13. Click
    Finished
    .
  14. Click
    Network Firewall : Rule Lists
    at the top of the page.
  15. From the list, click
    deny_rule_list
    .
    The Rule List properties screen opens.
  16. In the Rules area, click
    Add
    to add a firewall rule to the list.
  17. In the
    Name
    field, type
    deny_addr_list
    .
  18. From the Source
    Address/Region
    list, select
    Specify
    .
  19. Click
    Address List
    and select
    addr_list2
    .
  20. Click
    Add
    .
  21. From the
    Action
    list, select
    Reject
    .
  22. From the
    Logging
    list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  23. Click
    Repeat
    .
  24. In the
    Name
    field, type
    allow_all
    .
  25. In the Source
    Address/Region
    list, select
    Any
    .
  26. From the
    Action
    list, select
    Accept
    .
  27. Click
    Finished
    .
    The Rule List properties screen opens.
The Rule Lists screen shows the new rule in the rule list.

Create a firewall policy

Create the firewall policies to collect the rule list. The policies will later be applied to the virtual servers.
  1. On the Main tab, click
    Security
    Network Firewall
    Policies
    .
    The Policies screen opens.
  2. Click
    Create
    to create a new policy.
  3. In the
    Name
    field, type
    network_virtual_policy
    .
  4. Click
    Repeat
    .
  5. In the
    Name
    field, type
    app_virtual_policy
    .
  6. Click
    Finished
    .
The Policies screen shows the new policy in the policy list.

Activate the rule list in the policy

The rule list is a container in which you can select and activate one of the rule lists that you created previously, or one of the predefined system rule lists, to apply a collection of rules at one time, to a policy.
  1. On the Main tab, click
    Security
    Network Firewall
    Policies
    .
    The Policies screen opens.
  2. Click the firewall policy named
    network_virtual_policy
    .
  3. Click
    Add Rule List
    .
  4. In the Name section, enter
    allow_rule_list
    in the
    Rule List
    option.
  5. Click
    Done Editing
    .
  6. Click
    Commit Changes to System
    at the top of the page.
  7. Click
    Policies
    at the top of the page.
  8. Click the firewall policy named
    app_virtual_policy
    .
  9. Click
    Add Rule List
    .
  10. In the Name section, enter
    deny_rule_list
    in the
    Rule List
    option.
  11. Click
    Done Editing
    .
  12. Click
    Commit Changes to System
    at the top of the page.
The firewall policy and rule list are activated.

Associate the firewall policy with a virtual server

In the final steps, the firewall policy is applied to the virtual server.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
  2. Click the name of the virtual server with Destination IP address
    70.186.15.0/24
    .
  3. Click
    Security
    Policies
    at the top of the page.
  4. Change Network Firewall
    Enforcement
    to
    Enabled
    .
  5. From the
    Policy
    list, select
    network_virtual_policy
    .
  6. Click
    Update
    .
  7. Click
    Virtual Servers : Virtual Server List
    at the top of the page.
  8. Click the name of the virtual server with Destination IP address
    192.168.15.101
    .
  9. Click
    Security
    Policies
    at the top of the page.
  10. Change Network Firewall
    Enforcement
    to
    Enabled
    .
  11. From the
    Policy
    list, select
    app_virtual_policy
    .
  12. Click
    Update
    .
The firewall policy is associated with the virtual server, and AFM will begin inspecting packets processed by the virtual server.