Manual Chapter :
Deploying AFM in Firewall Mode
Applies To:
Show VersionsBIG-IP AFM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Deploying AFM in Firewall Mode
Deploy AFM in firewall mode
By default, AFM firewall is configured in ADC mode, which is a
default allow configuration. In Firewall mode, all traffic is blocked at the firewall, and any
traffic you want to allow must be explicitly specified.
To
understand this firewall scenario, imagine that your prerequisite system load-balances
all traffic from the Internet to several internal servers. The internal servers
are:
Device and location | IP address |
---|---|
Network virtual server | 70.168.15..0/24 |
Application virtual server | 192.168.15.101 |
In order for traffic from the internal application virtual
server to reach the external network virtual server, you must create a VLAN and enable
both internal and external virtual servers on it. In this scenario, these VLANs are
specified:
VLAN | Configuration |
---|---|
net_ext | Enabled on 70.168.15.0/24, 192.168.15.101 |
net_int | Includes pool members 10.10.1.10,
10.10.1.11 |
In addition, in this firewall configuration, there are three
external networks that must be firewalled:
Network | Policy |
---|---|
60.63.10.0/24 | Allow all access |
48.64.32.0/24 | Allow all access |
85.34.12.0/24 | Deny all access |
To set up this scenario, you configure addresses, ports, and
firewall rules specific to these networks, ports, and addresses.
Configure AFM to use firewall mode
This task describes how to configure AFM to use firewall mode. In this mode, all network traffic is either dropped or rejected.
ADC mode is the default mode.
- On the Main tab, click.
- From theVirtual Server & Self IP Contextslist, select the default action for the self IP and virtual server contexts.
- SelectDropto silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
- SelectRejectto reject all traffic. Rejecting sends a destination unreachable message to the sender.
- From theGlobal Contextlist, select the default action for the global rule context.
- SelectDropto silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
- SelectRejectto reject all traffic. Rejecting sends a destination unreachable message to the sender.
- ClickUpdate.
Create a VLAN for the Network Firewall
Create a VLAN with tagged interfaces, so that each of the specified interfaces can process
traffic destined for that VLAN.
- On the Main tab, click.The VLAN List screen opens.
- ClickCreate.The New VLAN screen opens.
- In theNamefield, type a unique name for the VLAN.For purposes of this implementation, name the VLANnet_ext.
- For theInterfacessetting:
- From theInterfacelist, select an interface number.
- From theTagginglist, selectTagged.
- ClickAdd.
- If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select theSource Checkcheck box.
- From theConfigurationlist, selectAdvanced.
- In theMTUfield, retain the default number of bytes (1500).
- If you want to base redundant-system failover on VLAN-related events, select theFail-safecheck box.
- From theAuto Last Hoplist, select a value.
- From theCMP Hashlist, select a value.
- To enable theDAG Round Robinsetting, select the check box.
- For theHardware SYN Cookiesetting, select or clear the check box.When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
- For theSyncache Thresholdsetting, retain the default value or change it to suit your needs.TheSyncache Thresholdvalue represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.When theHardware SYN Cookiesetting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
- The number of TCP half-open connections defined in the LTM settingGlobal SYN Check Thresholdis reached.
- The number of SYN flood packets defined in thisSyncache Thresholdsetting is reached.
- For theSYN Flood Rate Limitsetting, retain the default value or change it to suit your needs.TheSYN Flood Rate Limitvalue represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
- ClickFinished.The screen refreshes, and it displays the new VLAN in the list.
The new VLAN appears in the VLAN list.
Enable the new VLAN on both the network virtual server and the application virtual server.
Configure an LTM
virtual server with a VLAN for Network Firewall
For this implementation, at least two virtual servers and one at least one VLAN are
assumed, though your configuration might be different.
You enable two virtual servers on the same VLAN to
allow traffic from hosts on one virtual server to reach or pass through the other. In
the Network Firewall, if you are using multiple virtual servers to allow or deny traffic
to and from specific hosts behind different virtual servers, you must enable those
virtual servers on the same VLAN.
By default, the
virtual server is set to share traffic on
All VLANs and Tunnels
. This
configuration will work for your VLANs, but in the firewall context specifying or
limiting VLANs that can share traffic provides greater security.- On the Main tab, click.The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- From theVLAN and Tunnel Trafficlist, selectEnabled on. Then, for theVLANs and Tunnelssetting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from theAvailablelist to theSelectedlist.
- ClickUpdateto save the changes.
- Repeat this task for all virtual servers that must share traffic over the VLAN.
The virtual servers on which you enabled the same VLAN can now pass traffic.
Create an address list
Use this procedure to create the address lists to be used in the firewall rules.
- On the Main tab, click.
- ClickCreate.
- In the name field, typeaddr_list1.
- In the Addresses area, add the following addresses:48.63.32.0/24and60.63.10.0/24. ClickAddafter you type each address.
- ClickRepeat.
- In the name field, typeaddr_list2.
- In the Addresses area, add the following address:85.34.12.0/24.
- ClickAdd.
- ClickFinished.
The list screen and new address lists are displayed
Create a firewall rule list
Create the AFM firewall rule lists that will contain the firewall rules.
- On the Main tab, click.The Rule Lists screen opens.
- Click theCreatebutton to create a new rule list.
- In theNamefield, typeallow_rule_list.
- ClickRepeat.
- In theNamefield, typedeny_rule_list.
- ClickFinished.
The empty firewall rule list is displayed.
Add the firewall rules to the list
Add network firewall rules to a rule list so you
can collect and apply them at once in a policy.
Use this task to create firewall rule list that allows traffic only from the networks in address list addr_list1 and another firewall rule list that denies traffic only in address list addr_list2.
- On the Main tab, click.The Rule Lists screen opens.
- From the list, clickallow_rule_list.The Rule List properties screen opens.
- In the Rules area, clickAddto add a firewall rule to the list.
- In theNamefield, typeallow_addr_list.
- From the SourceAddress/Regionlist, selectSpecify.
- ClickAddress Listand selectaddr_list1.
- ClickAdd.
- From theActionlist, selectAccept.
- From theLogginglist, enable or disable logging for the firewall rule.A logging profile must be enabled to capture logging info for the firewall rule.
- ClickRepeat.
- In theNamefield, typedeny_all.
- From theActionlist, selectReject.
- ClickFinished.
- ClickNetwork Firewall : Rule Listsat the top of the page.
- From the list, clickdeny_rule_list.The Rule List properties screen opens.
- In the Rules area, clickAddto add a firewall rule to the list.
- In theNamefield, typedeny_addr_list.
- From the SourceAddress/Regionlist, selectSpecify.
- ClickAddress Listand selectaddr_list2.
- ClickAdd.
- From theActionlist, selectReject.
- From theLogginglist, enable or disable logging for the firewall rule.A logging profile must be enabled to capture logging info for the firewall rule.
- ClickRepeat.
- In theNamefield, typeallow_all.
- In the SourceAddress/Regionlist, selectAny.
- From theActionlist, selectAccept.
- ClickFinished.The Rule List properties screen opens.
The Rule Lists screen shows the new rule in the rule list.
Create a firewall policy
Create the firewall policies to collect the rule list. The policies will later be applied to the virtual servers.
- On the Main tab, click.The Policies screen opens.
- ClickCreateto create a new policy.
- In theNamefield, typenetwork_virtual_policy.
- ClickRepeat.
- In theNamefield, typeapp_virtual_policy.
- ClickFinished.
The Policies screen shows the new policy in the policy list.
Activate the rule list in the policy
The rule list is a container in which you can
select and activate one of the rule lists that you created previously, or one of the
predefined system rule lists, to apply a collection of rules at one time, to a policy.
- On the Main tab, click.The Policies screen opens.
- Click the firewall policy namednetwork_virtual_policy.
- ClickAdd Rule List.
- In the Name section, enterallow_rule_listin theRule Listoption.
- ClickDone Editing.
- ClickCommit Changes to Systemat the top of the page.
- ClickPoliciesat the top of the page.
- Click the firewall policy namedapp_virtual_policy.
- ClickAdd Rule List.
- In the Name section, enterdeny_rule_listin theRule Listoption.
- ClickDone Editing.
- ClickCommit Changes to Systemat the top of the page.
The firewall policy and rule list are activated.
Associate the firewall policy with a virtual server
In the final steps, the firewall policy is applied to the virtual server.
- On the Main tab, click.
- Click the name of the virtual server with Destination IP address70.186.15.0/24.
- Clickat the top of the page.
- Change Network FirewallEnforcementtoEnabled.
- From thePolicylist, selectnetwork_virtual_policy.
- ClickUpdate.
- ClickVirtual Servers : Virtual Server Listat the top of the page.
- Click the name of the virtual server with Destination IP address192.168.15.101.
- Clickat the top of the page.
- Change Network FirewallEnforcementtoEnabled.
- From thePolicylist, selectapp_virtual_policy.
- ClickUpdate.
The firewall policy is associated with the virtual server, and AFM will begin inspecting packets processed by the virtual server.