Manual Chapter : Configuring Access Control Lists

Applies To:


BIG-IP APM

  • 16.0.1, 16.0.0

About APM ACLs

APM® access control lists (ACLs) restrict user access to the host and port combinations that are specified in access control entries (ACEs). An ACL can apply to Layer 4 (the transport layer), Layer 7 (the application layer), or both. A Layer 4 or Layer 7 ACL is used with network access, application access, or web access connections.

About ACLs and resource assignments on a full webtop

Unlike a Network Access webtop or a Portal Access webtop, a full webtop supports all types of resources. Many resources, such as app tunnels, must be assigned to a policy along with a full webtop. When you assign an app tunnel or a remote desktop resource to a policy, Access Policy Manager (APM®) assigns the allow ACLs that it created for the resource items associated with them. With an app tunnel or a remote desktop resource assigned, F5 strongly recommends that you also assign an ACL that rejects all other connections and place it last in the ACL order, so that only the explicitly allowed hosts and ports remain reachable.
If you also add a Network Access resource to the policy, you must create and assign ACLs that allow users access to all the hosts and all parts of the web sites that you want them to reach; otherwise, the ACL that rejects all connections blocks them.
If you add a Portal Access resource to the policy, APM assigns the allow ACLs that it created for the resource items associated with the Portal Access resource. However, you must create and assign ACLs that allow access to the target of the Portal Access link, which is either a start URI or hosted content. Again, without ACLs that explicitly allow the connection, the reject-all ACL stops users from launching the application or the web site.

Configuring an ACL

You use access control lists (ACLs) to restrict user access to host and port combinations that you specify in access control entries (ACEs).
  1. On the Main tab, click Access > Access Control Lists.
    The ACLs screen opens.
  2. Click Create.
    The New ACL screen opens.
  3. In the Name field, type a name for the access control list.
  4. From the Type list, select Static.
  5. In the Description field, add a description of the access control list.
  6. From the ACL Order list, specify where to place the new ACL relative to the other ACLs:
    • Select After to add the ACL after a specific ACL, and select that ACL.
    • Select Specify and type the specific order number.
    • Select Last to add the ACL at the last position in the list.
    ACLs are evaluated in this order, so place an ACL that allows specific traffic before a broader ACL that rejects it.
  7. From the Match Case for Paths list, select Yes to match case for paths, or No to ignore path case.
    This setting specifies whether alphabetic case is considered when matching the paths in an access control entry. With No, an entry for *.doc also matches /reports/Q3.DOC.
  8. Click the Create button.
    The ACL Properties screen opens.
  9. In the Access Control Entries area, click Add to add an entry.
    For an ACL to have an effect on traffic, you must configure at least one access control entry.
    The New Access Control Entry screen appears.
  10. From the Type list, select the layers to which the access control entry applies:
    • L4 (Layer 4)
    • L7 (Layer 7)
    • L4+L7 (Layer 4 and Layer 7)
  11. From the Action list, select the action for the access control entry:
    • Allow: Permit the traffic.
    • Continue: Skip the remaining access control entries in this ACL and continue evaluation at the next ACL.
    • Discard: Drop the packet silently.
    • Reject: Drop the packet and send a TCP RST on TCP flows or the appropriate ICMP message on UDP flows; on other protocols, drop the packet silently.
      If HTTP traffic matches a Layer 4 ACL, APM sends a TCP RST. If traffic matches a Layer 7 ACL and is denied, APM sends the ACL Deny page.
    To create a default access control entry (one that matches all traffic), complete this step, then skip to the last step in this procedure; an address field left blank is equivalent to 0.0.0.0, and a port field left blank means all ports.
  12. In the Source IP Address field, type the source IP address to which the access control entry applies.
  13. In the Source Mask field, type the network mask for the source IP address.
  14. For the Source Port setting, select Port or Port Range.
    This setting specifies whether the access control entry applies to a single port or a range of ports.
  15. In the Port field, or the Start Port and End Port fields, specify the port or port range to which the access control entry applies.
    To simplify this choice, you can select from the list of common applications to the right of the Port field to add the typical port or ports for that protocol.
  16. In the Destination IP Address field, type the IP address to which the access control entry controls access.
  17. In the Destination Mask field, type the network mask for the destination IP address.
    Use 255.255.255.255 for a single host; a shorter mask, such as 255.255.255.0, widens the entry to the whole subnet.
  18. For the Destination Ports setting, select Port or Port Range.
    This setting specifies whether the access control entry applies to a single port or a range of ports.
  19. In the Port field, or the Start Port and End Port fields, specify the port or port range to which the access control entry applies.
    To simplify this choice, you can select from the list of common applications to the right of the Port field to add the typical port or ports for that protocol.
  20. From the Scheme list, select the URI scheme for the access control entry: http, https, or any.
    The scheme any matches either HTTP or HTTPS traffic; http or https matches only that scheme.
  21. In the Host Name field, type a host to which the access control entry applies.
    The Host Name field supports shell glob matching: the asterisk wildcard (*) matches zero or more characters, and the question mark wildcard (?) matches a single character. For example, *.siterequest.com matches siterequest.com with any prefix, such as www.siterequest.com, mail.siterequest.com, and finance.siterequest.com. n?t.siterequest.com matches net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequest.com, or note.siterequest.com.
  22. In the Paths field, type the path or paths to which the access control entry applies.
    Separate multiple paths with spaces, for example, /news /finance. The Paths field supports shell glob matching: * represents zero or more characters and ? represents a single character. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.
  23. From the Protocol list, select the protocol to which the access control entry applies.
  24. From the Log list, select the log level for this access control entry:
    • None: Log nothing.
    • Packet: Log the matched packet.
    When events occur at the selected log level, the server records a log message.
  25. Click Finished.
You have configured an ACL with one access control entry. (You can configure additional entries.)
To use the ACL, assign it to a session using an Advanced Resource Assign or ACL Assign action in an access policy.

Example ACE settings: reject all connections to a network

This example access control entry (ACE) rejects all connections to the network 192.168.112.0/24, whatever their source, port, or protocol.

Property                 Value            Notes
Source IP Address        0.0.0.0          A blank IP address field is equivalent to 0.0.0.0.
Source Mask              0.0.0.0
Source Ports             All Ports
Destination IP Address   192.168.112.0
Destination Mask         255.255.255.0
Destination Ports        All Ports
Protocol                 All Protocols
Action                   Reject

Example ACE settings: allow SSH to a specific host

This example access control entry (ACE) allows SSH connections to the single internal host 192.168.112.9. Place the ACL that holds it before any ACL that rejects the 192.168.112.0/24 network, such as the previous example.

Property                 Value              Notes
Source IP Address        0.0.0.0            A blank IP address field is equivalent to 0.0.0.0.
Source Mask              0.0.0.0
Source Ports             All Ports
Destination IP Address   192.168.112.9
Destination Mask         255.255.255.255    A single host needs a 32-bit mask; 255.255.255.0 would allow SSH to every host in 192.168.112.0/24.
Destination Ports        22 (or select SSH)
Protocol                 TCP
Action                   Allow

Example ACE settings: reject all connections to specific file types

This example access control entry (ACE) rejects all HTTP requests that attempt to open files with the extensions doc, exe, and txt.

Property                 Value                 Notes
Source IP Address        0.0.0.0               A blank IP address field is equivalent to 0.0.0.0.
Source Mask              0.0.0.0
Source Ports             All Ports
Destination IP Address   0.0.0.0
Destination Mask         0.0.0.0
Destination Ports        All Ports
Scheme                   http                  Matches HTTP only; select any to reject the same paths over HTTPS as well.
Paths                    *.doc *.exe *.txt     Separate the globs with spaces. With Match Case for Paths set to Yes, *.doc does not match Q3.DOC.
Protocol                 All Protocols
Action                   Reject
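The procedure above and the three example tables describe a small set of rules (ACL order, the Continue action, Match Case for Paths, the Scheme list, and address masks) whose interaction is easy to get wrong. The following Python model is an added example written for this page; it is not F5 code and does not claim to reproduce APM's implementation. It assumes that unmatched traffic receives a configurable default (set to Allow here, since the page does not state one), that Layer 4 fields are checked only for L4 and L4+L7 entries, that host names compare case-insensitively, and it uses constructed flows, addresses and ACL names. The three ACEs from the tables are encoded as written, including the corrected /32 mask for the SSH entry.

```python
"""Ordered ACL evaluation modelled on the APM semantics described above (added
example, not F5 code; the default for unmatched traffic is an assumption)."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALLOW, CONTINUE, DISCARD, REJECT = "Allow", "Continue", "Discard", "Reject"

@dataclass
class ACE:
    action: str
    layer: str = "L4"               # "L4", "L7" or "L4+L7"
    src: str = "0.0.0.0/0"          # blank Source IP/Mask in the GUI == 0.0.0.0/0.0.0.0
    dst: str = "0.0.0.0/0"
    dport: Optional[range] = None   # None == All Ports
    protocol: Optional[str] = None  # None == All Protocols
    scheme: str = "any"             # http, https or any
    host: str = "*"                 # Host Name glob
    paths: str = "*"                # Paths field: space-separated globs

@dataclass
class ACL:
    name: str
    entries: list                   # ACEs, in order
    match_case: bool = True         # Match Case for Paths

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    protocol: str = "TCP"
    scheme: Optional[str] = None    # set only for HTTP/HTTPS requests
    host: str = ""
    path: str = ""

def _in_net(addr: str, net: str) -> bool:
    # strict=False mirrors "address + mask": 192.168.112.9/24 covers the whole /24
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def _l4_match(ace: ACE, f: Flow) -> bool:
    return (_in_net(f.src, ace.src) and _in_net(f.dst, ace.dst)
            and (ace.dport is None or f.dport in ace.dport)
            and (ace.protocol is None or ace.protocol == f.protocol))

def _l7_match(ace: ACE, f: Flow, match_case: bool) -> bool:
    if f.scheme is None or ace.scheme not in ("any", f.scheme):
        return False
    if not fnmatch.fnmatchcase(f.host.lower(), ace.host.lower()):  # hostnames ignore case
        return False
    path, globs = f.path, ace.paths.split()
    if not match_case:
        path, globs = path.lower(), [g.lower() for g in globs]
    return any(fnmatch.fnmatchcase(path, g) for g in globs)

def _matches(ace: ACE, f: Flow, match_case: bool) -> bool:
    if "L4" in ace.layer and not _l4_match(ace, f):
        return False
    return "L7" not in ace.layer or _l7_match(ace, f, match_case)

def evaluate(acls: list, f: Flow, default: str = ALLOW) -> str:
    """First matching Allow/Discard/Reject decides; Continue skips the rest of its ACL."""
    for acl in acls:
        for ace in acl.entries:
            if not _matches(ace, f, acl.match_case):
                continue
            if ace.action == CONTINUE:
                break
            return ace.action
    return default                  # assumption: nothing matched, apply the default

# The three ACEs from the example tables (SSH entry with the /32 host mask).
REJECT_NET = ACE(REJECT, dst="192.168.112.0/24")
ALLOW_SSH = ACE(ALLOW, dst="192.168.112.9/32", dport=range(22, 23), protocol="TCP")
REJECT_FILES = ACE(REJECT, layer="L7", scheme="http", paths="*.doc *.exe *.txt")
SSH = Flow("10.1.1.5", "192.168.112.9", 22)                       # constructed flow
DOC = Flow("10.1.1.5", "192.168.50.7", 80, scheme="http",         # constructed flow
           host="intranet.siterequest.com", path="/reports/Q3.DOC")

def demo_order() -> tuple:
    """Allow before the subnet reject admits SSH; the same ACLs reversed reject it."""
    good = [ACL("allow_ssh", [ALLOW_SSH]), ACL("reject_net", [REJECT_NET])]
    return evaluate(good, SSH), evaluate(good[::-1], SSH)

def demo_mask() -> tuple:
    """A 255.255.255.0 mask on the SSH allow entry opens port 22 to every host in the /24."""
    sloppy = ACE(ALLOW, dst="192.168.112.9/24", dport=range(22, 23), protocol="TCP")
    other = Flow("10.1.1.5", "192.168.112.50", 22)                # constructed flow
    tail = ACL("reject_net", [REJECT_NET])
    return (evaluate([ACL("ssh", [sloppy]), tail], other),
            evaluate([ACL("ssh", [ALLOW_SSH]), tail], other))

def demo_paths() -> tuple:
    """Match Case for Paths and the http-only scheme decide whether Q3.DOC is caught."""
    strict = [ACL("files", [REJECT_FILES], match_case=True)]
    loose = [ACL("files", [REJECT_FILES], match_case=False)]
    tls = Flow(DOC.src, DOC.dst, 443, scheme="https", host=DOC.host, path="/reports/q3.doc")
    return evaluate(strict, DOC), evaluate(loose, DOC), evaluate(loose, tls)

def demo_continue() -> str:
    """Continue skips the catch-all reject in its own ACL and lets the next ACL allow SSH."""
    first = ACL("first", [ACE(CONTINUE, dst="192.168.112.9/32"), ACE(REJECT)])  # reject-all last
    return evaluate([first, ACL("ssh", [ALLOW_SSH])], SSH)
```

demo_order returns ("Allow", "Reject"): the SSH allow only works when its ACL is ordered before the subnet reject. demo_mask returns ("Allow", "Reject") and shows why the SSH example needs a 255.255.255.255 mask. demo_paths returns ("Allow", "Reject", "Allow"): with Match Case for Paths set to Yes the entry misses /reports/Q3.DOC, with No it catches it, and an HTTPS request to the same path passes the http-only entry regardless. demo_continue returns "Allow" because Continue jumps past the reject-all entry in its own ACL and the next ACL allows the flow.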