Manual Chapter : AFM Network Firewall

Applies To:

BIG-IP AFM

  • 14.1.0

AFM Network Firewall

Overview: Default traffic processing

BIG-IP AFM is an add-on module that integrates with BIG-IP Local Traffic Manager (LTM). When the AFM and LTM modules are provisioned, it is important to understand how the baseline or default configuration affects traffic processing.

LTM is considered to be default deny. This means that when no traffic processing objects are configured, for example a virtual server and a pool, the BIG-IP system will not process any network traffic. You need to configure at least one traffic processing object on the BIG-IP system to begin processing traffic.

AFM Network Firewall is considered to be default allow, also known as Application Delivery Controller (ADC) mode. This mode allows access to all traffic processing objects and requires one or more firewall rules to block access.

AFM can be configured to run in one of the following modes:
  • ADC (Accept): Allow all traffic. Firewall rules must be applied to restrict access.
  • Firewall (Reject / Drop): Allow no traffic. Firewall rules must be applied to allow access.

It is important to understand the differences between the Accept, Reject, and Drop actions:
  • Accept: Allow packets that do not match a restrictive firewall rule. This is the default action.
  • Reject: Reject packets that do not match an acceptance firewall rule. This action sends an ICMP destination unreachable packet to the remote client.
  • Drop: Drop packets that do not match an acceptance firewall rule. Because nothing is sent back, the remote client continues the connection attempt until its retry period has expired.

Overview: AFM Network Firewall policies and rules

BIG-IP AFM Network Firewall policies contain ordered lists of industry standard firewall rules. Network Firewall policies control network access to your data center using criteria such as IP address, service port, time of day, and day of week. You can also apply iRules to extend firewall rule logic, and enable logging to capture firewall events.

Because AFM Network Firewall policies can be applied to a variety of different contexts and may at times overlap, it is important to understand the order of processing for each context.

Order processed   Firewall context         Description
First             Global                   Applies to all traffic being processed.
Second            Route Domain             Applies to a specific route domain.
Third             Virtual Server/Self IP   Applies to a virtual server or Self IP address.
Independent       Management Port          Applied to the BIG-IP system management port.

AFM Network Firewall processes policies in order, progressing from the global to the route domain, and then to the virtual server/Self IP context. Management port rules are processed separately. You can enforce a firewall policy on any context except the management port, where firewall rules are applied directly.

Creating an AFM Network Firewall policy

With BIG-IP AFM Network Firewall, you can create granular firewall policies using industry standard firewall rules. For example, clients from specific source IP address subnets can be granted access to specific destination IP addresses and service ports during specified hours and days of the week.

In the following scenario, the AFM Network Firewall mode is changed from ADC to firewall and a new firewall policy is created. The policy permits access to clients from the 10.10.10.0/24 subnet between 6 A.M. and 10 P.M., Monday through Friday. The new firewall policy will be applied to the virtual server context.

Creating and applying a new AFM Network Firewall policy involves several tasks.

Task list

  1. Change the AFM mode.
  2. Create the firewall schedule.
  3. Create the address list.
  4. Create the rule list.
  5. Create the firewall policy.
  6. Apply the firewall policy.

Change the AFM mode

You can change the BIG-IP AFM Network Firewall mode by modifying the Default Firewall Action setting. When you enable Firewall mode, the AFM system allows access only when specific firewall rules are put in place. While this method reduces the overall attack surface, it may impact services that you are not aware of. ADC mode is currently the default and most popular choice. These steps change the AFM mode from the default ADC mode to Firewall mode.
  1. On the Main tab, click Security > Options > Network Firewall > Firewall Options.
  2. Under Default Firewall Action, from the Virtual Server Self IP Contexts list, select Reject.
    When you select Reject, the system immediately notifies the remote client that access is denied.
  3. Click Update at the bottom of the page.
The AFM system now rejects all ingress traffic and requires one or more firewall policies to accept traffic.
You can now create an AFM Network Firewall schedule that enables the firewall rule between 6 A.M. and 10 P.M., Monday through Friday.

Create the firewall schedule

You can create AFM Network Firewall schedules that define a period of time that a firewall rule is enabled. The firewall schedule is used later when creating the new rule list. In this task, you create a new schedule allowing remote users to access a virtual server from 6 A.M. to 10 P.M., Monday through Friday.
  1. On the Main tab, click Security > Network Firewall > Schedules.
  2. Click Create at the far right.
  3. For the Name, type a unique string.
    For this example, type web_allow_6am-10pm.
  4. Leave the Date Range as Indefinite.
  5. From the Time Range list, select Between, and type the begin and end times.
    For this example, type 06:00 for 6 A.M. and 22:00 for 10 P.M.
  6. For the Days Valid, check the box for each day that the firewall rule will be active.
    For this example, ensure that Sunday and Saturday check boxes are cleared.
  7. Click Finished.
The new AFM Network Firewall schedule is listed in the Schedules screen.
Next you should create an address list for clients in the 10.10.10.0/24 subnet.

Create the address list

You can create AFM Network Firewall address lists that contain one or more IP address subnets, fully qualified domain names, or geographic locations. The address list is used later when creating a new firewall rule list. In this task, you create an address list for clients in the 10.10.10.0/24 subnet.
  1. On the Main tab, click Shared Objects > Address Lists.
    You can also create Port Lists that control access to specific services.
  2. Click Create.
  3. In the Name field, type 10.10.10.0_24.
    Using the IP address as the Name makes address list management easier, for example when selecting an address list from a rule list object.
  4. In the Addresses field, type 10.10.10.0/24.
    The IP address here allows or restricts IP addresses within the configured subnet range.
  5. Click Add.
  6. Click Finished.
The new AFM Network Firewall address list appears in the Shared Objects Address Lists screen.
You should now create a rule list that references both the address list and the schedule.

Create the rule list

You can create AFM Network Firewall rule lists that contain an ordered list of firewall rules. The rule list is used later when creating a new firewall policy. This task shows how to create a new rule list that references the address list and schedule that you created previously.
  1. On the Main tab, click Security > Network Firewall > Rule Lists.
    The Rule Lists screen opens.
  2. Click Create.
  3. In the Name field, type rule_list_10.10.10.0_24.
  4. Click Finished.
  5. In the Rule Lists screen, click rule_list_10.10.10.0_24.
  6. At the far right, click Add.
  7. For Name, type allow_10.10.10.0_24.
  8. From the State list, select Scheduled.
  9. From the Schedule list, select web_allow_6am-10pm.
  10. From the Protocol list, select TCP.
  11. From the Source setting Address/Region list, select Specify.
  12. Click Address List .
  13. Select 10.10.10.0_24 from the list and click Add.
    The AFM system pre-pends the system partition to the name.
  14. From the Logging list, select Enabled.
  15. Click Finished.
The new rule list appears in the Rule Lists screen.
Next, add the rule list to a new firewall policy.

Create the firewall policy

You can create a Network Firewall policy containing one or more firewall rule lists. The firewall policy will be applied to a virtual server in the final task. This task shows how to create a firewall policy that contains a single rule list.
  1. On the Main tab, click Security > Network Firewall > Policies.
  2. To the far right, click Create.
  3. In the Name field type web_allow_policy.
  4. Click Finished.
  5. In the Policies list, click web_allow_policy.
  6. At the far right, click Add Rule List.
  7. In the rules list, in the Name field, type rule_list_10.10.10.0_24.
    The AFM system pre-pends the system partition to the name.
  8. Click Done Editing.
  9. At the top of the page, click Commit Changes to System.
The new firewall policy appears in the Policies list.
New policies do not take effect until they are applied to a context. Next, you apply the firewall policy to a virtual server context.

Apply the firewall policy

Before you can apply a firewall policy, you must have a virtual server configured on the BIG-IP AFM system.
You can apply Network Firewall policies globally, to route domains, virtual servers, and Self IP addresses. This task shows how to apply the firewall policy to a virtual server context.
  1. On the Main tab, click Local Traffic > Virtual Servers > Virtual Server List.
  2. Under Name, click the name of the virtual server.
  3. At the top of the page, from Security, select Policies.
  4. For the Network Firewall setting Enforcement list, select Enabled.
    The Staging option allows you to reference a network firewall policy and log firewall rule matching events without actually affecting client connectivity.
  5. From the Policy list, select the name of the network firewall policy. For this task, select web_allow_policy.
You have now associated the new Network Firewall policy with the virtual server, allowing clients in the 10.10.10.0/24 subnet to access resources between 6 A.M. and 10 P.M., Monday through Friday.
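The following Python model, added here and not part of the F5 documentation or the BIG-IP software, ties the overview sections (context processing order, the Accept/Reject/Drop default actions, enforced versus staged policies) to the walkthrough's concrete objects (the web_allow_6am-10pm schedule, the 10.10.10.0_24 address list, the allow_10.10.10.0_24 rule in web_allow_policy on the virtual server context). It shows which constructed sample flows the policy accepts and which fall through to the default action in Firewall versus ADC mode. The evaluation semantics are the model's assumptions, not something the chapter states: a reject or drop in any context ends processing, an accept in an earlier context hands the flow to the next context, and the default action applies only when the final (virtual server) context has no matching rule. The schedule's end time is modelled as exclusive, and AFM actions the chapter does not cover (such as accept-decisively) are omitted.

```python
"""Constructed model of AFM Network Firewall policy evaluation (illustrative, not F5 code)."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Contexts are evaluated in this order; the management port is independent and not modelled.
CONTEXT_ORDER = ("global", "route_domain", "virtual_server")


@dataclass
class Schedule:
    start: str            # "HH:MM", inclusive
    end: str              # "HH:MM", exclusive (boundary handling is an assumption)
    days: frozenset       # datetime.weekday() values: 0 = Monday ... 6 = Sunday

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") < self.end


@dataclass
class Rule:
    name: str
    action: str                              # "accept" | "reject" | "drop"
    protocol: str = "any"                    # e.g. "tcp"; "any" matches every protocol
    source_lists: Dict[str, List] = field(default_factory=dict)  # address list name -> networks
    schedule: Optional[Schedule] = None      # State = Scheduled when set
    log: bool = False

    def matches(self, flow: dict, when: datetime) -> bool:
        if self.schedule is not None and not self.schedule.active(when):
            return False                     # scheduled rule is inactive outside its window
        if self.protocol != "any" and flow["protocol"] != self.protocol:
            return False
        if self.source_lists:
            src = ip_address(flow["src"])
            if not any(src in net for nets in self.source_lists.values() for net in nets):
                return False
        return True


def evaluate(contexts: Dict[str, List[Rule]], flow: dict, when: datetime,
             default_action: str, staged: Optional[Dict[str, List[Rule]]] = None
             ) -> Tuple[str, List[str]]:
    """Return (action, log_lines). `contexts` holds enforced rules per context;
    `staged` rules are only logged and never influence the decision."""
    log: List[str] = []
    for ctx in CONTEXT_ORDER:                # staging: report what would have matched
        for rule in (staged or {}).get(ctx, []):
            if rule.matches(flow, when):
                log.append(f"staged {ctx}:{rule.name} would {rule.action}")
                break
    for ctx in CONTEXT_ORDER:
        for rule in contexts.get(ctx, []):
            if rule.matches(flow, when):
                if rule.log:
                    log.append(f"{ctx}:{rule.name} {rule.action}")
                if rule.action in ("reject", "drop"):
                    return rule.action, log  # deny anywhere ends processing (reject = ICMP, drop = silent)
                if ctx == CONTEXT_ORDER[-1]:
                    return "accept", log     # accept in the final context is final
                break                        # accept earlier: hand the flow to the next context
    log.append(f"default action {default_action}")
    return default_action, log


# The chapter's objects, rebuilt in this model.
ADDRESS_LISTS = {"10.10.10.0_24": [ip_network("10.10.10.0/24")]}
WEB_ALLOW_SCHEDULE = Schedule("06:00", "22:00", frozenset(range(5)))   # Mon-Fri, 6 A.M.-10 P.M.
ALLOW_RULE = Rule("allow_10.10.10.0_24", "accept", protocol="tcp",
                  source_lists=ADDRESS_LISTS, schedule=WEB_ALLOW_SCHEDULE, log=True)
WEB_ALLOW_POLICY = {"virtual_server": [ALLOW_RULE]}      # web_allow_policy on the VS context


def decide(flow: dict, when: datetime, mode: str = "firewall", staged: bool = False):
    """mode 'adc' -> default accept; 'firewall' -> default reject (the chapter's choice)."""
    default = "accept" if mode == "adc" else "reject"
    if staged:                                # Enforcement = Staging: policy logs only
        return evaluate({}, flow, when, default, staged=WEB_ALLOW_POLICY)
    return evaluate(WEB_ALLOW_POLICY, flow, when, default)


# Constructed sample flows (2019-03-05 is a Tuesday, 2019-03-09 a Saturday).
SAMPLE_FLOWS = [
    ({"src": "10.10.10.25", "protocol": "tcp"}, datetime(2019, 3, 5, 9, 30)),   # in subnet, in window
    ({"src": "10.10.10.25", "protocol": "tcp"}, datetime(2019, 3, 9, 9, 30)),   # Saturday
    ({"src": "10.10.10.25", "protocol": "tcp"}, datetime(2019, 3, 5, 23, 0)),   # after 10 P.M.
    ({"src": "192.0.2.7", "protocol": "tcp"}, datetime(2019, 3, 5, 9, 30)),     # outside subnet
]

if __name__ == "__main__":
    for flow, when in SAMPLE_FLOWS:
        for mode in ("firewall", "adc"):
            action, log = decide(flow, when, mode)
            print(f"{when:%a %H:%M} {flow['src']:<12} {mode:<8} -> {action:<7} {'; '.join(log)}")
```

Running the block prints each flow's outcome in both modes: only the weekday in-window flow from 10.10.10.0/24 matches the rule, the other three receive the default action (reject in Firewall mode), and in ADC mode those same three are accepted, which is why ADC mode needs explicit deny rules. Calling decide with staged=True shows the staged policy logging a would-accept line while the flow is still rejected.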