Applies To: BIG-IP AFM 14.1.2, 14.1.0

AFM Network Firewall
Overview: Default traffic processing
BIG-IP AFM is an add-on module that integrates with BIG-IP Local Traffic Manager (LTM). When the AFM and LTM modules are provisioned, it is important to understand how the baseline or default configuration affects traffic processing.
LTM is considered to be default deny. This means that when no traffic processing objects are configured (for example, a virtual server and a pool), the BIG-IP system does not process any network traffic. You need to configure at least one traffic processing object on the BIG-IP system to begin processing traffic.
AFM Network Firewall is considered to be default allow, also known as Application Delivery Controller (ADC) mode. This mode allows access to all traffic processing objects and requires one or more firewall rules to block access.
- ADC (Accept): Allow all traffic. Firewall rules must be applied to restrict access.
- Firewall (Reject / Drop): Allow no traffic. Firewall rules must be applied to allow access.
- Accept: Allow packets that do not match a restrictive firewall rule. This is the default mode.
- Reject: Reject packets that do not match an acceptance firewall rule. This mode sends an ICMP destination unreachable packet to the remote client.
- Drop: Drop packets that do not match an acceptance firewall rule. This mode causes the remote client to continue the connection attempt until its retry period has expired.
Overview: AFM Network Firewall policies and rules
BIG-IP AFM Network Firewall policies contain ordered lists of industry standard firewall rules. Network Firewall policies control network access to your data center using criteria such as IP address, service port, time of day, and day of week. You can also apply iRules to extend firewall rule logic, and enable logging to capture firewall events.
Because AFM Network Firewall policies can be applied to a variety of different contexts and may at times overlap, it is important to understand the order of processing for each context.
| Order processed | Firewall context | Description |
|---|---|---|
| First | Global | Applies to all traffic being processed. |
| Second | Route Domain | Applies to a specific route domain. |
| Third | Virtual Server/Self IP | Applies to a virtual server or Self IP address. |
| Independent | Management Port | Applies to the BIG-IP system management port. |
AFM Network Firewall processes policies in order, progressing from the global to the route domain, and then to the virtual server/Self IP context. Management port rules are processed separately. You can enforce a firewall policy on any context except the management port, where firewall rules are applied directly.
Creating an AFM Network Firewall policy
With BIG-IP AFM Network Firewall, you can create granular firewall policies using industry standard firewall rules. For example, clients from specific source IP address subnets can be granted access to specific destination IP addresses and service ports during specified hours and days of the week.
In the following scenario, the AFM Network Firewall mode is changed from ADC to firewall and a new firewall policy is created. The policy permits access to clients from the 10.10.10.0/24 subnet between 6 A.M. and 10 P.M., Monday through Friday. The new firewall policy will be applied to the virtual server context.
Task list
- Change the AFM mode.
- Create the firewall schedule.
- Create the address list.
- Create the rule list.
- Create the firewall policy.
- Apply the firewall policy.
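The context order from the table, the mode default actions, and the scenario policy above can be exercised together in a small model. The following Python is an added example written for this page; it is not F5 code and does not call the BIG-IP API or tmsh. Its assumptions: the context names, rule names and the global "block-quarantined-host" rule (added to show that the global context is consulted first) are constructed for the illustration, a matching Drop or Reject ends evaluation while a matching Accept passes the packet on to the next context and is only final in the last one, the mode default action applies when no rule decides, and management port rules are left out because the page says they are processed independently.

```python
"""Added example, not F5 code: a small model of how AFM Network Firewall walks the
ordered contexts, applies the mode's default action when nothing matches, and
evaluates the scenario rule (10.10.10.0/24, 6 A.M. to 10 P.M., Monday to Friday)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, REJECT, DROP = "accept", "reject", "drop"

# Contexts in the order the page's table gives; management port rules are
# processed independently and are not modelled here.
CONTEXT_ORDER = ("global", "route_domain", "virtual_server")


@dataclass(frozen=True)
class Schedule:
    start_hour: int      # first active hour, inclusive (24-hour clock)
    end_hour: int        # first inactive hour, exclusive
    days: frozenset      # datetime.weekday() values, Monday == 0

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # ACCEPT, REJECT or DROP
    sources: tuple                         # address list: CIDR strings
    dst_ports: Optional[frozenset] = None  # None matches any service port
    schedule: Optional[Schedule] = None    # None means the rule is always active

    def matches(self, src: str, dport: int, when: datetime) -> bool:
        addr = ip_address(src)
        if not any(addr in ip_network(net) for net in self.sources):
            return False
        if self.dst_ports is not None and dport not in self.dst_ports:
            return False
        if self.schedule is not None and not self.schedule.active(when):
            return False
        return True


def evaluate(policies: dict, default_action: str, src: str, dport: int, when: datetime):
    """Return (action, reason). policies maps a context name to its ordered rule
    list. Modelling assumption: a matching DROP/REJECT ends evaluation; a matching
    ACCEPT lets the packet continue to the next context and is only final in the
    last one; when no rule decides, the mode's default action applies."""
    for ctx in CONTEXT_ORDER:
        for rule in policies.get(ctx, ()):
            if not rule.matches(src, dport, when):
                continue
            if rule.action in (DROP, REJECT) or ctx == CONTEXT_ORDER[-1]:
                return rule.action, f"{ctx}:{rule.name}"
            break  # first match in a context decides for that context
    return default_action, "default"


# Scenario schedule from the page: weekdays, 6 A.M. up to (not including) 10 P.M.
OFFICE_HOURS = Schedule(start_hour=6, end_hour=22, days=frozenset(range(5)))


def scenario_policies() -> dict:
    """Firewall-mode scenario: one accept rule on the virtual server context.
    The global DROP rule is constructed for this example to show that the
    global context is consulted before the virtual server context."""
    return {
        "global": [Rule("block-quarantined-host", DROP, ("10.10.10.200/32",))],
        "virtual_server": [
            Rule("allow-office-subnet", ACCEPT, ("10.10.10.0/24",), schedule=OFFICE_HOURS),
        ],
    }


def decide(src: str, dport: int, iso_time: str, default_action: str = DROP,
           policies: Optional[dict] = None):
    """Evaluate one packet against the scenario policies (or the given ones)
    at an ISO-8601 timestamp; default_action models the AFM mode setting."""
    pol = scenario_policies() if policies is None else policies
    return evaluate(pol, default_action, src, dport, datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    for src, t in [("10.10.10.5", "2024-03-05T09:00"),    # Tuesday, in hours
                   ("10.10.10.5", "2024-03-09T09:00"),    # Saturday
                   ("10.10.10.200", "2024-03-05T09:00"),  # blocked at global context
                   ("192.0.2.7", "2024-03-05T09:00")]:    # outside the subnet
        print(src, t, "->", decide(src, 443, t))
```

Running the block shows the two outcomes the scenario is built around: a client in 10.10.10.0/24 during the schedule is accepted by the virtual server rule, while the same client outside the schedule, or any client outside the subnet, falls through to the Firewall-mode default and is dropped. Passing `default_action="accept"` with an empty policy dictionary reproduces ADC mode, where everything is allowed until a rule restricts it.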