Manual Chapter : Deploying the BIG-IP Network Firewall in Firewall Mode

Applies To: BIG-IP AFM 14.0.1, 14.0.0

Deploying the BIG-IP Network Firewall in Firewall Mode

About Firewall mode in the Network Firewall

The BIG-IP Advanced Firewall Manager (AFM) provides policy-based access control to and from address and port pairs, inside and outside of your network. In this scenario, the network firewall is configured in Firewall mode, a default deny configuration, in which all traffic is blocked through the firewall, and any traffic you want to allow must be explicitly specified.

To understand this firewall scenario, imagine that your prerequisite system load-balances all traffic from the Internet to several internal servers. The internal servers are:

Device and location           IP address      Traffic type
Server on DMZ network         70.168.15.104   FTP
Server on internal network    10.10.1.10      HTTP, HTTPS
Server on internal network    10.10.1.11      HTTP, HTTPS

In order for traffic from the internal application virtual server to reach the external network virtual server, you must create a VLAN and enable both internal and external virtual servers on it. In this scenario, these VLANs are specified:

VLAN       Configuration
net_ext    Enabled on 70.168.15.0/24, 192.168.15.101
net_int    Includes pool members 10.10.1.10, 10.10.1.11

In addition, in this firewall configuration, there are three external networks that must be firewalled:

Network         Policy
60.63.10.0/24   Allow all access
85.34.12.0/24   Deny all access
48.64.32.0/24   Allow FTP, deny HTTP and HTTPS

To set up this scenario, you configure addresses, ports, and firewall rules specific to these networks, ports, and addresses.

Figure: Network firewall Firewall mode example (firewall configuration scenario)

Configuring the Network Firewall to drop or reject traffic that is not specifically allowed

You can configure the BIG-IP Network Firewall to drop or reject all traffic not explicitly allowed. In Advanced Firewall Manager, this is called Firewall mode, and this is also referred to as a default deny policy. Firewall mode applies a default deny policy to all self IP addresses and virtual servers.
  1. On the Main tab, click Security > Options > Network Firewall.
    The Network Firewall screen opens to Firewall Options.
  2. From the Virtual Server & Self IP Contexts list, select the default action for the self IP and virtual server contexts.
    • Select Drop to silently drop all traffic to virtual servers and self IP addresses unless specifically allowed.
    • Select Reject to drop all traffic to virtual servers and self IP addresses unless specifically allowed, and to send the appropriate reject message for the protocol.
  3. Click Update.
    The default virtual server and self IP firewall context is changed.

Creating a VLAN for the network firewall

Create a VLAN with tagged interfaces, so that each of the specified interfaces can process traffic destined for that VLAN.
  1. On the Main tab, click Network > VLANs.
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
    For purposes of this implementation, name the VLAN net_ext.
  4. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Tagged.
    3. Click Add.
  5. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  6. From the Configuration list, select Advanced.
  7. In the MTU field, retain the default number of bytes (1500).
  8. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe check box.
  9. From the Auto Last Hop list, select a value.
  10. From the CMP Hash list, select a value.
  11. To enable the DAG Round Robin setting, select the check box.
  12. For the Hardware SYN Cookie setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  13. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
    The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.

    When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:

    • The number of TCP half-open connections defined in the LTM setting Global SYN Check Threshold is reached.
    • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  14. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
    The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  15. Click Finished.
    The screen refreshes, and displays the new VLAN in the list.
The new VLAN appears in the VLAN list.
Enable the new VLAN on both the network virtual server and the application virtual server.

Configuring an LTM virtual server with a VLAN for Network Firewall

For this implementation, at least two virtual servers and at least one VLAN are assumed, though your configuration might be different.
You enable two virtual servers on the same VLAN to allow traffic from hosts on one virtual server to reach or pass through the other. In the Network Firewall, if you are using multiple virtual servers to allow or deny traffic to and from specific hosts behind different virtual servers, you must enable those virtual servers on the same VLAN.
Tip: By default, the virtual server is set to share traffic on All VLANs and Tunnels. This configuration will work for your VLANs, but in the firewall context specifying or limiting VLANs that can share traffic provides greater security.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  4. Click Update to save the changes.
  5. Repeat this task for all virtual servers that must share traffic over the VLAN.
The virtual servers on which you enabled the same VLAN can now pass traffic.

Creating an address list

Use this procedure to specify the address list to apply to allow access to specific source addresses.
  1. On the Main tab, click Security > Network Firewall > Address Lists.
    The Address Lists screen opens.
  2. Click Create to create a new address list.
  3. In the Name field, type ADDR_LIST1.
  4. In the Addresses area, add the following addresses: 48.63.32.0/24 and 60.63.10.0/24. Click Add after you type each address.
  5. Click Finished.
    The list screen and the new item are displayed.

Allowing access from networks on an address list with a firewall rule

The firewall rules in this example apply in the virtual server context. For purposes of this example, the external network-facing virtual server is named ex_VS and has an IP address of 70.168.15.0/24.
Create a firewall rule that allows traffic from the networks on ADDR_LIST1 to the DMZ network, which includes an FTP server that is publicly addressed, and two internal servers on a second virtual server.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  2. In the Rules area, click Add to add a firewall rule to the list.
  3. From the Context list, select Virtual Server, and then select the external virtual server (in the example, ex_VS).
  4. In the Name field, type allow_addr_list.
  5. From the Type list, select Rule.
  6. From the State list, select Enabled.
  7. From the Protocol list, select Any.
  8. In the Source area, from the Address list, select Specify, and click Address List.
  9. From the list, select /Common/ADDR_LIST1, then click Add to add ADDR_LIST1 to the list.
  10. Leave the Destination area configured with the default Any / Any settings.
  11. From the Action list, select Accept.
    This allows packets from any source on the address list to any destination and port on any protocol on the DMZ network.
  12. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  13. Click Finished.
    The list screen and the new item are displayed.
A new firewall rule is created, and appears in the firewall rule list.

Allowing access from a network to a virtual server with a firewall rule

The firewall rules in this example apply in the virtual server context. For purposes of this example, the application virtual server is behind the network virtual server with an IP address of 192.168.15.101 and configured for traffic on ports 80 and 443.
Use this procedure to create a firewall rule that allows traffic from a specific external network to the HTTP and HTTPS servers behind an application virtual server.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  2. In the Rules area, click Add to add a firewall rule to the list.
  3. From the Context list, select Virtual Server, and then select the application virtual server (in the example, 192.168.15.101).
  4. In the Name field, type allow_app_vs.
  5. From the Type list, select Rule.
  6. From the State list, select Enabled.
  7. From the Protocol list, select Any.
  8. In the Source area, from the Address list, select Specify.
  9. In the address field, type 60.63.10.0/24, then click the Add button.
  10. Leave the Destination area configured with the default Any / Any settings.
  11. From the Action list, select Accept.
    This allows packets from the specified source to any destination and port on any protocol on the internal virtual server. You could specify HTTP and HTTPS protocols, and the internal server addresses, but since these are the only addresses and protocols behind the virtual server, that level of granularity is not necessary.
  12. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  13. Click Finished.
    The list screen and the new item are displayed.
A new firewall rule is created, and appears in the firewall rule list.
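To tie the tasks on this page together, here is an added Python model of how Firewall mode evaluates the scenario above. It is an illustration written for this page, not BIG-IP or F5 code: each packet is checked against the rules attached to the virtual server that receives it, the first match wins, and anything unmatched falls through to the default Drop or Reject action chosen in the "Configuring the Network Firewall to drop or reject traffic" task. The context name app_VS for the 192.168.15.101 virtual server, the reject message strings and the sample source addresses are assumptions; the address-list networks are the ones typed in the address-list task (note that the scenario table lists 48.64.32.0/24 while the address list uses 48.63.32.0/24; the model uses the address-list values as written).

```python
"""Model of AFM-style Firewall mode (default deny) in the virtual server context.

Added example for this page; hypothetical, not BIG-IP code. Rules are
evaluated first-match within the context (virtual server) that receives the
packet; anything unmatched gets the default action (drop or reject).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Address list as created in the "Creating an address list" task.
ADDRESS_LISTS: Dict[str, List[ipaddress.IPv4Network]] = {
    "ADDR_LIST1": [
        ipaddress.ip_network("48.63.32.0/24"),
        ipaddress.ip_network("60.63.10.0/24"),
    ],
}


@dataclass
class Rule:
    name: str
    context: str                  # virtual server the rule is attached to
    action: str                   # only "accept" is needed under default deny
    protocol: str = "any"         # "any", "tcp", "udp", ...
    source_networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    enabled: bool = True          # State: Enabled

    def matches(self, src: ipaddress.IPv4Address, proto: str) -> bool:
        if not self.enabled:
            return False
        if self.protocol != "any" and self.protocol != proto:
            return False
        # Destination is left at Any / Any, as in both rules on the page,
        # so only the source address decides the match.
        return any(src in net for net in self.source_networks)


def reject_message(proto: str) -> str:
    # Assumed (hypothetical) protocol-appropriate refusal sent by Reject.
    return "tcp-rst" if proto == "tcp" else "icmp-unreachable"


@dataclass
class Firewall:
    default_action: str           # "drop" or "reject" (Firewall mode)
    rules: List[Rule]

    def evaluate(self, context: str, src_ip: str, proto: str) -> str:
        src = ipaddress.ip_address(src_ip)
        for rule in (r for r in self.rules if r.context == context):
            if rule.matches(src, proto):
                return f"accept:{rule.name}"
        # No explicit allow: Firewall mode denies by default.
        if self.default_action == "reject":
            return f"reject:{reject_message(proto)}"
        return "drop"


def build_scenario(default_action: str = "reject") -> Firewall:
    """The two rules from this page: allow_addr_list on ex_VS, allow_app_vs
    on the application virtual server (context name app_VS is assumed)."""
    return Firewall(default_action, [
        Rule("allow_addr_list", context="ex_VS", action="accept",
             source_networks=ADDRESS_LISTS["ADDR_LIST1"]),
        Rule("allow_app_vs", context="app_VS", action="accept",
             source_networks=[ipaddress.ip_network("60.63.10.0/24")]),
    ])


if __name__ == "__main__":
    fw = build_scenario("reject")
    # Constructed sample packets, one host per external network in the scenario.
    for src, ctx, proto, what in [
        ("60.63.10.5", "ex_VS", "tcp", "FTP to DMZ"),
        ("60.63.10.5", "app_VS", "tcp", "HTTP to app servers"),
        ("85.34.12.7", "ex_VS", "tcp", "FTP to DMZ"),
        ("48.63.32.9", "ex_VS", "tcp", "FTP to DMZ"),
        ("48.63.32.9", "app_VS", "tcp", "HTTP to app servers"),
    ]:
        print(f"{src:>12} -> {ctx:<7} {what:<20} {fw.evaluate(ctx, src, proto)}")
```

The model makes the intent of the scenario table visible: 85.34.12.0/24 has no rule anywhere, so every packet from it hits the default deny; 48.63.32.0/24 reaches ex_VS (the FTP server on the DMZ) through ADDR_LIST1 but has no rule in the application virtual server's context, so its HTTP and HTTPS traffic is denied without any explicit deny rule. Switching build_scenario("drop") to build_scenario("reject") changes only what the unmatched packets receive, a silent discard versus a protocol-appropriate refusal; the allow decisions are unchanged.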