Applies To: BIG-IP AFM 14.1.2, 14.1.0
Deploying AFM in Firewall Mode
By default, AFM is configured in ADC mode, a default-allow configuration in which traffic that matches no rule is permitted. In Firewall mode, the default action blocks all traffic at the firewall, and any traffic you want to allow must be explicitly specified by a rule.
To understand this firewall scenario, imagine that your existing system load-balances all traffic from the Internet to several internal servers. The internal servers are:

| Device and location | IP address |
|---|---|
| Network virtual server | 70.168.15.0/24 |
| Application virtual server | 192.168.15.101 |
In order for traffic from the internal application virtual server to reach the external network virtual server, you must create a VLAN and enable both internal and external virtual servers on it. In this scenario, these VLANs are specified:

| VLAN | Configuration |
|---|---|
| net_ext | Enabled on 70.168.15.0/24, 192.168.15.101 |
| net_int | Includes pool members 10.10.1.10, 10.10.1.11 |
In addition, in this firewall configuration, there are three external networks that must be firewalled:

| Network | Policy |
|---|---|
| 60.63.10.0/24 | Allow all access |
| 48.64.32.0/24 | Allow all access |
| 85.34.12.0/24 | Deny all access |
Firewall configuration scenario
Configure AFM to use firewall mode
- On the Main tab, click .
- From the Virtual Server & Self IP Contexts list, select the default action for the self IP and virtual server contexts.
  - Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
  - Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
- From the Global Context list, select the default action for the global rule context.
  - Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
  - Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
- Click Update.
Creating a VLAN for the network firewall
Configuring an LTM virtual server with a VLAN for Network Firewall
Creating address lists
- On the Main tab, click .
- Click Create.
- In the name field, type addr_list1.
- In the Addresses area, add the following addresses: 48.63.32.0/24 and 60.63.10.0/24. Click Add after you type each address.
- Click Repeat.
- In the name field, type addr_list2.
- In the Addresses area, add the following address: 85.34.12.0/24.
- Click Add.
- Click Finished.
Creating firewall rule lists
Adding the firewall rules to the list
Creating firewall policies
Activating the rule list in the policy
Associating the firewall policies with the virtual servers
- On the Main tab, click .
- Click the name of the virtual server with Destination IP address 70.186.15.0/24.
- Click at the top of the page.
- Change Network Firewall Enforcement to Enabled.
- From the Policy list, select network_virtual_policy.
- Click Update.
- Click Virtual Servers : Virtual Server List at the top of the page.
- Click the name of the virtual server with Destination IP address 192.168.15.101.
- Click at the top of the page.
- Change Network Firewall Enforcement to Enabled.
- From the Policy list, select app_virtual_policy.
- Click Update.
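As an added illustration (not part of this F5 page and not AFM code), the following Python model evaluates the scenario's address lists under ADC mode and Firewall mode, to show which flows the switch to default-deny actually changes. The addr_list1 and addr_list2 values follow the address-list steps above; the rule-list contents, the policy names' rule contents, and the sample source addresses are assumptions.

```python
import ipaddress

# Constructed model of the page's scenario. Address-list values come from the
# "Creating address lists" steps; rule and policy contents are assumed, since
# the page does not spell them out.
ADDR_LIST1 = ["48.63.32.0/24", "60.63.10.0/24"]   # addr_list1: allowed networks
ADDR_LIST2 = ["85.34.12.0/24"]                     # addr_list2: denied network

# Rule list: ordered (rule name, action, source address list); first match wins.
RULE_LIST = [
    ("allow_listed", "accept", ADDR_LIST1),
    ("deny_listed", "drop", ADDR_LIST2),
]

# Policy per virtual-server context (assumed: both contexts use the same rule list).
POLICIES = {
    "network_virtual_policy": RULE_LIST,   # enforced on the 70.168.15.0/24 virtual server
    "app_virtual_policy": RULE_LIST,       # enforced on the 192.168.15.101 virtual server
}

def _source_in(src_ip, networks):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def evaluate(src_ip, mode, policy="network_virtual_policy", default_action="drop"):
    """Return (action, matched_rule) for a packet from src_ip reaching a virtual
    server that enforces `policy`.

    mode="adc":      default-allow; unmatched traffic is accepted.
    mode="firewall": default-deny; unmatched traffic gets `default_action`
                     ("drop" or "reject", the Virtual Server & Self IP Contexts setting).
    """
    for name, action, networks in POLICIES[policy]:
        if _source_in(src_ip, networks):
            return action, name
    if mode == "adc":
        return "accept", "<adc default>"
    if default_action not in ("drop", "reject"):
        raise ValueError("default_action must be 'drop' or 'reject'")
    return default_action, "<firewall default>"

def unlisted_sources_allowed(mode, samples=("203.0.113.5", "198.51.100.20")):
    """Which sample sources from networks that no address list covers get through.
    The samples are constructed (RFC 5737 documentation ranges)."""
    return [ip for ip in samples if evaluate(ip, mode)[0] == "accept"]

if __name__ == "__main__":
    for ip in ("60.63.10.7", "85.34.12.9", "203.0.113.5"):
        print(ip, "adc:", evaluate(ip, "adc"), "firewall:", evaluate(ip, "firewall"))
```

Only sources that match no rule change outcome between the two modes; explicitly listed networks are accepted or dropped the same way in both, which is why Firewall mode requires every permitted source to appear in a rule.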