Manual Chapter : Deploying AFM in Firewall Mode

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.0
Manual Chapter

Deploying AFM in Firewall Mode

Deploying AFM in firewall mode

By default, AFM firewall is configured in ADC mode, which is a default allow configuration. In Firewall mode, all traffic is blocked at the firewall, and any traffic you want to allow must be explicitly specified.

To understand this firewall scenario, imagine that your prerequisite system load-balances all traffic from the Internet to several internal servers. The internal servers are:

Device and location IP address
Network virtual server 70.168.15..0/24
Application virtual server 192.168.15.101

In order for traffic from the internal application virtual server to reach the external network virtual server, you must create a VLAN and enable both internal and external virtual servers on it. In this scenario, these VLANs are specified:

VLAN Configuration
net_ext Enabled on 70.168.15.0/24, 192.168.15.101
net_int Includes pool members 10.10.1.10, 10.10.1.11

In addition, in this firewall configuration, there are three external networks that must be firewalled:

Network Policy
60.63.10.0/24 Allow all access
48.64.32.0/24 Allow all access
85.34.12.0/24 Deny all access
To set up this scenario, you configure addresses, ports, and firewall rules specific to these networks, ports, and addresses.

Firewall configuration scenario

Configure AFM to use firewall mode

This task describes how to configure AFM to use firewall mode. In this mode, all network traffic is either dropped or rejected.
Note: ADC mode is the default mode.
  1. On the Main tab, click Security > Options > Network Firewall .
  2. From the Virtual Server & Self IP Contexts list, select the default action for the self IP and virtual server contexts.
    • Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  3. From the Global Context list, select the default action for the global rule context.
    • Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  4. Click Update.

Creating a VLAN for the network firewall

Create a VLAN with tagged interfaces, so that each of the specified interfaces can process traffic destined for that VLAN.
  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
    For purposes of this implementation, name the VLAN net_ext.
  4. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Tagged.
    3. Click Add.
  5. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  6. From the Configuration list, select Advanced.
  7. In the MTU field, retain the default number of bytes (1500).
  8. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe check box.
  9. From the Auto Last Hop list, select a value.
  10. From the CMP Hash list, select a value.
  11. To enable the DAG Round Robin setting, select the check box.
  12. For the Hardware SYN Cookie setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  13. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
    The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.

    When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:

    • The number of TCP half-open connections defined in the LTM setting Global SYN Check Threshold is reached.
    • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  14. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
    The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  15. Click Finished.
    The screen refreshes, and it displays the new VLAN in the list.
The new VLAN appears in the VLAN list.
Enable the new VLAN on both the network virtual server and the application virtual server.

Configuring an LTM virtual server with a VLAN for Network Firewall

For this implementation, at least two virtual servers and one at least one VLAN are assumed, though your configuration might be different.
You enable two virtual servers on the same VLAN to allow traffic from hosts on one virtual server to reach or pass through the other. In the Network Firewall, if you are using multiple virtual servers to allow or deny traffic to and from specific hosts behind different virtual servers, you must enable those virtual servers on the same VLAN.
Tip: By default, the virtual server is set to share traffic on All VLANs and Tunnels. This configuration will work for your VLANs, but in the firewall context specifying or limiting VLANs that can share traffic provides greater security.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  4. Click Update to save the changes.
  5. Repeat this task for all virtual servers that must share traffic over the VLAN.
The virtual servers on which you enabled the same VLAN can now pass traffic.

Creating address lists

Use this procedure to create the address lists to be used in the firewall rules.
  1. On the Main tab, click Shared Objects > Address Lists .
  2. Click Create.
  3. In the name field, type addr_list1.
  4. In the Addresses area, add the following addresses: 48.63.32.0/24 and 60.63.10.0/24. Click Add after you type each address.
  5. Click Repeat.
  6. In the name field, type addr_list2.
  7. In the Addresses area, add the following address: 85.34.12.0/24.
  8. Click Add.
  9. Click Finished.
The list screen and new address lists are displayed

Creating firewall rule lists

Create the AFM firewall rule lists that will contain the firewall rules.
  1. On the Main tab, click Security > Network Firewall > Rule Lists .
    The Rule Lists screen opens.
  2. Click the Create button to create a new rule list.
  3. In the Name field, type allow_rule_list.
  4. Click Repeat.
  5. In the Name field, type deny_rule_list.
  6. Click Finished.
The empty firewall rule list is displayed.

Adding the firewall rules to the list

Add network firewall rules to a rule list so you can collect and apply them at once in a policy. Use this task to create firewall rule list that allows traffic only from the networks in address list addr_list1 and another firewall rule list that denies traffic only in address list addr_list2.
  1. On the Main tab, click Security > Network Firewall > Rule Lists .
    The Rule Lists screen opens.
  2. From the list, click allow_rule_list.
    The Rule List properties screen opens.
  3. In the Rules area, click Add to add a firewall rule to the list.
  4. In the Name field, type allow_addr_list.
  5. From the Source Address/Region list, select Specify.
  6. Click Address List and select addr_list1.
  7. Click Add.
  8. From the Action list, select Accept.
  9. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  10. Click Repeat.
  11. In the Name field, type deny_all.
  12. From the Action list, select Reject.
  13. Click Finished.
  14. Click Network Firewall : Rule Lists at the top of the page.
  15. From the list, click deny_rule_list.
    The Rule List properties screen opens.
  16. In the Rules area, click Add to add a firewall rule to the list.
  17. In the Name field, type deny_addr_list.
  18. From the Source Address/Region list, select Specify.
  19. Click Address List and select addr_list2.
  20. Click Add.
  21. From the Action list, select Reject.
  22. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  23. Click Repeat.
  24. In the Name field, type allow_all.
  25. In the Source Address/Region list, select Any.
  26. From the Action list, select Accept.
  27. Click Finished.
    The Rule List properties screen opens.
The Rule Lists screen shows the new rule in the rule list.

Creating firewall policies

Create the firewall policies to collect the rule list. The policies will later be applied to the virtual servers.
  1. On the Main tab, click Security > Network Firewall > Policies .
    The Policies screen opens.
  2. Click Create to create a new policy.
  3. In the Name field, type network_virtual_policy.
  4. Click Repeat.
  5. In the Name field, type app_virtual_policy.
  6. Click Finished.
The Policies screen shows the new policy in the policy list.

Activating the rule list in the policy

The rule list is a container in which you can select and activate one of the rule lists that you created previously, or one of the predefined system rule lists, to apply a collection of rules at one time, to a policy.
  1. On the Main tab, click Security > Network Firewall > Policies .
    The Policies screen opens.
  2. Click the firewall policy named network_virtual_policy.
  3. Click Add Rule List.
  4. In the Name section, enter allow_rule_list in the Rule List option.
  5. Click Done Editing.
  6. Click Commit Changes to System at the top of the page.
  7. Click Policies at the top of the page.
  8. Click the firewall policy named app_virtual_policy.
  9. Click Add Rule List.
  10. In the Name section, enter deny_rule_list in the Rule List option.
  11. Click Done Editing.
  12. Click Commit Changes to System at the top of the page.
The firewall policy and rule list are activated.

Associating the firewall policies with the virtual servers

In the final steps, the firewall policies are applied to the virtual servers.
  1. On the Main tab, click Local Traffic > Virtual Servers .
  2. Click the name of the virtual server with Destination IP address 70.186.15.0/24.
  3. Click Security > Policies at the top of the page.
  4. Change Network Firewall Enforcement to Enabled.
  5. From the Policy list, select network_virtual_policy.
  6. Click Update.
  7. Click Virtual Servers : Virtual Server List at the top of the page.
  8. Click the name of the virtual server with Destination IP address 192.168.15.101.
  9. Click Security > Policies at the top of the page.
  10. Change Network Firewall Enforcement to Enabled.
  11. From the Policy list, select app_virtual_policy.
  12. Click Update.