Applies To:
BIG-IP AFM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Deploying the BIG-IP Network Firewall in ADC Mode
About deploying the network firewall in ADC mode
The BIG-IP® Network Firewall provides policy-based access control to and from address and port pairs inside and outside your network. By default, the network firewall runs in ADC mode, a default-allow configuration: all traffic is allowed through the firewall, and any traffic you want to block must be explicitly denied by a rule.
To understand this firewall scenario, imagine that your existing system load-balances all traffic from the Internet to several internal servers. The internal servers are:
Device and location | IP address | Traffic type |
---|---|---|
Externally accessible FTP server | 70.168.15.104 | FTP |
Application virtual server | 192.168.15.101 | HTTP, FTP |
Server on internal network | 10.10.1.10 | HTTP, HTTPS |
Server on internal network | 10.10.1.11 | HTTP, HTTPS |
The system does not have a separate route domain configured; however, you can use Route Domain 0, which is essentially the same as a global rule.
In order for traffic from the internal application virtual server to reach the external network virtual server, you must create a VLAN and enable both internal and external virtual servers on it. In this scenario, these VLANs are specified:
VLAN | Configuration |
---|---|
net_ext | Enabled on 70.168.15.0/24, 192.168.15.101 |
net_int | Includes pool members 10.10.1.10, 10.10.1.11 |
In addition, in this firewall configuration, there are three external networks that must be firewalled:
Network | Policy |
---|---|
60.63.10.0/24 | Allow all access |
85.34.12.0/24 | Deny all access |
48.64.32.0/24 | Allow FTP, deny HTTP and HTTPS |
Figure: Firewall in ADC mode configuration scenario
Special IPv6 pool considerations with ADC mode
If the rule list ends with a rule that denies all traffic, add a rule ahead of it with these settings so that IPv6 pool members can still send Neighbor Advertisements to the BIG-IP system:
- State: Enabled
- Protocol: ICMPv6 (58)
- Type: Neighbor Advertisement (136)
- Source Address: any affected pool members
- Destination Address: the BIG-IP address, or Any
- Action: Accept
- All other values can be left at their defaults, except the rule name.
Such a rule allows pools that depend on ICMPv6 to keep functioning when a rule that denies all traffic is added at the end of the rule list in an ADC mode configuration.
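The scenario's three external-network policies and the ICMPv6 rule above, as an added example that is not F5 code and not tmsh: a small first-match model of the rule list in Python, with the deny-all rule last and the Neighbor Advertisement rule ahead of it. It assumes fd00:10::/64 as a constructed pool-member prefix and takes FTP, HTTP and HTTPS as TCP 21, 80 and 443; evaluating the same list with the ICMPv6 rule placed after deny-all shows the advertisement being dropped, which is the failure the note above guards against.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmpv6"
    dport: int = 0             # destination port (TCP/UDP only)
    icmp_type: int = -1        # ICMPv6 type, -1 if not ICMPv6

@dataclass
class Rule:
    name: str
    action: str                                   # "accept" or "drop"
    src: Optional[str] = None                     # source CIDR; None = any
    proto: Optional[str] = None                   # None = any protocol
    dports: frozenset = field(default_factory=frozenset)  # empty = any port
    icmp_type: Optional[int] = None               # ICMPv6 type to match

    def matches(self, p: Packet) -> bool:
        # ip_network containment is False across address families, so an
        # IPv4 packet never matches an IPv6-scoped rule (and vice versa).
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return self.icmp_type is None or p.icmp_type == self.icmp_type

def evaluate(rules, p: Packet):
    """First-match evaluation; in ADC mode anything no rule matches is allowed."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action
    return "adc-default", "accept"

# The three external networks from the scenario, the ICMPv6 Neighbor
# Advertisement (type 136) rule, then the deny-all rule at the end of the list.
# fd00:10::/64 is a constructed pool-member prefix, not from the page.
SCENARIO = [
    Rule("allow-60", "accept", src="60.63.10.0/24"),
    Rule("deny-85", "drop", src="85.34.12.0/24"),
    Rule("48-ftp", "accept", src="48.64.32.0/24", proto="tcp", dports=frozenset({21})),
    Rule("48-web", "drop", src="48.64.32.0/24", proto="tcp", dports=frozenset({80, 443})),
    Rule("allow-nd-adv", "accept", src="fd00:10::/64", proto="icmpv6", icmp_type=136),
    Rule("deny-all", "drop"),
]
# Same rules with the ICMPv6 rule placed after deny-all: it can never match.
MISORDERED = [r for r in SCENARIO if r.name != "allow-nd-adv"] + [SCENARIO[4]]
```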