Manual Chapter : Deploying the BIG-IP Network Firewall in ADC Mode

Applies To:

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About deploying the network firewall in ADC mode

The BIG-IP® Network Firewall provides policy-based access control to and from address and port pairs inside and outside of your network. By default, the network firewall is configured in ADC mode, which is a default allow configuration, in which all traffic is allowed through the firewall, and any traffic you want to block must be explicitly specified.

To understand this firewall scenario, imagine that your prerequisite system load-balances all traffic from the Internet to several internal servers. The internal servers are:

Device and location               IP address       Traffic type
Externally accessible FTP server  70.168.15.104    FTP
Application virtual server        192.168.15.101   HTTP, FTP
Server on internal network        10.10.1.10       HTTP, HTTPS
Server on internal network        10.10.1.11       HTTP, HTTPS

The system does not have a separate route domain configured; however, you can use Route Domain 0, which is essentially the same as a global rule.

In order for traffic from the internal application virtual server to reach the external network virtual server, you must create a VLAN and enable both internal and external virtual servers on it. In this scenario, these VLANs are specified:

VLAN      Configuration
net_ext   Enabled on 70.168.15.0/24, 192.168.15.101
net_int   Includes pool members 10.10.1.10, 10.10.1.11

In addition, in this firewall configuration, there are three external networks that must be firewalled:

Network         Policy
60.63.10.0/24   Allow all access
85.34.12.0/24   Deny all access
48.64.32.0/24   Allow FTP, deny HTTP and HTTPS

To set up this scenario, you configure address lists and firewall rules for these networks, addresses, and ports. You also configure a firewall rule that denies all ICMP traffic, to prevent pinging of network devices.

Figure: Firewall in ADC mode configuration scenario (network firewall ADC mode example)

Configuring the Network Firewall in ADC mode

If you have changed the firewall setting to Firewall mode, you can configure the BIG-IP® Network Firewall back to ADC mode.
Note: By default, the firewall is configured in ADC mode.
  1. On the Main tab, click Security > Options > Network Firewall .
    The Firewall Options screen opens.
  2. From the Virtual Server & Self IP Contexts list, select the default action Accept for the self IP and virtual server contexts.
  3. Click Update.
    The virtual server and self IP contexts for the firewall are changed.

Creating a VLAN for the network firewall

Create a VLAN with tagged interfaces, so that each of the specified interfaces can process traffic destined for that VLAN.
  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
    For purposes of this implementation, name the VLAN net_ext.
  4. For the Interfaces setting, click an interface number or trunk name from the Available list, and use the Move button to add the selected interface or trunk to the Tagged list. Repeat this step as necessary.
    You can use the same interface for other VLANs later, if you always assign the interface as a tagged interface.
  5. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  6. From the Configuration list, select Advanced.
  7. In the MTU field, retain the default number of bytes (1500).
  8. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe box.
  9. From the Auto Last Hop list, select a value.
  10. From the CMP Hash list, select a value.
  11. To enable the DAG Round Robin setting, select the check box.
  12. Click Finished.
    The screen refreshes, and displays the new VLAN in the list.
The new VLAN appears in the VLAN list.
Enable the new VLAN on both the network virtual server and the application virtual server.

Configuring an LTM virtual server with a VLAN for Network Firewall

For this implementation, at least two virtual servers and at least one VLAN are assumed, though your configuration might be different.
You enable two virtual servers on the same VLAN to allow traffic from hosts on one virtual server to reach or pass through the other. In the Network Firewall, if you are using multiple virtual servers to allow or deny traffic to and from specific hosts behind different virtual servers, you must enable those virtual servers on the same VLAN.
Tip: By default, the virtual server is set to share traffic on All VLANs and Tunnels. This configuration will work for your VLANs, but in the firewall context specifying or limiting VLANs that can share traffic provides greater security.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  4. Click Update to save the changes.
  5. Repeat this task for all virtual servers that must share traffic over the VLAN.
The virtual servers on which you enabled the same VLAN can now pass traffic.

Adding a firewall rule to deny ICMP

Use this task to create a firewall rule in the Global context that denies ICMP packets globally.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. In the Rules area, click Add to add a firewall rule to the list.
  3. From the Context list, select the Global context.
  4. In the Name field, type deny_icmp.
  5. From the Type list, select Rule.
  6. From the State list, select Enabled.
  7. From the Protocol list, select ICMP.
  8. In the ICMP Message area, from the Type list, select Any, and click the Add button.
    Tip: You can optionally deny only ICMP ping requests, by selecting Echo (8) from the Type list, and clicking Add.
  9. Leave the Source area configured to allow Any address, port, and VLAN.
  10. Leave the Destination area configured to allow Any address or port.
  11. From the Action list, select Drop or Reject.
    These options either drop ICMP packets from any source and port to any port and address, or send a reject message and reset the connection.
  12. From the Logging list, enable or disable logging for the firewall rule.
  13. Click Finished.
    The list screen and the new item are displayed.
A new firewall rule is created, and appears in the firewall rule list. This firewall rule denies all access to and from all sources and destinations on the ICMP protocol.

Creating an address list

Use this procedure to create the address list of source networks that are allowed access. The firewall rules on the network virtual server reference this list.
  1. On the Main tab, click Security > Network Firewall > Address Lists .
    The Address Lists screen opens.
  2. Click Create to create a new address list.
  3. In the Name field, type ADDR_LIST1.
  4. In the Addresses area, add the following addresses: 48.64.32.0/24 and 60.63.10.0/24. Click Add after you type each address.
  5. Click Finished.
    The list screen and the new item are displayed.

Denying access with firewall rules on the network virtual server

The firewall rules in this example apply in the virtual server context. For purposes of this example, the external network-facing virtual server has an IP address of 70.168.15.0/24. The network virtual server is configured with a pool that includes a publicly accessible FTP server at 70.168.15.104, and an application virtual server at 192.168.15.101.
Use this task to create a firewall rule that allows all traffic from the networks on the address list ADDR_LIST1, and another firewall rule that denies all traffic. This serves the purpose of allowing all traffic from the networks that are allowed access, and denying all other traffic.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. In the Rules area, click Add to add a firewall rule to the list.
  3. Select the Virtual Server context, then select the external network virtual server (in this example, 70.168.15.0/24).
  4. In the Name field, type allow_addr_list.
  5. From the Type list, select Rule.
  6. From the State list, select Enabled.
  7. From the Protocol list, select Any.
  8. In the Source area, from the Address list, select List.
  9. From the Source Available list, select ADDR_LIST1, then click the << button to move ADDR_LIST1 to the Selected list.
  10. Leave the Destination area configured with the default Any / Any settings.
  11. From the Action list, select Accept.
    This allows packets from any source on the list to any destination and port on any protocol on the DMZ network.
  12. From the Logging list, enable or disable logging for the firewall rule.
  13. Click the Repeat button.
    The rule is saved, and a new rule creation page opens, with the same information, so you can create a similar rule.
  14. In the Name field, type deny_all.
  15. In the Source area, in the Address list, select Any.
  16. Leave the Destination area configured to deny access to Any address or port.
  17. From the Action list, select Reject.
    This creates a deny all rule for the virtual server.
  18. From the Logging list, enable or disable logging for the firewall rule.
  19. Click Finished.
    The list screen and the new item are displayed.
  20. From the Context list, select Virtual Server.
  21. From the Virtual Server list, select the network virtual server.
  22. Click the Filter button.
The list screen opens, and all firewall rules that apply to the virtual server are displayed.

Denying access with firewall rules on the application virtual server

The firewall rules in this example apply in the virtual server context. For purposes of this example, the application virtual server on the internal network has an IP address of 192.168.15.101, and is configured to load balance traffic to servers 10.10.1.10 and 10.10.1.11 on ports 80 and 443.
Use this task to create a firewall rule that denies all traffic from the network 48.64.32.0/24 to the internal application servers behind the virtual server 192.168.15.101.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. In the Rules area, click Add to add a firewall rule to the list.
  3. Select the Virtual Server context, then select the application virtual server (in this example, 192.168.15.101).
  4. In the Name field, type deny_network_48.
  5. From the Type list, select Rule.
  6. From the State list, select Enabled.
  7. From the Schedule list, select None.
  8. From the Protocol list, select Any.
  9. In the Source area, from the Address list, select Specify.
  10. In the address field, type 48.64.32.0/24.
  11. Leave the Destination area configured to deny access to Any address or port.
  12. From the Action list, select Drop or Reject.
    This drops packets from the 48.64.32.0/24 network to any destination.
  13. From the Logging list, enable or disable logging for the firewall rule.
  14. Click Finished.
    The list screen and the new item are displayed.
  15. From the Context list, select Virtual Server.
  16. From the Virtual Server list, select the application virtual server.
  17. Click the Filter button.
The firewall rules are created, and are displayed on the list screen for the application virtual server.
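The four rule-building tasks above (deny_icmp in the Global context, the ADDR_LIST1 address list, allow_addr_list and deny_all on the network virtual server, deny_network_48 on the application virtual server) only make sense together, so the following added example models how the BIG-IP Network Firewall evaluates them: contexts are checked Global first and then Virtual Server, the first matching rule wins, and traffic that matches no rule gets the default action, which is Accept in ADC mode and Drop in Firewall mode. This is illustrative Python written for this chapter, not F5 code or a tmsh transcript; the rule names, networks and rule order are taken from the chapter, while the virtual server labels "network_vs" and "application_vs" and the sample packets are constructed here. The model treats each virtual server as an independent arrival point and ignores the route domain context, which the chapter leaves at Route Domain 0.

```python
"""Toy model of BIG-IP AFM rule evaluation for the ADC-mode scenario in this
chapter. Added example, not F5 code: rule names, networks and ordering follow
the chapter; the virtual server labels and sample packets are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Address list from "Creating an address list".
ADDRESS_LISTS: Dict[str, List[IPv4Network]] = {
    "ADDR_LIST1": [ip_network("48.64.32.0/24"), ip_network("60.63.10.0/24")],
}


@dataclass
class Packet:
    src: IPv4Address
    protocol: str                # "tcp", "udp" or "icmp"
    virtual_server: str          # label of the virtual server the packet arrives on
    dst_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                                                    # "accept", "drop" or "reject"
    protocol: str = "any"
    src_networks: List[IPv4Network] = field(default_factory=list)  # empty means Source: Any
    src_list: Optional[str] = None                                 # address-list name, or None
    dst_ports: List[int] = field(default_factory=list)             # empty means Destination port: Any

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        nets = list(self.src_networks)
        if self.src_list is not None:
            nets.extend(ADDRESS_LISTS[self.src_list])
        # No source networks at all means the rule's Source is Any.
        return not nets or any(pkt.src in net for net in nets)


# Global context: the rule from "Adding a firewall rule to deny ICMP".
GLOBAL_RULES: List[Rule] = [Rule("deny_icmp", "drop", protocol="icmp")]

# Virtual server context, in the order the chapter creates the rules.
VS_RULES: Dict[str, List[Rule]] = {
    # External network virtual server (70.168.15.0/24 in the chapter).
    "network_vs": [
        Rule("allow_addr_list", "accept", src_list="ADDR_LIST1"),
        Rule("deny_all", "reject"),
    ],
    # Application virtual server (192.168.15.101 in the chapter).
    "application_vs": [
        Rule("deny_network_48", "drop", src_networks=[ip_network("48.64.32.0/24")]),
    ],
}


def evaluate(pkt: Packet, default_action: str = "accept") -> Tuple[str, str]:
    """Return (action, rule_name) for a packet. Global rules are checked before
    the virtual server's own rules and the first match wins. default_action is
    "accept" in ADC mode and "drop" in Firewall mode; the rule name is
    "default" when no rule matched."""
    for rule in GLOBAL_RULES + VS_RULES.get(pkt.virtual_server, []):
        if rule.matches(pkt):
            return rule.action, rule.name
    return default_action, "default"


def scenario_results(default_action: str = "accept") -> Dict[str, Tuple[str, str]]:
    """Run constructed traffic cases matching the chapter's policy table."""
    cases = {
        "ping from 60.63.10.0/24 to network VS": Packet(ip_address("60.63.10.5"), "icmp", "network_vs"),
        "HTTP from 60.63.10.0/24 to network VS": Packet(ip_address("60.63.10.5"), "tcp", "network_vs", 80),
        "HTTP from 85.34.12.0/24 to network VS": Packet(ip_address("85.34.12.7"), "tcp", "network_vs", 80),
        "FTP from 48.64.32.0/24 to network VS": Packet(ip_address("48.64.32.9"), "tcp", "network_vs", 21),
        "HTTPS from 48.64.32.0/24 to application VS": Packet(ip_address("48.64.32.9"), "tcp", "application_vs", 443),
        "HTTPS from 60.63.10.0/24 to application VS": Packet(ip_address("60.63.10.5"), "tcp", "application_vs", 443),
    }
    return {label: evaluate(pkt, default_action) for label, pkt in cases.items()}


if __name__ == "__main__":
    for mode, default in (("ADC mode", "accept"), ("Firewall mode", "drop")):
        print(f"== {mode} (default action: {default}) ==")
        for label, (action, rule) in scenario_results(default).items():
            print(f"{label:45s} -> {action:6s} by {rule}")
```

Two points the model makes visible: rule order on the network virtual server matters, since swapping allow_addr_list and deny_all would reject the allowed networks too, and the last case (HTTPS from 60.63.10.0/24 to the application virtual server) matches no rule at all, so its fate depends entirely on the default action, accepted in ADC mode and dropped in Firewall mode.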