Manual Chapter : Configuring Access Control Lists

Applies To:


BIG-IP APM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About APM ACLs

APM® access control lists (ACLs) restrict user access to host and port combinations that are specified in access control entries (ACEs). An ACE can apply to Layer 4 (the protocol layer), Layer 7 (the application layer), or both. A Layer 4 or Layer 7 ACL is used with network access, application access, or web access connections.

About ACLs and resource assignments on a full webtop

Unlike a Network Access webtop or a Portal Access webtop, a full webtop supports all types of resources. For many resources, such as app tunnels, you must assign them to a policy along with a full webtop. When you assign an app tunnel or a remote desktop resource to a policy, Access Policy Manager® (APM®) assigns the allow ACLs that it created for the resource items associated with them. With an app tunnel or a remote desktop resource assigned, F5® strongly recommends that you also assign an ACL that rejects all other connections and place it last in the ACL order.

If you also add a Network Access resource to the policy, you must create and assign ACLs that allow users access to all the hosts and all parts of the web sites that you want them to access. Otherwise, the ACL that rejects all connections will stop them.

If you add a Portal Access resource to the policy, APM assigns the allow ACLs that it created for the resource items associated with the Portal Access resource. However, you must create and assign ACLs to allow access to the target of the Portal Access link, which is either a start URI or hosted content. Again, without ACLs that explicitly allow the user to connect, the ACL that rejects all connections will stop users from launching the application or the web site.

Configuring an ACL

You use access control lists (ACLs) to restrict user access to host and port combinations that you specify in access control entries (ACEs).
  1. On the Main tab, click Access > Access Control Lists .
    The ACLs screen opens.
  2. Click Create.
    The New ACL screen opens.
  3. In the Name field, type a name for the access control list.
  4. From the Type list, select Static.
  5. Optional: In the Description field, add a description of the access control list.
  6. Optional: From the ACL Order list, specify the relative order in which to add the new ACL respective to other ACLs:
    • Select After to add the ACL after a specific ACL and select the ACL.
    • Select Specify and type the specific order number.
    • Select Last to add the ACL at the last position in the list.
  7. From the Match Case for Paths list, select Yes to match case for paths, or No to ignore path case.
    This setting specifies whether alphabetic case is considered when matching paths in an access control entry.
  8. Click the Create button.
    The ACL Properties screen opens.
  9. In the Access Control Entries area, click Add to add an entry.
    For an ACL to have an effect on traffic, you must configure at least one access control entry.
    The New Access Control Entry screen appears.
  10. From the Type list, select the layers to which the access control entry applies:
    • L4 (Layer 4)
    • L7 (Layer 7)
    • L4+L7 (Layer 4 and Layer 7)
  11. From the Action list, select the action for the access control entry:
    • Allow: Permit the traffic.
    • Continue: Skip checking against the remaining access control entries in this ACL and continue evaluation at the next ACL.
    • Discard: Drop the packet silently.
    • Reject: Drop the packet and send a TCP RST message on TCP flows or proper ICMP messages on UDP flows. Silently drop the packet on other protocols.
      Note: If HTTP traffic matches a Layer 4 ACL, APM sends a TCP RST message. If traffic matches a Layer 7 ACL and is denied, APM sends the ACL Deny page.
    To create a default access control list, complete this step, then skip to the last step in this procedure.
  12. In the Source IP Address field, type the source IP address.
    This specifies the IP address to which the access control entry applies.
  13. In the Source Mask field, type the network mask for the source IP address.
    This specifies the network mask for the source IP address to which the access control entry applies.
  14. For the Source Port setting, select Port or Port Range.
    This setting specifies whether the access control entry applies to a single port or a range of ports.
  15. In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control entry applies.
    To simplify this choice, you can select from the list of common applications, to the right of the Port field, to add the typical port or ports for that protocol.
  16. In the Destination IP Address field, type the IP address to which the access control entry controls access.
  17. In the Destination Mask field, type the network mask for the destination IP address.
  18. For the Destination Ports setting, select Port or Port Range.
    This setting specifies whether the access control entry applies to a single port or a range of ports.
  19. In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control entry applies.
    To simplify this choice, you can select from the list of common applications, to the right of the Port field, to add the typical port or ports for that protocol.
  20. From the Scheme list, select the URI scheme for the access control entry:
    • http
    • https
    • any
    The scheme any matches either HTTP or HTTPS traffic.
  21. In the Host Name field, type a host to which the access control entry applies.
    The Host Name field supports shell glob matching: you can use the asterisk wildcard (*) to match zero or more characters, and the question mark wildcard (?) to match a single character.
    *.siterequest.com matches siterequest.com with any prefix, such as www.siterequest.com, mail.siterequest.com, finance.siterequest.com, and any others with the same pattern.
    n?t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequest.com, or note.siterequest.com.
  22. In the Paths field, type the path or paths to which the access control entry applies.
    You can separate multiple paths with spaces, for example, /news /finance. The Paths field supports shell glob matching. You can use the wildcard characters * and question mark (?) to represent multiple or single characters, respectively. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.
  23. From the Protocol list, select the protocol to which the access control entry applies.
  24. From the Log list, select the log level for this access control entry:
    • None: Log nothing.
    • Packet: Log the matched packet.
    When events occur at the selected log level, the server records a log message.
  25. Click Finished.
You have configured an ACL with one access control entry. (You can configure additional entries.)
To use the ACL, assign it to a session using an Advanced Resource Assign or ACL Assign action in an access policy.

Example ACE settings: reject all connections to a network

This example access control entry (ACE) rejects all connections to a specific network at 192.168.112.0/24.

Property                 Value            Notes
Source IP Address        0.0.0.0          If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0.
Source Mask              0.0.0.0
Source Ports             All Ports
Destination IP Address   192.168.112.0
Destination Mask         255.255.255.0
Destination Ports        All Ports
Protocol                 All Protocols
Action                   Reject

Example ACE settings: allow SSH to a specific host

This example access control entry (ACE) allows SSH connections to the internal host at 192.168.112.9.

Property                 Value                Notes
Source IP Address        0.0.0.0              If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0.
Source Mask              0.0.0.0
Source Ports             All Ports
Destination IP Address   192.168.112.9
Destination Mask         255.255.255.0
Destination Ports        22 (or select SSH)
Protocol                 TCP
Action                   Allow

Example ACE settings: reject all connections to specific file types

This example access control entry (ACE) rejects all connections that attempt to open files with the extensions doc, exe, and txt.

Property                 Value                Notes
Source IP Address        0.0.0.0              If you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0.
Source Mask              0.0.0.0
Source Ports             All Ports
Destination IP Address   0.0.0.0
Destination Mask         0.0.0.0
Destination Ports        All Ports
Scheme                   http
Paths                    *.doc *.exe *.txt    Separate multiple paths with spaces.
Protocol                 All Protocols
Action                   Reject
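To see how the fields from steps 10 through 24 combine and how ACL order decides the outcome, here is a small Python evaluator written for this chapter. It is an added example, not F5 code, and it models only the behaviour the chapter describes; its ACE, ACL and Request classes, the "NO_MATCH" verdict when no entry matches, and case-insensitive host-name comparison are assumptions. It loads the three example ACEs above as data and applies them to constructed traffic. Two things it makes visible: the SSH entry above, with a Destination Mask of 255.255.255.0, covers every address in 192.168.112.0/24 and not only 192.168.112.9 (a mask of 255.255.255.255 limits it to that single host), and the file-type entry, with Scheme set to http, does not match the same paths requested over HTTPS.

```python
"""Toy evaluator for APM-style ACLs (added example, not F5 code). It models only what
this chapter describes: ordered ACLs made of ACEs, L4 criteria (IP/mask, ports,
protocol), L7 criteria (scheme, host glob, path globs honouring Match Case for Paths)
and the Allow, Continue, Discard and Reject actions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ipaddress
from typing import List, Optional, Tuple

ALL_PORTS = (0, 65535)  # the GUI's "All Ports" choice

@dataclass
class ACE:
    action: str                      # Allow | Continue | Discard | Reject
    ace_type: str = "L4"             # L4 | L7 | L4+L7 (the Type list)
    src_ip: str = "0.0.0.0"          # a blank address in the GUI equals 0.0.0.0
    src_mask: str = "0.0.0.0"
    src_ports: Tuple[int, int] = ALL_PORTS
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_ports: Tuple[int, int] = ALL_PORTS
    protocol: str = "any"            # tcp | udp | any ("All Protocols")
    scheme: str = "any"              # http | https | any
    host: str = "*"                  # shell glob, as in the Host Name field
    paths: Tuple[str, ...] = ("*",)  # space-separated in the GUI, a tuple here

@dataclass
class ACL:
    name: str
    aces: List[ACE]
    match_case_for_paths: bool = True

@dataclass
class Request:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str                    # tcp | udp
    scheme: Optional[str] = None     # None when the traffic is not HTTP(S)
    host: Optional[str] = None
    path: Optional[str] = None

def in_subnet(addr: str, network: str, mask: str) -> bool:
    """True when addr lies inside network/mask; a 0.0.0.0 mask matches any address."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{network}/{mask}", strict=False)

def host_matches(host: str, pattern: str) -> bool:
    """Host Name glob: * matches zero or more characters, ? exactly one (case-insensitive, assumed)."""
    return fnmatchcase(host.lower(), pattern.lower())

def l4_match(ace: ACE, req: Request) -> bool:
    """Layer 4 criteria: protocol, source/destination address ranges and ports."""
    if ace.protocol != "any" and ace.protocol != req.protocol:
        return False
    return (in_subnet(req.src_ip, ace.src_ip, ace.src_mask)
            and in_subnet(req.dst_ip, ace.dst_ip, ace.dst_mask)
            and ace.src_ports[0] <= req.src_port <= ace.src_ports[1]
            and ace.dst_ports[0] <= req.dst_port <= ace.dst_ports[1])

def l7_match(ace: ACE, req: Request, match_case: bool) -> bool:
    """Layer 7 criteria: URI scheme, host-name glob and path globs."""
    if req.scheme is None or req.host is None or req.path is None:
        return False                 # nothing at Layer 7 to inspect
    if (ace.scheme != "any" and ace.scheme != req.scheme) or not host_matches(req.host, ace.host):
        return False
    path, patterns = req.path, ace.paths
    if not match_case:               # Match Case for Paths = No
        path, patterns = path.lower(), tuple(p.lower() for p in patterns)
    return any(fnmatchcase(path, p) for p in patterns)

def ace_matches(ace: ACE, req: Request, match_case: bool) -> bool:
    """An L4+L7 entry must satisfy both layers; L4 or L7 alone checks only its own criteria."""
    return (("L4" not in ace.ace_type or l4_match(ace, req))
            and ("L7" not in ace.ace_type or l7_match(ace, req, match_case)))

def evaluate(acls: List[ACL], req: Request) -> Tuple[str, Optional[str]]:
    """Walk the ACLs in order: the first matching Allow/Discard/Reject entry decides (its ACL
    name is returned); a matching Continue entry skips the rest of that ACL and moves on."""
    for acl in acls:
        for ace in acl.aces:
            if ace_matches(ace, req, acl.match_case_for_paths):
                if ace.action == "Continue":
                    break
                return ace.action, acl.name
    return "NO_MATCH", None          # assumption: the chapter does not state the implicit default

# The three ACEs from this chapter's example tables, expressed as data
REJECT_NET = ACE(action="Reject", dst_ip="192.168.112.0", dst_mask="255.255.255.0")
ALLOW_SSH = ACE(action="Allow", protocol="tcp", dst_ip="192.168.112.9",
                dst_mask="255.255.255.0", dst_ports=(22, 22))
REJECT_FILES = ACE(action="Reject", ace_type="L4+L7", scheme="http",
                   paths=("*.doc", "*.exe", "*.txt"))

# Constructed sample traffic (not from the chapter)
SSH_TO_HOST = Request("10.1.1.5", 40000, "192.168.112.9", 22, "tcp")
SSH_TO_NEIGHBOUR = Request("10.1.1.5", 40001, "192.168.112.50", 22, "tcp")
EXE_DOWNLOAD = Request("10.1.1.5", 40002, "203.0.113.10", 80, "tcp", scheme="http",
                       host="www.siterequest.com", path="/files/setup.exe")
```

Calling evaluate() with the allow-SSH ACL first and the reject-network ACL second returns Allow for SSH_TO_HOST; swapping the two ACLs returns Reject for the same flow, which is why the chapter has you place the rejecting ACL last. A Continue entry can be seen in the same way: an ACL whose first entry is Continue for TCP skips its own later entries for TCP flows and lets the next ACL decide, while UDP flows fall through to that ACL's remaining entries.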