Manual Chapter : Configuring Packet Filtering

Applies To:


BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Link Controller

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Analytics

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP PEM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Setting up packet filtering

Packet filters enhance network security by specifying whether a BIG-IP® system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic only; they do not apply to outgoing traffic.

You implement packet filtering by creating packet filter rules. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:

  • The source IP address of a packet
  • The destination IP address of a packet
  • The destination port of a packet

You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the Configuration utility to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility.

Note: Packet filter rules are unrelated to iRules®.

You can also configure global packet filtering that applies to all packet filter rules that you create.

Task summary

The tasks in this chapter set up basic IP routing and configure packet filtering so that specific hosts on the internal VLAN can connect to the internal VLAN's self IP address and use common Internet services such as HTTP, HTTPS, DNS, FTP, and SSH. Traffic from all other hosts on the internal VLAN is rejected.

Task list

Enabling SNAT automap for internal and external VLANs

You can configure SNAT automapping on the BIG-IP system for internal and external VLANs.
  1. On the Main tab, click Local Traffic > Address Translation.
    The SNAT List screen displays a list of existing SNATs.
  2. Click Create.
  3. Name the new SNAT.
  4. From the Translation list, select Automap.
  5. For the VLAN / Tunnel List setting, in the Available field, select internal and external, and using the Move button, move the VLANs to the Selected field.
  6. Click Finished.
SNAT automapping on the BIG-IP system is configured for internal and external VLANs.

Creating a default gateway pool

Create a default gateway pool for the system to use to forward traffic.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, from the Available list, select the gateway_icmp monitor, and click << to move the monitor to the Active list.
  5. Using the New Members setting, add each router that you want to include in the default gateway pool:
    1. Type the IP address of a router in the Address field.
    2. Type an asterisk * in the Service Port field, or select *All Services from the list.
    3. Click Add.
  6. Click Finished.

Creating a forwarding virtual server

A virtual server represents a destination IP address for application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting:
    1. For Type, select Network.
    2. In the Address field, type the IP address 0.0.0.0.
    3. In the Mask field, type the netmask 0.0.0.0.
  5. From the Service Port list, select *All Ports.
  6. In the Configuration area of the screen, from the Type list, select Forwarding (IP).
  7. From the Protocol list, select *All Protocols.
  8. From the VLAN/Tunnel Traffic list, select Enabled On.
  9. For the VLAN List setting, from the Available box, select internal, and click the Move button to move the VLAN name to the Selected box.
  10. In the Resources area of the screen, locate the Default Pool setting and select the pool you created previously.
  11. Click Finished.
You now have a destination IP address on the BIG-IP system for application traffic.

Enabling packet filtering on the BIG-IP system

Before creating a packet filtering rule, you must enable packet filtering.
  1. On the Main tab, click Network > Packet Filters.
    The Packet Filters screen opens.
  2. From the Packet Filtering list, select Enabled.
  3. From the Unhandled Packet Action list, select Accept.
  4. Click Update.
Packet filtering is enabled.

Creating a packet filter rule

When implementing packet filtering, you need to create a packet filter rule.
  1. On the Main tab, click Network > Packet Filters.
    The Packet Filters screen opens.
  2. Click Rules.
  3. Click Create.
  4. Name the rule.
  5. From the Order list, select First.
  6. From the Action list, select Reject.
  7. From the Apply to VLAN list, select internal.
  8. From the Logging list, select Enabled.
  9. From the Filter Expression Method list, select Enter Expression Text.
  10. In the Filter Expression field, type an expression.
    For example: not dst port 80 and not dst port 443 and not dst port 53 and not dst port 22 and not dst port 20 and not dst port 21 and not dst host <internal self IP address>
    Note: Replace <internal self IP address> with the actual self IP address of VLAN internal.
  11. Click Finished.
The packet filter rule is available.
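The following is an added Python example, not F5 code, that evaluates the step 10 expression the way a Reject rule applies it: it parses the tcpdump syntax subset this chapter uses (dst/src port, dst/src host, not, and, or), tests it against constructed packet headers, and reports whether the rule fires or the packet falls through to the global Unhandled Packet Action. It assumes 10.0.0.1 as a stand-in for <internal self IP address>, and it rejects a mistyped keyword (for example "no" instead of "not") as a syntax error rather than silently matching nothing.

```python
# Added example, not F5 code: evaluate a packet filter expression (tcpdump syntax subset).
from ipaddress import ip_address

def parse(expr):
    """Tree from 'dst|src port N', 'dst|src host A', 'not', 'and', 'or' (left to right, no parentheses)."""
    toks = expr.split()
    def primary():
        if not toks:
            raise ValueError("expression ends early")
        t = toks.pop(0)
        if t == "not":
            return ("not", primary())
        if t in ("dst", "src") and len(toks) >= 2 and toks[0] in ("port", "host"):
            kind, value = toks.pop(0), toks.pop(0)
            return (t, kind, int(value) if kind == "port" else ip_address(value))
        raise ValueError("unexpected token %r" % t)  # catches typos such as 'no dst port 22'
    def and_expr():
        node = primary()
        while toks and toks[0] == "and":
            toks.pop(0)
            node = ("and", node, primary())
        return node
    node = and_expr()
    while toks and toks[0] == "or":
        toks.pop(0)
        node = ("or", node, and_expr())
    if toks:
        raise ValueError("trailing tokens %r" % toks)
    return node

def matches(node, pkt):
    """Evaluate a parsed tree against a packet header dict."""
    if node[0] == "not":
        return not matches(node[1], pkt)
    if node[0] in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return left and right if node[0] == "and" else left or right
    direction, kind, value = node
    return pkt[direction + "_" + kind] == value

INTERNAL_SELF_IP = "10.0.0.1"  # constructed stand-in for <internal self IP address>
RULE = ("not dst port 80 and not dst port 443 and not dst port 53 and not dst port 22 "
        "and not dst port 20 and not dst port 21 and not dst host " + INTERNAL_SELF_IP)

def packet(dst_port, dst_host="192.0.2.10", src_host="10.0.0.50", src_port=40000):
    # Constructed header fields; these are the only ones this filter subset can test.
    return {"src_host": ip_address(src_host), "src_port": src_port,
            "dst_host": ip_address(dst_host), "dst_port": dst_port}

def rule_action(pkt, expr=RULE, action="reject"):
    """The rule's action if the packet matches; otherwise the global Unhandled Packet Action decides."""
    return action if matches(parse(expr), pkt) else "unhandled"
```

With the chapter's settings (rule action Reject, Unhandled Packet Action Accept), "unhandled" means the packet is accepted, so checking which packets fall through is the quickest way to confirm the expression before enabling it on the internal VLAN.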