Advanced Multi-layer Firewall Protection > Advanced Multi-Layer Firewall Protection > Module 1: F5 Multi-layer Firewall Source | Edit on
Lab 1: Pre-configured pools and virtual servers¶
A virtual server is used by BIG-IP to identify specific types of traffic. Other objects such as profiles, policies, pools and iRules are applied to the virtual server to add features and functionality. In the context of security, since BIG-IP is a default-deny device, a virtual server is necessary to accept specific types of traffic.
The pool is a logical group of hosts that is applied to and will receive traffic from a virtual server.
Firewall Rule Hierarchy¶
With the BIG-IP® Advanced Firewall Manager (AFM), you can apply network ACLs to several different contexts to configure the level of specificity of a firewall rule or policy. For example, you might make a global context rule to block ICMP ping messages, and you might make a virtual server context rule to allow only a specific network to access an application.
Context is processed in this order:
- Global
- Route domain
- Virtual server / self IP
- Management port*
- Global drop*
The firewall processes policies and rules in order, progressing from the global context, to the route domain context, and then to either the virtual server or self IP context. Management port rules are processed separately, and are not processed after previous rules. Rules can be viewed in one list, and viewed and reorganized separately within each context. You can enforce a firewall policy on any context except the management port. You can also stage a firewall policy in any context except management.
Tip
You cannot configure or change the Global Drop context. The Global Drop context is the final context for traffic. Note that even though it is a global context, it is not processed first, like the main global context, but last. If a packet matches no rule in any previous context, the Global Drop rule drops the traffic.
Inspect Application Pools¶
After connecting to the jump host via RDP, click on the Chrome shortcut on the desktop or task bar.
The BIG-IP login screen should open in the first tab. Other tabs will open with links to applications that we will test later in the lab.
Enter the credentials shown in the welcome message and click Log In.
Verify the following pools using the following tabel of pool information.
Navigate to Local Traffic > Pools > Pool List.
| Name | Health Monitor | Members | Service Port |
|---|---|---|---|
| pool_www.site1.com | http | 10.1.20.11 | 80 |
| pool_www.site2.com | http | 10.1.20.12 | 80 |
| pool_www.site3.com | http | 10.1.20.13 | 80 |
| pool_www.site4.com | http | 10.1.20.14 | 80 |
| pool_www.site5.com | http | 10.1.20.15 | 80 |
| pool_dvwa.com | tcp_half_open | 10.1.20.17 | 80 |
| IDS_pool | gateway_icmp | 10.1.20.252 |
This screenshot shows an example of the pool list in the TMUI:
Inspect Application Virtual Servers¶
This lab uses the term “internal” to refer to the network and hosts protected by the firewall. “External” refers to the network and hosts that are exposed to the public/internet. The EXT_VIP in this exercise is used to forward traffic with specific characteristics to the internal VIP’s. This is accomplished by assigning a traffic policy to the VIP. The traffic policy is described and inspected in the next section. For this class, the Wildcard Virtual servers (Blue Square status indicator) are not used.
Navigate to Local Traffic > Virtual Servers > Virtual Server List.
Inspect the Local Traffic Network Map¶
The Network Map page in the Configuration utility provides a hierarchical view of BIG-IP local traffic objects, such as virtual servers, pools, and iRules. It displays the status for each component and the relationships between components, and it provides additional component information on the accompanying panels.
Starting in BIG-IP 14.1.0, you can use the Network Map page for a variety or administrative tasks. You can view the status of the object, such as a pool member that may be marked offline, or view statistical information for the object, such as the current connection count for a virtual server. You can also view the relationship of one object to another, such as the parent-child relationship between a virtual server and a pool.
To view the network map, navigate to Local Traffic > Network Map.
Note
The virtual servers should show a green circle for status.
This completes Module 1 - Lab 1. Click Next to continue.