Network Security

This section contains declarations that use F5’s network security and firewall features.


Note

As of AS3 3.10.0, if the Firewall_Address_List contains zero addresses, a dummy IPv6 address of ::1:5ee:bad:c0de is added in order to maintain a valid Firewall_Address_List. If an address is added to the list, the dummy address is removed.

1: Using Firewall Rules, Policies, and logging

This example shows how you can use the BIG-IP Advanced Firewall Manager (AFM) module in a declaration. BIG-IP AFM defends against threats to network layers 3–4, stopping them before they reach your data center.

Important

To use these features, you must have BIG-IP AFM licensed and provisioned on your BIG-IP system.

In this example, we create firewall rules which are used in our firewall policy. We also create a security logging profile to define the events we want to log.

The AFM features we use in this declaration are well-documented in the AFM documentation and Logging documentation. See these manuals for more information on these features. Also see the Schema Reference for usage options for your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_01.
  • A virtual server named serviceMain.
  • A pool named ex_pool monitored by the default gateway_icmp health monitor.
  • A firewall rule list named fwRuleList, which references lists of allowed ports (fwAllowedPortList) and addresses (fwAllowedAddressList).
  • A firewall policy named fwPolicy which references the firewall rule lists.
  • A log publisher (fwLogPublisher), a high speed logging destination (fwLogDestinationHsl) with its pool (hsl_pool), and a remote syslog destination (fwLogDestinationSyslog) that is fed by the high speed logging destination.
  • A security logging profile (fwSecurityLogProfile) that sends network firewall events (rule-match accepts, drops and rejects, TCP and IP errors) to the log publisher. It is attached to serviceMain, as is the enforced firewall policy.
  • A default-deny address list (fwDefaultDenyAddressList, 0.0.0.0/0) used by the final drop rule, so anything the allow rules do not match is dropped and logged.
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "firewall",
        "label": "Sample Network Security 1",
        "remark": "Firewall policy, rule, and logging example",
        "controls": {
            "trace": true
        },
        "Sample_net_sec_01": {
            "class": "Tenant",
            "fwFastL4": {
                "fwAllowedAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "10.0.0.0/8",
                        "172.20.0.0/16",
                        "192.168.0.0/16"
                    ]
                },
                "fwLogDestinationSyslog": {
                    "class": "Log_Destination",
                    "type": "remote-syslog",
                    "remoteHighSpeedLog": {
                        "use": "fwLogDestinationHsl"
                    },
                    "format": "rfc5424"
                },
                "fwLogDestinationHsl": {
                    "class": "Log_Destination",
                    "type": "remote-high-speed-log",
                    "protocol": "tcp",
                    "pool": {
                        "use": "hsl_pool"
                    }
                },
                "fwRuleList": {
                    "class": "Firewall_Rule_List",
                    "rules": [
                        {
                            "protocol": "tcp",
                            "name": "tcpAllow",
                            "loggingEnabled": true,
                            "destination": {
                                "portLists": [
                                    {
                                        "use": "fwAllowedPortList"
                                    }
                                ]
                            },
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            },
                            "action": "accept"
                        },
                        {
                            "action": "accept",
                            "loggingEnabled": true,
                            "protocol": "udp",
                            "name": "udpAllow",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            }
                        },
                        {
                            "action": "drop",
                            "loggingEnabled": true,
                            "protocol": "any",
                            "name": "defaultDeny",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwDefaultDenyAddressList"
                                    }
                                ]
                            }
                        }
                    ]
                },
                "hsl_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.120.6"
                            ],
                            "enable": true,
                            "servicePort": 514
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/tcp"
                        }
                    ]
                },
                "fwAllowedPortList": {
                    "class": "Firewall_Port_List",
                    "ports": [
                        22,
                        53,
                        80,
                        443,
                        "8080-8081"
                    ]
                },
                "fwSecurityLogProfile": {
                    "class": "Security_Log_Profile",
                    "network": {
                        "publisher": {
                            "use": "fwLogPublisher"
                        },
                        "storageFormat": {
                            "fields": [
                                "action",
                                "dest-ip",
                                "dest-port",
                                "src-ip",
                                "src-port"
                            ]
                        },
                        "logTranslationFields": true,
                        "logTcpEvents": true,
                        "logRuleMatchRejects": true,
                        "logTcpErrors": true,
                        "logIpErrors": true,
                        "logRuleMatchDrops": true,
                        "logRuleMatchAccepts": true
                    }
                },
                "class": "Application",
                "fwDefaultDenyAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "0.0.0.0/0"
                    ]
                },
                "fwPolicy": {
                    "rules": [
                        {
                            "use": "fwRuleList"
                        }
                    ],
                    "class": "Firewall_Policy"
                },
                "ex_L4_Profile": {
                    "class": "L4_Profile"
                },
                "template": "l4",
                "ex_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.31.3"
                            ],
                            "enable": true,
                            "servicePort": 0
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/gateway_icmp"
                        }
                    ]
                },
                "serviceMain": {
                    "translateServerAddress": false,
                    "securityLogProfiles": [
                        {
                            "use": "fwSecurityLogProfile"
                        }
                    ],
                    "virtualAddresses": [
                        "0.0.0.0"
                    ],
                    "policyFirewallEnforced": {
                        "use": "fwPolicy"
                    },
                    "translateServerPort": false,
                    "profileL4": {
                        "use": "ex_L4_Profile"
                    },
                    "virtualPort": 0,
                    "snat": "none",
                    "class": "Service_L4",
                    "pool": "ex_pool"
                },
                "fwLogPublisher": {
                    "class": "Log_Publisher",
                    "destinations": [
                        {
                            "use": "fwLogDestinationSyslog"
                        }
                    ]
                }
            }
        }
    }
}
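The declaration above is only as good as its cross-references: every `{"use": ...}` pointer has to name an object that exists in the same Application (or an absolute `/Tenant/Application/name` path), the final rule of each rule list should be the default deny, and, per the note at the top of this page, an address list with no entries is silently padded with the `::1:5ee:bad:c0de` placeholder. The following checker is an added example written for this page, not part of AS3 or any F5 tool. It runs against a constructed, trimmed copy of example 1 into which a typo (`fwLowDestinationHsl` for `fwLogDestinationHsl`) and an empty address list have been deliberately introduced; the set of Firewall_Address_List entry properties it treats as "non-empty" (`addresses`, `fqdns`, `geo`, `addressLists`) is an assumption drawn from the AS3 schema.

```python
"""Pre-deployment checks for AS3 network-security declarations (added example,
not part of AS3 itself). Walks an ADC declaration and reports:
  * {"use": ...} pointers that resolve to nothing (a typo such as
    fwLowDestinationHsl for fwLogDestinationHsl),
  * Firewall_Address_List objects with no entries, where AS3 3.10.0+ inserts
    the ::1:5ee:bad:c0de placeholder,
  * Firewall_Rule_List objects whose last rule is not drop/reject or whose
    rules have logging switched off,
  * Service_* objects with no enforced firewall policy or no log profile.
"""
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample: a trimmed copy of example 1 with one deliberate typo in
# fwLogDestinationSyslog ("fwLowDestinationHsl") and an empty list added.
SAMPLE: Dict[str, Any] = {
    "class": "ADC", "schemaVersion": "3.0.0", "id": "firewall",
    "Sample_net_sec_01": {"class": "Tenant", "fwFastL4": {
        "class": "Application", "template": "l4",
        "fwAllowedAddressList": {"class": "Firewall_Address_List",
                                 "addresses": ["10.0.0.0/8"]},
        "fwEmptyList": {"class": "Firewall_Address_List", "addresses": []},
        "fwAllowedPortList": {"class": "Firewall_Port_List", "ports": [22, 443]},
        "fwDefaultDenyAddressList": {"class": "Firewall_Address_List",
                                     "addresses": ["0.0.0.0/0"]},
        "fwRuleList": {"class": "Firewall_Rule_List", "rules": [
            {"name": "tcpAllow", "action": "accept", "protocol": "tcp",
             "loggingEnabled": True,
             "source": {"addressLists": [{"use": "fwAllowedAddressList"}]},
             "destination": {"portLists": [{"use": "fwAllowedPortList"}]}},
            {"name": "defaultDeny", "action": "drop", "protocol": "any",
             "loggingEnabled": True,
             "source": {"addressLists": [{"use": "fwDefaultDenyAddressList"}]}}]},
        "fwPolicy": {"class": "Firewall_Policy", "rules": [{"use": "fwRuleList"}]},
        "hsl_pool": {"class": "Pool", "members": [
            {"serverAddresses": ["192.168.120.6"], "servicePort": 514}]},
        "fwLogDestinationHsl": {"class": "Log_Destination", "protocol": "tcp",
                                "type": "remote-high-speed-log",
                                "pool": {"use": "hsl_pool"}},
        "fwLogDestinationSyslog": {"class": "Log_Destination", "type": "remote-syslog",
                                   "format": "rfc5424",
                                   "remoteHighSpeedLog": {"use": "fwLowDestinationHsl"}},
        "fwLogPublisher": {"class": "Log_Publisher",
                           "destinations": [{"use": "fwLogDestinationSyslog"}]},
        "fwSecurityLogProfile": {"class": "Security_Log_Profile", "network": {
            "publisher": {"use": "fwLogPublisher"}, "logRuleMatchDrops": True}},
        "serviceMain": {"class": "Service_L4", "virtualAddresses": ["0.0.0.0"],
                        "virtualPort": 0,
                        "policyFirewallEnforced": {"use": "fwPolicy"},
                        "securityLogProfiles": [{"use": "fwSecurityLogProfile"}]},
    }},
}


def applications(adc: Dict[str, Any]) -> Iterator[Tuple[str, str, Dict[str, Any]]]:
    """Yield (tenant, application, object) for every Application in the ADC."""
    for tname, tenant in adc.items():
        if isinstance(tenant, dict) and tenant.get("class") == "Tenant":
            for aname, app in tenant.items():
                if isinstance(app, dict) and app.get("class") == "Application":
                    yield tname, aname, app


def use_refs(node: Any) -> Iterator[str]:
    """Recursively yield the target of every {"use": "..."} pointer."""
    if isinstance(node, dict):
        if isinstance(node.get("use"), str):
            yield node["use"]
        for value in node.values():
            yield from use_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from use_refs(item)


def resolves(adc: Dict[str, Any], tenant: str, app: str, ref: str) -> bool:
    """Bare names resolve inside the same Application; /Tenant/App/name is absolute."""
    if not ref.startswith("/"):
        return ref in adc[tenant][app]
    node: Any = adc
    for part in ref.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True


def lint(adc: Dict[str, Any]) -> List[str]:
    """Return one human-readable finding per problem; an empty list means clean."""
    findings: List[str] = []
    for tname, aname, app in applications(adc):
        where = f"/{tname}/{aname}"
        for ref in sorted(set(use_refs(app))):
            if not resolves(adc, tname, aname, ref):
                findings.append(f"{where}: unresolved reference {ref!r}")
        for name, obj in app.items():
            cls = obj.get("class", "") if isinstance(obj, dict) else ""
            if cls == "Firewall_Address_List" and not any(
                    obj.get(k) for k in ("addresses", "fqdns", "geo", "addressLists")):
                findings.append(f"{where}/{name}: empty Firewall_Address_List "
                                "(AS3 will insert placeholder ::1:5ee:bad:c0de)")
            elif cls == "Firewall_Rule_List":
                rules = obj.get("rules", [])
                if not rules or rules[-1].get("action") not in ("drop", "reject"):
                    findings.append(f"{where}/{name}: last rule is not drop/reject")
                findings += [f"{where}/{name}: rule {r.get('name')} has logging disabled"
                             for r in rules if not r.get("loggingEnabled")]
            elif cls.startswith("Service_"):
                if "policyFirewallEnforced" not in obj:
                    findings.append(f"{where}/{name}: no policyFirewallEnforced")
                if not obj.get("securityLogProfiles"):
                    findings.append(f"{where}/{name}: no securityLogProfiles")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

Run it on the `declaration` object of a real AS3 request (the part inside the `AS3` wrapper) before you POST; against the constructed sample it reports exactly the unresolved `fwLowDestinationHsl` pointer and the empty `fwEmptyList`. The reference check is the one that pays for itself most often, because a misspelled `use` target fails only at deploy time, after the rest of the tenant has been touched.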


2: Using Firewall (Carrier Grade) NAT features in a declaration

This example shows how you can use some Carrier Grade NAT (CGNAT) features (NAT Policy, NAT Source Translation, Firewall lists) in an AS3 declaration. For more information on CGNAT, see Carrier Grade NAT on f5.com. Also see the Schema Reference for usage options for using these features in your AS3 declarations.

New in AS3 v3.15.0
In AS3 3.15.0, you have the ability to reference a security logging profile from a NAT rule. The example below has been updated to show this: the securityLogProfile property on rule1 in natPolicy points at the secLogProfile object. For more information on usage, see NAT_Rule in the schema reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_02.
  • A Fast L4 virtual server named serviceMain.
  • A NAT Policy.
  • A NAT Source Address Translation object
  • Port and destination address lists (Firewall Address lists).
{
    "class": "ADC",
    "id": "cgnat",
    "label": "Sample Network Security 2",
    "remark": "08",
    "schemaVersion": "3.0.0",
    "Sample_net_sec_02": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "l4",
            "serviceMain": {
                "class": "Service_L4",
                "layer4": "any",
                "policyNAT": {
                    "use": "natPolicy"
                },
                "snat": "none",
                "translateServerAddress": false,
                "translateServerPort": false,
                "virtualAddresses": [
                    "0.0.0.0"
                ],
                "virtualPort": 0
            },
            "natDestinationAddressList": {
                "addresses": [
                    "0.0.0.0/0"
                ],
                "class": "Firewall_Address_List"
            },
            "natDestinationPortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natPolicy": {
                "class": "NAT_Policy",
                "rules": [
                    {
                        "destination": {
                            "addressLists": [
                                {
                                    "use": "natDestinationAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natDestinationPortList"
                                }
                            ]
                        },
                        "name": "rule1",
                        "protocol": "tcp",
                        "source": {
                            "addressLists": [
                                {
                                    "use": "natSourceAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natSourcePortList"
                                }
                            ]
                        },
                        "sourceTranslation": {
                            "use": "natSourceTranslation"
                        },
                        "securityLogProfile": {
                            "use": "secLogProfile"
                        }
                    }
                ]
            },
            "natSourceAddressList": {
                "addresses": [
                    "192.168.0.0/16"
                ],
                "class": "Firewall_Address_List"
            },
            "natSourcePortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natSourceTranslation": {
                "addresses": [
                    "192.0.2.0/25"
                ],
                "class": "NAT_Source_Translation",
                "clientConnectionLimit": 0,
                "hairpinModeEnabled": false,
                "inboundMode": "explicit",
                "mapping": {
                    "mode": "address-pooling-paired",
                    "timeout": 300
                },
                "patMode": "pba",
                "portBlockAllocation": {
                    "blockIdleTimeout": 3600,
                    "blockLifetime": 0,
                    "blockSize": 64,
                    "clientBlockLimit": 1,
                    "zombieTimeout": 0
                },
                "ports": [
                    "1-65535"
                ],
                "routeAdvertisement": false,
                "type": "dynamic-pat"
            },
            "secLogProfile": {
                "class": "Security_Log_Profile",
                "application": {
                    "storageFilter": {
                        "logicalOperation": "and",
                        "requestType": "all",
                        "responseCodes": [
                            "100",
                            "200",
                            "300",
                            "400"
                        ],
                        "protocols": [
                            "https",
                            "ws"
                        ],
                        "httpMethods": [
                            "ACL",
                            "GET",
                            "POLL",
                            "POST"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-headers",
                            "value": "The header string to search for"
                        },
                        "loginResults": [
                            "login-result-successful",
                            "login-result-failed"
                        ]
                    },
                    "guaranteeLoggingEnabled": true,
                    "guaranteeResponseLoggingEnabled": true,
                    "maxHeaderSize": 200,
                    "maxQuerySize": 1040,
                    "maxRequestSize": 900,
                    "responseLogging": "all"
                }
            }
        }
    }
}


3: Securing SSH traffic with the SSH Proxy

This example shows how you can use the Advanced Firewall Manager (AFM) SSH Proxy profile in an AS3 declaration. The SSH Proxy lets network administrators centrally manage the different uses of SSH, determining who can do what on which servers. Additionally, as the feature is a full proxy, terminating both the client and server sides of the connection, it is possible to inspect traffic before passing it on. This prevents attackers from hiding their activities while still providing legitimate users with secure communications. For more information on the SSH Proxy, see SSH Proxy in the AFM documentation, and SSH_Proxy_Profile in the Schema Reference for all AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named SSH_Proxy_Profile.
  • An SSH Proxy profile named sshProxyExample with actions, rules, and authentication information.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "SSH_Proxy_Profile",
    "SSH_Proxy_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "template": "generic",
            "sshProxyExample": {
                "class": "SSH_Proxy_Profile",
                "sshProfileDefaultActions": {
                    "name": "action",
                    "agentAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "localForwardAction": {
                        "control": "disallow",
                        "log": false
                    },
                    "otherAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "remoteForwardAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "rexecAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "scpUpAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "scpDownAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "sftpUpAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "sftpDownAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "shellAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "subSystemAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "x11ForwardAction": {
                        "control": "terminate",
                        "log": true
                    }
                },
                "sshProfileRuleSet": [
                    {
                        "name": "rule1",
                        "remark": "rule1 remark",
                        "sshProfileIdUsers": [
                            "Good Boy",
                            "Test"
                        ],
                        "sshProfileIdGroups": [
                            "Group Test",
                            "TestG"
                        ],
                        "sshProfileRuleActions": {
                            "name": "rulesAction",
                            "agentAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "localForwardAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "otherAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "remoteForwardAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "rexecAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "scpUpAction": {
                                "control": "disallow",
                                "log": true
                            },
                            "scpDownAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "sftpUpAction": {
                                "control": "disallow",
                                "log": true
                            },
                            "sftpDownAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "shellAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "subSystemAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "x11ForwardAction": {
                                "control": "terminate",
                                "log": true
                            }
                        }
                    }
                ],
                "timeout": 23,
                "sshProfileAuthInfo": [
                    {
                        "name": "authInfo1",
                        "proxyServerAuth": {
                            "privateKey": {
                                "ciphertext": "VGhpcyBpcyBhIFNFUlZFUiBwcml2YXRlIGtleQ==",
                                "ignoreChanges": true
                            },
                            "publicKey": "This is a SERVER public key"
                        },
                        "proxyClientAuth": {
                            "privateKey": {
                                "ciphertext": "VGhpcyBpcyBhIENMSUVOVCBwcml2YXRlIGtleQ==",
                                "ignoreChanges": true
                            },
                            "publicKey": "This is a CLIENT public key"
                        },
                        "realServerAuth": {
                            "publicKey": "This is a REAL SERVER public key"
                        }
                    }
                ]
            }
        }
    }
}


4: Using reject and accept-decisively actions and VLAN source in a firewall rule

This example shows how you can use the reject and accept-decisively actions in a Firewall Rule. See the BIG-IP AFM: Network Firewall Policies and Implementations guide for detailed information on these actions.

  • reject
    With this action, packets that match the rule are rejected. Using reject is a more graceful way to deny packets as it sends a destination unreachable message to the source system.
  • accept-decisively
    With this action, packets that match the rule are accepted decisively and traverse the system as if the firewall is not present. Packets are not processed by rules in any further context after the accept decisively action applies. See the AFM documentation for detailed information.

New in AS3 3.15.0
Starting with AS3 3.15.0, you can use BIG-IP VLANs as sources for firewall Rules. In the following declaration, the second rule's source.vlans property references the BIG-IP's external VLAN with a bigip pointer. See Firewall_Rule_Source in the schema reference for usage.

See Firewall_Rule in the Schema Reference for all AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_Firewall_Rule_List.
  • A Firewall Rule list named exampleFWRuleList with two rules, the first with an action of accept-decisively and the second with an action of reject.
  • The second firewall rule uses the external VLAN on the BIG-IP (/Common/external) as its source. Note that rules are evaluated in order and the first rule matches all TCP, so in this syntax-focused example the reject rule is never reached for TCP traffic; in a real policy place the more specific reject before the broad accept.
{
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "id": "Firewall_Rule_List",
    "Example_Firewall_Rule_List": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "template": "generic",
            "exampleFWRuleList": {
                "class": "Firewall_Rule_List",
                "remark": "description",
                "rules": [
                    {
                        "remark": "description",
                        "name": "theRule1",
                        "action": "accept-decisively",
                        "protocol": "tcp",
                        "loggingEnabled": true
                    },
                    {
                        "remark": "description",
                        "name": "theRule2",
                        "action": "reject",
                        "protocol": "tcp",
                        "loggingEnabled": true,
                        "source": {
                            "vlans": [
                                {
                                    "bigip": "/Common/external"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}
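The difference between accept and accept-decisively only shows up when more than one firewall context is in play: AFM evaluates the global context, then the route domain, then the virtual server, and a plain accept in one context still leaves the packet subject to the rules of the next, whereas accept-decisively, drop and reject end evaluation where they match. The following is an added example written for this page, not F5 code: a deliberately simplified model of that ordering, with first-match semantics within each context. The sample policy is constructed; its virtual-server context is the rule list from the declaration above, and the global and route-domain rules (`noTelnetFromOutside`, `allowTcp`, `trustedNets`) are invented to exercise each path. Address lists, schedules, route-domain membership and the other AFM match criteria are not modelled.

```python
"""Simplified model of AFM rule evaluation across contexts (added example, not
F5 code). Documented behaviour it follows: contexts are checked in the order
global -> route domain -> virtual server; the first matching rule in a context
decides for that context; a plain accept hands the packet to the next context;
accept-decisively, drop and reject end evaluation. Everything else is omitted."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CONTEXT_ORDER = ("global", "route-domain", "virtual")


@dataclass
class Packet:
    protocol: str   # "tcp", "udp", ...
    src: str        # source IP address
    dport: int      # destination port
    vlan: str       # ingress VLAN, e.g. "/Common/external"


@dataclass
class Rule:
    name: str
    action: str                         # accept | accept-decisively | drop | reject
    protocol: str = "any"
    source_addresses: List[str] = field(default_factory=list)   # CIDR strings
    source_vlans: List[str] = field(default_factory=list)
    destination_ports: List[int] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        """Every criterion that is set must match; an unset criterion matches anything."""
        if self.protocol != "any" and pkt.protocol != self.protocol:
            return False
        if self.source_vlans and pkt.vlan not in self.source_vlans:
            return False
        if self.destination_ports and pkt.dport not in self.destination_ports:
            return False
        if self.source_addresses:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in ipaddress.ip_network(c, strict=False)
                       for c in self.source_addresses):
                return False
        return True


@dataclass
class Decision:
    verdict: str                 # accept | drop | reject
    context: Optional[str]       # context whose rule ended evaluation, None if none did
    rule: Optional[str]
    trace: List[str] = field(default_factory=list)   # "context:rule:action" per match


def evaluate(policy: Dict[str, List[Rule]], pkt: Packet) -> Decision:
    """Walk the contexts in order; return the decision and the rules that fired."""
    trace: List[str] = []
    for ctx in CONTEXT_ORDER:
        for rule in policy.get(ctx, []):
            if not rule.matches(pkt):
                continue
            trace.append(f"{ctx}:{rule.name}:{rule.action}")
            if rule.action == "accept-decisively":
                return Decision("accept", ctx, rule.name, trace)
            if rule.action in ("drop", "reject"):
                return Decision(rule.action, ctx, rule.name, trace)
            break  # plain accept: done with this context, continue with the next
    return Decision("accept", None, None, trace)   # no rule matched anywhere


# Constructed sample policy. "virtual" is the rule list from example 4; theRule1
# matches all TCP, so theRule2 can never win first-match for TCP (it is shadowed).
SAMPLE_POLICY: Dict[str, List[Rule]] = {
    "global": [Rule("noTelnetFromOutside", "reject", "tcp",
                    source_vlans=["/Common/external"], destination_ports=[23]),
               Rule("allowTcp", "accept", "tcp")],
    "route-domain": [Rule("trustedNets", "accept-decisively",
                          source_addresses=["10.0.0.0/8"])],
    "virtual": [Rule("theRule1", "accept-decisively", "tcp"),
                Rule("theRule2", "reject", "tcp", source_vlans=["/Common/external"])],
}


def shadowed_rules(rules: List[Rule], probes: List[Packet]) -> List[str]:
    """Names of rules in one ordered list that never win first-match for any probe."""
    winners = set()
    for pkt in probes:
        for rule in rules:
            if rule.matches(pkt):
                winners.add(rule.name)
                break
    return [r.name for r in rules if r.name not in winners]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.5", 443, "/Common/external"),
                Packet("tcp", "203.0.113.5", 23, "/Common/external"),
                Packet("tcp", "10.1.1.1", 23, "/Common/internal")):
        d = evaluate(SAMPLE_POLICY, pkt)
        print(pkt.src, pkt.dport, "->", d.verdict, "at", d.context, d.trace)
```

Tracing HTTPS from the external VLAN shows the accept in the global context followed by the accept-decisively in the virtual-server context; a Telnet attempt from outside is rejected in the global context and never reaches the virtual server, so a later accept-decisively cannot rescue it; an internal 10/8 host is accepted decisively at the route domain and the virtual-server rules are not consulted at all. Feeding the virtual-server rule list and a few representative packets to `shadowed_rules` flags `theRule2` as unreachable, the ordering problem noted above.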


5: Creating Protocol Inspection profiles

This example shows how you can create BIG-IP AFM Protocol Inspection profiles in an AS3 declaration. A protocol inspection profile collects rules for protocol inspection using pre-installed signatures defined by the Snort project, or custom signatures defined using the Snort syntax.

For detailed information, see AFM documentation, as well as Configuring protocol inspection profiles on AskF5. For AS3 usage options, see Protocol_Inspection_Profile in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_PIP.
  • A UDP virtual service named serviceMain which references the Protocol Inspection profile.
  • A Protocol Inspection profile named DNSInspectionProfile which is specific to DNS in this example.
{
    "class": "AS3",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.17.0",
        "Example_PIP": {
            "class": "Tenant",
            "A1": {
                "class": "Application",
                "template": "udp",
                "serviceMain": {
                    "class": "Service_UDP",
                    "virtualPort": 53,
                    "virtualAddresses": [
                        "192.0.2.1"
                    ],
                    "profileProtocolInspection": {
                        "use": "DNSInspectionProfile"
                    }
                },
                "DNSInspectionProfile": {
                    "class": "Protocol_Inspection_Profile",
                    "remark": "Custom DNS Inspection Profile",
                    "collectAVRStats": true,
                    "enableComplianceChecks": true,
                    "enableSignatureChecks": true,
                    "autoAddNewInspections": true,
                    "autoPublish": true,
                    "services": [
                        {
                            "type": "dns",
                            "compliance": [
                                {
                                    "check": "dns_maximum_reply_length"
                                },
                                {
                                    "check": "dns_disallowed_query_type",
                                    "action": "accept",
                                    "log": true
                                }
                            ],
                            "signature": [
                                {
                                    "check": "dns_dns_query_amplification_attempt",
                                    "action": "reject",
                                    "log": true
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}


6: Setting Maximum Bandwidth on a virtual with AFM

This example shows how you can set the maximum bandwidth on a virtual server when you are using BIG-IP AFM. This allows you to set the maximum bandwidth allowed through the virtual service, in Mbps. For more information, see the BIG-IP documentation.

For AS3 usage options, see Service_Generic or another Service object in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AFM_Tenant.
  • A virtual server named AFMvip with maximum bandwidth set to 10 Mbps.
{
    "class": "ADC",
    "schemaVersion": "3.19.0",
    "AFM_Tenant": {
        "class": "Tenant",
        "Sample_App": {
            "class": "Application",
            "template": "generic",
            "AFMvip": {
                "class": "Service_Generic",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "192.0.2.0"
                ],
                "maximumBandwidth": 10
            }
        }
    }
}
