Network Security

This section contains declarations that use F5’s network security and firewall features.

Note

As of AS3 3.10.0, if the Firewall_Address_List contains zero addresses, a dummy IPv6 address of ::1:5ee:bad:c0de is added in order to maintain a valid Firewall_Address_List. If an address is added to the list, the dummy address is removed.

Important

Most of the example declarations have been updated in the documentation for AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In AS3 3.20, the generic template is the default, which allows services to use any name.

This also means that many of these declarations will fail on AS3 versions prior to 3.20 unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

Using Firewall Rules, Policies, and logging

This example shows how you can use the BIG-IP Advanced Firewall Manager (AFM) module in a declaration. BIG-IP AFM defends against threats to network layers 3–4, stopping them before they reach your data center.

Important

To use these features, you must have BIG-IP AFM licensed and provisioned on your BIG-IP system.

In this example, we create firewall rules which are used in our firewall policy. We also create a security logging profile to define the events we want to log.

The AFM features we use in this declaration are well-documented in the AFM documentation and Logging documentation. See these manuals for more information on these features. Also see the Schema Reference for usage options for your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_01.
  • A virtual server named service.
  • A pool named ex_pool monitored by the default gateway_icmp health monitor.
  • A firewall rule list named fwRuleList, which references lists of allowed ports (fwAllowedPortList) and addresses (fwAllowedAddressList).
  • A firewall policy named fwPolicy which references the firewall rule lists.
  • A log publisher (fwLogPublisher), high speed logging destination (fwLogDestinationHsl) with its pool (hsl_pool), and syslog destination (fwLogDestinationSyslog).
  • A security logging profile (fwSecurityLogProfile), attached to the virtual server, that sends network events to fwLogPublisher.

{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "firewall",
        "label": "Sample Network Security 1",
        "remark": "Firewall policy, rule, and logging example",
        "controls": {
            "trace": true
        },
        "Sample_net_sec_01": {
            "class": "Tenant",
            "fwFastL4": {
                "class": "Application",
                "fwAllowedAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "10.0.0.0/8",
                        "172.20.0.0/16",
                        "192.168.0.0/16"
                    ]
                },
                "fwLogDestinationSyslog": {
                    "class": "Log_Destination",
                    "type": "remote-syslog",
                    "remoteHighSpeedLog": {
                        "use": "fwLogDestinationHsl"
                    },
                    "format": "rfc5424"
                },
                "fwLogDestinationHsl": {
                    "class": "Log_Destination",
                    "type": "remote-high-speed-log",
                    "protocol": "tcp",
                    "pool": {
                        "use": "hsl_pool"
                    }
                },
                "fwRuleList": {
                    "class": "Firewall_Rule_List",
                    "rules": [
                        {
                            "protocol": "tcp",
                            "name": "tcpAllow",
                            "loggingEnabled": true,
                            "destination": {
                                "portLists": [
                                    {
                                        "use": "fwAllowedPortList"
                                    }
                                ]
                            },
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            },
                            "action": "accept"
                        },
                        {
                            "action": "accept",
                            "loggingEnabled": true,
                            "protocol": "udp",
                            "name": "udpAllow",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            }
                        },
                        {
                            "action": "drop",
                            "loggingEnabled": true,
                            "protocol": "any",
                            "name": "defaultDeny",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwDefaultDenyAddressList"
                                    }
                                ]
                            }
                        }
                    ]
                },
                "hsl_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.120.6"
                            ],
                            "enable": true,
                            "servicePort": 514
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/tcp"
                        }
                    ]
                },
                "fwAllowedPortList": {
                    "class": "Firewall_Port_List",
                    "ports": [
                        22,
                        53,
                        80,
                        443,
                        "8080-8081"
                    ]
                },
                "fwSecurityLogProfile": {
                    "class": "Security_Log_Profile",
                    "network": {
                        "publisher": {
                            "use": "fwLogPublisher"
                        },
                        "storageFormat": {
                            "fields": [
                                "action",
                                "dest-ip",
                                "dest-port",
                                "src-ip",
                                "src-port"
                            ]
                        },
                        "logTranslationFields": true,
                        "logTcpEvents": true,
                        "logRuleMatchRejects": true,
                        "logTcpErrors": true,
                        "logIpErrors": true,
                        "logRuleMatchDrops": true,
                        "logRuleMatchAccepts": true
                    }
                },
                "fwDefaultDenyAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "0.0.0.0/0"
                    ]
                },
                "fwPolicy": {
                    "rules": [
                        {
                            "use": "fwRuleList"
                        }
                    ],
                    "class": "Firewall_Policy"
                },
                "ex_L4_Profile": {
                    "class": "L4_Profile"
                },
                "ex_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.31.3"
                            ],
                            "enable": true,
                            "servicePort": 0
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/gateway_icmp"
                        }
                    ]
                },
                "service": {
                    "translateServerAddress": false,
                    "securityLogProfiles": [
                        {
                            "use": "fwSecurityLogProfile"
                        }
                    ],
                    "virtualAddresses": [
                        "0.0.0.0"
                    ],
                    "policyFirewallEnforced": {
                        "use": "fwPolicy"
                    },
                    "translateServerPort": false,
                    "profileL4": {
                        "use": "ex_L4_Profile"
                    },
                    "virtualPort": 0,
                    "snat": "none",
                    "class": "Service_L4",
                    "pool": "ex_pool"
                },
                "fwLogPublisher": {
                    "class": "Log_Publisher",
                    "destinations": [
                        {
                            "use": "fwLogDestinationSyslog"
                        }
                    ]
                }
            }
        }
    }
}
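
The pointers in a declaration like this are easy to get wrong (a misspelled "use" target, or a pointer at an object of the wrong class), and the note at the top of this page explains that an empty Firewall_Address_List is silently padded with ::1:5ee:bad:c0de rather than rejected. The following Python script is an added example, not part of the AS3 documentation or of AS3 itself: it lints a declaration for those three problems before it is sent to the BIG-IP. The declaration embedded in it is a constructed subset of the one above with two deliberate mistakes and one empty list, and the property-to-class table is an assumption drawn from this page's objects, not the full AS3 schema.

```python
"""Static checks on AS3 firewall objects before a declaration is POSTed.

Added example, not part of the F5 AS3 documentation or of AS3 itself.
It walks a declaration, resolves every {"use": ...} pointer (and the
string shorthand for "pool") against the enclosing Application, checks
that the target has the class the property expects, and flags
Firewall_Address_List objects with no addresses, which AS3 3.10.0 and
later silently fill with the placeholder ::1:5ee:bad:c0de.
Assumptions: pointers resolve by their last path segment inside the same
Application; EXPECTED_CLASS covers only the pairings seen on this page.
"""

# Property name -> class the referenced object must have (assumption).
EXPECTED_CLASS = {
    "addressLists": "Firewall_Address_List",
    "portLists": "Firewall_Port_List",
    "rules": "Firewall_Rule_List",              # Firewall_Policy.rules pointers
    "policyFirewallEnforced": "Firewall_Policy",
    "securityLogProfiles": "Security_Log_Profile",
    "publisher": "Log_Publisher",
    "destinations": "Log_Destination",
    "remoteHighSpeedLog": "Log_Destination",
    "pool": "Pool",
}

# Constructed subset of the page's declaration with two deliberate mistakes
# (a misspelled pointer, a pointer of the wrong class) and an empty list.
DECLARATION = {
    "class": "AS3",
    "declaration": {
        "class": "ADC", "schemaVersion": "3.0.0", "id": "lint_demo",
        "Sample_net_sec_01": {
            "class": "Tenant",
            "fwFastL4": {
                "class": "Application",
                "fwAllowedAddressList": {"class": "Firewall_Address_List",
                                         "addresses": ["10.0.0.0/8", "192.168.0.0/16"]},
                "fwEmptyAddressList": {"class": "Firewall_Address_List", "addresses": []},
                "fwAllowedPortList": {"class": "Firewall_Port_List",
                                      "ports": [22, 443, "8080-8081"]},
                "fwRuleList": {"class": "Firewall_Rule_List", "rules": [
                    {"name": "tcpAllow", "protocol": "tcp", "action": "accept",
                     "source": {"addressLists": [{"use": "fwAllowedAddressList"}]},
                     "destination": {"portLists": [{"use": "fwAllowedPortList"}]}},
                    {"name": "udpAllow", "protocol": "udp", "action": "accept",
                     "source": {"addressLists": [{"use": "fwAllowedAddressList"}]},
                     "destination": {"portLists": [{"use": "fwAlowedPortList"}]}},  # misspelled
                ]},
                "fwPolicy": {"class": "Firewall_Policy", "rules": [{"use": "fwRuleList"}]},
                "ex_pool": {"class": "Pool",
                            "members": [{"serverAddresses": ["192.168.31.3"], "servicePort": 0}]},
                "service": {"class": "Service_L4", "virtualAddresses": ["0.0.0.0"],
                            "virtualPort": 0, "pool": "ex_pool",
                            "policyFirewallEnforced": {"use": "fwPolicy"},
                            "securityLogProfiles": [{"use": "ex_pool"}]},  # wrong class
            },
        },
    },
}


def _check_pointer(target, app, prop, findings):
    name = target.rsplit("/", 1)[-1]
    obj = app.get(name) if app else None
    if not isinstance(obj, dict):
        findings.append(f"{prop}: '{target}' does not exist in this Application")
        return
    want = EXPECTED_CLASS.get(prop)
    if want and obj.get("class") != want:
        findings.append(f"{prop}: '{target}' is a {obj.get('class')}, expected {want}")


def _walk(node, app, prop, findings):
    """Visit every node; `app` is the enclosing Application, `prop` the
    nearest property name on the path (list indexes are skipped)."""
    if isinstance(node, dict):
        if node.get("class") == "Application":
            app = node
        if isinstance(node.get("use"), str):
            _check_pointer(node["use"], app, prop, findings)
        for key, value in node.items():
            if key == "pool" and isinstance(value, str):   # AS3 string shorthand
                _check_pointer(value, app, key, findings)
            _walk(value, app, key, findings)
    elif isinstance(node, list):
        for item in node:
            _walk(item, app, prop, findings)


def lint(declaration):
    """Return a list of findings (empty when the declaration is clean)."""
    adc = declaration["declaration"] if declaration.get("class") == "AS3" else declaration
    findings = []
    _walk(adc, None, "", findings)
    for tenant in adc.values():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for app in (v for v in tenant.values() if isinstance(v, dict)):
            for name, obj in app.items():
                if (isinstance(obj, dict) and obj.get("class") == "Firewall_Address_List"
                        and not obj.get("addresses")):
                    findings.append(f"{name}: Firewall_Address_List has no addresses; "
                                    "AS3 3.10.0+ inserts ::1:5ee:bad:c0de instead of failing")
    return findings


if __name__ == "__main__":
    for line in lint(DECLARATION):
        print(line)
```

Run against the constructed declaration, lint() reports the misspelled fwAlowedPortList pointer, the securityLogProfiles entry that points at a Pool, and the empty fwEmptyAddressList. The class table is deliberately small; extend it from the Schema Reference for the object types your declarations use.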

Using Firewall (Carrier Grade) NAT features in a declaration

This example shows how you can use some Carrier Grade NAT (CGNAT) features (NAT Policy, NAT Source Translation, Firewall lists) in an AS3 declaration. For more information on CGNAT, see Carrier Grade Nat on f5.com. Also see the Schema Reference for usage options for using these features in your AS3 declarations.

New in AS3 3.20
In AS3 3.20 and later, you can add addresses to exclude from NAT source translation. This lets you specify a set of addresses that are removed from the translation IP addresses available in the pool. The example below has been updated to include the excludeAddresses property and the natSourceExcludeAddressList it references.
Important: Because of this addition, the example declaration will fail in versions prior to 3.20.
For more information on usage, see NAT_Source_Translation in the schema reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_02.
  • A Fast L4 virtual server named service.
  • A NAT Policy (the ability to reference a security logging profile from a NAT rule was added in AS3 3.15, see NAT_Rule in the Schema Reference).
  • A NAT Source Address Translation object (with excludeAddresses added in AS3 3.20).
  • Port and destination address lists (Firewall Address lists).
{
    "class": "ADC",
    "id": "cgnat",
    "label": "Sample Network Security 2",
    "remark": "08",
    "schemaVersion": "3.0.0",
    "Sample_net_sec_02": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "service": {
                "class": "Service_L4",
                "layer4": "any",
                "policyNAT": {
                    "use": "natPolicy"
                },
                "snat": "none",
                "translateServerAddress": false,
                "translateServerPort": false,
                "virtualAddresses": [
                    "0.0.0.0"
                ],
                "virtualPort": 0
            },
            "natDestinationAddressList": {
                "addresses": [
                    "0.0.0.0/0"
                ],
                "class": "Firewall_Address_List"
            },
            "natDestinationPortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natPolicy": {
                "class": "NAT_Policy",
                "rules": [
                    {
                        "destination": {
                            "addressLists": [
                                {
                                    "use": "natDestinationAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natDestinationPortList"
                                }
                            ]
                        },
                        "name": "rule1",
                        "protocol": "tcp",
                        "source": {
                            "addressLists": [
                                {
                                    "use": "natSourceAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natSourcePortList"
                                }
                            ]
                        },
                        "sourceTranslation": {
                            "use": "natSourceTranslation"
                        },
                        "securityLogProfile": {
                            "use": "secLogProfile"
                        }
                    }
                ]
            },
            "natSourceAddressList": {
                "addresses": [
                    "192.168.0.0/16"
                ],
                "class": "Firewall_Address_List"
            },
            "natSourcePortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natSourceExcludeAddressList": {
                "class": "Firewall_Address_List",
                "addresses": [
                    "192.0.2.50"
                ]
            },
            "natSourceTranslation": {
                "addresses": [
                    "192.0.2.0/25"
                ],
                "class": "NAT_Source_Translation",
                "clientConnectionLimit": 0,
                "hairpinModeEnabled": false,
                "inboundMode": "explicit",
                "mapping": {
                    "mode": "address-pooling-paired",
                    "timeout": 300
                },
                "patMode": "pba",
                "portBlockAllocation": {
                    "blockIdleTimeout": 3600,
                    "blockLifetime": 0,
                    "blockSize": 64,
                    "clientBlockLimit": 1,
                    "zombieTimeout": 0
                },
                "ports": [
                    "1-65535"
                ],
                "routeAdvertisement": false,
                "type": "dynamic-pat",
                "excludeAddresses": [
                    "192.0.2.10",
                    "192.0.2.20-192.0.2.30",
                    {"use": "natSourceExcludeAddressList"}
                ]
            },
            "secLogProfile": {
                "class": "Security_Log_Profile",
                "application": {
                    "storageFilter": {
                        "logicalOperation": "and",
                        "requestType": "all",
                        "responseCodes": [
                            "100",
                            "200",
                            "300",
                            "400"
                        ],
                        "protocols": [
                            "https",
                            "ws"
                        ],
                        "httpMethods": [
                            "ACL",
                            "GET",
                            "POLL",
                            "POST"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-headers",
                            "value": "The header string to search for"
                        },
                        "loginResults": [
                            "login-result-successful",
                            "login-result-failed"
                        ]
                    },
                    "guaranteeLoggingEnabled": true,
                    "guaranteeResponseLoggingEnabled": true,
                    "maxHeaderSize": 200,
                    "maxQuerySize": 1040,
                    "maxRequestSize": 900,
                    "responseLogging": "all"
                }
            }
        }
    }
}
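
The excludeAddresses property accepts three forms at once (a single host, an address range, and a pointer to a Firewall_Address_List), and with patMode "pba" the number of usable addresses decides how many 64-port blocks can be handed out. The following Python script is an added example, not part of the AS3 documentation or of the BIG-IP itself: it expands the page's natSourceTranslation object into its effective translation pool and a simplified port-block capacity figure. The APP dictionary is a constructed subset of the declaration above; the capacity arithmetic (every address in the CIDR block usable, blocks per address = ports // blockSize) is a planning model and an assumption, not a reproduction of the BIG-IP allocator.

```python
"""Effective CGNAT translation pool and port-block capacity.

Added example, not part of the F5 AS3 documentation or of AS3 itself.
It expands the addresses, excludeAddresses (single hosts, a-b ranges and
{"use": ...} pointers to a Firewall_Address_List) and portBlockAllocation
settings of a NAT_Source_Translation into the set of addresses that can
actually be handed out and the number of port blocks they provide.
Assumptions: every address in a CIDR block is usable, and blocks per
address = ports // blockSize; this is a planning model only.
"""
import ipaddress

# Constructed subset of the page's objects.
APP = {
    "natSourceExcludeAddressList": {"class": "Firewall_Address_List",
                                    "addresses": ["192.0.2.50"]},
    "natSourceTranslation": {
        "class": "NAT_Source_Translation",
        "type": "dynamic-pat",
        "patMode": "pba",
        "addresses": ["192.0.2.0/25"],
        "ports": ["1-65535"],
        "portBlockAllocation": {"blockSize": 64, "clientBlockLimit": 1,
                                "blockIdleTimeout": 3600, "blockLifetime": 0,
                                "zombieTimeout": 0},
        "excludeAddresses": ["192.0.2.10", "192.0.2.20-192.0.2.30",
                             {"use": "natSourceExcludeAddressList"}],
    },
}


def expand_entry(entry, app):
    """Yield ip_address objects for one entry: CIDR or host, 'a-b' range,
    or a pointer to a Firewall_Address_List (recursively expanded)."""
    if isinstance(entry, dict):
        target = app[entry["use"].rsplit("/", 1)[-1]]
        for sub in target["addresses"]:
            yield from expand_entry(sub, app)
    elif "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        for i in range(int(lo), int(hi) + 1):
            yield ipaddress.ip_address(i)
    else:
        yield from ipaddress.ip_network(entry, strict=False)


def _port_count(specs):
    """Number of ports covered by entries such as 443 or '1-65535'."""
    total = 0
    for spec in specs:
        lo, _, hi = str(spec).partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total


def translation_pool(app, name):
    """Return (usable addresses, exclusions that matched nothing) as strings."""
    obj = app[name]
    pool, excluded = set(), set()
    for entry in obj["addresses"]:
        pool.update(expand_entry(entry, app))
    for entry in obj.get("excludeAddresses", []):
        excluded.update(expand_entry(entry, app))
    usable = [str(a) for a in sorted(pool - excluded)]
    # An exclusion outside the pool does nothing; usually a typo worth flagging.
    stray = [str(a) for a in sorted(excluded - pool)]
    return usable, stray


def pba_capacity(app, name):
    """Simplified port block allocation figures for the translation object."""
    obj = app[name]
    usable, _ = translation_pool(app, name)
    pba = obj["portBlockAllocation"]
    blocks_per_address = _port_count(obj["ports"]) // pba["blockSize"]
    total_blocks = blocks_per_address * len(usable)
    return {
        "addresses": len(usable),
        "blocks_per_address": blocks_per_address,
        "total_blocks": total_blocks,
        "ports_per_client": pba["blockSize"] * pba["clientBlockLimit"],
        "max_concurrent_clients": total_blocks // pba["clientBlockLimit"],
    }


if __name__ == "__main__":
    usable, stray = translation_pool(APP, "natSourceTranslation")
    print(len(usable), "usable addresses;", "stray exclusions:", stray)
    print(pba_capacity(APP, "natSourceTranslation"))
```

For the page's values the /25 yields 128 addresses, the three exclusion forms remove 13 of them, and each remaining address provides 1023 blocks of 64 ports, so with clientBlockLimit 1 every subscriber is capped at 64 concurrent translated ports. The stray list is the check worth keeping: an exclusion that does not fall inside the pool silently has no effect.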

Securing SSH traffic with the SSH Proxy

This example shows how you can use the Advanced Firewall Manager (AFM) SSH Proxy profile in an AS3 declaration. The SSH Proxy lets network administrators centrally manage the different uses of SSH, determining who can do what on which servers. Additionally, as the feature is a full proxy, terminating both the client and server sides of the connection, it is possible to inspect traffic before passing it on. This prevents attackers from hiding their activities while still providing legitimate users with secure communications. For more information on the SSH Proxy, see SSH Proxy in the AFM documentation, and SSH_Proxy_Profile in the Schema Reference for all AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named SSH_Proxy_Profile.
  • An SSH Proxy profile named sshProxyExample with actions, rules, and authentication information.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "SSH_Proxy_Profile",
    "SSH_Proxy_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "sshProxyExample": {
                "class": "SSH_Proxy_Profile",
                "sshProfileDefaultActions": {
                    "name": "action",
                    "agentAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "localForwardAction": {
                        "control": "disallow",
                        "log": false
                    },
                    "otherAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "remoteForwardAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "rexecAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "scpUpAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "scpDownAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "sftpUpAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "sftpDownAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "shellAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "subSystemAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "x11ForwardAction": {
                        "control": "terminate",
                        "log": true
                    }
                },
                "sshProfileRuleSet": [
                    {
                        "name": "rule1",
                        "remark": "rule1 remark",
                        "sshProfileIdUsers": [
                            "Good Boy",
                            "Test"
                        ],
                        "sshProfileIdGroups": [
                            "Group Test",
                            "TestG"
                        ],
                        "sshProfileRuleActions": {
                            "name": "rulesAction",
                            "agentAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "localForwardAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "otherAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "remoteForwardAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "rexecAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "scpUpAction": {
                                "control": "disallow",
                                "log": true
                            },
                            "scpDownAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "sftpUpAction": {
                                "control": "disallow",
                                "log": true
                            },
                            "sftpDownAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "shellAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "subSystemAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "x11ForwardAction": {
                                "control": "terminate",
                                "log": true
                            }
                        }
                    }
                ],
                "timeout": 23,
                "sshProfileAuthInfo": [
                    {
                        "name": "authInfo1",
                        "proxyServerAuth": {
                            "privateKey": {
                                "ciphertext": "VGhpcyBpcyBhIFNFUlZFUiBwcml2YXRlIGtleQ==",
                                "ignoreChanges": true
                            },
                            "publicKey": "This is a SERVER public key"
                        },
                        "proxyClientAuth": {
                            "privateKey": {
                                "ciphertext": "VGhpcyBpcyBhIENMSUVOVCBwcml2YXRlIGtleQ==",
                                "ignoreChanges": true
                            },
                            "publicKey": "This is a CLIENT public key"
                        },
                        "realServerAuth": {
                            "publicKey": "This is a REAL SERVER public key"
                        }
                    }
                ]
            }
        }
    }
}
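
The profile above answers one question per SSH session: for this user or group, what happens to each kind of channel or request (shell, exec, SFTP/SCP in either direction, port forwarding, agent forwarding, X11)? The following Python script is an added example, not part of the AS3 documentation or of AFM itself: it models that decision (first matching rule by user or group wins, otherwise the default actions) and reviews a profile for entries that are unlogged or that allow a tunnelling channel. The PROFILE dictionary reproduces the page's defaults and rule1; the second rule ("admins") is constructed, the CHANNELS mapping from request type to action key is an assumption, and "allow" is used as the third control value alongside the page's "disallow" and "terminate".

```python
"""Which action an SSH_Proxy_Profile applies to a given session request.

Added example, not part of the F5 AS3 documentation or of AS3 itself.
Model: the first rule whose sshProfileIdUsers or sshProfileIdGroups
matches the session supplies sshProfileRuleActions; otherwise
sshProfileDefaultActions apply. Each action maps a channel type to a
control (allow, disallow or terminate) and a log flag. Assumptions:
first matching rule wins; CHANNELS names the action keys by channel;
the "admins" rule is constructed and not on the page.
"""

# SSH request/channel type -> action key in the profile.
CHANNELS = {
    "shell": "shellAction", "exec": "rexecAction", "subsystem": "subSystemAction",
    "sftp-up": "sftpUpAction", "sftp-down": "sftpDownAction",
    "scp-up": "scpUpAction", "scp-down": "scpDownAction",
    "local-forward": "localForwardAction", "remote-forward": "remoteForwardAction",
    "x11": "x11ForwardAction", "agent": "agentAction", "other": "otherAction",
}
# Channels that carry other traffic through the proxy; an "allow" on one of
# these deserves an explicit justification in a policy review.
TUNNEL_CHANNELS = {"local-forward", "remote-forward", "x11", "agent"}


def _actions(overrides):
    """Full action block: every channel 'terminate' and logged unless overridden."""
    acts = {key: {"control": "terminate", "log": True} for key in CHANNELS.values()}
    for key, value in overrides.items():
        acts[key] = value if isinstance(value, dict) else {"control": value, "log": True}
    return acts


PROFILE = {
    "class": "SSH_Proxy_Profile",
    "sshProfileDefaultActions": _actions({
        "localForwardAction": {"control": "disallow", "log": False},
        "scpUpAction": "disallow", "sftpUpAction": "disallow", "shellAction": "disallow"}),
    "sshProfileRuleSet": [
        {"name": "rule1", "sshProfileIdUsers": ["Good Boy", "Test"],
         "sshProfileIdGroups": ["Group Test", "TestG"],
         "sshProfileRuleActions": _actions({"scpUpAction": "disallow",
                                            "sftpUpAction": "disallow"})},
        {"name": "admins", "sshProfileIdUsers": [], "sshProfileIdGroups": ["ssh-admins"],
         "sshProfileRuleActions": _actions({"shellAction": "allow", "sftpUpAction": "allow",
                                            "sftpDownAction": "allow",
                                            "localForwardAction": "allow"})},
    ],
}


def match_rule(profile, user, groups):
    """First rule naming the user or one of the user's groups, else None."""
    for rule in profile.get("sshProfileRuleSet", []):
        if user in rule.get("sshProfileIdUsers", []) or \
                set(groups) & set(rule.get("sshProfileIdGroups", [])):
            return rule
    return None


def decide(profile, user, groups, channel):
    """Return (rule name or 'default', control, log) for one request."""
    rule = match_rule(profile, user, groups)
    actions = rule["sshProfileRuleActions"] if rule else profile["sshProfileDefaultActions"]
    act = actions[CHANNELS[channel]]
    return (rule["name"] if rule else "default", act["control"], act["log"])


def review(profile):
    """List (scope, channel, control, log) entries that are unlogged or that
    allow a tunnelling channel, across the defaults and every rule."""
    scopes = [("default", profile["sshProfileDefaultActions"])] + [
        (r["name"], r["sshProfileRuleActions"]) for r in profile.get("sshProfileRuleSet", [])]
    findings = []
    for scope, actions in scopes:
        for channel, key in CHANNELS.items():
            act = actions[key]
            if not act["log"] or (channel in TUNNEL_CHANNELS and act["control"] == "allow"):
                findings.append((scope, channel, act["control"], act["log"]))
    return findings


if __name__ == "__main__":
    print(decide(PROFILE, "Test", [], "shell"))
    print(decide(PROFILE, "alice", ["ssh-admins"], "local-forward"))
    for finding in review(PROFILE):
        print("review:", finding)
```

review() picks out two things in this profile: the page's default localForwardAction is the only entry with "log": false, and the constructed admins rule allows local forwarding. Both are the kind of entry to confirm deliberately, since the proxy cannot inspect what is tunnelled through a forwarded port.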

Using reject and accept-decisively actions and VLAN source in a firewall rule

This example shows how you can use the reject and accept-decisively actions in a Firewall Rule. See the BIG-IP AFM: Network Firewall Policies and Implementations for detailed information on these actions.

  • reject
    With this action, packets that match the rule are rejected. Using reject is a more graceful way to deny packets as it sends a destination unreachable message to the source system.
  • accept-decisively
    With this action, packets that match the rule are accepted decisively and traverse the system as if the firewall is not present. Packets are not processed by rules in any further context after the accept decisively action applies. See the AFM documentation for detailed information.

New in AS3 3.15.0
Starting with AS3 3.15.0, you can use BIG-IP VLANs as sources for firewall rules. See the source.vlans property on the second rule in the following declaration. See Firewall_Rule_Source in the schema reference for usage.

See Firewall_Rule in the Schema Reference for all AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_Firewall_Rule_List.
  • A Firewall Rule list named exampleFWRuleList with two rules, one with an action of reject and one of accept-decisively.
  • The second firewall rule has been updated to use the external VLAN on the BIG-IP as the source.
{
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "id": "Firewall_Rule_List",
    "Example_Firewall_Rule_List": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleFWRuleList": {
                "class": "Firewall_Rule_List",
                "remark": "description",
                "rules": [
                    {
                        "remark": "description",
                        "name": "theRule1",
                        "action": "accept-decisively",
                        "protocol": "tcp",
                        "loggingEnabled": true
                    },
                    {
                        "remark": "description",
                        "name": "theRule2",
                        "action": "reject",
                        "protocol": "tcp",
                        "loggingEnabled": true,
                        "source": {
                            "vlans": [
                                {
                                    "bigip": "/Common/external"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}
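
Two passages on this page describe how AFM rules are chosen: the first example's fwRuleList, where tcpAllow, udpAllow and the 0.0.0.0/0 defaultDeny are tried in order, and this section's explanation that accept lets later contexts see the packet while accept-decisively does not. The following Python script is an added example, not part of the AS3 documentation or of AFM itself: it evaluates a packet against rule lists from both examples using first match within a context and AFM's context order (global, then route domain, then virtual server). The APP dictionary is a constructed subset of both declarations; the context order, the default verdict when nothing matches, and the treatment of address, port and VLAN selectors are assumptions of this model.

```python
"""First-match evaluation of AFM firewall rules across contexts.

Added example, not part of the F5 AS3 documentation or of AS3 itself.
Within a context the first matching rule decides; 'accept' passes the
packet on to the next context, 'accept-decisively' ends evaluation with
an accept, and 'drop'/'reject' end it with a deny. Assumptions: context
order and the default verdict are parameters of evaluate(); address and
port list objects live in one constructed Application dict.
"""
import ipaddress

# Constructed subset of the page's two declarations.
APP = {
    "fwAllowedAddressList": {"class": "Firewall_Address_List",
                             "addresses": ["10.0.0.0/8", "172.20.0.0/16", "192.168.0.0/16"]},
    "fwDefaultDenyAddressList": {"class": "Firewall_Address_List", "addresses": ["0.0.0.0/0"]},
    "fwAllowedPortList": {"class": "Firewall_Port_List", "ports": [22, 53, 80, 443, "8080-8081"]},
    "fwRuleList": {"class": "Firewall_Rule_List", "rules": [
        {"name": "tcpAllow", "protocol": "tcp", "action": "accept", "loggingEnabled": True,
         "source": {"addressLists": [{"use": "fwAllowedAddressList"}]},
         "destination": {"portLists": [{"use": "fwAllowedPortList"}]}},
        {"name": "udpAllow", "protocol": "udp", "action": "accept", "loggingEnabled": True,
         "source": {"addressLists": [{"use": "fwAllowedAddressList"}]}},
        {"name": "defaultDeny", "protocol": "any", "action": "drop", "loggingEnabled": True,
         "source": {"addressLists": [{"use": "fwDefaultDenyAddressList"}]}},
    ]},
    "exampleFWRuleList": {"class": "Firewall_Rule_List", "rules": [
        {"name": "theRule1", "protocol": "tcp", "action": "accept-decisively", "loggingEnabled": True},
        {"name": "theRule2", "protocol": "tcp", "action": "reject", "loggingEnabled": True,
         "source": {"vlans": [{"bigip": "/Common/external"}]}},
    ]},
}
VERDICT = {"accept-decisively": "accept"}   # final verdict for each rule action


def _ref(ptr):
    """Object name from a {"use": "x"} or {"bigip": "/Common/x"} pointer."""
    return next(iter(ptr.values())).rsplit("/", 1)[-1]


def _in_addresses(ip, entries):
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def _in_ports(port, entries):
    for entry in entries:
        lo, _, hi = str(entry).partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _side_matches(side, ip, port, vlan, app):
    """A rule side matches when each selector it names matches; absent means any."""
    if not side:
        return True
    if "addressLists" in side and not any(
            _in_addresses(ip, app[_ref(p)]["addresses"]) for p in side["addressLists"]):
        return False
    if "portLists" in side and not any(
            _in_ports(port, app[_ref(p)]["ports"]) for p in side["portLists"]):
        return False
    if "vlans" in side and vlan not in {_ref(v) for v in side["vlans"]}:
        return False
    return True


def _first_match(rules, pkt, app):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for rule in rules:
        if rule["protocol"] not in ("any", pkt["proto"]):
            continue
        if not _side_matches(rule.get("source"), src, pkt["sport"], pkt.get("vlan"), app):
            continue
        if not _side_matches(rule.get("destination"), dst, pkt["dport"], None, app):
            continue
        return rule
    return None


def evaluate(contexts, pkt, app, default_action="accept"):
    """contexts: ordered [(context name, [rule list names])].
    Returns (verdict, trace); trace records (context, rule, action, logged)."""
    trace = []
    for ctx, lists in contexts:
        rules = [r for name in lists for r in app[name]["rules"]]
        rule = _first_match(rules, pkt, app)
        if rule is None:
            continue
        trace.append((ctx, rule["name"], rule["action"], rule.get("loggingEnabled", False)))
        if rule["action"] != "accept":
            return VERDICT.get(rule["action"], rule["action"]), trace
    return default_action, trace


if __name__ == "__main__":
    pkt = {"src": "203.0.113.5", "dst": "192.168.31.3", "sport": 40000, "dport": 443,
           "proto": "tcp", "vlan": "external"}
    print(evaluate([("virtual", ["fwRuleList"])], pkt, APP))
    print(evaluate([("global", ["exampleFWRuleList"]), ("virtual", ["fwRuleList"])], pkt, APP))
```

The trace makes the accept-decisively point concrete: with exampleFWRuleList in the global context, a TCP packet from outside the allowed ranges is accepted by theRule1 and the virtual server's defaultDeny never runs. It also shows that, in the order the page lists them, theRule2 can never match a TCP packet because theRule1 has no source selector and precedes it; reordering or narrowing theRule1 is what makes the reject reachable.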

Creating Protocol Inspection profiles

This example shows how you can create BIG-IP AFM Protocol Inspection profiles in an AS3 declaration. A protocol inspection profile collects rules for protocol inspection using pre-installed signatures defined by the Snort project, or custom signatures defined using the Snort syntax.

For detailed information, see AFM documentation, as well as Configuring protocol inspection profiles on AskF5. For AS3 usage options, see Protocol_Inspection_Profile in the Schema Reference.

AS3 3.20 adds the value property for Protocol Inspection compliance checks. If a check accepts enumerable values, the values should be delimited by spaces. The following example has been updated to show the value property.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_PIP.
  • A UDP virtual service named service which references the Protocol Inspection profile.
  • A Protocol Inspection profile named DNSInspectionProfile which is specific to DNS in this example.
    • Example was updated in AS3 3.20 to include the value property in the compliance check. If you are using an AS3 version prior to 3.20, this declaration will fail.
{
    "class": "AS3",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.20.0",
        "Example_PIP": {
            "class": "Tenant",
            "A1": {
                "class": "Application",
                "service": {
                    "class": "Service_UDP",
                    "virtualPort": 53,
                    "virtualAddresses": [
                        "192.0.2.1"
                    ],
                    "profileProtocolInspection": {
                        "use": "DNSInspectionProfile"
                    }
                },
                "DNSInspectionProfile": {
                    "class": "Protocol_Inspection_Profile",
                    "remark": "Custom DNS Inspection Profile",
                    "collectAVRStats": true,
                    "enableComplianceChecks": true,
                    "enableSignatureChecks": true,
                    "autoAddNewInspections": true,
                    "autoPublish": true,
                    "services": [
                        {
                            "type": "dns",
                            "compliance": [
                                {
                                    "check": "dns_maximum_reply_length",
                                    "value": "1024"
                                },
                                {
                                    "check": "dns_disallowed_query_type",
                                    "action": "accept",
                                    "log": true,
                                    "value": "STATUS QUERY"
                                }
                            ],
                            "signature": [
                                {
                                    "check": "dns_dns_query_amplification_attempt",
                                    "action": "reject",
                                    "log": true
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}
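
The two compliance checks in this profile are easiest to understand against real DNS bytes: dns_maximum_reply_length compares a response's size with its value, and dns_disallowed_query_type compares the opcode in the DNS header with the space-delimited names in value. The following Python script is an added example, not part of the AS3 documentation or of AFM itself: it parses the DNS header and applies the page's two checks to constructed messages. The opcode-to-name table (QUERY, IQUERY, STATUS, NOTIFY, UPDATE), the decision to apply the query-type check to requests only, and the reporting of a check with no explicit action as action None are assumptions of this model.

```python
"""Apply the page's DNS compliance checks to raw DNS messages.

Added example, not part of the F5 AS3 documentation or of AFM itself.
It parses the 12-byte DNS header (RFC 1035), maps the opcode to the names
used by dns_disallowed_query_type, and compares response size against
dns_maximum_reply_length. Assumptions: the space-delimited "value" is
read exactly as the text describes, the query-type check applies to
requests only, and a check without an explicit "action" is reported
with action None (whatever per-check default AFM applies).
"""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

# Constructed from the page's DNSInspectionProfile.
DNS_SERVICE = {
    "type": "dns",
    "compliance": [
        {"check": "dns_maximum_reply_length", "value": "1024"},
        {"check": "dns_disallowed_query_type", "action": "accept", "log": True,
         "value": "STATUS QUERY"},
    ],
}


def parse_header(msg):
    """Decode the fixed DNS header; raises ValueError on a truncated message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "opcode": OPCODES.get(opcode, f"OPCODE{opcode}"), "rcode": flags & 0xF,
            "qdcount": qdcount, "ancount": ancount}


def run_compliance(msg, service):
    """Return [(check, action, log)] for every compliance check the message violates."""
    hdr = parse_header(msg)
    hits = []
    for chk in service["compliance"]:
        values = chk["value"].split()        # enumerable values are space-delimited
        name = chk["check"]
        violated = (
            (name == "dns_disallowed_query_type" and not hdr["is_response"]
             and hdr["opcode"] in values)
            or (name == "dns_maximum_reply_length" and hdr["is_response"]
                and len(msg) > int(values[0])))
        if violated:
            hits.append((name, chk.get("action"), chk.get("log", False)))
    return hits


def build_message(ident, opcode, response, filler=0):
    """Constructed DNS message: a header plus `filler` zero bytes standing in
    for the question/answer sections (enough for header-level checks)."""
    flags = (0x8000 if response else 0) | ((opcode & 0xF) << 11)
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + b"\x00" * filler


if __name__ == "__main__":
    print(run_compliance(build_message(1, 2, False, 20), DNS_SERVICE))     # STATUS request
    print(run_compliance(build_message(2, 0, True, 1500), DNS_SERVICE))    # oversized reply
```

Note what the page's value "STATUS QUERY" implies: ordinary QUERY requests also match dns_disallowed_query_type, and because that check's action is accept with log true, the effect is logging every query rather than blocking anything. Whether that is intended is worth confirming before deploying the profile.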

Setting Maximum Bandwidth on a virtual with AFM

This example shows how you can set the maximum bandwidth on a virtual server when you are using BIG-IP AFM. This allows you to set the maximum bandwidth allowed through the virtual service, in Mbps. For more information, see the BIG-IP documentation.

For AS3 usage options, see Service_Generic or another Service object in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AFM_Tenant.
  • A virtual server named AFMvip with maximum bandwidth set to 10 Mbps.
{
    "class": "ADC",
    "schemaVersion": "3.19.0",
    "AFM_Tenant": {
        "class": "Tenant",
        "Sample_App": {
            "class": "Application",
            "AFMvip": {
                "class": "Service_Generic",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "192.0.2.0"
                ],
                "maximumBandwidth": 10
            }
        }
    }
}

Creating an Idle Timeout policy in a declaration

This example shows how you can create an Idle Timeout policy in an AS3 declaration. The Idle Timeout policy (which is attached to the virtual service as part of a Service policy) lets you associate timeouts with specific protocols and ports. You can also reference an existing policy on the BIG-IP using the bigip pointer.

See Idle_Timeout_Policy in the schema reference for AS3 usage. For more information, see Service Policies in the BIG-IP documentation.

Note

AS3 does not support the Port Misuse policy in a Service Policy at this time.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named timeoutTenant.
  • A virtual server named timeoutGeneric that references the idle timeout policy.
  • A Service policy object (which AS3 creates automatically to hold the timeout policy; it is not part of the declaration) that contains the Idle Timeout policy named my_idle_timeout_policy that contains a number of rules.
{
    "class": "ADC",
    "schemaVersion": "3.19.0",
    "id": "Idle_Timeout_Policy",
    "timeoutTenant": {
        "class": "Tenant",
        "timeoutApp": {
            "class": "Application",
            "timeoutGeneric": {
                "class": "Service_Generic",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "192.0.2.141"
                ],
                "policyIdleTimeout": {
                    "use": "my_idle_timeout_policy"
                }
            },
            "my_idle_timeout_policy": {
                "class": "Idle_Timeout_Policy",
                "remark": "my policy remark",
                "rules": [
                    {
                        "name": "rule1",
                        "remark": "tcp all ports",
                        "protocol": "tcp",
                        "destinationPorts": [
                            "all-other"
                        ],
                        "idleTimeout": 120
                    },
                    {
                        "name": "rule2",
                        "remark": "udp port 9090",
                        "protocol": "udp",
                        "destinationPorts": [
                            9090
                        ],
                        "idleTimeout": 300
                    },
                    {
                        "name": "rule3",
                        "remark": "all other protocols",
                        "protocol": "all-other",
                        "idleTimeout": 40
                    },
                    {
                        "name": "rule4",
                        "remark": "non port 9090 udp",
                        "protocol": "udp",
                        "destinationPorts": [
                            "all-other"
                        ],
                        "idleTimeout": 60
                    }
                ]
            }
        }
    }
}
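As an added example (not from the AS3 documentation or F5), the following Python works out which rule of my_idle_timeout_policy a given flow falls under, so you can confirm that every protocol/port combination gets a bounded timeout. It assumes that the most specific matching rule wins and that all-other is only a fallback, which is what the rule remarks above describe.

```python
# Added example, not from the AS3 documentation: work out which Idle_Timeout_Policy
# rule a flow falls under. Assumption: the most specific matching rule wins and
# "all-other" (for ports or for the protocol) is only a fallback, which is what the
# rule remarks in the declaration above describe.

# Rules copied from my_idle_timeout_policy above (remarks omitted).
RULES = [
    {"name": "rule1", "protocol": "tcp", "destinationPorts": ["all-other"], "idleTimeout": 120},
    {"name": "rule2", "protocol": "udp", "destinationPorts": [9090], "idleTimeout": 300},
    {"name": "rule3", "protocol": "all-other", "idleTimeout": 40},
    {"name": "rule4", "protocol": "udp", "destinationPorts": ["all-other"], "idleTimeout": 60},
]

def _specificity(rule, protocol, port):
    """Score how specifically a rule matches a flow, or None when it does not match:
    2 = protocol and explicit port, 1 = protocol with all-other ports, 0 = all-other protocol."""
    if rule["protocol"] == "all-other":
        return 0
    if rule["protocol"] != protocol:
        return None
    ports = rule.get("destinationPorts", ["all-other"])
    if port in ports:
        return 2
    return 1 if "all-other" in ports else None

def resolve_idle_timeout(rules, protocol, port=None):
    """Return (rule name, idleTimeout in seconds) for the winning rule, or None
    when nothing matches, i.e. the policy has no all-other protocol fallback."""
    best = None
    for rule in rules:
        score = _specificity(rule, protocol, port)
        if score is not None and (best is None or score > best[0]):
            best = (score, rule)
    return None if best is None else (best[1]["name"], best[1]["idleTimeout"])

if __name__ == "__main__":
    for proto, port in [("tcp", 443), ("udp", 9090), ("udp", 53), ("icmp", None)]:
        print(f"{proto}/{port}: {resolve_idle_timeout(RULES, proto, port)}")
```

Dropping rule3 from the list shows the failure mode: flows on any protocol other than tcp or udp then match nothing and the function returns None.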


Adding logging for protocol inspection events

This example shows how you can configure logging for protocol inspection events in a declaration. Logging is performed using a Log Publisher called from a Security Log profile. For detailed information on logging security events, see BIG-IP documentation.

For AS3 usage, see Log_Publisher and Security_Log_Profile in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Protocol_Inspection.
  • A Security Log Profile named secLogProtocolInspection that calls the log publisher.
  • A Log Publisher named logPub that references a logging destination already on the BIG-IP.
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "Security_Log_Profile",
    "Security_Log_Protocol_Inspection": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogProtocolInspection": {
                "class": "Security_Log_Profile",
                "protocolInspection": {
                    "publisher": {
                        "use": "logPub"
                    },
                    "logPacketPayloadEnabled": false
                }
            },
            "logPub": {
                "class": "Log_Publisher",
                "destinations": [
                    {
                        "bigip": "/Common/local-db"
                    }
                ]
            }
        }
    }
}
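The declarations on this page wire objects together with two kinds of pointers: use, which names another object in the same Application (policyIdleTimeout, profileProtocolInspection, publisher), and bigip, which names an object that already exists on the BIG-IP (/Common/local-db). As an added example (not from the AS3 documentation or F5), this Python walks an Application and flags a use value that resolves to nothing and a bigip value that is not an absolute path; the declaration it checks is constructed for the example, modelled on the one above.

```python
# Added example, not part of the AS3 documentation: flag "use" pointers that do not
# resolve to an object in the same Application, and "bigip" pointers that are not
# absolute paths. Assumes bare-name "use" values only; "/Tenant/App/name" forms are skipped.

# Constructed declaration modelled on the protocol inspection logging example above,
# plus a profile whose publisher points at a name that does not exist and a
# publisher whose destination is not an absolute BIG-IP path.
DECLARATION = {
    "class": "ADC", "schemaVersion": "3.20.0",
    "Security_Log_Protocol_Inspection": {"class": "Tenant", "Application": {
        "class": "Application",
        "secLogProtocolInspection": {"class": "Security_Log_Profile",
            "protocolInspection": {"publisher": {"use": "logPub"},
                                   "logPacketPayloadEnabled": False}},
        "brokenProfile": {"class": "Security_Log_Profile",
            "protocolInspection": {"publisher": {"use": "missingPub"}}},
        "logPub": {"class": "Log_Publisher",
                   "destinations": [{"bigip": "/Common/local-db"}]},
        "badPub": {"class": "Log_Publisher", "destinations": [{"bigip": "local-db"}]},
    }},
}

def _walk(node, path):
    """Yield (path, dict) for every dict nested under node, lists included."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")

def check_pointers(declaration):
    """Return a sorted list of pointer problems across every Application."""
    problems = []
    for tenant, tbody in declaration.items():
        if not (isinstance(tbody, dict) and tbody.get("class") == "Tenant"):
            continue
        for app, abody in tbody.items():
            if not (isinstance(abody, dict) and abody.get("class") == "Application"):
                continue
            # Names that a bare "use" pointer may legally reference in this Application.
            objects = {k for k, v in abody.items() if isinstance(v, dict) and "class" in v}
            for path, node in _walk(abody, f"/{tenant}/{app}"):
                use, bigip = node.get("use"), node.get("bigip")
                if isinstance(use, str) and not use.startswith("/") and use not in objects:
                    problems.append(f"{path}: use '{use}' does not resolve in {app}")
                if isinstance(bigip, str) and not bigip.startswith("/"):
                    problems.append(f"{path}: bigip '{bigip}' is not an absolute path")
    return sorted(problems)
```

Running check_pointers(DECLARATION) reports exactly the two injected faults and stays silent about logPub and /Common/local-db.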


Adding ports to a protocol inspection profile

This example shows how you can configure the ports property (introduced in AS3 3.23) in a protocol inspection profile. In prior versions of AS3, the ports property was not available.

For AS3 usage, see Protocol_Inspection_Profile_Services and Protocol_Inspection_Profile in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_PIP.
  • A virtual server named service that references the protocol inspection profile.
  • A protocol inspection profile, which includes the ports property.
{
    "class": "AS3",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.23.0",
        "Example_PIP": {
            "class": "Tenant",
            "A1": {
                "class": "Application",
                "service": {
                    "class": "Service_HTTP",
                    "virtualPort": 80,
                    "virtualAddresses": [
                        "192.0.2.1"
                    ],
                    "profileProtocolInspection": {
                        "use": "InspectionProfile"
                    }
                },
                "InspectionProfile": {
                    "class": "Protocol_Inspection_Profile",
                    "collectAVRStats": true,
                    "enableComplianceChecks": true,
                    "enableSignatureChecks": true,
                    "services": [
                        {
                            "type": "http",
                            "compliance": [
                                {
                                    "check": "http_contains_colon"
                                }
                            ],
                            "signature": [
                                {
                                    "check": "http_app_detect_absolute_software_computrace_outbound_connection_bh_namequery_com"
                                }
                            ],
                            "ports": [80, 8080]
                        }
                    ]
                }
            }
        }
    }
}


Configuring a Security Logging Profile with Bot defense

This example shows how you can use bot defense options in a Security Logging profile in BIG-IP 14.1 and later. Note that this example does not create bot defense, but configures logging for it. Logging is performed using a Log Publisher, which is called from the Security Log profile as shown in the example.

For more information on F5 bot defense, which can prevent layer 7 DoS attacks, web scraping, and brute force attacks from starting, see the Configuring Bot Defense chapter of the ASM Implementations guide.

We strongly recommend you visit Security_Log_Profile_Bot_Defense in the Schema Reference for specific information on the bot defense properties, including minimum BIG-IP versions for some properties. Also see Security_Log_Profile in the Schema Reference.

For detailed information on logging security events, see BIG-IP documentation. See K11412315: Configuring Bot Defense logging for information on manual configuration.

This declaration creates the following objects on the BIG-IP (note the example does not create a virtual service):

  • A partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application.
  • A Security Log Profile named exampleBotDefense which includes bot defense.
  • Bot defense which includes a log publisher and a number of bot defense properties.
{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "exampleBotDefense": {
                "class": "Security_Log_Profile",
                "botDefense": {
                    "localPublisher": {
                        "bigip": "/Common/local-db-publisher"
                    },
                    "logAlarm": true,
                    "logBlock": true,
                    "logBrowser": true,
                    "logBrowserVerificationAction": true,
                    "logCaptcha": true,
                    "logDeviceIdCollectionRequest": true,
                    "logMaliciousBot": true,
                    "logMobileApplication": true,
                    "logNone": true,
                    "logRateLimit": true,
                    "logSuspiciousBrowser": true,
                    "logTcpReset": true,
                    "logTrustedBot": true,
                    "logUnknown": true,
                    "logUntrustedBot": true,
                    "logHoneyPotPage": true,
                    "logRedirectToPool": true,
                    "logChallengeFailureRequest": true
                }
            }
        }
    }
}
