Network Security

This section contains declarations that use F5’s network security and firewall features.


Note

As of AS3 3.10.0, if a Firewall_Address_List contains zero addresses, a placeholder IPv6 address, ::1:5ee:bad:c0de, is added so that the Firewall_Address_List remains valid. When a real address is added to the list, the placeholder address is removed.

1: Using Firewall Rules, Policies, and Logging

This example shows how you can use the BIG-IP Advanced Firewall Manager (AFM) module in a declaration. BIG-IP AFM defends against threats to network layers 3–4, stopping them before they reach your data center. To use these features, you must have BIG-IP AFM licensed and provisioned on your BIG-IP system.

In this example, we create firewall rules that are referenced by a firewall policy. We also create a security logging profile that defines which events are logged.

The AFM features we use in this declaration are well-documented in the AFM documentation and Logging documentation. See these manuals for more information on these features. Also see the Schema Reference for usage options for your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_01.
  • A virtual server named serviceMain.
  • A pool named ex_pool monitored by the default gateway_icmp health monitor.
  • A firewall rule list named fwRuleList, whose rules reference lists of allowed ports (fwAllowedPortList) and allowed source addresses (fwAllowedAddressList), plus a default-deny address list (fwDefaultDenyAddressList) used by the final drop rule.
  • A firewall policy named fwPolicy which references the firewall rule lists.
  • A security logging profile (fwSecurityLogProfile) attached to the virtual server.
  • A log publisher (fwLogPublisher), a high speed logging destination (fwLogDestinationHsl) and its pool (hsl_pool), and a syslog destination (fwLogDestinationSyslog).
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "firewall",
        "label": "Sample Network Security 1",
        "remark": "Firewall policy, rule, and logging example",
        "controls": {
        "trace": true
        },
        "Sample_net_sec_01": {
            "class": "Tenant",
            "fwFastL4": {
                "fwAllowedAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "10.0.0.0/8",
                        "172.20.0.0/16",
                        "192.168.0.0/16"
                    ]
                },
                "fwLogDestinationSyslog": {
                    "class": "Log_Destination",
                    "type": "remote-syslog",
                    "remoteHighSpeedLog": {
                        "use": "fwLogDestinationHsl"
                    },
                    "format": "rfc5424"
                },
                "fwLogDestinationHsl": {
                    "class": "Log_Destination",
                    "type": "remote-high-speed-log",
                    "protocol": "tcp",
                    "pool": {
                        "use": "hsl_pool"
                    }
                },
                "fwRuleList": {
                "class": "Firewall_Rule_List",
                "rules": [
                        {
                            "protocol": "tcp",
                            "name": "tcpAllow",
                            "loggingEnabled": true,
                            "destination": {
                                "portLists": [
                                    {
                                        "use": "fwAllowedPortList"
                                    }
                                ]
                            },
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            },
                            "action": "accept"
                        },
                        {
                            "action": "accept",
                            "loggingEnabled": true,
                            "protocol": "udp",
                            "name": "udpAllow",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            }
                        },
                        {
                            "action": "drop",
                            "loggingEnabled": true,
                            "protocol": "any",
                            "name": "defaultDeny",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwDefaultDenyAddressList"
                                    }
                                ]
                            }
                        }
                    ]
                },
                "hsl_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.120.6"
                            ],
                            "enable": true,
                            "servicePort": 514
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/tcp"
                        }
                    ]
                },
                "fwAllowedPortList": {
                    "class": "Firewall_Port_List",
                    "ports": [
                        22,
                        53,
                        80,
                        443,
                        "8080-8081"
                    ]
                },
                "fwSecurityLogProfile": {
                    "class": "Security_Log_Profile",
                    "network": {
                        "publisher": {
                            "use": "fwLogPublisher"
                        },
                        "storageFormat": {
                            "fields": [
                                "action",
                                "dest-ip",
                                "dest-port",
                                "src-ip",
                                "src-port"
                            ]
                        },
                        "logTranslationFields": true,
                        "logTcpEvents": true,
                        "logRuleMatchRejects": true,
                        "logTcpErrors": true,
                        "logIpErrors": true,
                        "logRuleMatchDrops": true,
                        "logRuleMatchAccepts": true
                    }
                },
                "class": "Application",
                "fwDefaultDenyAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "0.0.0.0/0"
                    ]
                },
                "fwPolicy": {
                    "rules": [
                        {
                            "use": "fwRuleList"
                        }
                    ],
                    "class": "Firewall_Policy"
                },
                "ex_L4_Profile": {
                    "class": "L4_Profile"
                },
                "template": "l4",
                "ex_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.31.3"
                            ],
                            "enable": true,
                            "servicePort": 0
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/gateway_icmp"
                        }
                    ]
                },
                "serviceMain": {
                    "translateServerAddress": false,
                    "securityLogProfiles": [
                        {
                            "use": "fwSecurityLogProfile"
                        }
                    ],
                    "virtualAddresses": [
                        "0.0.0.0"
                    ],
                    "policyFirewallEnforced": {
                        "use": "fwPolicy"
                    },
                    "translateServerPort": false,
                    "profileL4": {
                        "use": "ex_L4_Profile"
                    },
                    "virtualPort": 0,
                    "snat": "none",
                    "class": "Service_L4",
                    "pool": "ex_pool"
                },
                "fwLogPublisher": {
                    "class": "Log_Publisher",
                    "destinations": [
                        {
                            "use": "fwLogDestinationSyslog"
                        }
                    ]
                }
            }
        }
    }
}


2: Using Firewall (Carrier Grade) NAT features in a declaration

This example shows how you can use some Carrier Grade NAT (CGNAT) features (NAT Policy, NAT Source Translation, Firewall lists) in an AS3 declaration. For more information on CGNAT, see Carrier Grade NAT on f5.com. Also see the Schema Reference for the usage options for these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_02.
  • A Fast L4 virtual server named serviceMain.
  • A NAT Policy.
  • A NAT Source Address Translation object.
  • Source and destination address lists and port lists (Firewall_Address_List and Firewall_Port_List objects).
{
    "class": "ADC",
    "id": "cgnat",
    "label": "Sample Network Security 2",
    "remark": "08",
    "schemaVersion": "3.0.0",
    "Sample_net_sec_02": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "l4",
            "serviceMain": {
                "class": "Service_L4",
                "layer4": "any",
                "policyNAT": {
                    "use": "natPolicy"
                },
                "snat": "none",
                "translateServerAddress": false,
                "translateServerPort": false,
                "virtualAddresses": [
                    "0.0.0.0"
                ],
                "virtualPort": 0
            },
            "natDestinationAddressList": {
                "addresses": [
                    "0.0.0.0/0"
                ],
                "class": "Firewall_Address_List"
            },
            "natDestinationPortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natPolicy": {
                "class": "NAT_Policy",
                "rules": [
                    {
                        "destination": {
                            "addressLists": [
                                {
                                    "use": "natDestinationAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natDestinationPortList"
                                }
                            ]
                        },
                        "name": "rule1",
                        "protocol": "tcp",
                        "source": {
                            "addressLists": [
                                {
                                    "use": "natSourceAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natSourcePortList"
                                }
                            ]
                        },
                        "sourceTranslation": {
                            "use": "natSourceTranslation"
                        }
                    }
                ]
            },
            "natSourceAddressList": {
                "addresses": [
                    "192.168.0.0/16"
                ],
                "class": "Firewall_Address_List"
            },
            "natSourcePortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natSourceTranslation": {
                "addresses": [
                    "192.0.2.0/25"
                ],
                "class": "NAT_Source_Translation",
                "clientConnectionLimit": 0,
                "hairpinModeEnabled": false,
                "inboundMode": "explicit",
                "mapping": {
                    "mode": "address-pooling-paired",
                    "timeout": 300
                },
                "patMode": "pba",
                "portBlockAllocation": {
                    "blockIdleTimeout": 3600,
                    "blockLifetime": 0,
                    "blockSize": 64,
                    "clientBlockLimit": 1,
                    "zombieTimeout": 0
                },
                "ports": [
                    "1-65535"
                ],
                "routeAdvertisement": false,
                "type": "dynamic-pat"
            }
        }
    }
}


3: Securing SSH traffic with the SSH Proxy

This example shows how you can use the Advanced Firewall Manager (AFM) SSH Proxy profile in an AS3 declaration. The SSH Proxy lets network administrators centrally manage the different uses of SSH, determining who can do what on which servers. Additionally, as the feature is a full proxy, terminating both the client and server sides of the connection, it is possible to inspect traffic before passing it on. This prevents attackers from hiding their activities while still providing legitimate users with secure communications. For more information on the SSH Proxy, see SSH Proxy in the AFM documentation, and SSH_Proxy_Profile in the Schema Reference for all AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named SSH_Proxy_Profile.
  • An SSH Proxy profile named sshProxyExample with actions, rules, and authentication information.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "SSH_Proxy_Profile",
    "SSH_Proxy_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "template": "generic",
            "sshProxyExample": {
                "class": "SSH_Proxy_Profile",
                "sshProfileDefaultActions": {
                    "name": "action",
                    "agentAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "localForwardAction": {
                        "control": "disallow",
                        "log": false
                    },
                    "otherAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "remoteForwardAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "rexecAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "scpUpAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "scpDownAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "sftpUpAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "sftpDownAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "shellAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "subSystemAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "x11ForwardAction": {
                        "control": "terminate",
                        "log": true
                    }
                },
                "sshProfileRuleSet": [
                    {
                        "name": "rule1",
                        "remark": "rule1 remark",
                        "sshProfileIdUsers": [
                            "Good Boy",
                            "Test"
                        ],
                        "sshProfileIdGroups": [
                            "Group Test",
                            "TestG"
                        ],
                        "sshProfileRuleActions": {
                            "name": "rulesAction",
                            "agentAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "localForwardAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "otherAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "remoteForwardAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "rexecAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "scpUpAction": {
                                "control": "disallow",
                                "log": true
                            },
                            "scpDownAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "sftpUpAction": {
                                "control": "disallow",
                                "log": true
                            },
                            "sftpDownAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "shellAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "subSystemAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "x11ForwardAction": {
                                "control": "terminate",
                                "log": true
                            }
                        }
                    }
                ],
                "timeout": 23,
                "sshProfileAuthInfo": [
                    {
                        "name": "authInfo1",
                        "proxyServerAuth": {
                            "privateKey": {
                                "ciphertext": "VGhpcyBpcyBhIFNFUlZFUiBwcml2YXRlIGtleQ==",
                                "ignoreChanges": true
                            },
                            "publicKey": "This is a SERVER public key"
                        },
                        "proxyClientAuth": {
                            "privateKey": {
                                "ciphertext": "VGhpcyBpcyBhIENMSUVOVCBwcml2YXRlIGtleQ==",
                                "ignoreChanges": true
                            },
                            "publicKey": "This is a CLIENT public key"
                        },
                        "realServerAuth": {
                            "publicKey": "This is a REAL SERVER public key"
                        }
                    }
                ]
            }
        }
    }
}
