Network Security

This section contains declarations that use F5’s network security and firewall features.

Use the index under Current Page on the left to locate specific examples.

1: Using Firewall Rules, Policies, and logging

This example shows how you can use the BIG-IP Advanced Firewall Manager (AFM) module in a declaration. BIG-IP AFM defends against threats to network layers 3–4, stopping them before they reach your data center. To use these features, you must have BIG-IP AFM licensed and provisioned on your BIG-IP system.

In this example, we create firewall rules which are used in our firewall policy. We also create a security logging profile to define the events we want to log.

The AFM features we use in this declaration are well-documented in the AFM documentation and Logging documentation. See these manuals for more information on these features. Also see the Schema Reference for usage options for your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_01.
  • A virtual server named serviceMain.
  • A pool named ex_pool monitored by the default gateway_icmp health monitor.
  • A firewall rule list named fwRuleList, which references lists of allowed ports (fwAllowedPortList) and addresses (fwAllowedAddressList).
  • A firewall policy named fwPolicy which references the firewall rule lists.
  • A log publisher (fwLogPublisher), high speed logging destination (fwLowDestinationHsl) and pool (hs_pool), and syslog destination (fwLogDestinationSyslog).
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "firewall",
        "label": "Sample Network Security 1",
        "remark": "Firewall policy, rule, and logging example",
        "controls": {
        "trace": true
        },
        "Sample_net_sec_01": {
            "class": "Tenant",
            "fwFastL4": {
                "fwAllowedAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "10.0.0.0/8",
                        "172.20.0.0/16",
                        "192.168.0.0/16"
                    ]
                },
                "fwLogDestinationSyslog": {
                    "class": "Log_Destination",
                    "type": "remote-syslog",
                    "remoteHighSpeedLog": {
                        "use": "fwLogDestinationHsl"
                    },
                    "format": "rfc5424"
                },
                "fwLogDestinationHsl": {
                    "class": "Log_Destination",
                    "type": "remote-high-speed-log",
                    "protocol": "tcp",
                    "pool": {
                        "use": "hsl_pool"
                    }
                },
                "fwRuleList": {
                "class": "Firewall_Rule_List",
                "rules": [
                        {
                            "protocol": "tcp",
                            "name": "tcpAllow",
                            "loggingEnabled": true,
                            "destination": {
                                "portLists": [
                                    {
                                        "use": "fwAllowedPortList"
                                    }
                                ]
                            },
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            },
                            "action": "accept"
                        },
                        {
                            "action": "accept",
                            "loggingEnabled": true,
                            "protocol": "udp",
                            "name": "udpAllow",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            }
                        },
                        {
                            "action": "drop",
                            "loggingEnabled": true,
                            "protocol": "any",
                            "name": "defaultDeny",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwDefaultDenyAddressList"
                                    }
                                ]
                            }
                        }
                    ]
                },
                "hsl_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.120.6"
                            ],
                            "enable": true,
                            "servicePort": 514
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/tcp"
                        }
                    ]
                },
                "fwAllowedPortList": {
                    "class": "Firewall_Port_List",
                    "ports": [
                        22,
                        53,
                        80,
                        443,
                        "8080-8081"
                    ]
                },
                "fwSecurityLogProfile": {
                    "class": "Security_Log_Profile",
                    "network": {
                        "publisher": {
                            "use": "fwLogPublisher"
                        },
                        "storageFormat": {
                            "fields": [
                                "action",
                                "dest-ip",
                                "dest-port",
                                "src-ip",
                                "src-port"
                            ]
                        },
                        "logTranslationFields": true,
                        "logTcpEvents": true,
                        "logRuleMatchRejects": true,
                        "logTcpErrors": true,
                        "logIpErrors": true,
                        "logRuleMatchDrops": true,
                        "logRuleMatchAccepts": true
                    }
                },
                "class": "Application",
                "fwDefaultDenyAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "0.0.0.0/0"
                    ]
                },
                "fwPolicy": {
                    "rules": [
                        {
                            "use": "fwRuleList"
                        }
                    ],
                    "class": "Firewall_Policy"
                },
                "ex_L4_Profile": {
                    "class": "L4_Profile"
                },
                "template": "l4",
                "ex_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.31.3"
                            ],
                            "enable": true,
                            "servicePort": 0
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/gateway_icmp"
                        }
                    ]
                },
                "serviceMain": {
                    "translateServerAddress": false,
                    "securityLogProfiles": [
                        {
                            "use": "fwSecurityLogProfile"
                        }
                    ],
                    "virtualAddresses": [
                        "0.0.0.0"
                    ],
                    "policyFirewallEnforced": {
                        "use": "fwPolicy"
                    },
                    "translateServerPort": false,
                    "profileL4": {
                        "use": "ex_L4_Profile"
                    },
                    "virtualPort": 0,
                    "snat": "none",
                    "class": "Service_L4",
                    "pool": "ex_pool"
                },
                "fwLogPublisher": {
                    "class": "Log_Publisher",
                    "destinations": [
                        {
                            "use": "fwLogDestinationSyslog"
                        }
                    ]
                }
            }
        }
    }
}

Back to top

2: Using Firewall (Carrier Grade) NAT features in a declaration

This example shows how you can use some Carrier Grade NAT (CGNAT) features (NAT Policy, NAT Source Translation, Firewall lists) in an AS3 declaration. For more information on CGNAT, see Carrier Grade Nat on f5.com. Also see the Schema Reference for usage options for using these features in your AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_02.
  • A Fast L4 virtual server named serviceMain.
  • A NAT Policy.
  • A NAT Source Address Translation object
  • Port and destination address lists (Firewall Address lists).
{
    "class": "ADC",
    "id": "cgnat",
    "label": "Sample Network Security 2",
    "remark": "08",
    "schemaVersion": "3.0.0",
    "Sample_net_sec_02": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "template": "l4",
            "serviceMain": {
                "class": "Service_L4",
                "layer4": "any",
                "policyNAT": {
                    "use": "natPolicy"
                },
                "snat": "none",
                "translateServerAddress": false,
                "translateServerPort": false,
                "virtualAddresses": [
                    "0.0.0.0"
                ],
                "virtualPort": 0
            },
            "natDestinationAddressList": {
                "addresses": [
                    "0.0.0.0/0"
                ],
                "class": "Firewall_Address_List"
            },
            "natDestinationPortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natPolicy": {
                "class": "NAT_Policy",
                "rules": [
                    {
                        "destination": {
                            "addressLists": [
                                {
                                    "use": "natDestinationAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natDestinationPortList"
                                }
                            ]
                        },
                        "name": "rule1",
                        "protocol": "tcp",
                        "source": {
                            "addressLists": [
                                {
                                    "use": "natSourceAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natSourcePortList"
                                }
                            ]
                        },
                        "sourceTranslation": {
                            "use": "natSourceTranslation"
                        }
                    }
                ]
            },
            "natSourceAddressList": {
                "addresses": [
                    "192.168.0.0/16"
                ],
                "class": "Firewall_Address_List"
            },
            "natSourcePortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natSourceTranslation": {
                "addresses": [
                    "192.0.2.0/25"
                ],
                "class": "NAT_Source_Translation",
                "clientConnectionLimit": 0,
                "hairpinModeEnabled": false,
                "inboundMode": "explicit",
                "mapping": {
                    "mode": "address-pooling-paired",
                    "timeout": 300
                },
                "patMode": "pba",
                "portBlockAllocation": {
                    "blockIdleTimeout": 3600,
                    "blockLifetime": 0,
                    "blockSize": 64,
                    "clientBlockLimit": 1,
                    "zombieTimeout": 0
                },
                "ports": [
                    "1-65535"
                ],
                "routeAdvertisement": false,
                "type": "dynamic-pat"
            }
        }
    }
}

Back to top