Network Security

This section contains declarations that use F5’s network security and firewall features.

Note

As of BIG-IP AS3 3.10.0, if the Firewall_Address_List contains zero addresses, a dummy IPv6 address of ::1:5ee:bad:c0de is added in order to maintain a valid Firewall_Address_List. If an address is added to the list, the dummy address is removed.

Important

Most of the example declarations have been updated in the documentation for BIG-IP AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In BIG-IP AS3 3.20, the generic template is the default, which allows services to use any name.

This also means that many of these declarations will fail on a version prior to 3.20 unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.

Using Firewall Rules, Policies, and logging

This example shows how you can use the BIG-IP Advanced Firewall Manager (AFM) module in a declaration. BIG-IP AFM defends against threats to network layers 3-4, stopping them before they reach your data center.

Important

To use these features, you must have BIG-IP AFM licensed and provisioned on your BIG-IP system.

In this example, we create firewall rules which are used in our firewall policy. We also create a security logging profile to define the events we want to log.

The AFM features we use in this declaration are well-documented in the AFM documentation and Logging documentation. See these manuals for more information on these features. Also see the Schema Reference for usage options for your BIG-IP AS3 declarations.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_01.
  • A virtual server named service.
  • A pool named ex_pool monitored by the default gateway_icmp health monitor.
  • A firewall rule list named fwRuleList, which references lists of allowed ports (fwAllowedPortList) and addresses (fwAllowedAddressList), plus a catch-all address list (fwDefaultDenyAddressList) used by the final drop rule.
  • A firewall policy named fwPolicy which references the firewall rule list.
  • A security logging profile (fwSecurityLogProfile) attached to the virtual server, with a log publisher (fwLogPublisher), high speed logging destination (fwLogDestinationHsl) and its pool (hsl_pool), and syslog destination (fwLogDestinationSyslog).
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "firewall",
        "label": "Sample Network Security 1",
        "remark": "Firewall policy, rule, and logging example",
        "controls": {
            "trace": true
        },
        "Sample_net_sec_01": {
            "class": "Tenant",
            "fwFastL4": {
                "class": "Application",
                "fwAllowedAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "10.0.0.0/8",
                        "172.20.0.0/16",
                        "192.168.0.0/16"
                    ]
                },
                "fwLogDestinationSyslog": {
                    "class": "Log_Destination",
                    "type": "remote-syslog",
                    "remoteHighSpeedLog": {
                        "use": "fwLogDestinationHsl"
                    },
                    "format": "rfc5424"
                },
                "fwLogDestinationHsl": {
                    "class": "Log_Destination",
                    "type": "remote-high-speed-log",
                    "protocol": "tcp",
                    "pool": {
                        "use": "hsl_pool"
                    }
                },
                "fwRuleList": {
                    "class": "Firewall_Rule_List",
                    "rules": [
                        {
                            "protocol": "tcp",
                            "name": "tcpAllow",
                            "loggingEnabled": true,
                            "destination": {
                                "portLists": [
                                    {
                                        "use": "fwAllowedPortList"
                                    }
                                ]
                            },
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            },
                            "action": "accept"
                        },
                        {
                            "action": "accept",
                            "loggingEnabled": true,
                            "protocol": "udp",
                            "name": "udpAllow",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwAllowedAddressList"
                                    }
                                ]
                            }
                        },
                        {
                            "action": "drop",
                            "loggingEnabled": true,
                            "protocol": "any",
                            "name": "defaultDeny",
                            "source": {
                                "addressLists": [
                                    {
                                        "use": "fwDefaultDenyAddressList"
                                    }
                                ]
                            }
                        }
                    ]
                },
                "hsl_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.120.6"
                            ],
                            "enable": true,
                            "servicePort": 514
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/tcp"
                        }
                    ]
                },
                "fwAllowedPortList": {
                    "class": "Firewall_Port_List",
                    "ports": [
                        22,
                        53,
                        80,
                        443,
                        "8080-8081"
                    ]
                },
                "fwSecurityLogProfile": {
                    "class": "Security_Log_Profile",
                    "network": {
                        "publisher": {
                            "use": "fwLogPublisher"
                        },
                        "storageFormat": {
                            "fields": [
                                "action",
                                "dest-ip",
                                "dest-port",
                                "src-ip",
                                "src-port"
                            ]
                        },
                        "logTranslationFields": true,
                        "logTcpEvents": true,
                        "logRuleMatchRejects": true,
                        "logTcpErrors": true,
                        "logIpErrors": true,
                        "logRuleMatchDrops": true,
                        "logRuleMatchAccepts": true
                    }
                },
                "fwDefaultDenyAddressList": {
                    "class": "Firewall_Address_List",
                    "addresses": [
                        "0.0.0.0/0"
                    ]
                },
                "fwPolicy": {
                    "rules": [
                        {
                            "use": "fwRuleList"
                        }
                    ],
                    "class": "Firewall_Policy"
                },
                "ex_L4_Profile": {
                    "class": "L4_Profile"
                },
                "ex_pool": {
                    "class": "Pool",
                    "members": [
                        {
                            "serverAddresses": [
                                "192.168.31.3"
                            ],
                            "enable": true,
                            "servicePort": 0
                        }
                    ],
                    "monitors": [
                        {
                            "bigip": "/Common/gateway_icmp"
                        }
                    ]
                },
                "service": {
                    "translateServerAddress": false,
                    "securityLogProfiles": [
                        {
                            "use": "fwSecurityLogProfile"
                        }
                    ],
                    "virtualAddresses": [
                        "0.0.0.0"
                    ],
                    "policyFirewallEnforced": {
                        "use": "fwPolicy"
                    },
                    "translateServerPort": false,
                    "profileL4": {
                        "use": "ex_L4_Profile"
                    },
                    "virtualPort": 0,
                    "snat": "none",
                    "class": "Service_L4",
                    "pool": "ex_pool"
                },
                "fwLogPublisher": {
                    "class": "Log_Publisher",
                    "destinations": [
                        {
                            "use": "fwLogDestinationSyslog"
                        }
                    ]
                }
            }
        }
    }
}
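
As an added illustration (not part of the AS3 documentation or of BIG-IP AFM itself), the following Python resolves the `use` pointers in a constructed excerpt of the fwFastL4 application above and evaluates sample packets against fwRuleList, showing which rule fires, its action, and whether it is logged. It assumes rules are tested in declaration order with the first match deciding; `unresolved_uses` is a hypothetical lint that reports pointers naming no object in the application.

```python
import ipaddress

# Constructed excerpt of the fwFastL4 application above: only the address list,
# port list and rule list objects that the rule evaluation needs.
FW_APP = {
    "fwAllowedAddressList": {"class": "Firewall_Address_List",
                             "addresses": ["10.0.0.0/8", "172.20.0.0/16", "192.168.0.0/16"]},
    "fwDefaultDenyAddressList": {"class": "Firewall_Address_List", "addresses": ["0.0.0.0/0"]},
    "fwAllowedPortList": {"class": "Firewall_Port_List", "ports": [22, 53, 80, 443, "8080-8081"]},
    "fwRuleList": {"class": "Firewall_Rule_List", "rules": [
        {"name": "tcpAllow", "protocol": "tcp", "action": "accept", "loggingEnabled": True,
         "destination": {"portLists": [{"use": "fwAllowedPortList"}]},
         "source": {"addressLists": [{"use": "fwAllowedAddressList"}]}},
        {"name": "udpAllow", "protocol": "udp", "action": "accept", "loggingEnabled": True,
         "source": {"addressLists": [{"use": "fwAllowedAddressList"}]}},
        {"name": "defaultDeny", "protocol": "any", "action": "drop", "loggingEnabled": True,
         "source": {"addressLists": [{"use": "fwDefaultDenyAddressList"}]}},
    ]},
}


def resolve(app, pointer):
    """Follow a {"use": name} pointer to the named object of the same application."""
    name = pointer["use"]
    if name not in app:
        raise KeyError(f"unresolved 'use' reference: {name}")
    return app[name]


def unresolved_uses(app):
    """Hypothetical lint: every {"use": ...} pointer in the application that names
    no object in it. Bare object names, as used on this page, are assumed; full
    /Tenant/Application/object paths are not handled."""
    missing = []

    def walk(node):
        if isinstance(node, dict):
            if isinstance(node.get("use"), str) and node["use"] not in app:
                missing.append(node["use"])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(app)
    return missing


def port_in_lists(app, port_lists, port):
    """True if the port is in any referenced Firewall_Port_List (ints or "lo-hi")."""
    for ref in port_lists:
        for entry in resolve(app, ref)["ports"]:
            if isinstance(entry, int):
                if port == entry:
                    return True
            else:
                lo, hi = (int(x) for x in entry.split("-"))
                if lo <= port <= hi:
                    return True
    return False


def address_in_lists(app, address_lists, ip):
    """True if the address falls in any prefix of a referenced Firewall_Address_List."""
    addr = ipaddress.ip_address(ip)
    for ref in address_lists:
        for entry in resolve(app, ref)["addresses"]:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
    return False


def rule_matches(app, rule, packet):
    """A rule matches when every constraint it states (protocol, source address
    lists, destination port lists) holds; a constraint it omits matches anything."""
    proto = rule.get("protocol", "any")
    if proto != "any" and proto != packet["protocol"]:
        return False
    src = rule.get("source", {})
    if "addressLists" in src and not address_in_lists(app, src["addressLists"], packet["src_ip"]):
        return False
    dst = rule.get("destination", {})
    if "portLists" in dst and not port_in_lists(app, dst["portLists"], packet["dst_port"]):
        return False
    return True


def evaluate(app, rule_list_name, packet):
    """Return (rule name, action, logged) for the first rule that matches the packet,
    assuming rules are tested in declaration order and the first match decides."""
    for rule in app[rule_list_name]["rules"]:
        if rule_matches(app, rule, packet):
            return rule["name"], rule["action"], bool(rule.get("loggingEnabled"))
    return None
```

Constructed packets are plain dicts with `protocol`, `src_ip` and `dst_port` keys; a TCP connection from 10.1.2.3 to port 3389 falls through tcpAllow (port not listed) and udpAllow (wrong protocol) and is dropped and logged by defaultDeny.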

Using Firewall (Carrier Grade) NAT features in a declaration

This example shows how you can use some Carrier Grade NAT (CGNAT) features (NAT Policy, NAT Source Translation, Firewall lists) in a BIG-IP AS3 declaration. For more information on CGNAT, see Carrier Grade NAT on f5.com. Also see the Schema Reference for usage options for using these features in your BIG-IP AS3 declarations.

New in BIG-IP AS3 3.20
In BIG-IP AS3 3.20 and later, you can add addresses to exclude from NAT source translation. This lets you specify a set of addresses that are excluded from the translation IP addresses available in the pool. The example below has been updated to include these new lines (the excludeAddresses property of the NAT_Source_Translation object).
Important: Because of this addition, the example declaration will fail in versions prior to 3.20.
For more information on usage, see NAT_Source_Translation in the schema reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Sample_net_sec_02.
  • A Fast L4 virtual server named service.
  • A NAT Policy (the ability to reference a security logging profile from a NAT rule was added in BIG-IP AS3 3.15, see NAT_Rule in the Schema Reference).
  • A NAT Source Address Translation object (with excludeAddresses added in BIG-IP AS3 3.20).
  • Port and destination address lists (Firewall Address lists).
{
    "class": "ADC",
    "id": "cgnat",
    "label": "Sample Network Security 2",
    "remark": "08",
    "schemaVersion": "3.0.0",
    "Sample_net_sec_02": {
        "class": "Tenant",
        "A1": {
            "class": "Application",
            "service": {
                "class": "Service_L4",
                "layer4": "any",
                "policyNAT": {
                    "use": "natPolicy"
                },
                "snat": "none",
                "translateServerAddress": false,
                "translateServerPort": false,
                "virtualAddresses": [
                    "0.0.0.0"
                ],
                "virtualPort": 0
            },
            "natDestinationAddressList": {
                "addresses": [
                    "0.0.0.0/0"
                ],
                "class": "Firewall_Address_List"
            },
            "natDestinationPortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natPolicy": {
                "class": "NAT_Policy",
                "rules": [
                    {
                        "destination": {
                            "addressLists": [
                                {
                                    "use": "natDestinationAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natDestinationPortList"
                                }
                            ]
                        },
                        "name": "rule1",
                        "protocol": "tcp",
                        "source": {
                            "addressLists": [
                                {
                                    "use": "natSourceAddressList"
                                }
                            ],
                            "portLists": [
                                {
                                    "use": "natSourcePortList"
                                }
                            ]
                        },
                        "sourceTranslation": {
                            "use": "natSourceTranslation"
                        },
                        "securityLogProfile": {
                            "use": "secLogProfile"
                        }
                    }
                ]
            },
            "natSourceAddressList": {
                "addresses": [
                    "192.168.0.0/16"
                ],
                "class": "Firewall_Address_List"
            },
            "natSourcePortList": {
                "class": "Firewall_Port_List",
                "ports": [
                    "1-65535"
                ]
            },
            "natSourceExcludeAddressList": {
                "class": "Firewall_Address_List",
                "addresses": [
                    "192.0.2.50"
                ]
            },
            "natSourceTranslation": {
                "addresses": [
                    "192.0.2.0/25"
                ],
                "class": "NAT_Source_Translation",
                "clientConnectionLimit": 0,
                "hairpinModeEnabled": false,
                "inboundMode": "explicit",
                "mapping": {
                    "mode": "address-pooling-paired",
                    "timeout": 300
                },
                "patMode": "pba",
                "portBlockAllocation": {
                    "blockIdleTimeout": 3600,
                    "blockLifetime": 0,
                    "blockSize": 64,
                    "clientBlockLimit": 1,
                    "zombieTimeout": 0
                },
                "ports": [
                    "1-65535"
                ],
                "routeAdvertisement": false,
                "type": "dynamic-pat",
                "excludeAddresses": [
                    "192.0.2.10",
                    "192.0.2.20-192.0.2.30",
                    {"use": "natSourceExcludeAddressList"}
                ]
            },
            "secLogProfile": {
                "class": "Security_Log_Profile",
                "application": {
                    "storageFilter": {
                        "logicalOperation": "and",
                        "requestType": "all",
                        "responseCodes": [
                            "100",
                            "200",
                            "300",
                            "400"
                        ],
                        "protocols": [
                            "https",
                            "ws"
                        ],
                        "httpMethods": [
                            "ACL",
                            "GET",
                            "POLL",
                            "POST"
                        ],
                        "requestContains": {
                            "searchIn": "search-in-headers",
                            "value": "The header string to search for"
                        },
                        "loginResults": [
                            "login-result-successful",
                            "login-result-failed"
                        ]
                    },
                    "guaranteeLoggingEnabled": true,
                    "guaranteeResponseLoggingEnabled": true,
                    "maxHeaderSize": 200,
                    "maxQuerySize": 1040,
                    "maxRequestSize": 900,
                    "responseLogging": "all"
                }
            }
        }
    }
}
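
As an added example (not part of the AS3 documentation or of BIG-IP itself), the following Python computes which translation addresses remain usable once every excludeAddresses entry of natSourceTranslation above is removed: a single address, a dashed range, and a `use` pointer to natSourceExcludeAddressList. The application excerpt is constructed from the declaration; it is assumed that a CIDR prefix in `addresses` contributes all of its addresses.

```python
import ipaddress

# Constructed excerpt of the A1 application above: the NAT_Source_Translation object
# and the Firewall_Address_List that its excludeAddresses property points at.
NAT_APP = {
    "natSourceExcludeAddressList": {"class": "Firewall_Address_List",
                                    "addresses": ["192.0.2.50"]},
    "natSourceTranslation": {
        "class": "NAT_Source_Translation",
        "type": "dynamic-pat",
        "addresses": ["192.0.2.0/25"],
        "excludeAddresses": ["192.0.2.10", "192.0.2.20-192.0.2.30",
                             {"use": "natSourceExcludeAddressList"}],
    },
}


def expand_entry(entry):
    """Yield each address covered by one list entry: a CIDR prefix, a single address,
    or an inclusive "first-last" range (the three forms used on this page). A prefix
    is assumed to contribute all of its addresses, network and broadcast included."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(x) for x in entry.split("-", 1))
        for net in ipaddress.summarize_address_range(first, last):
            yield from net
    else:
        yield from ipaddress.ip_network(entry, strict=False)


def expand_addresses(app, entries):
    """Expand a mixed list of literal entries and {"use": <Firewall_Address_List>}
    pointers (resolved against the same application) into a set of addresses."""
    out = set()
    for entry in entries:
        if isinstance(entry, dict):
            out |= expand_addresses(app, app[entry["use"]]["addresses"])
        else:
            out.update(expand_entry(entry))
    return out


def effective_translation_pool(app, name):
    """Translation addresses that remain once every excludeAddresses entry, including
    those pulled in by reference, is removed from the addresses prefix; returned as
    sorted strings."""
    obj = app[name]
    pool = expand_addresses(app, obj["addresses"])
    excluded = expand_addresses(app, obj.get("excludeAddresses", []))
    return [str(a) for a in sorted(pool - excluded)]
```

For the declaration above this leaves 115 of the 128 addresses in 192.0.2.0/25: the 13 excluded are .10, .20 through .30, and .50 from the referenced list.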

Securing SSH traffic with the SSH Proxy

This example shows how you can use the Advanced Firewall Manager (AFM) SSH Proxy profile in a BIG-IP AS3 declaration. The SSH Proxy lets network administrators centrally manage the different uses of SSH, determining who can do what on which servers. Additionally, as the feature is a full proxy, terminating both the client and server sides of the connection, it is possible to inspect traffic before passing it on. This prevents attackers from hiding their activities while still providing legitimate users with secure communications. For more information on the SSH Proxy, see SSH Proxy in the AFM documentation, and SSH_Proxy_Profile in the Schema Reference for all BIG-IP AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named SSH_Proxy_Profile.
  • An SSH Proxy profile named sshProxyExample with actions, rules, and authentication information.
{
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "id": "SSH_Proxy_Profile",
    "Tenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "sshProxyExample": {
                "class": "SSH_Proxy_Profile",
                "sshProfileDefaultActions": {
                    "name": "action",
                    "agentAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "localForwardAction": {
                        "control": "disallow",
                        "log": false
                    },
                    "otherAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "remoteForwardAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "rexecAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "scpUpAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "scpDownAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "sftpUpAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "sftpDownAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "shellAction": {
                        "control": "disallow",
                        "log": true
                    },
                    "subSystemAction": {
                        "control": "terminate",
                        "log": true
                    },
                    "x11ForwardAction": {
                        "control": "terminate",
                        "log": true
                    }
                },
                "sshProfileRuleSet": [
                    {
                        "name": "rule1",
                        "remark": "rule1 remark",
                        "sshProfileIdUsers": [
                            "Good Boy",
                            "Test"
                        ],
                        "sshProfileIdGroups": [
                            "Group Test",
                            "TestG"
                        ],
                        "sshProfileRuleActions": {
                            "name": "rulesAction",
                            "agentAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "localForwardAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "otherAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "remoteForwardAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "rexecAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "scpUpAction": {
                                "control": "disallow",
                                "log": true
                            },
                            "scpDownAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "sftpUpAction": {
                                "control": "disallow",
                                "log": true
                            },
                            "sftpDownAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "shellAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "subSystemAction": {
                                "control": "terminate",
                                "log": true
                            },
                            "x11ForwardAction": {
                                "control": "terminate",
                                "log": true
                            }
                        }
                    }
                ],
                "timeout": 23,
                "sshProfileAuthInfo": [
                    {
                        "name": "authInfo1",
                        "proxyServerAuth": {
                            "privateKey": {
                                "ciphertext": "VGhpcyBpcyBhIFNFUlZFUiBwcml2YXRlIGtleQ==",
                                "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                                "ignoreChanges": true
                            },
                            "publicKey": "This is a SERVER public key"
                        },
                        "proxyClientAuth": {
                            "privateKey": {
                                "ciphertext": "VGhpcyBpcyBhIENMSUVOVCBwcml2YXRlIGtleQ==",
                                "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
                                "ignoreChanges": true
                            },
                            "publicKey": "This is a CLIENT public key"
                        },
                        "realServerAuth": {
                            "publicKey": "This is a REAL SERVER public key"
                        }
                    }
                ]
            }
        }
    }
}

Using reject and accept-decisively actions and VLAN source in a firewall rule

This example shows how you can use the reject and accept-decisively actions in a Firewall Rule. See the BIG-IP AFM: Network Firewall Policies and Implementations for detailed information on these actions.

  • reject
    With this action, packets that match the rule are rejected. Using reject is a more graceful way to deny packets as it sends a destination unreachable message to the source system.
  • accept-decisively
    With this action, packets that match the rule are accepted decisively and traverse the system as if the firewall is not present. Packets are not processed by rules in any further context after the accept decisively action applies. See the AFM documentation for detailed information.

New in BIG-IP AS3 3.15.0
Starting with BIG-IP AS3 3.15.0, you can use BIG-IP VLANs as sources for firewall rules. See the vlans property under source in the second rule of the following declaration. See Firewall_Rule_Source in the schema reference for usage.

See Firewall_Rule in the Schema Reference for all BIG-IP AS3 usage options.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_Firewall_Rule_List.
  • A Firewall Rule list named exampleFWRuleList with two rules, one with an action of reject and one of accept-decisively.
  • The second firewall rule has been updated to use the external VLAN on the BIG-IP as the source.
{
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "id": "Firewall_Rule_List",
    "Example_Firewall_Rule_List": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleFWRuleList": {
                "class": "Firewall_Rule_List",
                "remark": "description",
                "rules": [
                    {
                        "remark": "description",
                        "name": "theRule1",
                        "action": "accept-decisively",
                        "protocol": "tcp",
                        "loggingEnabled": true
                    },
                    {
                        "remark": "description",
                        "name": "theRule2",
                        "action": "reject",
                        "protocol": "tcp",
                        "loggingEnabled": true,
                        "source": {
                            "vlans": [
                                {
                                    "bigip": "/Common/external"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}

Creating Protocol Inspection profiles

Important

Because the Protocol Inspection profile was designed around an experience that is better suited to using the BIG-IP web-based Configuration utility, we strongly recommend you configure, modify, or change Protocol Inspection profiles using the BIG-IP Configuration utility, and reference the profile in the AS3 declaration. Future releases of BIG-IP AS3 will not include any improvements to Protocol Inspection profiles.
The following example has been updated with an example of referencing a Protocol Inspection profile on the BIG-IP.

This example shows how you can create BIG-IP AFM Protocol Inspection profiles in a BIG-IP AS3 declaration. A protocol inspection profile collects rules for protocol inspection using pre-installed signatures defined by the Snort project, or custom signatures defined using the Snort syntax.

For detailed information, see AFM documentation, as well as Configuring protocol inspection profiles on AskF5. For BIG-IP AS3 usage options, see Protocol_Inspection_Profile in the Schema Reference.

BIG-IP AS3 3.20 added the value property for Protocol Inspection compliance checks. If a check accepts enumerable values, the values should be delimited by spaces. The following example has been updated to show the value property.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_PIP.
  • A UDP virtual service named service which references the Protocol Inspection profile.
  • A Protocol Inspection profile named DNSInspectionProfile which is specific to DNS in this example.
    • Example was updated in BIG-IP AS3 3.20 to include the value property in the compliance check. If you are using a BIG-IP AS3 version prior to 3.20, this declaration will fail.
{
    "class": "AS3",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.20.0",
        "Example_PIP": {
            "class": "Tenant",
            "A1": {
                "class": "Application",
                "service": {
                    "class": "Service_UDP",
                    "virtualPort": 53,
                    "virtualAddresses": [
                        "192.0.2.1"
                    ],
                    "profileProtocolInspection": {
                        "use": "DNSInspectionProfile"
                    }
                },
                "DNSInspectionProfile": {
                    "class": "Protocol_Inspection_Profile",
                    "remark": "Custom DNS Inspection Profile",
                    "collectAVRStats": true,
                    "enableComplianceChecks": true,
                    "enableSignatureChecks": true,
                    "autoAddNewInspections": true,
                    "autoPublish": true,
                    "services": [
                        {
                            "type": "dns",
                            "compliance": [
                                {
                                    "check": "dns_maximum_reply_length",
                                    "value": "1024"
                                },
                                {
                                    "check": "dns_disallowed_query_type",
                                    "action": "accept",
                                    "log": true,
                                    "value": "STATUS QUERY"
                                }
                            ],
                            "signature": [
                                {
                                    "check": "dns_dns_query_amplification_attempt",
                                    "action": "reject",
                                    "log": true
                                }
                            ]
                        }
                    ]
                },
                "service2": {
                    "class": "Service_UDP",
                    "virtualPort": 53,
                    "virtualAddresses": [
                        "192.0.2.2"
                    ],
                    "profileProtocolInspection": {
                        "bigip": "/Common/protocol_inspection_dns"
                    }
                }
            }
        }
    }
}

Setting Maximum Bandwidth on a virtual with AFM

This example shows how you can set the maximum bandwidth on a virtual server when you are using BIG-IP AFM. This allows you to set the maximum bandwidth allowed through the virtual service, in Mbps. For more information, see the BIG-IP documentation.

For BIG-IP AS3 usage options, see Service_Generic or another Service object in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named AFM_Tenant.
  • A virtual server named AFMvip with maximum bandwidth set to 10Mbps.
{
    "class": "ADC",
    "schemaVersion": "3.19.0",
    "AFM_Tenant": {
        "class": "Tenant",
        "Sample_App": {
            "class": "Application",
            "AFMvip": {
                "class": "Service_Generic",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "192.0.2.0"
                ],
                "maximumBandwidth": 10
            }
        }
    }
}



Creating an Idle Timeout policy in a declaration

This example shows how you can create an Idle Timeout policy in a BIG-IP AS3 declaration. The Idle Timeout policy (which is attached to the virtual service as part of a Service policy) allows you to associate timeouts with specific protocols and ports. You can also reference an existing policy on the BIG-IP using the bigip pointer.

See Idle_Timeout_Policy in the schema reference for BIG-IP AS3 usage. For more information, see Service Policies in the BIG-IP documentation.

Note

BIG-IP AS3 does not support the Port Misuse policy in a Service Policy at this time.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named timeoutTenant.
  • A virtual server named timeoutGeneric that references the idle timeout policy.
  • A Service policy object (which BIG-IP AS3 creates automatically to hold the timeout policy; it is not part of the declaration) that contains the Idle Timeout policy named my_idle_timeout_policy that contains a number of rules.
{
    "class": "ADC",
    "schemaVersion": "3.19.0",
    "id": "Idle_Timeout_Policy",
    "timeoutTenant": {
        "class": "Tenant",
        "timeoutApp": {
            "class": "Application",
            "timeoutGeneric": {
                "class": "Service_Generic",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "192.0.2.141"
                ],
                "policyIdleTimeout": {
                    "use": "my_idle_timeout_policy"
                }
            },
            "my_idle_timeout_policy": {
                "class": "Idle_Timeout_Policy",
                "remark": "my policy remark",
                "rules": [
                    {
                        "name": "rule1",
                        "remark": "tcp all ports",
                        "protocol": "tcp",
                        "destinationPorts": [
                            "all-other"
                        ],
                        "idleTimeout": 120
                    },
                    {
                        "name": "rule2",
                        "remark": "udp port 9090",
                        "protocol": "udp",
                        "destinationPorts": [
                            9090
                        ],
                        "idleTimeout": 300
                    },
                    {
                        "name": "rule3",
                        "remark": "all other protocols",
                        "protocol": "all-other",
                        "idleTimeout": 40
                    },
                    {
                        "name": "rule4",
                        "remark": "non port 9090 udp",
                        "protocol": "udp",
                        "destinationPorts": [
                            "all-other"
                        ],
                        "idleTimeout": 60
                    }
                ]
            }
        }
    }
}
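To see which rule of the policy above a given flow would hit, the following Python helper walks the declaration's rules and picks the most specific match. This is an added example written for this page, not code from the BIG-IP AS3 project or its documentation; it assumes (the author's assumption, not stated on the page) that a rule naming the flow's protocol and destination port exactly wins over a rule that only matches through the "all-other" wildcard, and that the protocol wildcard is consulted last. The embedded declaration is the page's own my_idle_timeout_policy example.

```python
"""Look up which Idle_Timeout_Policy rule a flow would hit.

Added example for this page; not code from the BIG-IP AS3 project. The
lookup order (exact protocol+port > exact protocol > protocol wildcard) is
an assumption used for illustration.
"""
import json

# The page's own declaration, embedded so the example runs offline.
DECLARATION = json.loads(r"""
{
    "class": "ADC",
    "schemaVersion": "3.19.0",
    "id": "Idle_Timeout_Policy",
    "timeoutTenant": {
        "class": "Tenant",
        "timeoutApp": {
            "class": "Application",
            "timeoutGeneric": {
                "class": "Service_Generic",
                "virtualPort": 8080,
                "virtualAddresses": ["192.0.2.141"],
                "policyIdleTimeout": {"use": "my_idle_timeout_policy"}
            },
            "my_idle_timeout_policy": {
                "class": "Idle_Timeout_Policy",
                "remark": "my policy remark",
                "rules": [
                    {"name": "rule1", "remark": "tcp all ports", "protocol": "tcp",
                     "destinationPorts": ["all-other"], "idleTimeout": 120},
                    {"name": "rule2", "remark": "udp port 9090", "protocol": "udp",
                     "destinationPorts": [9090], "idleTimeout": 300},
                    {"name": "rule3", "remark": "all other protocols",
                     "protocol": "all-other", "idleTimeout": 40},
                    {"name": "rule4", "remark": "non port 9090 udp", "protocol": "udp",
                     "destinationPorts": ["all-other"], "idleTimeout": 60}
                ]
            }
        }
    }
}
""")

POLICY = DECLARATION["timeoutTenant"]["timeoutApp"]["my_idle_timeout_policy"]


def _port_matches(rule, port):
    """Return (matched, exact); exact is True only for a literal port entry."""
    # A rule with no destinationPorts (the page's "all-other" protocol rule)
    # is treated here as matching any port (assumption).
    entries = rule.get("destinationPorts", ["all-other"])
    for entry in entries:
        if entry == "all-other":
            continue
        if port is not None and int(entry) == port:
            return True, True
    return ("all-other" in entries), False


def lookup_idle_timeout(policy, protocol, port=None):
    """Return (rule name, idleTimeout in seconds) for a flow, or None."""
    best = None  # (specificity score, rule)
    for rule in policy["rules"]:
        proto = rule["protocol"]
        if proto not in (protocol, "all-other"):
            continue
        matched, exact_port = _port_matches(rule, port)
        if not matched:
            continue
        # Exact protocol is worth more than an exact port so that
        # "udp/all-other" beats "all-other" even for a named port.
        score = (2 if proto == protocol else 0) + (1 if exact_port else 0)
        if best is None or score > best[0]:
            best = (score, rule)
    if best is None:
        return None
    return best[1]["name"], best[1]["idleTimeout"]


if __name__ == "__main__":
    for flow in (("tcp", 443), ("udp", 9090), ("udp", 53), ("icmp", None)):
        print(flow, "->", lookup_idle_timeout(POLICY, *flow))
```

Running the module shows that UDP 9090 resolves to rule2 (300 s) even though rule4 also matches UDP, and that a protocol with no port, such as ICMP, falls through to rule3. Confirm the real ordering against the BIG-IP by inspecting the generated Service policy before relying on it.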



Adding logging for protocol inspection events

This example shows how you can configure logging for protocol inspection events in a declaration. Logging is performed using a Log Publisher called from a Security Log profile. For detailed information on logging security events, see BIG-IP documentation.

For BIG-IP AS3 usage, see Log_Publisher and Security_Log_Profile in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Security_Log_Protocol_Inspection.
  • A Security Log Profile named secLogProtocolInspection that calls the log publisher.
  • A Log Publisher named logPub that references a destination on the BIG-IP.
{
    "class": "ADC",
    "schemaVersion": "3.20.0",
    "id": "Security_Log_Profile",
    "Security_Log_Protocol_Inspection": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "secLogProtocolInspection": {
                "class": "Security_Log_Profile",
                "protocolInspection": {
                    "publisher": {
                        "use": "logPub"
                    },
                    "logPacketPayloadEnabled": false
                }
            },
            "logPub": {
                "class": "Log_Publisher",
                "destinations": [
                    {
                        "bigip": "/Common/local-db"
                    }
                ]
            }
        }
    }
}



Adding ports to a protocol inspection profile

This example shows how you can configure the ports property (introduced in BIG-IP AS3 3.23) in a protocol inspection profile. In prior versions of AS3, the ports property was not available.

For BIG-IP AS3 usage, see Protocol_Inspection_Profile_Services and Protocol_Inspection_Profile in the Schema Reference.

This declaration creates the following objects on the BIG-IP:

  • Partition (tenant) named Example_PIP.
  • A virtual server named service that references the protocol inspection profile.
  • A protocol inspection profile, which includes the ports property.
{
    "class": "AS3",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.23.0",
        "Example_PIP": {
            "class": "Tenant",
            "A1": {
                "class": "Application",
                "service": {
                    "class": "Service_HTTP",
                    "virtualPort": 80,
                    "virtualAddresses": [
                        "192.0.2.1"
                    ],
                    "profileProtocolInspection": {
                        "use": "InspectionProfile"
                    }
                },
                "InspectionProfile": {
                    "class": "Protocol_Inspection_Profile",
                    "collectAVRStats": true,
                    "enableComplianceChecks": true,
                    "enableSignatureChecks": true,
                    "services": [
                        {
                            "type": "http",
                            "compliance": [
                                {
                                    "check": "http_contains_colon"
                                }
                            ],
                            "signature": [
                                {
                                    "check": "http_app_detect_absolute_software_computrace_outbound_connection_bh_namequery_com"
                                }
                            ],
                            "ports": [80, 8080]
                        }
                    ]
                }
            }
        }
    }
}



Configuring a Security Logging Profile with Bot defense

This example shows how you can use bot defense options in a Security Logging profile in BIG-IP 14.1 and later. This example does not create the bot defense configuration, but configures logging for it. Logging is performed using a Log Publisher, which is called from the Security Log profile as shown in the example.

For more information on F5 bot defense, which can prevent layer 7 DoS attacks, web scraping, and brute force attacks from starting, see the Configuring Bot Defense chapter of the ASM Implementations guide.

We strongly recommend you visit Security_Log_Profile_Bot_Defense in the Schema Reference for specific information on the bot defense properties, including minimum BIG-IP versions for some properties. Also see Security_Log_Profile in the Schema Reference.

For detailed information on logging security events, see BIG-IP documentation. See K11412315: Configuring Bot Defense logging for information on manual configuration.

This declaration creates the following objects on the BIG-IP (note the example does not create a virtual service):

  • A partition (tenant) named AS3_Tenant.
  • An Application named AS3_Application
  • A Security Log Profile named exampleBotDefense which includes bot defense.
  • Bot defense which includes a log publisher and a number of bot defense properties.
{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "exampleBotDefense": {
                "class": "Security_Log_Profile",
                "botDefense": {
                    "localPublisher": {
                        "bigip": "/Common/local-db-publisher"
                    },
                    "logAlarm": true,
                    "logBlock": true,
                    "logBrowser": true,
                    "logBrowserVerificationAction": true,
                    "logCaptcha": true,
                    "logDeviceIdCollectionRequest": true,
                    "logMaliciousBot": true,
                    "logMobileApplication": true,
                    "logNone": true,
                    "logRateLimit": true,
                    "logSuspiciousBrowser": true,
                    "logTcpReset": true,
                    "logTrustedBot": true,
                    "logUnknown": true,
                    "logUntrustedBot": true,
                    "logHoneyPotPage": true,
                    "logRedirectToPool": true,
                    "logChallengeFailureRequest": true
                }
            }
        }
    }
}



Referencing an IP Intelligence policy in a declaration

This example shows how you can reference existing IP Intelligence policies in a BIG-IP AS3 declaration. IP Intelligence policies validate traffic against an IP intelligence database, allowing you to perform a number of actions based on the policy. For detailed information on IP Intelligence policies and how to create them, see the IP Intelligence chapter in the BIG-IP AFM documentation.

This declaration does not create an IP Intelligence policy; it allows you to reference an existing policy in a declaration.

This declaration creates the following objects on the BIG-IP:

  • A partition (tenant) named tenant.
  • An Application named application.
  • A virtual server named service that references an existing IP Intelligence policy on the BIG-IP.
{
    "class": "ADC",
    "schemaVersion": "3.35.0",
    "tenant": {
        "class": "Tenant",
        "application": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": ["1.2.3.4"],
                "ipIntelligencePolicy": {
                    "bigip": "/Common/ip-intelligence"
                }
            }
        }
    }
}



Using a network address list in a declaration

This example shows how you can use an address list in a declaration when using BIG-IP v14.0 or later. When you use the Net_Address_List class, you can specify IP addresses or address ranges, and/or use a pointer (or BIG-IP pathname) to a list of address lists.

This provides a way to specify IP addresses for a DoS profile (for example) without having to use a Firewall_Address_List which requires that you have BIG-IP AFM licensed and provisioned.

Important

Network address lists and firewall address lists are duplicates of each other (TMOS creates or updates both when either is updated or created). Network address lists are only available in BIG-IP 14.0+, and firewall address lists are only available when AFM is provisioned (or has been provisioned before). However, Firewall_Address_List has additional properties that Net_Address_List does not.

This declaration creates the following objects on the BIG-IP:

  • A partition (tenant) named TEST_DOS_Profile
  • An Application named Application
  • A DoS Profile named exampleDosProfile with a pointer to an allow list
  • A Network Address List named netAddressList with both an IP address and a pointer to the next address list.
  • Another Network address list named otherNetAddressList with one IP address.
{
    "class": "ADC",
    "updateMode": "selective",
    "schemaVersion": "3.37.0",
    "id": "declarationId",
    "label": "theDeclaration",
    "remark": "Net Address List declaration",
    "TEST_DOS_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleDosProfile": {
                "class": "DOS_Profile",
                "remark": "description",
                "allowlist": {
                    "use": "netAddressList"
                }
            },
            "netAddressList": {
                "class": "Net_Address_List",
                "addresses": [
                    "192.0.2.0"
                ],
                "addressLists": [
                    {
                        "use": "otherNetAddressList"
                    }
                ]
            },
            "otherNetAddressList": {
                "class": "Net_Address_List",
                "addresses": [
                    "198.51.100.0"
                ]
            }
        }
    }
}
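Because a Net_Address_List can point at other address lists, the effective allowlist of the DoS profile above is only visible once every pointer is followed. The Python helper below does that offline: it flattens the nested lists of the page's declaration, handles single addresses, CIDR prefixes and "low-high" ranges, records any bigip pointer it cannot resolve without a BIG-IP, refuses cyclic references, and then tests an address against the result. This is an added example written for this page, not code from the BIG-IP AS3 project or its documentation; the cyclic declaration used in the usage note is constructed, and the "/tenant/app/name" form of the use pointer is handled on the assumption that it is the full-path form AS3 accepts.

```python
"""Flatten nested Net_Address_List objects and test an IP against the result.

Added example for this page; not code from the BIG-IP AS3 project.
"""
import ipaddress
import json

# The page's own declaration, embedded so the example runs offline.
DECLARATION = json.loads(r"""
{
    "class": "ADC",
    "updateMode": "selective",
    "schemaVersion": "3.37.0",
    "id": "declarationId",
    "label": "theDeclaration",
    "remark": "Net Address List declaration",
    "TEST_DOS_Profile": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "exampleDosProfile": {
                "class": "DOS_Profile",
                "remark": "description",
                "allowlist": {"use": "netAddressList"}
            },
            "netAddressList": {
                "class": "Net_Address_List",
                "addresses": ["192.0.2.0"],
                "addressLists": [{"use": "otherNetAddressList"}]
            },
            "otherNetAddressList": {
                "class": "Net_Address_List",
                "addresses": ["198.51.100.0"]
            }
        }
    }
}
""")

LIST_CLASSES = ("Net_Address_List", "Firewall_Address_List")


def resolve_use(tenant, app, ref):
    """Return (tenant, app, name) for a use pointer relative to an Application."""
    if ref.startswith("/"):  # assumed full-path form: /tenant/app/name
        parts = ref.strip("/").split("/")
        if len(parts) != 3:
            raise ValueError(f"unsupported use pointer: {ref}")
        return tuple(parts)
    return tenant, app, ref


def entry_to_networks(entry):
    """Turn one address entry into a list of ip_network objects."""
    if "-" in entry:  # "low-high" range; IPv6 text never contains "-"
        low, high = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(low, high))
    return [ipaddress.ip_network(entry, strict=False)]


def flatten_address_list(declaration, tenant, app, name, _path=()):
    """Return (networks, unresolved bigip paths) for one address list."""
    key = (tenant, app, name)
    if key in _path:  # the path records only this branch, so diamonds are fine
        chain = " -> ".join("/" + "/".join(k) for k in _path + (key,))
        raise ValueError(f"address list cycle: {chain}")
    obj = declaration[tenant][app][name]
    if obj.get("class") not in LIST_CLASSES:
        raise ValueError(f"/{tenant}/{app}/{name} is not an address list")
    networks, unresolved = [], []
    for entry in obj.get("addresses", []):
        networks.extend(entry_to_networks(entry))
    for pointer in obj.get("addressLists", []):
        if "use" in pointer:
            t, a, n = resolve_use(tenant, app, pointer["use"])
            sub_nets, sub_unres = flatten_address_list(declaration, t, a, n, _path + (key,))
            networks.extend(sub_nets)
            unresolved.extend(sub_unres)
        elif "bigip" in pointer:  # lives on the BIG-IP; cannot expand offline
            unresolved.append(pointer["bigip"])
    return networks, unresolved


def dos_allowlist(declaration, tenant, app, profile_name):
    """Resolve a DOS_Profile allowlist to (networks, unresolved bigip paths)."""
    pointer = declaration[tenant][app][profile_name].get("allowlist", {})
    if "use" in pointer:
        t, a, n = resolve_use(tenant, app, pointer["use"])
        return flatten_address_list(declaration, t, a, n)
    if "bigip" in pointer:
        return [], [pointer["bigip"]]
    return [], []


def address_in_networks(address, networks):
    """True when the address falls inside any of the resolved networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)
```

For the page's declaration, dos_allowlist resolves exampleDosProfile to exactly 192.0.2.0/32 and 198.51.100.0/32, so 192.0.2.1 is not allowlisted. A constructed pair of lists that reference each other (x -> y -> x) raises a ValueError naming the chain, which is worth catching before a declaration is posted, since a misplaced pointer can silently widen an allowlist.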



Creating an ALG log profile in a declaration

This example shows how you can create an ALG (Application Layer Gateway) logging profile in an AS3 declaration in version 3.43 and later.

An ALG log profile allows fine-grained control of the logging for ALG events. When attached to a supported ALG profile (NAT, FTP, RTSP, SIP, and PPTP), you can control the events to log, as well as optional elements in the log entry. For more information on ALG profiles, see Using ALG profiles in the BIG-IP documentation.

For AS3 options and usage, see ALG_Log_Profile.

Note

The following example only creates the ALG logging profile; you need to configure additional objects to be able to use this profile.

This declaration creates only the following objects on the BIG-IP:

  • A partition (tenant) named Tenant
  • An Application named Application
  • An ALG log profile named myProfile with a number of properties.
{
    "class": "ADC",
    "schemaVersion": "3.43.0",
    "id": "ALG_Log_Profile",
    "Tenant": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "myProfile": {
                "class": "ALG_Log_Profile",
                "remark": "My Remark",
                "csvFormat": true,
                "startControlChannel": {
                    "action": "enabled",
                    "includeDestination": false
                },
                "endControlChannel": {
                    "action": "disabled",
                    "includeDestination": true
                },
                "startDataChannel": {
                    "action": "backup-allocation-only",
                    "includeDestination": false
                },
                "endDataChannel": {
                    "action": "enabled",
                    "includeDestination": true
                },
                "inboundTransaction": {
                    "action": "enabled"
                }
            }
        }
    }
}



Apply AFM Policies on the Route Domains

In this example, we show how you can enforce AFM Policies on a list of Route Domain objects in a BIG-IP AS3 declaration. In the example, we only show one Route Domain, but you can add as many Route Domains as you wish to the list.

Note

AS3 does not create Route Domains, so only a bigip pointer that references an existing object on the BIG-IP can be used. The Route Domains must therefore already exist.

See Firewall_Policy in Appendix A: Schema Reference for BIG-IP AS3.

{
    "class": "ADC",
    "schemaVersion": "3.49.0",
    "id": "declaration",
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "firewallPolicy": {
                "class": "Firewall_Policy",
                "routeDomainEnforcement": [
                    {
                        "bigip": "/Common/100"
                    }
                ],
                "rules": [
                    {
                        "use": "fwRuleList"
                    }
                ]
            },
            "fwRuleList": {
                "class": "Firewall_Rule_List",
                "rules": [
                    {
                        "remark": "description",
                        "name": "rule1",
                        "action": "accept-decisively",
                        "protocol": "tcp",
                        "loggingEnabled": true
                    },
                    {
                        "remark": "description",
                        "name": "rule2",
                        "action": "reject",
                        "protocol": "tcp",
                        "loggingEnabled": true,
                        "source": {
                            "vlans": [
                                {
                                    "bigip": "/Common/external"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    },
    "tenant": {
        "class": "Tenant",
        "app": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualAddresses": [
                    "192.0.2.0"
                ],
                "virtualPort": 443,
                "policyFirewallEnforced": {
                    "use": "/Common/Shared/firewallPolicy"
                }
            }
        }
    }
}
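AFM evaluates the rules of a rule list in order and applies the first one that matches, so the order of rules in fwRuleList matters as much as their contents. The Python check below, an added example written for this page and not code from the BIG-IP AS3 project or its documentation, expands the rule lists a Firewall_Policy references and reports any rule that an earlier rule makes unreachable: a later rule is shadowed when the earlier rule has the same or looser constraints on every matching dimension. It uses the page's own route-domain declaration; the property names it inspects beyond protocol and source vlans (source/destination addresses, addressLists, ports and portLists) are taken from the Firewall_Rule schema as this author remembers it and should be verified against the Schema Reference, and the extra rules in the usage note are constructed.

```python
"""Find Firewall_Rule_List rules that an earlier rule makes unreachable.

Added example for this page; not code from the BIG-IP AS3 project. Assumes
first-match evaluation within a rule list.
"""
import json

# The page's own declaration, embedded so the example runs offline.
DECLARATION = json.loads(r"""
{
    "class": "ADC",
    "schemaVersion": "3.49.0",
    "id": "declaration",
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "firewallPolicy": {
                "class": "Firewall_Policy",
                "routeDomainEnforcement": [{"bigip": "/Common/100"}],
                "rules": [{"use": "fwRuleList"}]
            },
            "fwRuleList": {
                "class": "Firewall_Rule_List",
                "rules": [
                    {"remark": "description", "name": "rule1", "action": "accept-decisively",
                     "protocol": "tcp", "loggingEnabled": true},
                    {"remark": "description", "name": "rule2", "action": "reject",
                     "protocol": "tcp", "loggingEnabled": true,
                     "source": {"vlans": [{"bigip": "/Common/external"}]}}
                ]
            }
        }
    }
}
""")

# Matching dimensions of a Firewall_Rule (property names beyond "protocol"
# and "source.vlans" are assumed from the schema). A missing or "any"
# value means the rule matches anything on that dimension.
DIMENSIONS = (
    ("protocol",),
    ("source", "vlans"), ("source", "addresses"), ("source", "addressLists"),
    ("source", "ports"), ("source", "portLists"),
    ("destination", "addresses"), ("destination", "addressLists"),
    ("destination", "ports"), ("destination", "portLists"),
)


def _canonical(value):
    """Canonical string for a list entry: a literal or a use/bigip pointer."""
    if isinstance(value, dict):
        for kind in ("use", "bigip"):
            if kind in value:
                return f"{kind}:{value[kind]}"
        raise ValueError(f"unrecognised pointer: {value}")
    return str(value)


def _constraint(rule, path):
    """None when the rule matches anything on this dimension, else a frozenset."""
    node = rule
    for step in path:
        node = node.get(step) if isinstance(node, dict) else None
        if node is None:
            return None
    if path == ("protocol",):
        return None if node == "any" else frozenset([str(node)])
    values = frozenset(_canonical(v) for v in node)
    return values or None


def covers(earlier, later):
    """True when every packet matching `later` also matches `earlier`."""
    for path in DIMENSIONS:
        e, l = _constraint(earlier, path), _constraint(later, path)
        if e is None:
            continue  # earlier rule is unconstrained here
        if l is None or not l <= e:
            return False  # later rule admits traffic the earlier one does not
    return True


def find_shadowed_rules(rules):
    """Return [(shadowed rule name, earlier rule name)] in rule order."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later["name"], earlier["name"]))
                break
    return shadowed


def policy_rules(declaration, tenant, app, policy_name):
    """Concatenate the rules of every rule list a Firewall_Policy uses."""
    rules = []
    for pointer in declaration[tenant][app][policy_name].get("rules", []):
        if "use" not in pointer:
            raise ValueError("bigip rule lists cannot be expanded offline")
        ref = pointer["use"]
        t, a, n = ref.strip("/").split("/") if ref.startswith("/") else (tenant, app, ref)
        rules.extend(declaration[t][a][n]["rules"])
    return rules


if __name__ == "__main__":
    print(find_shadowed_rules(policy_rules(DECLARATION, "Common", "Shared", "firewallPolicy")))
```

On the page's declaration the check reports rule2 as shadowed by rule1: rule1 accepts all TCP with no source constraint, so the reject for TCP arriving on /Common/external never fires. The comparison is purely structural (it does not expand address lists or port lists, and treats addresses and addressLists as separate dimensions), so it can miss some shadowing but does not report it where the rule bodies do not prove it.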
