Create Shared Firewall Objects
F5 Advanced Firewall Manager (AFM) configurations are built-up using a series of smaller object containers.
For example, a firewall policy may contain one or more rule lists, which contain firewall rules in an ordered list; a rule in a rule list may contain one or more address lists, which contain lists of addresses or networks, and/or one or more port lists, which contain lists of ports. Building firewall policies through a series of smaller building blocks, allows for object re-use across all firewall objects, and when managed through BIG-IQ allows for simple re-use of firewall objects across an entire fleet for F5 AFM instances. In this excercise, we will create a few shared objects to be used in subsequent exercises for building a firewall policy.
Note
All steps in this lab will be completed using the persona Larry.
Create Address Lists:
- Connect to your BIG-IQ (as Larry)and go to : Configuration > Security > Network Security > Address Lists
- Click Create to create a new address list
- Edit the Name field, using the name
deployed_app_destinations
- Click the Addresses button on left side of screen
- Click the Type field to review the available options, then select Address
- Add the address 10.1.10.136, and use site36 in the description
- Click Update, then click Save & Close from bottom right
Create another address list identifying some known bad sources to block (small subset for Spamhaus EDROP):
Repeat steps 1-3 from above, this time using name deployed_app_bad_sources
Click the Addresses button on left side of screen
Add the following to the address list
- 5.188.11.0/24; description = Spamhaus EDROP member
- 5.188.216.0/24; description = Spamhaus EDROP member
- 14.118.252.0/22; description = Spamhaus EDROP member
- Geolocation = Russian Federation; description = block those Russians
Note
Above sources are just being used for purpose of example. Spamhaus EDROP list contains many more entries, and Russians aren’t that bad!
Click Save & Close
Create a Port List:
- Under Configuration > Security > Network Security >, click Port List
- Click Create to create a new port list
- Edit the Name field, using the name
deployed_app_ports
- Click the Ports button on left side of the screen
- Click the Type field too review the available options, the select Port
- In the Ports field type
80
, the click the + symbol, and add port 443
- Click Update, then click Save & Close from the bottom right
Create Firewall Rules using Shared Firewall Objects
Network firewalls use rules and rule lists to specify traffic-handling actions. The network software compares IP packets to the criteria specified in rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match any rule from the list, the software accepts the packet or passes it to the next rule or rule list. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.
Rule lists are containers for rules, which are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list. You can reorder rules in a given rule list at any time.
Create Firewall Rule:
- Under Configuration > Security > Network Security > Rule Lists
- Click Create to create a new rule list
- Edit the Name field, using the name
deployed_app_filters
- Click the Rules button left side of the screen
- Click Create Rule
- Click the pencil next to the new rule and edit as follows:
- Name = bad_app_sources
- Source Address = Address List = deployed_app_bad_sources
- Action = drop
- Log = Check box to enable logging
- Leave all other fields as any.
- Click Update next to new rule.
- Click Create Rule
- Click the pencil next to the new rule and edit as follows:
- Name = deployed_app_dests
- Destination Address = Address List = deployed_app_destinations
- Destination Ports = deployed_app_ports
- Protocol = TCP
- Action = Accept
- Leave all other fields as any
- Click Save & Close
Manipulating Rules in Rules Lists:
In this section, we will experiment with the various methods of re-ordering, editing, copying, and remove rules and rule contents
From the Rule List screen, click on the deployed_app_filters
rule list we just created, and experiment with options for manipulating the rules in the rules list:
- Drag the deployed_app_dests
rule and drop it above the deployed_app_bad_sources
rule
- Right click the deployed_app_dests
rule and examine the available options. Select Cut Rule, then select the bad_app_sources
rule, right click and select Paste After
- Right click the deployed_app_bad_sources
and select Copy Rule
Click Cancel, the click Create from Rule List screen
Click Rules, then Create Rule
Right click newly created rule, and select Paste Before. The rule we copied from the deployed_app_filters
has now been inserted in our new rule list.
Note
You can use Copy Rule and then Paste Rule between rule lists. However, if you use the Cut Rule option and then paste betweeen rule lists, the cut rule will not be removed from the rule list.
Click the pencil next the rule you just inserted to edit the rule. Click the “x” next to the deployed_app_destinations
and deployed_app_ports
lists to clear these fields from the rule.
Note
When editing a rule not all fields can be cleared, but you can remove the contents of the following fields:
- Address (source or destination)
- Port (source or destination)
- VLAN
- iRule
- Description
Right click the rule initially created when you clicked Create Rule, and select Delete Rule
Click Cancel to exit rule list editor
Managing Rule Lists:
In this section, we will work with various options for managing rule lists
- From the Rule List screen, select the
deployed_app_filters
rule list, and click the Clone button
- Cloned rules provide a simple mechanism for copying an entire rule list, and making simple edits for new requirements.
- Edit the Properties and Rules sections to meet new requirements. For this lab, just go ahead and give the cloned rule a new name. If you select a different partition in the cloned rule list, that partition must already exist on the BIG-IPs that the configuration will be deployed on.
- Click Save & Close to save the newly cloned rule. The cloned rule list is added to alphabetically under Rule Lists. In a high availability configuration, the cloned rule list is replicated to the standby system as soon as it is cloned.
- Click the cloned rule list. In the bottom on the screen, view the elements of the rule list in the left hand pane. In the right hand pane, click the Related Items button. This will show you the objects related to the rule list, and the application components that are using the rule list.
- Click the Delete button. In this case, our cloned rule list isn’t being used, so it is safe to delete. If, however, the rule list was in use BIQ would present a dialog box informing you that you cannot remove the rule list because it is in use.
Create Firewall Policy, Publish, and Assign to Context
Ultimately, the rule lists we worked with in the previous section are associated with a firewall policy for deployment. Firewall policies, can be attached in multiple contexts (Global, Route Domain, Virtual Server, Self IP, and Management IP). In this lab, we will explore using BIG-IQ to create a firewall policy, and look at options for attaching the policy in various contexts. Finally, we will publish our firewall policy, and assign it to an application template.
Creating Firewall Policies:
- Under Configuration > Security > Network Security, click Firewall Policies
- Click Create to create a new firewall policy
- Give the policy the name
f5-afm-policy_136
, and click Rules button
- Click Add Rule List button, and select the
deployed_app_filters
rule list created previously, and click Add.
- The
deployed_app_filters
rule list will be added to the firewall policy, named as Reference_To_deployed_app_filters
. From here, you can click the carrot beneath the rule ID and see the details of the rules that are part of the associated rule lists.
- At the bottom on the Policy Editor screen, look at the Shared Objects view. Click the drop down to see what Shared Objects can be added to a firewall policy.
- Select Rule Lists form the Shared Objects drop down. Drag the
deployed_app_filters
rule list into the policy.
- Rule Lists can be added using Add Rule List button, or just pulled in using the Shared Object repository.
- Right click the duplicate reference to the
deployed_app_filters
rule list we just added.
- Examine the options for manipulating the ordering or rules or rule lists inside a firewall policy.
- Select Delete to remove our duplicate reference.
- Click the Create Rule button to add a new rule to the firewall policy
- Firewall policies contain and ordered list of rules and rules lists. Using rule lists is a good method for organizing larger sets of rules, but not a requirement for building a firewall policy.
- Click the pencil next to the new rule to edit the rule.
- From the Shared Objects pane at the bottom on the Policy Editor screen, select Address Lists from the drop down.
- Drag the address list
deployed_app_bad_sources
into the source address field in the rule we are editing.
- Address and Port lists can be dragged into rules inside firewall policy editor in the same way they can in rule list editor.
- Click Update
- Right click the rule you just added and select Delete
- Click Save and Close to create the new firewall policy.
Associating Firewall Policies with Contexts:
As mentioned, firewall policies can be attached to various contexts within a BIG-IP system. Namely, policies can be attached at the Global, Route Domain, Virtual Server, Self-IP, and Management contexts. In these exercises, we will explore using BIG-IQ to make these associations:
- Under Configuration > Security > Network Security, click Contexts
- In the search bar in the upper right corner, search for global.
- Click the global context for the device
SEA-vBIGIP01.termmarc.com
- Examine the Properties page. A firewall policy can be attached as an Enforced Firewall Policy or a Staged Firewall Policy
- From the Shared Objects section on bottom of screen, select Firewall Policies
- Drag the
f5-afm-policy_136
policy into the row for Enforced Firewall Policy
- Shared objects (Firewall Policies, Service Policies, NAT Policies) can be dragged and dropped into the context.
- Click Cancel
- Clear the filter for Global. If interested, you can repeat the above steps for Self-IP, Route Domain, and/or VIP.
Note
To this point in the lab, we have not actually deployed any configuration to BIG-IP’s. All of our configuration has been created exclusively on BIG-IQ. You can create a deployment now to push the objects that we have created, but we will do this as part of an application template update in a subsequent step.