Lab 2.2: Using BIG-IQ Multi-Device Packet and Flow Tracers to test AFM policy

Note

Estimated time to complete: 20 minutes

In this lab, we will use the BIG-IQ Multi-Device Packet Tracer and Packet Flows utilities to test firewall policy across several AFM devices at once.

Lab environment access

If you have not yet visited the page Getting Started, please do so.

Create and Run a Multi-Device Packet Test On BIG-IQ

All AFM devices can run a test packet through the full set of AFM firewall, DoS, and IP Intelligence policies to troubleshoot how a given packet is handled by enforced or staged policy. BIG-IQ extends this functionality, allowing a security administrator to test a given packet against multiple AFM devices simultaneously. In this exercise, we will configure a packet test against multiple devices.

  1. Under Monitoring > Security > Network Security, click Packet Traces

  2. Click the Create button in the Packet Traces list

  3. Edit the Packet Parameters as follows:

     - Name: packet_136_1
     - Source IP Address: 100.100.100.1
     - Source Port: 36544
     - TTL: 255
     - Destination IP Address: 10.1.10.136
     - Destination Port: 443
     - Use Staged Policy: No
     - Trigger Log: No

  4. In the Devices section, click Add, then move all available devices to the Selected box.

  5. Set Source VLAN to external and leave the “Apply these VLANs to all Devices” box checked

  6. Click the Run Trace button in the bottom right corner of the page.

  7. Examine results for each of the devices.

  8. Click Group By drop down and select Virtual Server Rules, then Result as shown below

    ../../_images/packettester_viewbyresult.png

  9. Click the Device IP Intelligence icon for the packet test on the BOS-vBIGIP01 device to see which Global IP Intelligence policy was used to evaluate the packet.

  10. Click the Virtual Server Rules icon for the packet test on the BOS-vBIGIP01 device to view details of the firewall policy used to evaluate the packet.

    Note

    The AFM packet tester only performs policy matching on the active unit for a given traffic group. The standby unit reports results as if no policy at any level had matched. This is AFM behavior, not BIG-IQ behavior. Results in this lab will therefore show BOS-vBIGIP02 dropping the packet under default rule handling.

  11. Experiment with different ways to filter the results of the multi-device packet tests

Comparing Packet Traces Across Multiple Devices

  1. Under Monitoring > Security > Network Security, click Packet Traces

  2. Click the Create button in the Packet Traces list

  3. Edit the Packet Parameters as follows:

     - Name: packet_136_2
     - Source IP Address: 5.188.11.36
     - Source Port: 36544
     - TTL: 255
     - Destination IP Address: 10.1.10.136
     - Destination Port: 443
     - Use Staged Policy: No
     - Trigger Log: No

  4. Click Run Trace in the bottom right corner of the page.

  5. Examine the results of the Virtual Server Rules for BOS-vBIGIP01. This packet should be dropped.

  6. In the upper right-hand corner of the packet test, click Compare

  7. From the Packet Trace list select packet_136_1, then click the Compare button.

    Note

    Notice the note in the Packet Parameters section indicating that the packet parameters differ between the selected traces. This feature can be used in two ways. It can test two different packets against the same policy, to see how a given policy handles each condition. Alternatively, and perhaps more commonly, it can test the same packet against two versions of the same policy. In this case, we are testing two different packets against the same policy version.

  8. In the Filter box on the right-hand side of the Trace Results section, enter vBIGIP01 to limit the trace results to the active firewalls.

  9. With results filtered, you can quickly see how two different packets would be evaluated against the same firewall policy on multiple firewalls throughout the fleet.

    ../../_images/compare_packet_test.png
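The two procedures above exercise the same underlying behavior: AFM walks a packet through its policy contexts in a fixed order, the first matching rule in a context decides whether the walk continues or stops, and only the active unit of an HA pair performs the match. The toy model below, added for this lab and not BIG-IQ or AFM code, reproduces that walk for packet_136_1 and packet_136_2 and then builds the same per-device grid the Compare view shows. The rule set, the context names, the HA roles of BOS-vBIGIP01/02 and the default action are all constructed for illustration; the real policies on the lab firewalls are not known to this script.

```python
"""Toy model of the AFM policy walk reported by the BIG-IQ packet tester.

Added example for this lab; not BIG-IQ or AFM code. Rules, contexts, device
roles and the default action are constructed to mirror the lab's two traces.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified context order. A plain "accept" hands the packet on to the next
# context; "accept-decisively", "drop" and "reject" end the walk.
CONTEXT_ORDER = ("global", "route-domain", "virtual-server")
TERMINAL = {"accept-decisively", "drop", "reject"}


@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    sport: int
    dst: str
    dport: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    protocol: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and self.protocol in ("any", pkt.protocol))


@dataclass
class Device:
    name: str
    active: bool                     # packet tester only matches on the active unit
    policies: dict = field(default_factory=dict)   # context -> list of Rule
    default_action: str = "drop"     # constructed: the lab shows drops on no match

    def trace(self, pkt: Packet) -> list:
        """(context, matched rule name, action) per context, last row is the verdict."""
        rows = []
        for ctx in CONTEXT_ORDER:
            hit = None
            if self.active:   # standby: behaves as if nothing matched anywhere
                hit = next((r for r in self.policies.get(ctx, []) if r.matches(pkt)), None)
            rows.append((ctx, hit.name if hit else None, hit.action if hit else "no match"))
            if hit and hit.action in TERMINAL:
                return rows
        rows.append(("default", None, self.default_action))
        return rows

    def verdict(self, pkt: Packet) -> str:
        action = self.trace(pkt)[-1][2]
        return "accept" if action == "accept-decisively" else action


def compare(devices, packets, name_filter: str = "") -> dict:
    """Mirror the Compare view: {device: {packet: verdict}}, filtered like the UI box."""
    return {d.name: {p.name: d.verdict(p) for p in packets}
            for d in devices if name_filter in d.name}


# Constructed fleet: one HA pair, 01 active and 02 standby, sharing one policy.
VS_POLICY = [
    Rule("drop_bad_range", "drop", src="5.188.11.0/24"),
    Rule("allow_https", "accept-decisively", dst="10.1.10.136/32", dport=443, protocol="tcp"),
]
DEVICES = [
    Device("BOS-vBIGIP01", active=True, policies={"virtual-server": VS_POLICY}),
    Device("BOS-vBIGIP02", active=False, policies={"virtual-server": VS_POLICY}),
]
PACKET_136_1 = Packet("packet_136_1", "100.100.100.1", 36544, "10.1.10.136", 443)
PACKET_136_2 = Packet("packet_136_2", "5.188.11.36", 36544, "10.1.10.136", 443)

if __name__ == "__main__":
    for dev, results in compare(DEVICES, [PACKET_136_1, PACKET_136_2]).items():
        print(dev, results)
    for row in DEVICES[0].trace(PACKET_136_2):
        print("  ", row)
```

Run as-is, it prints packet_136_1 accepted and packet_136_2 dropped on BOS-vBIGIP01, and both dropped on the standby BOS-vBIGIP02 because no context matched and the default action applied, which is the pattern the lab note describes. Passing "vBIGIP01" to compare() reproduces the filter step.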

Use Packet Trace as Filter to Packet Flows Utility

  1. From the Ubuntu 18.04 LAMP server, open an SSH session.

  2. From the SSH session, run the following command. It generates SYN traffic that matches packet_136_1 (decoy source 100.100.100.1 via -D, source port 36544 via -g). Note that nmap also sends probes from the server's real address alongside the decoy, and with no -p option it scans its default top 1000 ports, which include 443:

    # 100 SYN scans of 10.1.10.136 with decoy source 100.100.100.1 and source port 36544
    for i in {1..100}; do sudo nmap -sS 10.1.10.136 -D 100.100.100.1 -g 36544; done
    
  3. In the BIG-IQ UI, under Monitoring > Security > Network Security, click Packet Traces

  4. Click on packet_136_1 from the packet traces list

  5. In the upper right-hand corner click the Get Flows button

  6. Enter flow_136_1 in the Name box, and verify all three AFM devices are in the Selected box in the Select Device section

  7. Click Get Flows

  8. BIG-IQ will now pull flow data from every selected firewall that matches the parameters of the packet trace configured in the previous steps.

    ../../_images/flow_from_trace.png

  9. In the Filter box, enter BOS to show flow data from only the BOS firewalls.

  10. Under Monitoring > Security > Network Security, click Packet Flows

  11. You should see that the flow you just created from the packet trace has been saved to BIG-IQ as a packet flow.