Lab 2: Permitting traffic to pass to virtual servers

Create an ACL to allow web traffic and SSH

The rules created in this section allow basic connectivity to the resources. We will add enforcement rules at the virtual server level to demonstrate functionality.

On the BIG-IP, we’ll create a rule list to allow traffic. A logical container will be created before the individual rules can be added. You will create a list with rule to allow port 80 (HTTP), 443 (HTTPS), and 22 to servers 10.1.20.11 through 10.1.20.17. We will also create a rules which allows HTTP and HTTPS traffic to access 10.1.10.30.

  1. On the BIG-IP UI, navigate to Security > Network Firewall > Rule Lists.
  2. Click Create and use the following parameters to create a rule list.
    Name: web_rule_list.

image270

  1. Click Finished.

Your list of rule lists should appear similar to below.

image269

Next, we’ll add rules to the rule list we just created.

  1. Select the web_rule_list by clicking on it in the Rule Lists table.

  2. Click the Add button in the Rules section.

    image276

  3. Add a rules into the list to allow HTTP and HTTPS traffic as described in the next steps.

Name allow_http_and_https
Protocol TCP
Source Leave at Default of Any
Destination Address Pulldown Specify Address Range 10.1.20.11 to 10.1.20.17, then click Add
Destination Port Pulldown Specify… Port 80, click Add, Specify… Port 443, click Add
Action Accept
Logging Enabled

Your screen should appear as such:

screenshot
  1. Click Finished, then add another rule by clicking Add again.
Name allow_any_10_1_10_30
Order Last
Protocol TCP
Source Leave at Default of Any
Destination Address Pulldown Specify…10.1.10.30 then click Add
Destination Port Leave at Default of Any
Action Accept
Logging Enabled
screenshot
  1. Click Finished. Your rules list should appear as shown below:

image272

Assign the Rule List to a Policy

Now we will assign this rule list to a policy.

  1. Navigate to Security > Network Firewall > Policies.
  2. Click Create.
  3. For the Name enter rd_0_policy.

image273

4.Click Finished.

Note

We commonly use “RD” in our rules to help reference the “Route Domain”, default is 0.

  1. Edit the rd_0_policy by clicking on it in the Policy Lists table.
  2. Click the Add Rule List button.
  3. For the Name, start typing web_rule_list. You will notice the name will auto complete, making it easy to reference the existing object.
  4. Select the rule list /Common/web_rule_list. Ensure that enabled is selected under State.

image274

  1. Click Done Editing. You will notice the changes are unsaved and need to be committed to the system. This is a nice feature to have enabled to verify you want to commit the changes you’ve just made without a change automatically being implemented.
  2. Click Commit Changes to System to commit your changes.

Assign the rd_0_policy to Route Domain 0

  1. Navigate to Network > Route Domains.
  2. Click on the 0 to select route domain 0. A route domain is similar to selecting a default VRF on an IP router, and 0 is the default.
  3. Select the Security tab. Set Enforcement to Enable and select the rd_0_policy.

image275

  1. Finally, click Update.

Configure BIG-IP Firewall in ADC Mode

By default, the Network Firewall is configured in ADC mode, a default allow configuration, in which all traffic is allowed through the firewall, and any traffic you want to block must be explicitly specified.

The system is configured in this mode by default so all traffic on your system continues to pass after you provision the Advanced Firewall Manager. You should create appropriate firewall rules to allow necessary traffic to pass before you switch the Advanced Firewall Manager to Firewall mode. In Firewall mode, a default deny configuration, all traffic is blocked through the firewall, and any traffic you want to allow through the firewall must be explicitly specified.

In existing deployments with a large number of VIP’s, adding AFM in Firewall mode would require significant preperation. Firewall functionality is easier to introduce in ADC mode.

  1. Navigate to Security > Options > Network Firewall > Firewall Options.
  2. Change the Virtual Server & Self IP Contexts context setting to Accept.

Your screen should appear similar to below:

image251

  1. Click Update if you changed this setting.

Validate Lab 2 Configuration

In Chrome, refresh the web sites in tabs 2-7. A web page should pull up for each tab.

Note

You may need to accept the certificate to proceed to the application sites.

Minimize all windows so that the desktop is shown. Open a terminal window by launching Cygwin from the shortcut. Use the curl utility to test connectivity.

Tip

The -k argument ignores certificate warnings.

curl -k https://10.1.10.30 -H Host:site1.com

curl -k https://10.1.10.30 -H Host:site2.com

curl -k https://10.1.10.30 -H Host:site3.com

curl -k https://10.1.10.30 -H Host:site4.com

curl -k https://10.1.10.30 -H Host:site5.com

You should see a response containing the HTML of the web page.

image264

This completes Module 1 - Lab 2. Click Next to continue.