Lab 4: Configure A Firewall Policy and Firewall Rules For Each Application

A network firewall policy is a collection of network firewall rules that can be applied to a virtual server. In this lab we will create two policies, each containing two rules. Each policy will then be applied to the appropriate virtual server and tested.

Create the geo_restrict Firewall Rule List and Firewall Policy

This section applies a firewall policy to the www.site1.com portion of the application. A real-world example would be a company hosting cryptographic software that is subject to export restrictions. In this case we will use the Geolocation feature to block access from a couple of countries, and only on the site1.com application.

  1. Navigate to Security > Network Firewall > Policies.
  2. Click Create. Enter the name site1_policy. Leave all other fields using the default values.

  3. Click Finished.

Create a geo_restrict_rule_list Rule List

  1. Navigate to Security > Network Firewall > Rule Lists.
  2. Click Create. Specify the name of geo_restrict_rule_list.

  3. Click Finished, then click on the geo_restrict_rule_list you just created.
  4. Click Add to add a rule to block traffic from Afghanistan, China and Canada:

     Name: block_AF_CN_CA
     Order: First
     Protocol: Any
     Source Address/Region: AF, CN, CA
     Action: Drop
     Logging: Enabled

Note

Leave all other fields using the default values.

  5. Click Finished.

Create Permit Log Network Firewall Rule

  1. Once again, click Add.
  2. Create another firewall rule using the following values.
     Name: permit_log
     Order: Last
     Action: Accept
     Logging: Enabled

Note

Leave all other fields using the default values.

  3. Click Finished.

Assign the geo_restrict_rule_list to the site1_policy

  1. Navigate to Security > Network Firewall > Policies.
  2. Click on site1_policy, then click Add Rule List.
  3. In the rule list field, start typing geo; the name will autocomplete. Select geo_restrict_rule_list when it appears.
  4. Click Done Editing, then Commit Changes to System.

Validate the site is available before and after applying the Network Firewall Policy. From the second Chrome tab, try to connect again to the application site https://site1.com.

From the desktop, launch the Cygwin Terminal.

curl -k https://10.1.10.30/ -H 'Host: site1.com'


Assign The Policy To The Virtual Server

A distinctive feature of the BIG-IP firewall module is that L3-4 security policies can be assigned to an individual application, i.e. a virtual server. Each application can therefore have its own firewall policy, separate from those of the other application virtual servers.

Apply the Network Firewall Policy to Virtual Server

  1. Navigate to Local Traffic > Virtual Servers.
  2. Click int_vip_www.site1.com_1.1.1.1.
  3. Click on the Security drop-down and select Policies.
  4. Edit the Network Firewall section of the screen:
     Virtual Server: int_vip_www.site1.com_1.1.1.1
     Enforcement: Enabled
     Policy: site1_policy
     Log Profile: Enabled
     Log Profile: firewall_log_profile

Note

Leave all other fields using the default values.

  5. Click Update.

In order to test this geo-ip based rule, we need to simulate a connection from a prohibited country.

Many enterprise sites have some or all of their content served by Content Delivery Networks (CDNs). This common deployment uses proxies to serve static content closer to the end client for performance. As a result, only one or two IP addresses may ever connect to the origin website; the client's original IP address is instead carried in a common HTTP header, X-Forwarded-For (XFF), or some variation of it. In this deployment, the BIG-IP can translate the original source address carried in the XFF header into the source IP address of the request. Because that header is set by whoever sends the request, a production deployment should only honor it from the known CDN addresses; in this lab we rely on exactly that property to simulate clients from arbitrary addresses.

There is an iRule applied to EXT_VIP_10_1_10_30 that SNATs the source IP to the address in the X-Forwarded-For header.

XFF-SNAT iRule syntax:

when HTTP_REQUEST {
   # Only act when the request carries an X-Forwarded-For header
   if { [HTTP::header exists "X-Forwarded-For"] } {
      # Use the header value as the source address of the server-side
      # connection, so the internal virtual server's firewall policy
      # evaluates that address instead of the real client address
      snat [HTTP::header X-Forwarded-For]
      # Log the substituted address via the local0 facility
      log local0. [HTTP::header X-Forwarded-For]
   }
}

curl lets us set the X-Forwarded-For header, and so choose the source IP address the firewall will see. First, send a request to the VIP, specifying the site we want to retrieve in the Host header.

curl -k https://10.1.10.30/ -H 'Host: site1.com'

Since we did not set the header, the firewall sees the RFC 1918 address of the jump host (10.1.10.199).

Now use the -H option in curl to set the X-Forwarded-For header. This triggers the iRule on the external VIP, which makes the firewall see the address given in the header.

curl -k https://10.1.10.30/ -H 'Host: site1.com' -H 'X-Forwarded-For: 172.16.99.5'

Return to the firewall events (Security > Event Logs > Network > Firewall) log viewer and click Search to refresh. Observe the new entries.

Next, we will simulate a connection from an IP address in Beijing, China. Browse to https://whatismyipaddress.com/ip/1.202.2.1; this site shows that the address is most likely in Beijing, China.

Tip

You can check the geo classification of an address from the BIG-IP CLI using the command geoip_lookup 1.202.2.1

Now, issue the curl command and specify the source IP address with the following command:

curl -k https://10.1.10.30/ -H 'Host: site1.com' -H 'X-Forwarded-For: 1.202.2.1'

This connection attempt will fail. Return to the BIG-IP GUI and refresh the firewall event log.

Warning

You may need to zoom the browser or scroll right horizontally to see the "Action" column in the event logs.


Create A Separate Policy For the site2 Virtual Server

Now we want to create a second policy to restrict access to site2.

  1. Navigate to Security > Network Firewall > Policies.
  2. Click Create. Specify the Name of site2_policy.


Note

Leave all other fields using the default values.

  3. Click Finished.

Modify the policy with rules that allow TCP port 80 from host 172.16.99.5 and deny all other addresses. This time we will build the rules directly into the policy instead of using a rule list.

  1. Click on the site2_policy you just created, then click the Add Rule pull-down on the upper right.
  2. Add the following rule at the beginning of the policy:

     Name: allow_site_172.16.99.5
     Protocol: TCP (6)
     Source Address: 172.16.99.5
     Action: Accept
     Logging: Enabled (checked)

Warning

You may need to scroll right horizontally or zoom out in your browser to see the Logging column.


Note

Leave all other fields using the default values.

  3. Click Done Editing.

Now, create a Deny Log Network Firewall Rule.

Note

As we are deployed in “ADC Mode” where the default action on a virtual server is ‘Accept’, we must also create a default deny rule. For further discussion of Firewall vs ADC modes, please consult the F5 BIG-IP documentation at https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-network-firewall-policies-and-implementations/deploying-the-big-ip-network-firewall-in-adc-mode.html.

  1. Click the Add Rule pull-down on the upper right and add a rule at the end of the policy:

     Name: deny_log
     Action: Drop
     Logging: Enabled (checked)

Note

Leave all other fields using the default values.

  2. Click Done Editing.


  3. Click Commit Changes To System.


  4. Click Finished.

Apply the site2_policy Policy to the Virtual Server

  1. Navigate to Local Traffic > Virtual Servers.
  2. Click on int_vip_www.site2.com_2.2.2.2.
  3. Click on the Security drop-down and select Policies.

Update the settings to reflect the values below:

  Virtual Server: int_vip_www.site2.com_2.2.2.2
  Enforcement: Enabled
  Policy: site2_policy
  Log Profile: Enabled
  Log Profile: firewall_log_profile

Note

Leave all other fields using the default values.

  4. Click Update.

From the jump host, we will now validate the behavior of the policy and the associated rule list.

Again, from the desktop, launch the Cygwin Terminal so that we can specify the source IP address. As before, this relies on the iRule applied to EXT_VIP_10_1_10_30, which SNATs the source IP to the address in the X-Forwarded-For header.

First, let’s send a request from the IP address we allowed via firewall rule.

curl -k https://10.1.10.30/ -H 'Host: site2.com' -H 'X-Forwarded-For: 172.16.99.5'

Next, try the same request from an IP address that is not in the accept rule. This should fail.

curl -k https://10.1.10.30/ -H 'Host: site2.com' -H 'X-Forwarded-For: 172.16.99.7'

Review the logs in the BIG-IP and see that the traffic was dropped and logged.
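The curl tests in this lab (the geolocation block on site1 and the allow/deny pair on site2) can be reasoned about with a small model of first-match policy evaluation. The following Python is an added example, not F5 code and not part of the lab: it models the effect of the XFF-SNAT iRule on the source address the firewall sees, evaluates the two lab policies rule by rule, and shows why the implicit accept of ADC mode makes the deny_log rule at the end of site2_policy necessary. The geolocation table, the Rule class, and the function names are assumptions constructed for the example; only the addresses, policy names and rule names come from the lab.

```python
"""Added example: a model of how the two lab policies evaluate traffic.

Models three things the lab relies on:
  * the XFF-SNAT iRule, which makes the firewall see the X-Forwarded-For
    value as the connection's source address;
  * first-match evaluation of an ordered list of rules;
  * ADC mode's implicit 'accept' when no rule matches, which is why
    site2_policy needs an explicit deny_log rule at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the BIG-IP geolocation database (prefix -> ISO code).
# 1.202.2.1 -> CN matches what the lab observes; the other entries are
# placeholders using documentation ranges.
GEO_TABLE = {
    ipaddress.ip_network("1.202.0.0/16"): "CN",      # constructed
    ipaddress.ip_network("198.51.100.0/24"): "CA",   # constructed
    ipaddress.ip_network("203.0.113.0/24"): "AF",    # constructed
}


def country_of(ip) -> Optional[str]:
    """Return the country code for an address, or None if unknown (e.g. RFC 1918)."""
    for net, code in GEO_TABLE.items():
        if ip in net:
            return code
    return None


def effective_source(client_ip: str, headers: Dict[str, str]):
    """Model of the XFF-SNAT iRule on EXT_VIP_10_1_10_30 (hypothetical helper).

    If an X-Forwarded-For header is present, its first address becomes the
    source the internal virtual server, and therefore the firewall, sees.
    Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            # Simplification: honor only the first hop if the header carries a list.
            return ipaddress.ip_address(value.split(",")[0].strip())
    return ipaddress.ip_address(client_ip)


@dataclass(frozen=True)
class Rule:
    """One network firewall rule; empty match fields mean 'any'."""
    name: str
    action: str                      # "accept" or "drop"
    protocol: str = "any"            # "any", "tcp", "udp"
    sources: Tuple[str, ...] = ()    # addresses or CIDR prefixes
    regions: Tuple[str, ...] = ()    # ISO country codes (geolocation match)
    logging: bool = True

    def matches(self, src, protocol: str) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.sources and not any(src in ipaddress.ip_network(s) for s in self.sources):
            return False
        if self.regions and country_of(src) not in self.regions:
            return False
        return True


def evaluate(policy, src, protocol: str = "tcp", default_action: str = "accept"):
    """First matching rule wins; otherwise the virtual server default applies
    (accept in ADC mode). Returns (rule name, action)."""
    for rule in policy:
        if rule.matches(src, protocol):
            return rule.name, rule.action
    return "<no rule matched: virtual server default>", default_action


# The two policies as built in the lab, in evaluation order.
SITE1_POLICY = (
    Rule("block_AF_CN_CA", "drop", regions=("AF", "CN", "CA")),   # Order: First
    Rule("permit_log", "accept"),                                   # Order: Last
)
SITE2_POLICY = (
    Rule("allow_site_172.16.99.5", "accept", protocol="tcp", sources=("172.16.99.5",)),
    Rule("deny_log", "drop"),
)


def lab_requests() -> Dict[str, Tuple[str, str]]:
    """Replay the lab's curl sequence through the model and return the verdicts."""
    jump_host = "10.1.10.199"   # the address seen when no XFF header is sent
    cases = {
        "site1 no XFF":          (SITE1_POLICY, {}),
        "site1 XFF 172.16.99.5": (SITE1_POLICY, {"X-Forwarded-For": "172.16.99.5"}),
        "site1 XFF 1.202.2.1":   (SITE1_POLICY, {"X-Forwarded-For": "1.202.2.1"}),
        "site2 XFF 172.16.99.5": (SITE2_POLICY, {"X-Forwarded-For": "172.16.99.5"}),
        "site2 XFF 172.16.99.7": (SITE2_POLICY, {"X-Forwarded-For": "172.16.99.7"}),
        # The same request against site2_policy without its deny_log rule: the
        # implicit accept of ADC mode lets it through, which is the point of the note.
        "site2 XFF 172.16.99.7, no deny_log": (SITE2_POLICY[:1], {"X-Forwarded-For": "172.16.99.7"}),
    }
    return {label: evaluate(policy, effective_source(jump_host, headers))
            for label, (policy, headers) in cases.items()}


if __name__ == "__main__":
    for label, (rule, action) in lab_requests().items():
        print(f"{label:38s} -> {action:6s} ({rule})")
```

Running the block prints one verdict per request; the last line shows that dropping the deny_log rule turns the 172.16.99.7 request into an accept, exactly the behavior the ADC-mode note warns about.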

This concludes Module 1 - Lab 4. Click Next to continue.