F5 Customer Demo: BIG-IP AFM - Use Port Lists, Address Lists, Schedules, and Rule Lists
The purpose of this demo is to show how to use BIG-IP AFM to manage network firewall access for multiple web
applications using port lists, address lists, schedules, and rule lists. In this demo you will:
1. Show the current environment, which includes several virtual servers which allow access using
multiple ports.
2. Use the active rules page to create port lists, address lists, and a schedule.
3. Create a rule list containing several rules that uses the port lists, address lists, and schedule, and then
add the rule list to all virtual servers.
4. Make updates to the port lists, address list, schedule, and rule list.
5. Show the built-in BIG-IP AFM reports.
Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
Part 1 – Prepare the BIG-IP Demo Environment
Prep Task 1 – Download and Open the Windows Server VMware Image
The BIG-IP AFM demos require the Windows Server VMware image. If you haven’t already downloaded and
configured this image, follow these steps. If you’ve already downloaded this image, you can move to task 2.
WWFE Lab Guides –BIG-IP AFM 04 Demo – Use Port Lists, Address Lists, Schedules, and Rule Lists; v14.1.A Page | 1
→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).
− Once the clean_install archive file has loaded, open Chrome or Firefox, click the BIGIP_A bookmark,
and log into the BIG-IP system as admin / admin.F5demo.com.
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal
− Open the Security > Network Firewall > Policies page and click Create.
− Name the policy server41_policy, and then click Repeat.
− Create four more policies named server42_policy, server43_policy, server44_policy,
and server45_policy.
− In PuTTY, copy and paste the following lines together:
tmsh create security log profile logging_profile { network add { logging_profile { filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled log-ip-errors enabled log-tcp-errors enabled log-tcp-events enabled log-translation-fields enabled } format { field-list { action date_time dest_ip dest_port drop_reason protocol src_ip src_port } type field-list } publisher local-db-publisher } } }
tmsh create ltm pool server41_pool members add { 10.1.20.41:0 { address 10.1.20.41 } }
tmsh create ltm pool server42_pool members add { 10.1.20.42:0 { address 10.1.20.42 } }
tmsh create ltm pool server43_pool members add { 10.1.20.43:0 { address 10.1.20.43 } }
tmsh create ltm pool server44_pool members add { 10.1.20.44:0 { address 10.1.20.44 } }
tmsh create ltm pool server45_pool members add { 10.1.20.45:0 { address 10.1.20.45 } }
tmsh create ltm virtual server41_virtual destination 10.1.10.41:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server41_policy pool server41_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server42_virtual destination 10.1.10.42:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server42_policy pool server42_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server43_virtual destination 10.1.10.43:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server43_policy pool server43_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server44_virtual destination 10.1.10.44:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server44_policy pool server44_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server45_virtual destination 10.1.10.45:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server45_policy pool server45_pool security-log-profiles add { logging_profile }
tmsh save sys ucs demo_afm_port-address-rule-lists_v14.1.ucs
exit
Part 2 – Deliver the BIG-IP Customer Demo
→NOTE: If you do not have the demo_afm_port-address-rule-lists_v14.1.ucs archive file, complete part 1 of this
document.
− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Log into the LAMP workstation as Xubuntu with no password.
− In the Configuration Utility, examine the Virtual Servers page.
For the purposes of this demo let’s imagine this list includes 50 or more virtual servers. For all virtual
servers we need to create several firewall rules:
o We want to reject all requests from specific locations that we’ve identified as dangerous sources.
o We need to allow SSH and HTTPS access from a specific source within the dangerous location list
during work hours.
o We want to allow HTTP and HTTPS access from all other locations.
o We want to reject all other access.
To create all these rules for this many virtual servers would take a lot of time. In addition, if we need
to make any modifications to our specifications, it would require us to revisit all 50 virtual servers and
manually make the modifications. We’re going to streamline this process using port lists, address lists,
and rule lists.
− Open the Security > Network Firewall > Active Rules page.
We use this page to view, create, and modify network firewall rules for all BIG-IP contexts, including
the virtual server context.
− On the top right-hand side of the page, use the << icon to expand the panel.
We use this panel to view, create, and modify port lists and address lists.
− Select Port List (2), and then click the + icon.
− For name enter app_ports, then add ports 80 and 443, and then click Commit.
− For Port List (3) click the + icon, then for name enter admin_ports, then add ports 22 and 443, and then
click Commit.
− For Address List (0) click the + icon.
− For name enter malicious_locations, then add the following entries, and then click Commit.
o 10.1.20.0/24
o Syrian Arab Republic
o Korea, Democratic People’s Republic of
→NOTE: In this example we’re using 10.1.20.0/24 to represent a location we’ve identified as a
source of multiple malicious requests.
− For Address List (1) click the + icon, then for name enter admin_list, then add 10.1.20.252/32, and then
click Commit.
− For Schedules (0) click the + icon.
− For name enter business_hours, then add the following entries, and then click Commit.
o Specify monday - friday
o Enter 08:00 – 17:00
− Open the Security > Network Firewall > Rule Lists page and click Create.
− Name the rule list all_lorax_apps, and then click Finished.
− Click all_lorax_apps, and then on the right-side of the page click Add.
− Use the following for the first rule, and then click Repeat.
Name accept_scheduled_admin_access
State Scheduled > Schedule: business_hours
Protocol TCP (NOTE: Do not change the protocol number of 6)
Source Address List: /Common/ admin_list (Click Add)
Destination Port List: /Common/admin_ports (Click Add)
Action Accept
Logging Enabled
− Use the following for the next rule, and then click Repeat.
Name reject_locations
State Enabled
Protocol Any
Source Address List: /Common/malicious_locations (Click Add)
NOTE: Delete the admin_list address list.
Action Reject
Logging Enabled
− Use the following for the next rule, and then click Repeat.
Name accept_app_ports
Protocol TCP
Source Any
Destination Port List: /Common/app_ports (Click Add)
Action Accept
Logging Enabled
− Use the following for the last rule, and then click Finished.
Name reject_all
Protocol Any
Source Any
Destination Any
Action Reject
Logging Enabled
− Open the Security > Network Firewall > Active Rules page.
− From the Context list select Virtual Server, and then select server41_virtual.
− Click Add Rule List, and then select Add rule list to Virtual Server.
− Begin typing all into the field and then select /Common/all_lorax_apps, and then click Done Editing.
− From the Context > Virtual Server list select server42_virtual, and then click Add Rule List and
select Add rule list to Virtual Server.
− Begin typing all into the field and then select /Common/all_lorax_apps, and then click Done Editing.
− Repeat the previous two tasks for server43_virtual, server44_virtual, and server45_virtual.
− Once the rule list is attached to all five virtual servers click Commit Changes to System.
− Open a New incognito window (Chrome).
→NOTE: Using an incognito window is important because some of the requests you make will be
cached in the browser from the earlier request.
− In the incognito window click the following bookmarks:
o Demos > http://10.1.10.42 and Demos > http://10.1.10.43
o Demos > http://10.1.10.44:8080 and Demos > http://10.1.10.45:8080
o Demos > https://10.1.10.41 and Demos > https://10.1.10.42
o Demos > https://10.1.10.44:8443 and Demos > https://10.1.10.45:8443
o Demos > ftp://10.1.10.42 and Demos > ftp://10.1.10.43
− Open putty and connect to 10.1.10.45, and then close putty.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.41, and then close RDP.
The Windows workstation, which isn’t in one of the malicious locations, now has only HTTP and
HTTPS access to all virtual servers.
− On the LAMP desktop use Firefox to access http://10.1.10.41.
− Edit the URL to http://10.1.10.42:8080.
− Edit the URL to https://10.1.10.43.
− Right-click on the desktop and open a Terminal window and at the prompt type the following.
(Type yes when/if prompted.)
ssh root@10.1.10.44
− Type Ctrl+C, and then type the following. (Type yes when/if prompted.)
ssh root@10.1.10.45
The LAMP workstation, which is located within a malicious location but is also on IP address
10.1.20.252 and is connecting during work hours, has only HTTPS and SSH access to all virtual
servers.
Demo Task 4 – Update Port Lists, Address Lists, Rule Lists, and Schedules
Make updates to the port lists, address lists, schedule, and rule list you created earlier.
− In the Configuration Utility, on the Active Rules page use the << icon to open the panel.
Admin users in the malicious locations should no longer have SSH access.
− Select Port List (4), and then select admin_ports.
− In the Properties panel click the gear icon and select Edit.
− Select port 22 and click the X on the right-side, and then click Commit.
− On the LAMP desktop in the Terminal window at the prompt type the following lines separately.
ssh root@10.1.10.41
ssh root@10.1.10.42
ssh root@10.1.10.43
ssh root@10.1.10.44
− In Firefox edit the URL to https://10.1.10.43.
Within just seconds, the LAMP workstation no longer has SSH access to any virtual servers, but it still
has HTTPS access to all virtual servers.
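Added example (not part of the F5 lab guide and not BIG-IP code): a Python model of how the all_lorax_apps rule list is evaluated first-match, covering the four rules created above, the outcomes seen from the Windows and LAMP workstations, and the Demo Task 4 removal of port 22 from admin_ports. The Windows workstation address 192.0.2.10, the SY/KP geo tag and the timestamps are constructed; AFM's real GeoIP lookup and logging are not reproduced.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed model of the demo's lists. The two country entries are modelled as a
# per-connection "geo" tag (SY, KP) instead of the GeoIP lookup AFM performs.
PORT_LISTS = {"app_ports": {80, 443}, "admin_ports": {22, 443}}
ADDRESS_LISTS = {
    "malicious_locations": {"nets": [ip_network("10.1.20.0/24")], "geo": {"SY", "KP"}},
    "admin_list": {"nets": [ip_network("10.1.20.252/32")], "geo": set()},
}
WEEKDAY = datetime(2019, 6, 12, 10, 0)  # constructed: a Wednesday at 10:00
WEEKEND = datetime(2019, 6, 15, 10, 0)  # constructed: a Saturday at 10:00

def in_business_hours(when):
    """Schedule business_hours from the demo: Monday to Friday, 08:00-17:00."""
    return when.weekday() < 5 and 8 <= when.hour < 17

def in_address_list(name, src_ip, src_geo):
    entry = ADDRESS_LISTS[name]
    return any(ip_address(src_ip) in net for net in entry["nets"]) or src_geo in entry["geo"]

# Rule list all_lorax_apps in the order the demo creates it:
# (name, scheduled, protocol, source address list, destination port list, action)
RULES = [
    ("accept_scheduled_admin_access", True, "tcp", "admin_list", "admin_ports", "accept"),
    ("reject_locations", False, "any", "malicious_locations", None, "reject"),
    ("accept_app_ports", False, "tcp", None, "app_ports", "accept"),
    ("reject_all", False, "any", None, None, "reject"),
]

def evaluate(src_ip, proto, dport, when, src_geo=None):
    """First-match evaluation: return (rule name, action) for one connection."""
    for name, scheduled, rproto, src_list, port_list, action in RULES:
        if scheduled and not in_business_hours(when):
            continue  # outside its window a scheduled rule is skipped, not turned into a deny
        if rproto != "any" and rproto != proto:
            continue
        if src_list and not in_address_list(src_list, src_ip, src_geo):
            continue
        if port_list and dport not in PORT_LISTS[port_list]:
            continue
        return name, action
    raise RuntimeError("unreachable: reject_all matches everything")

if __name__ == "__main__":
    for port in (80, 443, 22, 3389):
        # 192.0.2.10 is a constructed stand-in for the Windows workstation
        print("windows", port, evaluate("192.0.2.10", "tcp", port, WEEKDAY))
        print("lamp   ", port, evaluate("10.1.20.252", "tcp", port, WEEKDAY))
    PORT_LISTS["admin_ports"].discard(22)  # Demo Task 4: SSH removed from admin_ports
    print("lamp after update, port 22:", evaluate("10.1.20.252", "tcp", 22, WEEKDAY))
```

The model makes the ordering point visible: the LAMP host on 10.1.20.252 is inside malicious_locations, so it only gets SSH and HTTPS because the scheduled admin rule sits above reject_locations, and once the schedule is not active that rule is skipped and the reject rule wins.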
− Click Reorder, then use your mouse to move accept_remote_admin to the top of the list, and then
click Update.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.42, and then close RDP.
We’re still unable to use RDP to access our virtual servers. Do you know why? Remember we changed
our schedule, thus making it outside of business hours. Let’s now simulate that it’s once again within
business hours.
− In the Configuration Utility open the Security > Reporting > Network > Enforced Rules page, and then
examine the Details section.
The default report shows all the network firewall contexts (virtual servers, self IP addresses, in
addition to global and route domain) that were matched in the last hour. We can see how many times
each virtual server processed either an Accept or a Reject rule.
→NOTE: It can take up to five minutes for all the report data to display.
We can see how many times each rule within the rule list was matched.
− In the Details section click /Common/all_lorax_apps:reject_all.
This displays how many times this rule was matched for each virtual server.
− From the View By list select Destination Ports (Enforced).
This displays how many times each port was rejected as a result of this rule.
− Click Export, and then click Export again.
That concludes this demonstration on using BIG-IP AFM to manage network firewall access for
multiple virtual servers using port lists, address lists, schedules, and rule lists.