
F5 Customer Demo

BIG-IP AFM – Use Port Lists, Address Lists, Schedules, and Rule Lists
F5 vLab document version 14.1.A
Written for: TMOS® Architecture v14.1
Virtual images:
BIGIPA_v14.1, LAMP_7
Windows_Server_2008, Windows_7_External (v9)

Estimated Completion Time: 25 minutes

The purpose of this demo is to show how to use BIG-IP AFM to manage network firewall access for multiple web
applications using port lists, address lists, schedules, and rule lists. In this demo you will:

1. Show the current environment, which includes several virtual servers which allow access using
multiple ports.
2. Use the active rules page to create port lists, address lists, and a schedule.
3. Create a rule list containing several rules that uses the port lists, address lists, and schedule, and then
add the rule list to all virtual servers.
4. Make updates to the port lists, address list, schedule, and rule list.
5. Show the built-in BIG-IP AFM reports.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 5/7/2019


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.


Part 1 – Prepare the BIG-IP Demo Environment


• Required virtual images: BIGIPA_v14.1, Windows_Server_2008_v1, Windows_7_External (v9)
• Estimated completion time: 10 minutes

Prep Task 1 – Download and Open the Windows Server VMware Image
The BIG-IP AFM demos require the Windows Server VMware image. If you haven’t already downloaded and
configured this image, follow these steps. If you’ve already downloaded this image, you can move to task 2.

− Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
− Click Virtual Lab Environment (vLab).
− Ensure that 4.0 is selected in the version list, then click vLab_files, and then accept the software terms
and conditions.
− Download and then unzip Windows_Server_2008_v1.zip.

For Windows Users

− In VMware Workstation go to File > Open.
− Navigate to the directory into which you unzipped the VMware image and open Windows_Server_2008.
− Select the Windows_Server_2008.vmx image file, and then click Open.
− Select Windows_Server_2008 from the VMware library, and then click Edit virtual machine settings.
− Select Network Adapter, then in the Network connection section select the Custom option, and then
select VMnet 3. This will provide access to the internal network.

For Mac Users

− In VMware Fusion go to File > Import.
− Navigate to the directory into which you unzipped the VMware image and open Windows_Server_2008.
− Select the Windows_Server_2008.vmx image file, and then click Open.
− Select Windows_Server_2008 from the VMware library, and then click Settings.
− Click Network Adapter, and then click the vmnet4 option. (NOTE: Ensure you have selected the
option button.)

For All Users


− In the VMware library start up the Windows_Server_2008 image.
− If necessary, go to VM > Send Ctrl+Alt+Del, and then log in as F5DEMO\admin_user / password.
− If necessary, manually update the time to match your local time.
o Click the clock and select Change date and time settings…
o Click Change date and time, then manually adjust the time to the current time, then click OK twice.

WWFE Lab Guides – BIG-IP AFM 04 Demo – Use Port Lists, Address Lists, Schedules, and Rule Lists; v14.1.A Page | 1

Prep Task 2 – Provision AFM


Provision BIG-IP AFM on the BIG-IP system.

− In the VMware library start up the BIGIPA_v14.1 and Windows_7_External images.


− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following. (NOTE: Use the copy and paste guide in
the My Documents > Demo setup copy and paste guides directory.)
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license

→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).

− Once the clean_install archive file has loaded, open Chrome or Firefox, click the BIGIP_A bookmark,
and log in to the BIG-IP system as admin / admin.F5demo.com.
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal

Prep Task 3 – Create Firewall Policies


Create several network firewall policies that will be used during this demo, and then use TMSH commands to
create an event log profile and several web applications to use during the demo.

− Open the Security > Network Firewall > Policies page and click Create.
− Name the policy server41_policy, and then click Repeat.
− Create four more policies named server42_policy, server43_policy, server44_policy,
and server45_policy.
− In putty copy and paste the following lines together (each tmsh command is a single line):
tmsh create security log profile logging_profile { network add { logging_profile { filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled log-ip-errors enabled log-tcp-errors enabled log-tcp-events enabled log-translation-fields enabled } format { field-list { action date_time dest_ip dest_port drop_reason protocol src_ip src_port } type field-list } publisher local-db-publisher } } }
tmsh create ltm pool server41_pool members add { 10.1.20.41:0 { address 10.1.20.41 } }
tmsh create ltm pool server42_pool members add { 10.1.20.42:0 { address 10.1.20.42 } }
tmsh create ltm pool server43_pool members add { 10.1.20.43:0 { address 10.1.20.43 } }
tmsh create ltm pool server44_pool members add { 10.1.20.44:0 { address 10.1.20.44 } }
tmsh create ltm pool server45_pool members add { 10.1.20.45:0 { address 10.1.20.45 } }
tmsh create ltm virtual server41_virtual destination 10.1.10.41:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server41_policy pool server41_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server42_virtual destination 10.1.10.42:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server42_policy pool server42_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server43_virtual destination 10.1.10.43:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server43_policy pool server43_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server44_virtual destination 10.1.10.44:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server44_policy pool server44_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server45_virtual destination 10.1.10.45:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server45_policy pool server45_pool security-log-profiles add { logging_profile }
tmsh save sys ucs demo_afm_port-address-rule-lists_v14.1.ucs
exit


Part 2 – Deliver the BIG-IP Customer Demo


• Required virtual images: BIGIPA_v14.1, LAMP_v7, Windows_Server_2008_v1, Windows_7_External (v9)
• Estimated completion time: 25 minutes

BEFORE THE DEMO – Restore an Archive File


Use TMSH to restore the archive file you created in Part 1.

− In the VMware library start up the BIGIPA_v14.1, LAMP_v7, Windows_Server_2008, and Windows_7_External images.
− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs demo_afm_port-address-rule-lists_v14.1.ucs no-license

→NOTE: If you do not have the demo_afm_port-address-rule-lists_v14.1.ucs archive file, complete part 1 of this
document.

− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Log into the LAMP workstation as Xubuntu with no password.

Demo Task 1 – Review Objects Used in the Demo


Examine the BIG-IP system objects that will be used during this demo.

− In the Configuration Utility open the Virtual Server List page.


We have several virtual servers on this BIG-IP system, with each virtual server listening on all ports.
− Open a new tab and click the following bookmarks:
o Demos > http://10.1.10.41
o Demos > http://10.1.10.42:8080
o Demos > https://10.1.10.43
o Demos > https://10.1.10.44:8443
o Demos > ftp://10.1.10.45
− Close the tab, and then from the desktop open putty and connect to 10.1.10.42, and then close putty
without logging in.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.44, and then close the login dialog
box without logging in.
Currently we can access all available services on all virtual servers, including HTTP, HTTPS, FTP, SSH,
RDP, and ports 8080 and 8443.

− In the Configuration Utility examine the Virtual Servers page.
For the purposes of this demo let’s imagine this list includes 50 or more virtual servers. For all virtual
servers we need to create several firewall rules:
o We want to reject all requests from specific locations that we’ve identified as dangerous sources.
o We need to allow SSH and HTTPS access from a specific source within the dangerous location list
during work hours.
o We want to allow HTTP and HTTPS access from all other locations.
o We want to reject all other access.
To create all these rules for this many virtual servers would take a lot of time. In addition, if we need
to make any modifications to our specifications, it would require us to revisit all 50 virtual servers and
manually make the modifications. We’re going to streamline this process using port lists, address lists,
and rule lists.

Demo Task 2 – Create Port Lists, Address Lists, and a Schedule


Use the Active Rules page to create two port lists, two address lists, and a schedule.

− Open the Security > Network Firewall > Active Rules page.
We use this page to view, create, and modify network firewall rules for all BIG-IP contexts, including
the virtual server context.
− On the top-right hand side of the page use the << icon to expand the panel.

We use this panel to view, create, and modify port lists and address lists.
− Select Port List (2), and then click the + icon.
− For name enter app_ports, then add ports 80 and 443, and then click Commit.
− For Port List (3) click the + icon, then for name enter admin_ports, then add ports 22 and 443, and then
click Commit.
− For Address List (0) click the + icon.
− For name enter malicious_locations, then add the following entries, and then click Commit.
o 10.1.20.0/24
o Syrian Arab Republic
o Korea, Democratic People’s Republic of

→NOTE: In this example we’re using 10.1.20.0/24 to represent a location we’ve identified as a
source of multiple malicious requests.

− For Address List (1) click the + icon, then for name enter admin_list, then add 10.1.20.252/32, and then
click Commit.
− For Schedules (0) click the + icon.

− For name enter business_hours, then add the following entries, and then click Commit.
o Specify monday - friday
o Enter 08:00 – 17:00

Demo Task 3 – Create a Rule List


Create a rule list that uses the port lists, address lists, and schedule, and accomplishes the requirements
from task 1, and then add the rule list to the virtual servers.

− Open the Security > Network Firewall > Rule Lists page and click Create.
− Name the rule list all_lorax_apps, and then click Finished.
− Click all_lorax_apps, and then on the right-side of the page click Add.
− Use the following for the first rule, and then click Repeat.
Name accept_scheduled_admin_access
State Scheduled > Schedule: business_hours
Protocol TCP (NOTE: Do not change the protocol number of 6)
Source Address List: /Common/admin_list (Click Add)
Destination Port List: /Common/admin_ports (Click Add)
Action Accept
Logging Enabled

− Use the following for the next rule, and then click Repeat.
Name reject_locations
State Enabled
Protocol Any
Source Address List: /Common/malicious_locations (Click Add)
NOTE: Remove the admin_list address list that Repeat carried over from the previous rule.
Action Reject
Logging Enabled

− Use the following for the next rule, and then click Repeat.
Name accept_app_ports
Protocol TCP
Source Any
Destination Port List: /Common/app_ports (Click Add)
Action Accept
Logging Enabled

− Use the following for the last rule, and then click Finished.
Name reject_all
Protocol Any
Source Any
Destination Any
Action Reject
Logging Enabled

− Open the Security > Network Firewall > Active Rules page.
− From the Context list select Virtual Server, and then select server41_virtual.

− Click Add Rule List, and then select Add rule list to Virtual Server.

− Begin typing all into the field and then select /Common/all_lorax_apps, and then click Done Editing.
− From the Context > Virtual Server list select server42_virtual, and then click Add Rule List and
select Add rule list to Virtual Server.
− Begin typing all into the field and then select /Common/all_lorax_apps, and then click Done Editing.
− Repeat the previous two tasks for server43_virtual, server44_virtual, and server45_virtual.
− Once the rule list is attached to all five virtual servers click Commit Changes to System.
− Open a New incognito window (Chrome).

→NOTE: Using an incognito window is important because some of the requests you make will be
cached in the browser from the earlier request.

− In the incognito window click the following bookmarks:
o Demos > http://10.1.10.42 and Demos > http://10.1.10.43
o Demos > http://10.1.10.44:8080 and Demos > http://10.1.10.45:8080
o Demos > https://10.1.10.41 and Demos > https://10.1.10.42
o Demos > https://10.1.10.44:8443 and Demos > https://10.1.10.45:8443
o Demos > ftp://10.1.10.42 and Demos > ftp://10.1.10.43
− Open putty and connect to 10.1.10.45, and then close putty.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.41, and then close RDP.
The Windows workstation, which isn’t in one of the malicious locations, now has only HTTP and
HTTPS access to all virtual servers.
− On the LAMP desktop use Firefox to access http://10.1.10.41.
− Edit the URL to http://10.1.10.42:8080.
− Edit the URL to https://10.1.10.43.
− Right-click on the desktop and open a Terminal window and at the prompt type the following.
(Type yes when/if prompted.)
ssh root@10.1.10.44

− Type Ctrl+C, and then type the following. (Type yes when/if prompted.)
ssh root@10.1.10.45

The LAMP workstation, which is located within a malicious location (10.1.20.0/24) but also has the
IP address 10.1.20.252 and is connecting during work hours, has only HTTPS and SSH access to all
virtual servers.

Demo Task 4 – Update Port Lists, Address Lists, Rule Lists, and Schedules
Make updates to the port lists, address lists, schedule, and rule list you created earlier.

− In the Configuration Utility, on the Active Rules page use the << icon to open the panel.

Admin users in the malicious locations should no longer have SSH access
− Select Port List (4), and then select admin_ports.
− In the Properties panel click the gear icon and select Edit.

− Select port 22 and click the X on the right-side, and then click Commit.
− On the LAMP desktop in the Terminal window at the prompt type the following lines separately.
ssh root@10.1.10.41
ssh root@10.1.10.42
ssh root@10.1.10.43
ssh root@10.1.10.44

− In Firefox edit the URL to https://10.1.10.43.
Within just seconds, the LAMP workstation no longer has SSH access to any virtual servers, but it still
has HTTPS access to all virtual servers.

We’ll simulate that it’s now after work hours


− In the Configuration Utility select Schedules (1), and then select business_hours.
− In the Properties panel click the gear icon and select Edit.
− Edit either the start or end time to be outside of the current time, and then click Commit.
− On the LAMP desktop reload the https://10.1.10.43 page.
− Edit the URL to https://10.1.10.44.
Now that it’s outside of work hours, the LAMP workstation no longer has HTTPS access, as it’s
matching the same rule as all other malicious locations.

Add new services for all virtual servers


− In the Configuration Utility under Port List (4) select app_ports, and then click the gear icon and
select Edit.
− Add port 21 and a port range of 50000-59999.
− Add port 8080, and then click Commit.
− In the incognito window click the following bookmarks:
o Demos > http://10.1.10.41:8080 and Demos > http://10.1.10.42:8080
o Demos > https://10.1.10.43:8443 and Demos > https://10.1.10.44:8443
o Demos > ftp://10.1.10.42 and Demos > ftp://10.1.10.43

Add a new location to the address list


− In the Configuration Utility select Address List (2), then select malicious_locations, and then click the
gear icon and select Edit.
− Add Iran, Islamic Republic of, and then click Commit.

Add a new rule to the rule list


− Open the Network Firewall > Rule Lists page and click all_lorax_apps, and then click Add.
− Use the following for the first rule, and then click Finished.
Name accept_remote_admin
State Scheduled > Schedule: business_hours
Protocol TCP
Source Address: 10.1.10.199/32 (Click Add)
Destination Port: 3389 (Click Add)
Action Accept
Logging Enabled
Notice that the new rule has been placed at the bottom of the list, after the reject_all rule.

− Click Reorder, then use your mouse to move accept_remote_admin to the top of the list, and then
click Update.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.42, and then close RDP.
We’re still unable to use RDP to access our virtual servers. Do you know why? Remember we changed
our schedule, thus making it outside of business hours. Let’s now simulate that it’s once again within
business hours.

We’ll simulate that it’s now work hours


− In the Configuration Utility open the Active Rules page and use the << icon to open the panel, then
select Schedules (1), and then select business_hours.
− Click the gear icon and select Edit, then edit either the start or end time so that the current time is
within business hours, and then click Commit.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.42, and then click Cancel.
− Connect to 10.1.10.43, and then close the login dialog box without logging in.
From the trusted administrator host workstation (10.1.10.199) during work hours, we now have
Remote Desktop Connection access to all virtual servers.
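As an added illustration (not part of this guide and not F5 code), the following Python model reproduces the first-match evaluation of the all_lorax_apps rule list built in Task 3 together with the Task 4 updates: it shows why the LAMP host at 10.1.20.252 gets only SSH and HTTPS during business_hours, how removing port 22 from admin_ports or moving the schedule window changes the result, and why accept_remote_admin never matches while it sits below reject_all. The names rdp_port and remote_admin_host, the sample timestamps, and the flows are constructed for the model; the country entries of malicious_locations are omitted because they need a geolocation lookup.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the demo's lists (not F5 code). The country entries of
# malicious_locations need a geolocation database and are left out here.
PORT_LISTS = {
    "app_ports": {80, 443},
    "admin_ports": {22, 443},
    "rdp_port": {3389},            # the demo enters 3389 directly; named here for the model
}
ADDRESS_LISTS = {
    "malicious_locations": [ip_network("10.1.20.0/24")],
    "admin_list": [ip_network("10.1.20.252/32")],
    "remote_admin_host": [ip_network("10.1.10.199/32")],  # the demo enters it directly
}

@dataclass
class Schedule:
    days: set            # 0 = Monday ... 4 = Friday
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.end

SCHEDULES = {"business_hours": Schedule({0, 1, 2, 3, 4}, time(8, 0), time(17, 0))}
IN_HOURS = datetime(2019, 5, 7, 10, 0)      # Tuesday 10:00, inside business_hours (constructed)
AFTER_HOURS = datetime(2019, 5, 7, 19, 0)   # Tuesday 19:00, outside business_hours (constructed)

@dataclass
class Rule:
    name: str
    action: str                      # "accept" or "reject"
    protocol: Optional[str] = None   # None means any protocol
    src_list: Optional[str] = None   # None means any source
    dst_ports: Optional[str] = None  # None means any destination port
    schedule: Optional[str] = None   # None means always enabled

    def matches(self, src: str, dport: int, proto: str, now: datetime) -> bool:
        if self.schedule and not SCHEDULES[self.schedule].active(now):
            return False             # a scheduled rule is inactive outside its window
        if self.protocol and self.protocol != proto:
            return False
        if self.src_list and not any(ip_address(src) in net for net in ADDRESS_LISTS[self.src_list]):
            return False
        if self.dst_ports and dport not in PORT_LISTS[self.dst_ports]:
            return False
        return True

# The all_lorax_apps rule list from Demo Task 3, in order.
ALL_LORAX_APPS = [
    Rule("accept_scheduled_admin_access", "accept", "tcp", "admin_list", "admin_ports", "business_hours"),
    Rule("reject_locations", "reject", None, "malicious_locations"),
    Rule("accept_app_ports", "accept", "tcp", None, "app_ports"),
    Rule("reject_all", "reject"),
]
# The rule added in Demo Task 4; its position in the list decides whether it can ever match.
ACCEPT_REMOTE_ADMIN = Rule("accept_remote_admin", "accept", "tcp", "remote_admin_host", "rdp_port", "business_hours")

def evaluate(src: str, dport: int, proto: str = "tcp", now: datetime = IN_HOURS, rules=ALL_LORAX_APPS):
    """First matching rule wins, as in an AFM rule list. Returns (rule name, action)."""
    for rule in rules:
        if rule.matches(src, dport, proto, now):
            return rule.name, rule.action
    return None, None  # unreachable while reject_all is the last rule
```

Calling evaluate("10.1.20.252", 22) returns the scheduled admin rule during IN_HOURS and reject_locations once now=AFTER_HOURS or port 22 is removed from admin_ports, mirroring what the LAMP workstation sees in Task 4.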

Demo Task 5 – View Firewall Reporting


View the built-in BIG-IP AFM reporting.

− In the Configuration Utility open the Security > Reporting > Network > Enforced Rules page, and then
examine the Details section.
The default report shows all the network firewall contexts (virtual servers, self IP addresses, in
addition to global and route domain) that were matched in the last hour. We can see how many times
each virtual server processed either an Accept or a Reject rule.

→NOTE: It can take up to five minutes for all the report data to display.

− Change the Chart type to Stacked.

− From the View By list select Source IP Addresses (Enforced).

We can see how many times each rule within the rule list was matched.
− In the Details section click /Common/all_lorax_apps:reject_all.
This displays how many times this rule was matched for each virtual server.
− From the View By list select Destination Ports (Enforced).
This displays how many times each port was rejected as a result of this rule.

− Click Export, and then click Export again.

− Open the downloaded PDF.


At any time, we can export the report data. The export will include the exact current contents
displayed on the reports page.

That concludes this demonstration on using BIG-IP AFM to manage network firewall access for
multiple virtual servers using port lists, address lists, schedules, and rule lists.

AFTER THE DEMO – Reset the VMware Environment


− Click Log out, and then close the Configuration Utility.
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license
reboot
