The purpose of this demo is to show how to use BIG-IP AFM to create global rules to control access to virtual
servers and self IP addresses through the BIG-IP system. In this demo you will:
1. Show that traffic to virtual servers and self IP addresses is currently allowed, including the ability to
ping all virtual servers and self IP addresses.
2. Create a BIG-IP AFM global rule to drop all ICMP ping requests.
3. Create a global rule rejecting requests from specific locations: the network containing the
LAMP server, Syria, and North Korea.
4. Use the Accept Decisively rule action to override a virtual server rule that rejects SSH access so that a
specific administrator has SSH access to all virtual servers.
Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
Part 1 – Prepare the BIG-IP Demo Environment
Prep Task 1 – Download and Open the Windows Server VMware Image
The BIG-IP AFM demos require the Windows Server VMware image. If you haven’t already downloaded and
configured this image, follow these steps. If you’ve already downloaded this image, you can move to task 2.
WWFE Lab Guides –BIG-IP AFM 01 Demo – Use Global Rules; v14.1.A Page | 1
→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).
− Once the clean_install archive file has loaded open Chrome or Firefox and click the BIGIP_A bookmark
and log into the BIG-IP system as admin / admin.F5demo.com
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal
− Open the Security > Network Firewall > Policies page and click Create.
− Name the policy server41_policy, and then click Repeat.
− Create two more policies named server42_policy and bigip_global_policy.
− Open the Security > Network Firewall > Active Rules page and click Global.
− From the Network Firewall > Enforcement list select Enabled, and then click Update.
− In PuTTY, copy and paste the following lines together (each tmsh command is a single line):
# Pools containing the two LAMP servers on the 10.1.20.0/24 network
tmsh create ltm pool server41_pool members add { 10.1.20.41:0 { address 10.1.20.41 } }
tmsh create ltm pool server42_pool members add { 10.1.20.42:0 { address 10.1.20.42 } }
# Wildcard-port TCP virtual servers, each with its own enforced AFM policy
tmsh create ltm virtual server41_virtual destination 10.1.10.41:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server41_policy pool server41_pool
tmsh create ltm virtual server42_virtual destination 10.1.10.42:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server42_policy pool server42_pool
# Save the configuration as a UCS archive for Part 2
tmsh save sys ucs demo_afm_global_rules_v14.1.ucs
exit
Part 2 – Deliver the BIG-IP Customer Demo
→NOTE: If you do not have the demo_afm_global_rules_v14.1.ucs archive file, complete part 1 of this
document.
− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Log into the LAMP workstation as Xubuntu with no password.
− In the second tab edit the URL to https://10.1.10.240, and then close the tab.
− Open a command prompt and run the following commands one at a time.
ping 10.1.10.240
ping 10.1.10.41
Currently the BIG-IP system accepts and responds to ICMP requests for self IP addresses and
virtual servers.
− In the Configuration Utility open the Security > Network Firewall > Active Rules page.
We use this page to view, create, and modify network firewall rules for all BIG-IP contexts, including
the global context and the virtual server context.
− Click Add Rule, and then select Add rule to Global.
− Use the following information for the new rule, then click Done Editing, and then click Commit Changes to System.
Name drop_icmp
Protocol ICMP
Action Reject
When you repeat the two ping commands, you no longer get ICMP echo replies; however, you do receive
“Destination net unreachable” messages from the BIG-IP system. The Reject action discards the packet and
sends an ICMP unreachable (or, for TCP, a reset) back to the sender, which tells the sender that a firewall
is in the path.
− In the Configuration Utility click drop_icmp.
− From the Action list select Drop, then click Done Editing, and then click Commit Changes to System.
− In the command prompt run the following commands again, one at a time.
ping 10.1.10.240 (press Ctrl+C after a couple of timed-out messages)
ping 10.1.10.41
This time we receive neither ICMP replies nor destination unreachable messages from the BIG-IP system.
With the Drop action, BIG-IP AFM silently discards the matching packets, so the sender learns nothing about
the firewall. Note that this rule matches every ICMP type passing through the BIG-IP system, not only echo
requests; in a production policy you would normally restrict it to the echo-request type so that the ICMP
messages Path MTU Discovery relies on are still allowed.
− Close the command prompt.
The LAMP workstation is in a different network (10.1.20.0/24). We’ve identified this network as the source of
malicious requests and would like to block all access from it; in addition, we’d like to block all access
from Syria and North Korea.
− In the Configuration Utility on the Active Rules page click Add Rule, and then select Add rule to Global.
− Add a rule using the following information, then click Done Editing, and then
click Commit Changes to System.
Name reject_specific_locations
Source 10.1.20.0/24 (Press Enter or click Add)
Syrian Arab Republic (Press Enter or click Add)
Korea, Democratic People’s Republic of (Press Enter or click Add)
Action Reject
→NOTE: Using an incognito window is important because some of the requests you make will be
cached in the browser from the earlier request.
While the Windows workstation, connecting from a location that hasn’t been added to the rejected
location list, can still access all virtual servers, the LAMP workstation, connecting from a rejected
location, can no longer reach any resource through the BIG-IP system. Two points are worth noting. The pool
members 10.1.20.41 and 10.1.20.42 sit in the same rejected network, yet the virtual servers keep working,
because the rule applies to traffic arriving at the BIG-IP listeners (virtual servers and self IPs), not to
the server-side connections the BIG-IP system opens to its pool members. And country matches are only as
good as the geolocation database on the BIG-IP system, so keep it current with F5’s geolocation updates.
− In the Configuration Utility on the Active Rules page click Add Rule, and then select Add rule to Global.
− Add a rule using the following information, then click Done Editing, and then
click Commit Changes to System.
Name reject_ports
Protocol TCP
Destination 3389 (Press Enter or click Add)
8080 (Press Enter or click Add)
8443 (Press Enter or click Add)
Action Reject
− In the Configuration Utility on the Active Rules page, from the Context list select Virtual Server, and then
select server41_virtual.
− Click Add Rule, and then select Add rule to Virtual Server.
− Use the following information for the new rule, then click Done Editing, and then
click Commit Changes to System.
Name reject_ssh
Protocol TCP
Destination 22 (Press Enter or click Add)
Action Reject
− Open a new putty session and connect to 10.1.10.42, and then close putty.
SSH is now rejected for virtual server 10.1.10.41 only, while SSH access to virtual server 10.1.10.42
still works. However, this is not what the BIG-IP system administrator, working from workstation
10.1.10.199, wanted: they want SSH access to all virtual servers, regardless of any rules placed at the
virtual server level.
− Click Add Rule, and then select Add rule to Global.
− Add a rule using the following information, then click Done Editing, and then
click Commit Changes to System.
Name accept_ssh_for_admin
Protocol TCP
Source 10.1.10.199/32 (Press Enter or click Add)
Destination 22 (Press Enter or click Add)
Action Accept Decisively
Accept Decisively is the action this demo calls for (see the introduction), and the difference matters. A
plain Accept in the global context only accepts the packet for that context and passes it on to the next
context; the packet would then reach the server41_virtual context, where reject_ssh would still reject it.
Accept Decisively accepts the packet and ends rule evaluation in every remaining context, so the virtual
server rule is never consulted. Two cautions: global rules are matched in order, so this rule must sit
above any global rule that would also match the administrator’s SSH traffic; and because it bypasses every
virtual server policy, keep its match as narrow as it is here (a single source /32 and destination port 22).
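The following Python model is an added illustration, not F5 code and not an AFM API. It encodes the four global rules and the one virtual server rule built in Part 2 and evaluates constructed sample flows through them in the order BIG-IP AFM uses: the global context, then the context of the virtual server the packet is addressed to, then a default that accepts (the ADC-mode default this demo relies on, which is an assumption of the model). Running it with accept_ssh_for_admin set first to Accept and then to Accept Decisively shows why the introduction asks for Accept Decisively: a plain Accept only passes the packet to the virtual server context, where reject_ssh still rejects it. It also reproduces the Reject/Drop difference seen in the ping tests (Reject answers the sender with a TCP RST or ICMP unreachable, Drop is silent). The country table, the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges standing in for Syria and North Korea, and every client address other than 10.1.10.199 are assumptions made for the example.

```python
"""Toy model of how BIG-IP AFM evaluates the rules built in this demo.

Added illustration only: this is not F5 code and not an AFM API.  It models
the behaviour the demo depends on: contexts are evaluated in order (Global,
then the virtual server the packet is addressed to, then a default that
accepts, as in ADC mode); Accept in a context only passes the packet to the
next context, while Accept Decisively ends evaluation in every context; and
Reject answers the sender while Drop is silent.  The country table and all
addresses other than those in the guide are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed stand-in for the AFM geolocation database (assumption).  The
# RFC 5737 documentation ranges are mapped to SY and KP only so that the
# geolocation rule has something to match.
GEO_DB = {"10.1.10.0/24": "US", "10.1.20.0/24": "US",
          "198.51.100.0/24": "SY", "203.0.113.0/24": "KP"}


def country_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_DB.items() if addr in ip_network(net)), None)


@dataclass
class Rule:
    name: str
    action: str                                  # accept | accept-decisively | drop | reject
    protocol: Optional[str] = None               # tcp | icmp | None matches any protocol
    sources: list = field(default_factory=list)  # CIDRs or ISO country codes; any may match
    dst_ports: list = field(default_factory=list)

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.dst_ports and pkt.get("dport") not in self.dst_ports:
            return False
        if self.sources:
            src, cc = ip_address(pkt["src"]), country_of(pkt["src"])
            if not any(s == cc if s.isalpha() else src in ip_network(s) for s in self.sources):
                return False
        return True


def evaluate(pkt: dict, global_rules: list, vs_rules: dict) -> Tuple[str, str, str, Optional[str]]:
    """Return (action, matching rule, context, what the sender gets back)."""
    contexts = (("global", global_rules), ("virtual", vs_rules.get(pkt["dst"], [])))
    for ctx, rules in contexts:
        for r in rules:                    # first match wins within a context
            if not r.matches(pkt):
                continue
            if r.action == "accept":
                break                      # accepted in this context only; go on to the next
            if r.action == "reject":
                reply = "tcp-rst" if pkt["proto"] == "tcp" else "icmp-unreachable"
            else:
                reply = None               # drop and accept-decisively send nothing back
            return (r.action, r.name, ctx, reply)
    return ("accept", "default", "default", None)   # ADC-mode default (assumption)


def demo_rules(admin_action: str) -> Tuple[list, dict]:
    """The global and server41_virtual rules created in Part 2, in the order created."""
    global_rules = [
        Rule("drop_icmp", "drop", protocol="icmp"),
        Rule("reject_specific_locations", "reject", sources=["10.1.20.0/24", "SY", "KP"]),
        Rule("reject_ports", "reject", protocol="tcp", dst_ports=[3389, 8080, 8443]),
        Rule("accept_ssh_for_admin", admin_action, protocol="tcp",
             sources=["10.1.10.199/32"], dst_ports=[22]),
    ]
    vs_rules = {"10.1.10.41": [Rule("reject_ssh", "reject", protocol="tcp", dst_ports=[22])]}
    return global_rules, vs_rules


# Constructed sample flows; 10.1.10.199 is the administrator workstation named in the guide.
SAMPLES = {
    "ping_self_ip":    {"src": "10.1.10.199", "dst": "10.1.10.240", "proto": "icmp"},
    "http_from_lamp":  {"src": "10.1.20.50", "dst": "10.1.10.41", "proto": "tcp", "dport": 80},
    "http_from_sy":    {"src": "198.51.100.7", "dst": "10.1.10.42", "proto": "tcp", "dport": 80},
    "rdp_from_admin":  {"src": "10.1.10.199", "dst": "10.1.10.42", "proto": "tcp", "dport": 3389},
    "ssh_other_to_41": {"src": "10.1.10.50", "dst": "10.1.10.41", "proto": "tcp", "dport": 22},
    "ssh_other_to_42": {"src": "10.1.10.50", "dst": "10.1.10.42", "proto": "tcp", "dport": 22},
    "ssh_admin_to_41": {"src": "10.1.10.199", "dst": "10.1.10.41", "proto": "tcp", "dport": 22},
}


def run(admin_action: str) -> dict:
    """Evaluate every sample flow with accept_ssh_for_admin set to the given action."""
    global_rules, vs_rules = demo_rules(admin_action)
    return {name: evaluate(pkt, global_rules, vs_rules) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for mode in ("accept", "accept-decisively"):
        print(f"\naccept_ssh_for_admin action = {mode}")
        for name, verdict in run(mode).items():
            print(f"  {name:16} -> {verdict}")
```

Run it with python3 to print every flow’s verdict under both actions. The only rule whose action differs between the two runs is accept_ssh_for_admin, and the only flow whose outcome changes is the administrator’s SSH to 10.1.10.41: rejected by reject_ssh in the virtual server context under Accept, accepted in the global context under Accept Decisively. The ping and LAMP flows show the silent Drop against the answered Reject.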
That concludes this demonstration on using BIG-IP AFM global rules to control traffic through
the BIG-IP system.