
F5 Customer Demo

BIG-IP AFM – Use Global Rules


F5 vLab document version 14.1.A
Written for: TMOS® Architecture v14.1
Virtual images:
BIGIPA_v14.1, LAMP_7
Windows_Server_2008, Windows_7_External (v9)

Estimated Completion Time: 15 minutes

The purpose of this demo is to show how to use BIG-IP AFM to create global rules to control access to virtual
servers and self IP addresses through the BIG-IP system. In this demo you will:

1. Show how current traffic to virtual servers and self IP addresses is allowed, including the ability to
ping all virtual servers and self IP addresses.
2. Create a BIG-IP AFM global rule to drop all ICMP ping requests.
3. Create a global rule blocking requests from specific locations, including the network containing the
LAMP server, Syria, and North Korea.
4. Use the accept decisively rule action to override a virtual server rule that rejects SSH access so that a
specific administrator will have SSH access to all virtual servers.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.


Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 5/7/2019


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.


Part 1 – Prepare the BIG-IP Demo Environment


• Required virtual images: BIGIPA_v14.1, Windows_Server_2008_v1, Windows_7_External (v9)
• Estimated completion time: 10 minutes

Prep Task 1 – Download and Open the Windows Server VMware Image
The BIG-IP AFM demos require the Windows Server VMware image. If you haven’t already downloaded and
configured this image, follow these steps. If you’ve already downloaded this image, you can move to task 2.

− Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.


− Click Virtual Lab Environment (vLab).
− Ensure that 4.0 is selected in the version list, then click vLab_files, and then accept the software terms
and conditions.
− Download and then unzip Windows_Server_2008_v1.zip.

For Windows Users


− In VMware Workstation go to File > Open.
− Navigate to the directory into which you unzipped the VMware image and open Windows_Server_2008.
− Select the Windows_Server_2008.vmx image file, and then click Open.
− Select Windows_Server_2008 from the VMware library, and then click Edit virtual machine settings.
− Select Network Adapter, then in the Network connection section select the Custom option, and then
select VMnet 3. This will provide access to the internal network.

For Mac Users


− In VMware Fusion go to File > Import.
− Navigate to the directory into which you unzipped the VMware image and open Windows_Server_2008.
− Select the Windows_Server_2008.vmx image file, and then click Open.
− Select Windows_Server_2008 from the VMware library, and then click Settings.
− Click Network Adapter, and then click the vmnet4 option. (NOTE: Ensure you have selected the
option button.)

For All Users


− In the VMware library start up the Windows_Server_2008 image.
− If necessary, go to VM > Send Ctrl+Alt+Del, and then log in as F5DEMO\admin_user / password.
− If necessary, manually update the time to match your local time.
o Click the clock and select Change date and time settings…
o Click Change date and time, then manually adjust the time to the current time, then click OK twice.

WWFE Lab Guides –BIG-IP AFM 01 Demo – Use Global Rules; v14.1.A Page | 1

Prep Task 2 – Provision AFM


Provision BIG-IP AFM on the BIG-IP system.

− In the VMware library start up the BIGIPA_v14.1 and Windows_7_External images.


− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following. (NOTE: Use the copy and paste guide in
the My Documents > Demo setup copy and paste guides directory.)
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license

→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).

− Once the clean_install archive file has loaded open Chrome or Firefox and click the BIGIP_A bookmark
and log into the BIG-IP system as admin / admin.F5demo.com
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal

Prep Task 3 – Create Firewall Policies


Create three network firewall policies that will be used during this demo, then attach the bigip_global_policy to
the global context, and then use TMSH commands to create two web applications to use during the demo.

− Open the Security > Network Firewall > Policies page and click Create.
− Name the policy server41_policy, and then click Repeat.
− Create two more policies named server42_policy and bigip_global_policy.
− Open the Security > Network Firewall > Active Rules page and click Global.
− From the Network Firewall > Enforcement list select Enabled, and then click Update.
− In putty copy and paste the following lines together:
tmsh create ltm pool server41_pool members add { 10.1.20.41:0 { address 10.1.20.41 } }
tmsh create ltm pool server42_pool members add { 10.1.20.42:0 { address 10.1.20.42 } }
tmsh create ltm virtual server41_virtual destination 10.1.10.41:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server41_policy pool server41_pool
tmsh create ltm virtual server42_virtual destination 10.1.10.42:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server42_policy pool server42_pool
tmsh save sys ucs demo_afm_global_rules_v14.1.ucs
exit


Part 2 – Deliver the BIG-IP Customer Demo


• Required virtual images: BIGIPA_v14.1, LAMP_v7, Windows_Server_2008_v1, Windows_7_External (v9)
• Estimated completion time: 15 minutes

BEFORE THE DEMO – Restore an Archive File


Use TMSH to restore the archive file you created in Part 1.

− In the VMware library start up the BIGIPA_v14.1, LAMP_v7, Windows_Server_2008, and
Windows_7_External images.
− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs demo_afm_global_rules_v14.1.ucs no-license

→NOTE: If you do not have the demo_afm_global_rules_v14.1.ucs archive file, complete part 1 of this
document.

− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Log into the LAMP workstation as Xubuntu with no password.

Demo Task 1 – Review Current Access Through the BIG-IP System


Examine how traffic is currently allowed through the BIG-IP system.

− In the Configuration Utility open the Virtual Server List page.


We have two virtual servers listening on all ports: 10.1.10.41 and 10.1.10.42.
− Open a new tab and click the following bookmarks:
o Demos > http://10.1.10.41
o Demos > http://10.1.10.41:8080
o Demos > https://10.1.10.42
o Demos > https://10.1.10.42:8443
o Demos > ftp://10.1.10.41
− From the desktop open putty and connect to 10.1.10.41, and then close putty without logging in.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.42, and then close the login dialog
box without logging in.
Currently we can access all available services on both virtual servers, including HTTP, HTTPS, FTP,
SSH, RDP, and ports 8080 and 8443.
− In the Configuration Utility open the Network > Self IPs page and click 10.1.10.240.
This is our external self IP address, which allows port 443, enabling us to access the
BIG-IP Configuration Utility.

− In the second tab edit the URL to https://10.1.10.240, and then close the tab.
− Open a command prompt and type the following as separate lines.
ping 10.1.10.240
ping 10.1.10.41

Currently the BIG-IP system accepts and responds to ICMP requests for self IP addresses and
virtual servers.

Demo Task 2 – Create a Global Rule to Drop ICMP Traffic


Use the Active Rules page to create a global rule that drops all ICMP requests.

− In the Configuration Utility open the Security > Network Firewall > Active Rules page.
We use this page to view, create, and modify network firewall rules for all BIG-IP contexts, including
the global context and the virtual server context.
− Click Add Rule, and then select Add rule to Global.

− Use the following information for the new rule, and then click Done Editing.
Name drop_icmp
Protocol ICMP
Action Reject

− Click Commit Changes to System.


− In the command prompt repeat the following command.
ping 10.1.10.240

We didn’t get ICMP replies; however, we did receive “Destination net unreachable”
messages from the BIG-IP system, because a Reject action actively refuses the request.
− In the Configuration Utility click drop_icmp.
− From the Action list select Drop, then click Done Editing, and then click Commit Changes to System.
− In the command prompt repeat the following commands separately.
ping 10.1.10.240 (type Ctrl+C after a couple of timed out messages.)
ping 10.1.10.41

We didn’t receive ICMP responses or destination unreachable messages from the BIG-IP system.
BIG-IP AFM is now blocking all ICMP messages.
− Close the command prompt.


Demo Task 3 – Reject Traffic from Specific Locations


Create a global rule to reject all traffic from specific locations.

− On the LAMP desktop open Firefox and access http://10.1.10.41.


− Right-click on the desktop and open a Terminal window and at the prompt type the following.
(Type yes when/if prompted.)
ssh root@10.1.10.42

This workstation is in a different network (10.1.20.0). We’ve identified this network as the source of
malicious requests and would like to block all access from this location, and in addition we’d like to
block all access from Syria and North Korea.
− In the Configuration Utility on the Active Rules page click Add Rule, and then select Add rule to Global.
− Add a rule using the following information, then click Done Editing, and then
click Commit Changes to System.
Name reject_specific_locations
Source 10.1.20.0/24 (Press Enter or click Add), Syrian Arab Republic
Korea, Democratic People’s Republic of
Action Reject

− Open a New incognito window (Chrome).

→NOTE: Using an incognito window is important because some of the requests you make will be
cached in the browser from the earlier request.

− In the incognito window click the following bookmarks:


o Demos > http://10.1.10.41
o Demos > http://10.1.10.41:8080
o Demos > https://10.1.10.42
− On the LAMP desktop in Firefox edit the URL to http://10.1.10.42.
− Edit the URL to http://10.1.10.42:8080.
− In the Terminal window type Ctrl+C, and then at the prompt repeat the following command.
ssh root@10.1.10.42

While the Windows workstation, connecting from a location that hasn’t been added to the rejected
location list, is still able to access all virtual servers, the LAMP workstation, connecting from a
rejected location, is no longer able to access any resources through BIG-IP AFM.


Demo Task 4 – Reject Traffic for Specific Ports


Create a global rule to reject all traffic on specific ports.

− In the Configuration Utility on the Active Rules page click Add Rule, and then select Add rule to Global.
− Add a rule using the following information, then click Done Editing, and then
click Commit Changes to System.
Name reject_ports
Protocol TCP
Destination 3389 (Press Enter or click Add)
8080 (Press Enter or click Add)
8443 (Press Enter or click Add)
Action Reject

− In the incognito window click the following bookmarks:


o Demos > http://10.1.10.41
o Demos > http://10.1.10.41:8080
o Demos > https://10.1.10.42
o Demos > https://10.1.10.42:8443
o Demos > ftp://10.1.10.41
− Close the page, and then go to Start > Remote Desktop Connection and connect to 10.1.10.42, and then
close RDP.
We’re now limited to accessing the virtual servers using HTTP, HTTPS, and FTP only.

Demo Task 5 – Use the Global Accept Decisively Action


Use the action of Accept Decisively with a global rule.

− In the Configuration Utility on the Active Rules page, from the Context list select Virtual Server, and then
select server41_virtual.

− Click Add Rule, and then select Add rule to Virtual Server.
− Use the following information for the new rule, then click Done Editing, and then
click Commit Changes to System.
Name reject_ssh
Protocol TCP
Destination 22 (Press Enter or click Add)
Action Reject

− Open putty and connect to 10.1.10.41, and then close putty.

− Open a new putty session and connect to 10.1.10.42, and then close putty.
We’re now specifically blocked from SSH access for virtual server 10.1.10.41 only, while still having
SSH access to virtual server 10.1.10.42. However, the BIG-IP system administrator, using workstation
10.1.10.199, did not want this. They wanted to have SSH access to all virtual servers, regardless of any
rules placed at the virtual server level.
− Click Add Rule, and then select Add rule to Global.
− Add a rule using the following information, then click Done Editing, and then
click Commit Changes to System.
Name accept_ssh_for_admin
Protocol TCP
Source 10.1.10.199/32 (Press Enter or click Add)
Destination 22 (Press Enter or click Add)
Action Accept

− Open putty and connect to 10.1.10.41, and then close putty.


We’re still blocked, because when a user matches a global Accept rule, BIG-IP AFM will then check to
see if the request also matches a more specific rule at a virtual server or self IP context. In this case,
although we matched the global Accept rule, we also matched the virtual server’s Reject rule.
− In the Configuration Utility click accept_ssh_for_admin, then from the Action list
select Accept Decisively, then click Done Editing, and then click Commit Changes to System.
− Open putty and connect to 10.1.10.41, and then close putty.
We can now access virtual server 10.1.10.41 using SSH. When a user matches a
global Accept Decisively rule, BIG-IP AFM immediately accepts the request and does not check
any other rules.
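The rule-evaluation behaviour shown in Tasks 2 through 5 (global context checked before the virtual server context; Accept defers to the more specific context while Accept Decisively, Drop and Reject end evaluation) can be modelled in a few lines. The following is an added illustration, not F5 code or the guide's own material: it rebuilds the demo's rules with the demo's addresses and names, omits the geolocation entries (no geo lookup here), and assumes the demo's default of accepting unmatched traffic.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str            # accept | accept-decisively | drop | reject
    protocol: str = ""     # icmp | tcp | "" = any protocol
    sources: tuple = ()    # source networks in CIDR form; empty = any
    dst_ports: tuple = ()  # destination ports; empty = any

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.sources and not any(ip_address(pkt["src"]) in ip_network(n) for n in self.sources):
            return False
        return not self.dst_ports or pkt.get("dport") in self.dst_ports

def first_match(rules, pkt):
    return next((r for r in rules if r.matches(pkt)), None)

def evaluate(global_rules, vs_rules, pkt):
    """Global context first. A global 'accept' still lets the virtual-server
    context decide; any other global action ends evaluation. No match = accept (demo default)."""
    g = first_match(global_rules, pkt)
    if g and g.action != "accept":
        return g.action, g.name
    v = first_match(vs_rules, pkt)
    if v:
        return v.action, v.name
    return "accept", g.name if g else "default"

def client_sees(action: str) -> str:
    # Reject answers with an unreachable/reset message; Drop is silent, so the client times out.
    return {"reject": "unreachable", "drop": "timeout"}.get(action, "reply")

# Rules as built during the demo (constructed here; geolocation sources omitted).
GLOBAL = [
    Rule("drop_icmp", "drop", protocol="icmp"),
    Rule("reject_specific_locations", "reject", sources=("10.1.20.0/24",)),
    Rule("reject_ports", "reject", protocol="tcp", dst_ports=(3389, 8080, 8443)),
    Rule("accept_ssh_for_admin", "accept", protocol="tcp", sources=("10.1.10.199/32",), dst_ports=(22,)),
]
SERVER41 = [Rule("reject_ssh", "reject", protocol="tcp", dst_ports=(22,))]

def admin_ssh_to_41(global_action: str):
    # Demo Task 5: the admin's SSH to 10.1.10.41 with the global rule set to accept vs accept-decisively.
    rules = [replace(r, action=global_action) if r.name == "accept_ssh_for_admin" else r for r in GLOBAL]
    return evaluate(rules, SERVER41, {"proto": "tcp", "src": "10.1.10.199", "dport": 22})
```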

That concludes this demonstration on using BIG-IP AFM global rules to control traffic through
the BIG-IP system.

AFTER THE DEMO – Reset the VMware Environment


− Click Log out, and then close the Configuration Utility.
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license
reboot
