
F5 Customer Demo

BIG-IP AFM – Use AFM in ADC Mode


F5 vLab document version 14.1.A
Written for: TMOS® Architecture v14.1
Virtual images:
BIGIPA_v14.1, LAMP_7
Windows_Server_2008, Windows_7_External (v9)

Estimated Completion Time: 20 minutes

The purpose of this demo is to show how to use BIG-IP AFM in its default ADC mode, where requests for all
virtual servers and self IP addresses are accepted. In this demo you will:

1. Show how the BIG-IP AFM ADC mode allows access to all virtual servers and self IP addresses from
both external and internal users.
2. Create rules for a virtual server to reject requests from specific locations and for specific ports.
3. Create rules for the external self IP address to only accept requests on HTTPS from a single source.
4. Show the built-in BIG-IP AFM logging and reports.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.


Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 5/7/2019


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.

Part 1 – Prepare the BIG-IP Demo Environment


• Required virtual images: BIGIPA_v14.1, Windows_Server_2008_v1, Windows_7_External (v9)
• Estimated completion time: 10 minutes

Prep Task 1 – Download and Open the Windows Server VMware Image
The BIG-IP AFM demos require the Windows Server VMware image. If you haven’t already downloaded and
configured this image, follow these steps. If you’ve already downloaded this image, you can move to task 2.

− Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.


− Click Virtual Lab Environment (vLab).
− Ensure that 4.0 is selected in the version list, then click vLab_files, and then accept the software terms
and conditions.
− Download and then unzip Windows_Server_2008_v1.zip.

For Windows Users


− In VMware Workstation go to File > Open.
− Navigate to the directory into which you unzipped the VMware image and open Windows_Server_2008.
− Select the Windows_Server_2008.vmx image file, and then click Open.
− Select Windows_Server_2008 from the VMware library, and then click Edit virtual machine settings.
− Select Network Adapter, then in the Network connection section select the Custom option, and then
select VMnet 3. This will provide access to the internal network.

For Mac Users


− In VMware Fusion go to File > Import.
− Navigate to the directory into which you unzipped the VMware image and open Windows_Server_2008.
− Select the Windows_Server_2008.vmx image file, and then click Open.
− Select Windows_Server_2008 from the VMware library, and then click Settings.
− Click Network Adapter, and then click the vmnet4 option. (NOTE: Ensure you have selected the
option button.)

For All Users


− In the VMware library start up the Windows_Server_2008 image.
− If necessary, go to VM > Send Ctrl+Alt+Del, and then log in as F5DEMO\admin_user / password.
− If necessary, manually update the time to match your local time.
o Click the clock and select Change date and time settings…
o Click Change date and time, then manually adjust the time to the current time, then click OK twice.

WWFE Lab Guides –BIG-IP AFM 02 Demo – Use AFM in ADC Mode; v14.1.A Page | 1

Prep Task 2 – Provision AFM


Provision BIG-IP AFM on the BIG-IP system.

− In the VMware library start up the BIGIPA_v14.1 and Windows_7_External images.


− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following. (NOTE: Use the copy and paste guide in
the My Documents > Demo setup copy and paste guides directory.)
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license

→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).

− Once the clean_install archive file has loaded open Chrome or Firefox and click the BIGIP_A bookmark
and log into the BIG-IP system as admin / admin.F5demo.com
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal

Prep Task 3 – Create Firewall Policies


Create two network firewall policies that will be used during this demo, and then use TMSH commands to create
an event log profile and a web application to use during the demo.

− Open the Security > Network Firewall > Policies page and click Create.
− Name the policy lorax_policy, and then click Repeat.
− Create another policy named selfIP_10.1.10.240_policy.
− In putty copy and paste the following lines together:
tmsh modify net self 10.1.10.240 fw-enforced-policy selfIP_10.1.10.240_policy allow-service add { tcp:22 }
tmsh create security log profile logging_profile { network add { logging_profile { filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled log-ip-errors enabled log-tcp-errors enabled log-tcp-events enabled log-translation-fields enabled } format { field-list { action date_time dest_ip dest_port drop_reason protocol src_ip src_port } type field-list } publisher local-db-publisher } } }
tmsh create ltm pool lorax_pool members add { 10.1.20.41:0 { address 10.1.20.41 } }
tmsh create ltm virtual lorax_virtual destination 10.1.10.41:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy lorax_policy pool lorax_pool security-log-profiles add { logging_profile }
tmsh save sys ucs demo_afm_adc_mode_v14.1.ucs
exit

Part 2 – Deliver the BIG-IP Customer Demo


• Required virtual images: BIGIPA_v14.1, LAMP_v7, Windows_Server_2008_v1, Windows_7_External
• Estimated completion time: 20 minutes

BEFORE THE DEMO – Restore an Archive File


Use TMSH to restore the archive file you created in Part 1.

− In the VMware library start up the BIGIPA_v14.1, LAMP_v7, Windows_Server_2008, and
Windows_7_External images.
− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs demo_afm_adc_mode_v14.1.ucs no-license

→NOTE: If you do not have the demo_afm_adc_mode_v14.1.ucs archive file, complete part 1 of this document.

− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Log into the LAMP workstation as Xubuntu with no password.

Demo Task 1 – Review Current Access Through the BIG-IP System


Examine how traffic is currently allowed through the BIG-IP system.

− In the Configuration Utility open the Virtual Server List page.


We have a virtual server using 10.1.10.41 listening on all ports.
− Open a new tab and click the following bookmarks:
o Demos > http://10.1.10.41
o Demos > http://10.1.10.41:8080
o Demos > https://10.1.10.41
o Demos > https://10.1.10.41:8443
o Demos > ftp://10.1.10.41
− From the desktop open putty and connect to 10.1.10.41, and then close putty without logging in.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.41, and then close the login dialog
box without logging in.
From the Windows workstation, on the external network, we can access lorax_virtual on several
ports, including HTTP, HTTPS, FTP, SSH, RDP, and ports 8080 and 8443.
− In the Configuration Utility open the Network > Self IPs page and click 10.1.10.240.
We have an external self IP address of 10.1.10.240 which allows access on ports 22 and 443.
− In the FTP tab edit the URL to https://10.1.10.240, and then close the tab without logging in.

− Open putty and connect to 10.1.10.240, and then close putty without logging in.
From the Windows workstation, on the external network, we can use the external self IP addresses to
access and manage the BIG-IP system using both HTTPS and SSH.
− On the LAMP desktop use Firefox to access http://10.1.10.41.
− Edit the URL to https://10.1.10.41:8080.
− Right-click on the desktop and open a Terminal window and at the prompt type the following.
(Type yes when/if prompted.)
ssh root@10.1.10.41

From the LAMP workstation, on the internal network, we can also access lorax_virtual using all
services.
− In the Configuration Utility open the Security > Options > Network Firewall page, and then examine
the Default Firewall Action settings.
These are the default settings when you provision BIG-IP AFM. Whenever a request comes in for a
virtual server or a self IP address, BIG-IP AFM will accept the request. This is also referred to as
running BIG-IP AFM in “ADC mode”. In ADC mode we don’t need to create accept firewall rules for
virtual servers or self IP addresses because access is granted by default, however we may want to
limit access by source location or by destination port.

Demo Task 2 – Create Rules for the Virtual Server


Use the Active Rules page to create rules for the virtual server.

− In the Configuration Utility open the Security > Network Firewall > Active Rules page.
We use this page to view, create, and modify network firewall rules for all BIG-IP contexts, including
the virtual server and self IP address contexts.
− From the Context list select Virtual Server, and then select lorax_virtual.

For lorax_virtual we want to reject requests from specific locations, and we also want to reject
requests for specific ports.
− Click Add Rule, and then select Add rule to Virtual Server.

− Use the following information for the new rule, and then click Done Editing.
Name reject_specific_locations
Source 10.1.20.0/24 (Press Enter or click Add), Syrian Arab Republic
Korea, Democratic People’s Republic of
Action Reject
Logging Yes (selected)

→NOTE: In this example we’re using 10.1.20.0/24 to represent a location we’ve identified as a
source of multiple malicious requests.

− Click Add Rule and select Add rule to Virtual Server, then use the following information for the new rule,
and then click Done Editing.
Name reject_ports
Protocol TCP
Destination 21 (Press Enter or click Add)
22 (Press Enter or click Add)
3389 (Press Enter or click Add)
8080 (Press Enter or click Add)
8443 (Press Enter or click Add)
Action Reject
Logging Yes (selected)

− Click Commit Changes to System.


− Open a New incognito window (Chrome).

→NOTE: Using an incognito window is important because some of the requests you make will be
cached in the browser from the earlier request.

− In the incognito window click the following bookmarks:


o Demos > http://10.1.10.41
o Demos > http://10.1.10.41:8080
o Demos > https://10.1.10.41
o Demos > https://10.1.10.41:8443
o Demos > ftp://10.1.10.41
− From the desktop open putty and connect to 10.1.10.41, and then close putty.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.41, and then close RDP.
− On the LAMP desktop reload the http://10.1.10.41:8081 page.
− Edit the URL to http://10.1.10.41 and reload the page if it isn’t immediately blocked.

− In the Terminal window type Ctrl+C, and then at the prompt repeat the following command.
ssh root@10.1.10.41

From the Windows workstation, on the 10.1.10.0 network, we can access the virtual server using HTTP
and HTTPS only; FTP, SSH, RDP, and ports 8080 and 8443 are rejected. From the LAMP workstation,
on the 10.1.20.0 network, all access to the virtual server is rejected.
A Lorax administrator has requested RDP access to the virtual server from his workstation only.
− In the Configuration Utility on the Active Rules page click Add Rule and select Add rule to Virtual Server.
− Use the following information for the new rule, then click Done Editing, and then
click Commit Changes to System.
Name accept_rdp_for_admin
Protocol TCP
Source 10.1.10.199/32 (Press Enter or click Add)
Destination 22 (Press Enter or click Add)
Action Accept
Logging Yes (selected)

− Go to Start > Remote Desktop Connection and connect to 10.1.10.41, and then close the login dialog
box without logging in.
− Open putty and connect to 10.1.10.41, and then close putty.
This specific Windows workstation, 10.1.10.199, now has RDP access to this virtual server, but still
doesn’t have SSH, FTP, or ports 8080 or 8443 access.
− In the Configuration Utility on the Active Rules page examine the order of the rules.
Note how important rule order is here. If this rule had been added below the reject_ports rule, the
administrator would have been rejected before reaching the accept rule.

Demo Task 3 – Create Rules for the External Self IP Address


Use the Active Rules page to create rules for the external self IP address.

− In the Configuration Utility on the Active Rules page, from the Context list select Self IP, and then
select 10.1.10.240.
For the external self IP 10.1.10.240 we want to limit access to HTTPS only, and only from a single
external host. All other BIG-IP system management should be done from the internal network
using the internal self IP address.
− Click Add Rule and select Add rule to Self IP, then use the following information for the new rule, and
then click Done Editing.
Name accept_external_https_from_admin
Protocol TCP
Source 10.1.10.199/32 (Press Enter or click Add)
Destination 443 (Press Enter or click Add)
Action Accept
Logging Yes (selected)

− Click Add Rule and select Add rule to Self IP, then use the following information for the new rule, and
then click Done Editing.
Name reject_all
Action Reject
Logging Yes (selected)

− Use your mouse to reorder the rules so that reject_all is below accept_external_https_from_admin, and
then click Commit Changes to System.
− In the blocked page edit the URL to https://10.1.10.240, and then close the page.
− Open putty and connect to 10.1.10.240, and then close putty.
We’ve now limited BIG-IP system management access on the external self IP address, allowing only
HTTPS access from a single external source.
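To make the first-match behaviour behind Demo Tasks 2 and 3 concrete (including the rule-order point the guide raises for accept_rdp_for_admin and reject_all), here is an added Python model of the two rule lists. It is an illustration written for this guide, not F5 code and not tmsh output: it assumes each context evaluates its rules top to bottom, the first rule whose source, protocol and destination port all match decides the action, and a request that matches no rule is accepted (ADC mode). Geolocation is simulated with a small constructed table, and the RDP rule uses port 3389 (the port reject_ports lists for RDP) so that the model reproduces the task's result of RDP accepted and SSH still rejected.

```python
"""First-match rule evaluation for the lorax_virtual and self IP contexts.

Added illustration for this guide; it is not F5 code and not tmsh output.
It models only the behaviour the demo shows: each context has an ordered
rule list, the first rule whose source, protocol and destination port all
match decides the action, and in ADC mode a request that matches no rule is
accepted. Geolocation is simulated with a small constructed table.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed stand-in for the geolocation database: source IP -> country code.
GEO_TABLE = {
    "10.1.10.199": "US",   # the Lorax administrator's workstation (from the guide)
    "203.0.113.10": "SY",  # constructed address standing in for Syrian Arab Republic
    "198.51.100.5": "KP",  # constructed address standing in for DPRK
}


@dataclass
class Rule:
    name: str
    action: str                                        # "accept" or "reject"
    sources: List[str] = field(default_factory=list)   # CIDRs or 2-letter country codes; empty = any
    protocol: Optional[str] = None                     # "tcp"/"udp"; None = any protocol
    dest_ports: Set[int] = field(default_factory=set)  # empty = any destination port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        if self.protocol and self.protocol != proto:
            return False
        if self.dest_ports and dport not in self.dest_ports:
            return False
        if not self.sources:
            return True
        addr = ip_address(src_ip)
        country = GEO_TABLE.get(src_ip)
        for src in self.sources:
            if len(src) == 2:                          # country code entry
                if country == src.upper():
                    return True
            elif addr in ip_network(src, strict=False):  # CIDR entry
                return True
        return False


def evaluate(rules: List[Rule], src_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, matched rule name). First match wins; no match -> default accept."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.action, rule.name
    return "accept", "<default>"   # ADC mode: no rule matched, request is accepted


# Demo Task 2 rules on lorax_virtual, with accept_rdp_for_admin above reject_ports
# as the guide requires. Port 3389 (RDP, as listed in reject_ports) is assumed here.
LORAX_VIRTUAL_RULES = [
    Rule("reject_specific_locations", "reject", sources=["10.1.20.0/24", "SY", "KP"]),
    Rule("accept_rdp_for_admin", "accept", sources=["10.1.10.199/32"],
         protocol="tcp", dest_ports={3389}),
    Rule("reject_ports", "reject", protocol="tcp", dest_ports={21, 22, 3389, 8080, 8443}),
]

# Demo Task 3 rules on self IP 10.1.10.240, after reject_all was moved below the accept.
SELF_IP_RULES = [
    Rule("accept_external_https_from_admin", "accept", sources=["10.1.10.199/32"],
         protocol="tcp", dest_ports={443}),
    Rule("reject_all", "reject"),
]


def rule_order_matters() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """The same RDP request from the admin workstation is accepted with
    accept_rdp_for_admin above reject_ports and rejected when the two are swapped."""
    correct = evaluate(LORAX_VIRTUAL_RULES, "10.1.10.199", "tcp", 3389)
    swapped = [LORAX_VIRTUAL_RULES[0], LORAX_VIRTUAL_RULES[2], LORAX_VIRTUAL_RULES[1]]
    wrong = evaluate(swapped, "10.1.10.199", "tcp", 3389)
    return correct, wrong


if __name__ == "__main__":
    checks = [
        ("lorax_virtual", LORAX_VIRTUAL_RULES, "10.1.10.199", 80),
        ("lorax_virtual", LORAX_VIRTUAL_RULES, "10.1.10.199", 22),
        ("lorax_virtual", LORAX_VIRTUAL_RULES, "10.1.10.199", 3389),
        ("lorax_virtual", LORAX_VIRTUAL_RULES, "10.1.20.41", 80),
        ("lorax_virtual", LORAX_VIRTUAL_RULES, "203.0.113.10", 443),
        ("self IP 10.1.10.240", SELF_IP_RULES, "10.1.10.199", 443),
        ("self IP 10.1.10.240", SELF_IP_RULES, "10.1.10.199", 22),
    ]
    for ctx, rules, src, port in checks:
        print(f"{ctx:<20} {src:>14} -> tcp/{port:<5} {evaluate(rules, src, 'tcp', port)}")
    print("rule order (correct, swapped):", rule_order_matters())
```

Running the script prints one line per request showing which rule decided it; the `<default>` result for the admin workstation on ports 80 and 443 is the ADC-mode default accept the guide describes, and `rule_order_matters()` reproduces the observation that placing the accept rule below reject_ports would reject the administrator before the accept rule is reached.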

Demo Task 4 – View Firewall Logging and Reporting


View the built-in BIG-IP AFM logging and reporting.

− In the Configuration Utility open the Security > Event Logs > Network > Firewall page and resize your
browser to fill your screen.
− To see more of the page, type the Ctrl key with the key.
− Sort the list in descending order by the Time column.

− In the search field replace the * with Reject, and then click Search. (You must remove the * for the filter
to work.)
− Examine the Source > Address and Destination > Port columns.
We can filter the network firewall log by specific criteria to view specific data.
− In the Configuration Utility open the Security > Reporting > Network > Enforced Rules page, and then
examine the Details section.
The default report shows all the network firewall contexts (virtual servers, self IP addresses, in
addition to global and route domain) that were matched in the last hour. We can see how many times
each virtual server processed either an Accept or a Reject rule.

→NOTE: It can take up to five minutes for all the report data to display.

− Change the Chart type to Stacked.

− From the View By list select Source IP Addresses (Enforced).

− In the Details section, click 10.1.10.199, then click /Common/lorax_virtual, and then
click <Unassigned>.
This displays how many times this IP address matched each rule.
− Navigate back to Source IP Address (Enforced).

− From the View By list select Rule Contexts (Enforced).


− In the Details section, click /Common/lorax_virtual, and then click <Unassigned>, and then
click reject_ports.
− From the View By list select Destination Ports (Enforced).
This displays all the ports that were rejected by this rule.
− Click Export, and then click Export again.

− Open the downloaded PDF.


At any time, we can export the report data. The export will include the exact current contents
displayed on the reports page.
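The Reject filter and the Source Address / Destination Port columns examined in Demo Task 4 can also be reproduced offline from exported records. The following added Python script (written for this guide, not F5 code) parses records laid out in the field order of the logging_profile created in Prep Task 3 (action date_time dest_ip dest_port drop_reason protocol src_ip src_port), keeps the Reject entries, and counts them by source address and by destination. The comma delimiter and the sample records are constructed assumptions: the guide shows the field list but not a captured record, so compare against a real record from your own system before relying on the delimiter.

```python
"""Parse and filter field-list firewall log records like those produced by the
logging_profile created in Prep Task 3 of this guide.

Added example, not F5 code. The field order is the profile's field-list; the
comma delimiter and the sample lines below are constructed assumptions.
"""
from collections import Counter
from typing import Dict, List

FIELD_LIST = ["action", "date_time", "dest_ip", "dest_port",
              "drop_reason", "protocol", "src_ip", "src_port"]
DELIMITER = ","  # assumption: separator used between field-list fields

# Constructed sample records in field-list order (not real BIG-IP output).
# drop_reason is left empty because these records are accept/reject matches.
SAMPLE_LOG = """\
Accept,2019-05-07 10:15:01,10.1.10.41,80,,TCP,10.1.10.199,51001
Reject,2019-05-07 10:15:03,10.1.10.41,22,,TCP,10.1.10.199,51002
Reject,2019-05-07 10:15:04,10.1.10.41,8080,,TCP,10.1.10.199,51003
Reject,2019-05-07 10:15:06,10.1.10.41,80,,TCP,10.1.20.41,40010
Accept,2019-05-07 10:15:07,10.1.10.41,3389,,TCP,10.1.10.199,51004
Reject,2019-05-07 10:15:09,10.1.10.240,22,,TCP,10.1.10.199,51005
Accept,2019-05-07 10:15:10,10.1.10.240,443,,TCP,10.1.10.199,51006
Reject,2019-05-07 10:15:11,10.1.10.41,21,,TCP,10.1.10.199,51007
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one record into a dict keyed by the profile's field names.
    A record with the wrong field count is rejected rather than silently misaligned."""
    parts = line.rstrip("\n").split(DELIMITER)
    if len(parts) != len(FIELD_LIST):
        raise ValueError(f"expected {len(FIELD_LIST)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELD_LIST, parts))


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of a log export."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def filter_action(records: List[Dict[str, str]], action: str) -> List[Dict[str, str]]:
    """Equivalent of replacing the * in the search field with 'Reject' (or 'Accept')."""
    return [r for r in records if r["action"].lower() == action.lower()]


def count_by(records: List[Dict[str, str]], *keys: str) -> Counter:
    """Count records by a tuple of field values, e.g. (src_ip,) or (dest_ip, dest_port)."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def reject_summary(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Summarise rejected requests the way the demo reads the log page:
    how many, from which source addresses, and to which destination ports."""
    rejects = filter_action(parse_log(text), "Reject")
    return {
        "total_rejects": len(rejects),
        "by_source": dict(count_by(rejects, "src_ip")),
        "by_dest_port": dict(count_by(rejects, "dest_ip", "dest_port")),
    }


if __name__ == "__main__":
    summary = reject_summary()
    print("rejected requests:", summary["total_rejects"])
    for (src,), n in sorted(summary["by_source"].items()):
        print(f"  source {src:<14} {n}")
    for (dst, port), n in sorted(summary["by_dest_port"].items()):
        print(f"  destination {dst}:{port:<5} {n}")
```

The strict field-count check in `parse_record` matters when a publisher other than local-db-publisher is used: a truncated or reformatted record would otherwise shift every following column, and a port would be read as a source address without any error.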

That concludes this demonstration on using BIG-IP AFM in the default ADC mode, where access to all
virtual server and self IP address listeners is accepted by default, and where we create reject or drop
rules to block access from specific locations or to specific ports.

AFTER THE DEMO – Reset the VMware Environment


− Click Log out, and then close the Configuration Utility.
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license
reboot
