F5 Customer Demo: Big-Ip Afm - Use Afm in Adc Mode
The purpose of this demo is to show how to use BIG-IP AFM in its default ADC mode, where requests for all
virtual servers and self IP addresses are accepted unless a rule says otherwise. In this demo you will:
1. Show how the BIG-IP AFM ADC mode allows access to all virtual servers and self IP addresses from
both external and internal users.
2. Create rules for a virtual server to reject requests from specific locations and for specific ports.
3. Create rules for the external self IP address to only accept HTTPS requests from a single source.
4. Show the built-in BIG-IP AFM logging and reports.
Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
Part 1 – Prepare the BIG-IP Demo Environment
Prep Task 1 – Download and Open the Windows Server VMware Image
The BIG-IP AFM demos require the Windows Server VMware image. If you haven’t already downloaded and
configured this image, follow these steps. If you’ve already downloaded this image, you can move to task 2.
WWFE Lab Guides –BIG-IP AFM 02 Demo – Use AFM in ADC Mode; v14.1.A Page | 1
→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).
− Once the clean_install archive file has loaded, open Chrome or Firefox, click the BIGIP_A bookmark,
and log into the BIG-IP system as admin / admin.F5demo.com.
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal
− Open the Security > Network Firewall > Policies page and click Create.
− Name the policy lorax_policy, and then click Repeat.
− Create another policy named selfIP_10.1.10.240_policy.
− In PuTTY (an SSH session to the BIG-IP system), copy and paste the following lines together. Each tmsh command is a single line:
tmsh modify net self 10.1.10.240 fw-enforced-policy selfIP_10.1.10.240_policy allow-service add { tcp:22 }
tmsh create security log profile logging_profile { network add { logging_profile { filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled log-ip-errors enabled log-tcp-errors enabled log-tcp-events enabled log-translation-fields enabled } format { field-list { action date_time dest_ip dest_port drop_reason protocol src_ip src_port } type field-list } publisher local-db-publisher } } }
tmsh create ltm pool lorax_pool members add { 10.1.20.41:0 { address 10.1.20.41 } }
tmsh create ltm virtual lorax_virtual destination 10.1.10.41:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy lorax_policy pool lorax_pool security-log-profiles add { logging_profile }
tmsh save sys ucs demo_afm_adc_mode_v14.1.ucs
exit
Part 2 – Deliver the BIG-IP Customer Demo
→NOTE: If you do not have the demo_afm_adc_mode_v14.1.ucs archive file, complete part 1 of this document.
− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Log into the LAMP workstation as Xubuntu with no password.
− Open PuTTY and connect to 10.1.10.240, and then close PuTTY without logging in.
From the Windows workstation, on the external network, we can use the external self IP address to
access and manage the BIG-IP system using both HTTPS and SSH.
− On the LAMP desktop use Firefox to access http://10.1.10.41.
− Edit the URL to https://10.1.10.41:8080.
− Right-click on the desktop and open a Terminal window and at the prompt type the following.
(Type yes when/if prompted.)
ssh root@10.1.10.41
From the LAMP workstation, on the internal network, we can also access lorax_virtual using all
services.
− In the Configuration Utility open the Security > Options > Network Firewall page, and then examine
the Default Firewall Action settings.
These are the default settings when you provision BIG-IP AFM. Whenever a request comes in for a
virtual server or a self IP address, BIG-IP AFM will accept the request. This is also referred to as
running BIG-IP AFM in “ADC mode”. In ADC mode we don’t need to create accept firewall rules for
virtual servers or self IP addresses because access is granted by default, however we may want to
limit access by source location or by destination port.
− In the Configuration Utility open the Security > Network Firewall > Active Rules page.
We use this page to view, create, and modify network firewall rules for all BIG-IP contexts, including
the virtual server and self IP address contexts.
− From the Context list select Virtual Server, and then select lorax_virtual.
For lorax_virtual we want to reject requests from specific locations, and we also want to reject
requests for specific ports.
− Click Add Rule, and then select Add rule to Virtual Server.
− Use the following information for the new rule, and then click Done Editing.
Name: reject_specific_locations
Source: 10.1.20.0/24 (Press Enter or click Add), plus the countries Syrian Arab Republic and
Korea, Democratic People’s Republic of
Action: Reject
Logging: Yes (selected)
→NOTE: In this example we’re using 10.1.20.0/24 to represent a location we’ve identified as a
source of multiple malicious requests.
− Click Add Rule and select Add rule to Virtual Server, then use the following information for the new rule,
and then click Done Editing.
Name: reject_ports
Protocol: TCP
Destination (ports): 21, 22, 3389, 8080, 8443 (Press Enter or click Add after each port)
Action: Reject
Logging: Yes (selected)
→NOTE: Using an incognito window is important because some of the requests you make would otherwise be
served from the browser cache left by the earlier request, hiding the effect of the new rules.
− In the Terminal window press Ctrl+C, and then at the prompt repeat the following command.
ssh root@10.1.10.41
From the Windows workstation, on the 10.1.10.0 network, we can access the virtual server using HTTP
and HTTPS only. FTP, SSH, RDP, and ports 8080 and 8443 are rejected. From the LAMP workstation,
on the 10.1.20.0 network, all access to the virtual server is rejected.
A Lorax administrator has requested RDP access to the virtual server from his workstation only.
− In the Configuration Utility on the Active Rules page click Add Rule and select Add rule to Virtual Server.
− Use the following information for the new rule, then click Done Editing, and then
click Commit Changes to System.
Name: accept_rdp_for_admin
Protocol: TCP
Source: 10.1.10.199/32 (Press Enter or click Add)
Destination (port): 3389 (Press Enter or click Add)
Action: Accept
Logging: Yes (selected)
− Go to Start > Remote Desktop Connection and connect to 10.1.10.41, and then close the login dialog
box without logging in.
− Open PuTTY and connect to 10.1.10.41, and then close PuTTY.
This specific Windows workstation, 10.1.10.199, now has RDP access to this virtual server, but still
doesn’t have SSH, FTP, or port 8080 or 8443 access.
− In the Configuration Utility on the Active Rules page examine the order of the rules.
Note how important rule order is here. Rules are evaluated top to bottom and the first match decides the
action. If this rule had been added below the reject_ports rule, the administrator’s RDP request would have
matched reject_ports first and been rejected before ever reaching the accept rule.
− In the Configuration Utility on the Active Rules page, from the Context list select Self IP, and then
select 10.1.10.240.
For the external self IP 10.1.10.240 we want to limit access to HTTPS only, and only from a single
external host. All other BIG-IP system management should be done from the internal network
using the internal self IP address. Keep in mind that these rules are applied in addition to the self IP’s
Port Lockdown (allow-service) setting configured in Part 1; a service must be permitted by both.
− Click Add Rule and select Add rule to Self IP, then use the following information for the new rule, and
then click Done Editing.
Name: accept_external_https_from_admin
Protocol: TCP
Source: 10.1.10.199/32 (Press Enter or click Add)
Destination (port): 443 (Press Enter or click Add)
Action: Accept
Logging: Yes (selected)
− Click Add Rule and select Add rule to Self IP, then use the following information for the new rule, and
then click Done Editing.
Name: reject_all
Action: Reject
Logging: Yes (selected)
− Use your mouse to reorder the rules so that reject_all is below accept_external_https_from_admin, and
then click Commit Changes to System. (A new rule is inserted at the top of the list, so without this step
reject_all would match every request first and the accept rule would never fire.)
− In the blocked page edit the URL to https://10.1.10.240, and then close the page.
− Open PuTTY and connect to 10.1.10.240, and then close PuTTY.
We’ve now limited BIG-IP system management access on the external self IP address, allowing only
HTTPS access from a single external source.
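The two ordering points made above, accept_rdp_for_admin above reject_ports on lorax_virtual and accept_external_https_from_admin above reject_all on the self IP, can be checked offline with the following model. This is example code added to this guide; it is not F5 code and does not talk to a BIG-IP. It only reproduces the decision logic the Active Rules page describes: rules are evaluated top to bottom, the first match decides, and in ADC mode the context default is Accept. The rule contents mirror the GUI steps; the request addresses 10.1.10.50 and 203.0.113.7 are constructed, and geolocation matching is approximated by a constructed geo tag on the request rather than a real GeoIP lookup.

```python
"""First-match model of the two AFM policies built in this demo.

Example code added to this guide, not F5 code: it does not talk to a
BIG-IP, it only reproduces the decision logic the Active Rules page
describes (rules evaluated top to bottom, first match wins, and in ADC
mode the context default is Accept). Rule contents mirror the GUI steps;
geolocation sources are approximated by a constructed `geo` tag on the
request rather than a real GeoIP lookup.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept", "reject" or "drop"
    src_nets: Tuple[str, ...] = ()     # CIDR sources; empty = any
    src_geo: Tuple[str, ...] = ()      # ISO country codes; empty = any
    protocol: Optional[str] = None     # "tcp", "udp"; None = any
    dst_ports: Tuple[int, ...] = ()    # destination ports; empty = any

    def matches(self, src: str, geo: Optional[str], proto: str, port: int) -> bool:
        # The address list and the geo list of one rule are alternatives.
        if self.src_nets or self.src_geo:
            in_net = any(ip_address(src) in ip_network(n) for n in self.src_nets)
            if not (in_net or geo in self.src_geo):
                return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.dst_ports and port not in self.dst_ports:
            return False
        return True


def evaluate(rules, src, proto, port, geo=None, default="accept"):
    """Return (action, rule name) of the first matching rule, else the context default."""
    for rule in rules:
        if rule.matches(src, geo, proto, port):
            return rule.action, rule.name
    return default, "<default>"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every request `inner` could match is already matched by `outer`."""
    if outer.src_nets or outer.src_geo:
        if not (inner.src_nets or inner.src_geo):
            return False
        nets_ok = all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer.src_nets)
                      for i in inner.src_nets)
        if not nets_ok or not set(inner.src_geo) <= set(outer.src_geo):
            return False
    if outer.protocol is not None and outer.protocol != inner.protocol:
        return False
    if outer.dst_ports and not (inner.dst_ports and set(inner.dst_ports) <= set(outer.dst_ports)):
        return False
    return True


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(_covers(e, r) for e in rules[:i])]


# lorax_virtual rules, top to bottom, as they stand after the demo's steps
# (each Add Rule inserts at the top, so the last-added accept rule is first).
REJECT_LOCATIONS = Rule("reject_specific_locations", "reject",
                        src_nets=("10.1.20.0/24",), src_geo=("SY", "KP"))
REJECT_PORTS = Rule("reject_ports", "reject", protocol="tcp",
                    dst_ports=(21, 22, 3389, 8080, 8443))
ACCEPT_RDP = Rule("accept_rdp_for_admin", "accept", src_nets=("10.1.10.199/32",),
                  protocol="tcp", dst_ports=(3389,))
LORAX_POLICY = [ACCEPT_RDP, REJECT_PORTS, REJECT_LOCATIONS]
LORAX_POLICY_MISORDERED = [REJECT_PORTS, REJECT_LOCATIONS, ACCEPT_RDP]

# self IP 10.1.10.240 rules after the reorder step, and before it.
ACCEPT_HTTPS = Rule("accept_external_https_from_admin", "accept",
                    src_nets=("10.1.10.199/32",), protocol="tcp", dst_ports=(443,))
REJECT_ALL = Rule("reject_all", "reject")
SELFIP_POLICY = [ACCEPT_HTTPS, REJECT_ALL]
SELFIP_POLICY_MISORDERED = [REJECT_ALL, ACCEPT_HTTPS]

if __name__ == "__main__":
    # Constructed sample requests: 10.1.10.50 stands for another Windows host,
    # 203.0.113.7 for an address a GeoIP lookup would place in KP.
    for who, src, port, geo in [("admin RDP", "10.1.10.199", 3389, None),
                                ("admin SSH", "10.1.10.199", 22, None),
                                ("Windows HTTPS", "10.1.10.50", 443, None),
                                ("LAMP HTTP", "10.1.20.41", 80, None),
                                ("KP source HTTP", "203.0.113.7", 80, "KP")]:
        print(who, evaluate(LORAX_POLICY, src, "tcp", port, geo))
    print("shadowed in misordered lorax policy:", shadowed_rules(LORAX_POLICY_MISORDERED))
    print("shadowed in misordered self IP policy:", shadowed_rules(SELFIP_POLICY_MISORDERED))
```

Run it with python3 to print the decision for each sample request. The shadowed_rules check is the kind of test to run before clicking Commit Changes to System: a rule whose sources, protocol and ports are all covered by an earlier rule can never fire, which is exactly the failure the reorder steps above avoid.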
− In the Configuration Utility open the Security > Event Logs > Network > Firewall page and resize your
browser to fill your screen.
− To see more of the page, zoom out by pressing the Ctrl key together with the - (minus) key.
− Sort the list in descending order by the Time column.
− In the search field replace the * with Reject, and then click Search. (You must remove the * for the filter
to work.)
− Examine the Source > Address and Destination > Port columns.
We can filter the network firewall log by specific criteria to view specific data.
− In the Configuration Utility open the Security > Reporting > Network > Enforced Rules page, and then
examine the Details section.
The default report shows all the network firewall contexts (virtual servers, self IP addresses, in
addition to global and route domain) that were matched in the last hour. We can see how many times
each virtual server processed either an Accept or a Reject rule.
→NOTE: It can take up to five minutes for all the report data to display.
− From the View By list select Source IP Addresses (Enforced).
− In the Details section, click 10.1.10.199, then click /Common/lorax_virtual, and then
click <Unassigned>.
This displays how many times this IP address matched each rule.
− Navigate back to Source IP Address (Enforced).
That concludes this demonstration on using BIG-IP AFM in the default ADC mode, where access to all
virtual server and self IP address listeners is accepted by default, and where we create reject or drop
rules to block access from specific locations or to specific ports.