Forum Discussion
AFM and asymmetric routing
Hi,
I am looking for a possible solution for this kind of scenario. I was checking the available docs and can't find any real solution that could work and be manageable using AFM.
- Two DC - DC1, DC2
- In each one AFM cluster - AFM1, AFM2
- Connection is entering DC1 via AFM1
- Returning traffic is leaving via DC2 and AFM2
Let's say it's a kind of nPath configuration. I can work out a solution that might work on the network side - like a VS with FastL4 and Loose close set on AFM1 (external) and another VS on AFM2 with FastL4 and both Loose initiation and Loose close set (internal) - but looking at the security side it seems to be a nightmare.
So maybe I am wrong with the above, or maybe there is some other way that can be implemented that will assure high security and asymmetric routing?
Piotr
15 Replies
- nitass_89166
Noctilucent
what version are you using?
there is a change in behavior in 11.5.1 hf4 and 11.6.0. ID461582 [Network Firewall] AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows.
now, afm checks the packet according to the loose-initiation setting.
version

root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version | grep -A 6 Main
Main Package
  Product     BIG-IP
  Version     11.6.0
  Build       4.0.420
  Edition     Hotfix HF4
  Date        Mon Feb 16 02:21:25 PST 2015

loose-initialization is not enabled (default)

root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual fwd
ltm virtual fwd {
    destination 0.0.0.0:0
    fw-enforced-policy mypolicy
    mask any
    profiles {
        fastL4 { }
    }
    security-log-profiles {
        mylog
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vs-index 2
}
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list security firewall policy mypolicy
security firewall policy mypolicy {
    rules {
        catchall {
            action accept
            log yes
        }
    }
}

client

[root@client1 ~] hping 200.200.200.101 -p 80 -A -c 3
HPING 200.200.200.101 (eth1 200.200.200.101): A set, 40 headers + 0 data bytes

--- 200.200.200.101 hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

trace

[root@ve11d:Active:Changes Pending] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:20:47.455508 IP 100.100.100.1.1654 > 200.200.200.101.80: . ack 226388079 win 512 in slot1/tmm0 lis=
04:20:48.456955 IP 100.100.100.1.1655 > 200.200.200.101.80: . ack 399103005 win 512 in slot1/tmm1 lis=
04:20:49.458900 IP 100.100.100.1.1656 > 200.200.200.101.80: . ack 2097896011 win 512 in slot1/tmm0 lis=

/var/log/ltm

[root@ve11d:Active:Changes Pending] config tail -f /var/log/ltm
Jun 12 04:20:43 ve11d notice tmm[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:36273
Jun 12 04:20:43 ve11d notice tmm1[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:36273
Jun 12 04:20:55 ve11d notice tmm[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:36273
Jun 12 04:20:55 ve11d notice tmm1[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:36273

loose-initialization is enabled

root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual fwd
ltm virtual fwd {
    destination 0.0.0.0:0
    fw-enforced-policy mypolicy
    mask any
    profiles {
        fastL4_stateless { }
    }
    security-log-profiles {
        mylog
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vs-index 2
}
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile fastl4 fastL4_stateless
ltm profile fastl4 fastL4_stateless {
    app-service none
    loose-close enabled
    loose-initialization enabled
}
root@(ve11d)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list security firewall policy mypolicy
security firewall policy mypolicy {
    rules {
        catchall {
            action accept
            log yes
        }
    }
}

client

[root@client1 ~] hping 200.200.200.101 -p 80 -A -c 3
HPING 200.200.200.101 (eth1 200.200.200.101): A set, 40 headers + 0 data bytes
len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=0 win=0 rtt=10.6 ms
len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=1 win=0 rtt=2.0 ms
len=46 ip=200.200.200.101 ttl=63 DF id=0 sport=80 flags=R seq=2 win=0 rtt=3.1 ms

--- 200.200.200.101 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.0/5.2/10.6 ms

trace

[root@ve11d:Active:Changes Pending] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:33:55.703826 IP 100.100.100.1.2414 > 200.200.200.101.80: . ack 190418598 win 512 in slot1/tmm0 lis=
04:33:55.705975 IP 200.200.200.222.2414 > 200.200.200.101.80: . ack 190418598 win 512 out slot1/tmm0 lis=/Common/fwd
04:33:55.710461 IP 200.200.200.101.80 > 200.200.200.222.2414: R 190418598:190418598(0) win 0 in slot1/tmm0 lis=/Common/fwd
04:33:55.710501 IP 200.200.200.101.80 > 100.100.100.1.2414: R 190418598:190418598(0) win 0 out slot1/tmm0 lis=/Common/fwd
04:33:56.702916 IP 100.100.100.1.2415 > 200.200.200.101.80: . ack 1485547836 win 512 in slot1/tmm1 lis=
04:33:56.703186 IP 200.200.200.222.2415 > 200.200.200.101.80: . ack 1485547836 win 512 out slot1/tmm1 lis=/Common/fwd
04:33:56.704113 IP 200.200.200.101.80 > 200.200.200.222.2415: R 1485547836:1485547836(0) win 0 in slot1/tmm1 lis=/Common/fwd
04:33:56.704125 IP 200.200.200.101.80 > 100.100.100.1.2415: R 1485547836:1485547836(0) win 0 out slot1/tmm1 lis=/Common/fwd
04:33:57.705045 IP 100.100.100.1.2416 > 200.200.200.101.80: . ack 436813289 win 512 in slot1/tmm0 lis=
04:33:57.705231 IP 200.200.200.222.2416 > 200.200.200.101.80: . ack 436813289 win 512 out slot1/tmm0 lis=/Common/fwd
04:33:57.706718 IP 200.200.200.101.80 > 200.200.200.222.2416: R 436813289:436813289(0) win 0 in slot1/tmm0 lis=/Common/fwd
04:33:57.706729 IP 200.200.200.101.80 > 100.100.100.1.2416: R 436813289:436813289(0) win 0 out slot1/tmm0 lis=/Common/fwd

/var/log/ltm

[root@ve11d:Active:Changes Pending] config tail -f /var/log/ltm
Jun 12 04:33:49 ve11d notice tmm[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:57409
Jun 12 04:33:49 ve11d notice tmm1[16284]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:57409
Jun 12 04:33:55 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2414","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2414","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00000000000000cc","unknown"
Jun 12 04:33:56 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2415","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2415","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00010000000000cc","unknown"
Jun 12 04:33:57 ve11d.acme.local info tmm[16284]: 23003137 "172.28.24.225","ve11d.acme.local","Virtual Server","/Common/fwd","No-lookup","100.100.100.1","No-lookup","200.200.200.101","2416","80","/Common/v1149","TCP","0","200.200.200.222","200.200.200.101","2416","80","/Common/v423","TCP","0","Enforced","/Common/mypolicy","catchall","Accept","","Automap","","00000000000000cd","unknown"
Jun 12 04:34:05 ve11d notice tmm[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:57409
Jun 12 04:34:05 ve11d notice tmm1[16284]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:57409
- dragonflymr
Cirrostratus
Hi, it will be a new installation, so the newest version, 11.6.0 HF4 or later (if available at deployment time). First of all thanks for the answer; second, sorry, but I am not yet so fluent in reading the CLI part. I assume that what you posted proves that asymmetrical routing could be used and it will work - am I right? So on AFM1 a wildcard with stateless FastL4, and a second one on AFM2? Is it not a kind of security hole? As far as I understand, both AFM clusters will not be aware that a session outgoing from the LAN is indeed legitimate, because it's part of a session that entered the LAN via another AFM. So what then about matching logs, as part of the session will be logged on one AFM and part on another? Will it not be a kind of nightmare for the admin? Then instead of one VS handling both incoming and outgoing traffic, two will be necessary: one for incoming traffic on the AFM1 group, a second for outgoing on the AFM2 group - and vice versa. Or maybe you set both Loose initiation and close to use the same wildcard for handling incoming traffic on AFM1 and outgoing traffic on AFM2 - so this VS is processing incoming traffic to the LAN and traffic that came via AFM2 and is going back via AFM1? Still, is that not creating security issues and complicating management and attack detection?
Piotr
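As an added illustration (not code from the thread or from F5), a small Python model of the behaviour the traces above show: a FastL4 wildcard VS drops non-SYN packets that have no flow unless loose-initialization is enabled, and AFM only matches and logs packets that actually create a flow. Replayed in the two-AFM asymmetric scenario from the original question, it also shows why enabling loose initiation on the return path lets any unsolicited ACK-only packet through under the catch-all rule. The flow table, policy and log line format are simplified assumptions, not BIG-IP internals; addresses are constructed sample values.

```python
# Added example, not code from the thread or from F5: a toy model of a FastL4
# wildcard virtual server with an AFM enforced policy, used to replay the
# asymmetric two-AFM scenario from the question. Flow table, policy and log
# line format are simplified assumptions, not BIG-IP internals.
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "R"


@dataclass
class Afm:
    name: str
    loose_init: bool            # fastL4 profile loose-initialization setting
    policy_accept: bool = True  # the thread's catch-all "action accept, log yes" rule
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.flows or (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return "forward"  # mid-stream packet of a known flow: no policy lookup
        pure_syn = "S" in pkt.flags and "A" not in pkt.flags
        if not pure_syn and not self.loose_init:
            # No flow and no SYN: LTM drops it before AFM ever matches a rule,
            # which is why the first trace above produces no 23003137 log line.
            return "drop-no-flow"
        # This packet will create a flow, so the policy is matched and logged (ID461582).
        verdict = "Accept" if self.policy_accept else "Drop"
        self.log.append(f'{self.name} "{pkt.src}","{pkt.dst}","{pkt.sport}","{pkt.dport}",'
                        f'"Enforced","catchall","{verdict}"')
        if verdict == "Accept":
            self.flows.add(key)
            return "forward"
        return "drop-policy"


def asymmetric_session(return_path_loose: bool) -> dict:
    """Client SYN enters via AFM1; the server's reply leaves via AFM2.

    AFM1 keeps the default (strict) profile; AFM2 uses loose-initialization
    when return_path_loose is True. Addresses are constructed sample values.
    """
    afm1 = Afm("AFM1", loose_init=False)
    afm2 = Afm("AFM2", loose_init=return_path_loose)
    syn = Packet("100.100.100.1", "200.200.200.101", 2414, 80, "S")
    syn_ack = Packet("200.200.200.101", "100.100.100.1", 80, 2414, "SA")
    # An unsolicited ACK-only packet with no handshake, like the hping -A probe above.
    ack_only = Packet("100.100.100.1", "200.200.200.101", 2415, 80, "A")
    return {
        "syn_via_afm1": afm1.handle(syn),
        "syn_ack_via_afm2": afm2.handle(syn_ack),
        "ack_only_via_afm2": afm2.handle(ack_only),
        "afm1_logged": len(afm1.log),
        "afm2_logged": len(afm2.log),
    }


if __name__ == "__main__":
    for loose in (False, True):
        print(f"AFM2 loose-initialization={loose}: {asymmetric_session(loose)}")
```

With loose-initialization on, the legitimate SYN-ACK and the unsolicited ACK-only probe are both accepted and logged under the same catch-all rule; only the policy's own rules, not handshake state, separate the two.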
- dragonflymr
Cirrostratus
BTW, is there any documentation I can read about ID461582 [Network Firewall] AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows? I tried searching both for ID461582 and for "AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows" and no docs with explicit material showed up.
Piotr
- nitass
Employee
> I assume that what you posted proves that asymmetrical routing could be used and it will work - Am I right?
yes
> Is it not kind of security hole?
yes, you can say that.
> is there any documentation I can read about ID461582 [Network Firewall] AFM behavioral change for ACL rule match and/or IP intelligence lookup for TCP flows?
i do not see it.
- dragonflymr
Cirrostratus
Thanks, that can save the project I am working on, at least there is some hope :-) Regarding this ID461582 - is that some internal F5 secret knowledge, or can I try to create a ticket to find out?
Piotr
- nitass
Employee
> is that some internal F5 secret knowledge, or can I try to create a ticket to find out?
i do not think it is secret knowledge. an ID is used to track a known issue, behavior change or improvement. if the behavior is not clear to you, you are free to open a support case to check.
- dragonflymr
Cirrostratus
I probably will, as this is a very important aspect of the project. Anyway, I found something like that in the 11.6.0 release notes: "461582 AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow, even if that packet would later be dropped by LTM, for example a FIN or RST packet. AFM no longer matches these packets, and LTM continues to drop them." Is that the same subject but expressed using a different sentence?
Piotr