Forum Discussion
AFM Firewall and NAT policies - how to implement
Hi,
I need to implement policies for few hundreds src IP, dst IP SNAT and NAT combinations. Something like that, all related to 13.1.0.1:
For given dst IP:
- Allow traffic from given set of IPs
- For given set of dst ports change dst IP (sometimes as well as port) to given IP
For given dst IP there could be dozens of such rules.
I am looking for real life advice which way would be better - maybe because of aspects I am not aware off, like easier troubleshooting, easier log checking anything else.
Right now I can see two ways to implement:
-
One wildcard IP and port VS
- One FW policy containing all source/destination definitions
- One NAT policy containing all destination port/destination IP and port definitions
-
One VS per each destination IP (so FW rules do not need to check destination IP only source IP)
- One FW policy containing all source/destination definitions related to this dst IP
- One NAT policy containing all destination port/destination IP and port definitions
In first case I will have single policies with hundreds of rules (or rule lists in case of FW policy) - seems harder to figure out what is in fact configured (sure filtering can be used)
In second case it is easier to figure out what was set for given destination IP
I am a bit lost here what would be better for real life management, maintenance and troubleshooting.
What is complicating things even more some configuration has to be repeated for both FW and NAT policy.
For example (at least in my test) NAT policy has to have Destination IP configured (same one as in Firewall policy). I can understand the reason for that but it makes space for mistakes, for example different dst IP in FW policy that in matching NAT policy.
I hoped it could be resolved by applying NAT policy to VS - so it automatically pick up VIP and will use it as destination, but it seems not be a case.
Any advice highly appreciated.
Piotr
- dragonflymrCirrostratus
Maybe example will help.
Let's say we have two dst IP:
- 192.168.177.20
- 192.168.177.21
Rules necessary to be implemented:
- Traffic to 192.168.177.20:80; SNAT Dynamic PAT 192.168.173.10:any; Static NAT 192.168.173.50:80
- Traffic to 192.168.177.20:88, 1234, 1300-1370, 5698; SNAT Dynamic PAT 192.168.173.11:any; Static NAT 192.168.173.51:same ports
- Traffic to 192.168.177.20:168; SNAT Dynamic PAT 192.168.173.10:any; Static PAT 192.168.173.51:3168
- Traffic to 192.168.177.21:80 allowed only from 192.168.100.1, .10-23, 192.168.101.20; SNAT Dynamic PAT 192.168.173.10:any; Static NAT 192.168.173.60:80 and so on
Piotr
- Peter_Mills_697Historic F5 Account
AFM NAT(CGNAT) is applied after AFM Firewall rules because it is pointless spending time processing traffic which will be dropped anyway. It seems popular to use a wildcard Virtual Server and attach an AFM policy to it containing a long set of AFM rules.
- dragonflymrCirrostratus
Hi,
Thanks for answer. Probably you are right, but it some cases wildcard approach do not work, especially when rules are attached to non wildcard VS.
Piotr
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com