Piotr_Lewandows
Feb 16, 2018

AFM Firewall and NAT policies - how to implement

Hi,

I need to implement policies for a few hundred src IP, dst IP, SNAT and NAT combinations. Something like this, all related to 13.1.0.1:

For a given dst IP:

  • Allow traffic from a given set of IPs
  • For a given set of dst ports, change the dst IP (and sometimes the port) to a given IP

For a given dst IP there could be dozens of such rules.

I am looking for real-life advice on which way would be better, maybe because of aspects I am not aware of, like easier troubleshooting, easier log checking or anything else.

Right now I can see two ways to implement this:

  • One wildcard IP and port VS
    • One FW policy containing all source/destination definitions
    • One NAT policy containing all destination port/destination IP and port definitions
  • One VS per destination IP (so FW rules do not need to check the destination IP, only the source IP)
    • One FW policy containing all source/destination definitions related to this dst IP
    • One NAT policy containing all destination port/destination IP and port definitions

In the first case I will have single policies with hundreds of rules (or rule lists in the case of the FW policy), which makes it harder to figure out what is in fact configured (sure, filtering can be used).

In the second case it is easier to figure out what was set for a given destination IP.

I am a bit lost here as to what would be better for real-life management, maintenance and troubleshooting.

What complicates things even more is that some configuration has to be repeated for both the FW and the NAT policy.

For example (at least in my test) the NAT policy has to have the Destination IP configured (the same one as in the Firewall policy). I can understand the reason for that, but it leaves room for mistakes, for example a different dst IP in the FW policy than in the matching NAT policy.

I hoped it could be resolved by applying the NAT policy to the VS, so it automatically picks up the VIP and uses it as the destination, but that seems not to be the case.

Any advice highly appreciated.

Piotr

  • Peter_Mills_697
    Historic F5 Account

    AFM NAT (CGNAT) is applied after the AFM Firewall rules because it is pointless spending time processing traffic which will be dropped anyway. It seems popular to use a wildcard Virtual Server and attach an AFM policy to it containing a long set of AFM rules.

    • dragonflymr

      Hi,

      Thanks for the answer. Probably you are right, but in some cases the wildcard approach does not work, especially when rules are attached to a non-wildcard VS.

      Piotr

  • Maybe an example will help.

    Let's say we have two dst IPs:

    • 192.168.177.20
    • 192.168.177.21

    Rules that need to be implemented:

    • Traffic to 192.168.177.20:80; SNAT Dynamic PAT 192.168.173.10:any; Static NAT 192.168.173.50:80
    • Traffic to 192.168.177.20:88, 1234, 1300-1370, 5698; SNAT Dynamic PAT 192.168.173.11:any; Static NAT 192.168.173.51:same ports
    • Traffic to 192.168.177.20:168; SNAT Dynamic PAT 192.168.173.10:any; Static PAT 192.168.173.51:3168
    • Traffic to 192.168.177.21:80 allowed only from 192.168.100.1, .10-23, 192.168.101.20; SNAT Dynamic PAT 192.168.173.10:any; Static NAT 192.168.173.60:80 and so on

    Piotr
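The thread's main worry is that the same destination IP and ports have to be repeated in the FW policy and in the NAT policy, so a typo in one of them silently breaks the pairing. The block below is an added example, not code from the thread and not F5 tooling: it models the rule table from the post above as plain Python data (port lists and the `.10-23` source shorthand are parsed in the post's own notation) and cross-checks the two sides before anything is pushed to the box. The `FwRule`/`NatRule` classes, the function names and the deliberately mistyped `192.168.177.22` NAT rule are all assumptions of this example.

```python
"""Added example (not from the thread, not F5 code): model the post's firewall
allow rules and NAT rules as data and cross-check them, so a NAT rule the
firewall never lets traffic reach, or an allow rule with no NAT behind it,
is reported before anything is pushed. Addresses are the post's or constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address


def parse_ports(spec: str) -> frozenset[int] | None:
    """'88, 1234, 1300-1370, 5698' -> frozenset of ports; 'any' -> None (all)."""
    if spec.strip().lower() == "any":
        return None
    ports: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)


def parse_sources(spec: str) -> tuple[tuple[IPv4Address, IPv4Address], ...]:
    """'192.168.100.1, .10-23, 192.168.101.20' -> ((first, last), ...). A part
    starting with '.' reuses the previous address's first three octets, as in
    the post's shorthand; 'any' -> () meaning any source."""
    if spec.strip().lower() == "any":
        return ()
    ranges, prefix = [], None
    for part in spec.split(","):
        part = part.strip()
        if part.startswith("."):           # '.10-23' shorthand from the post
            if prefix is None:
                raise ValueError("relative range needs a preceding full address")
            part = prefix + part
        first, _, last = part.partition("-")
        prefix = first.rsplit(".", 1)[0]   # '192.168.100'
        last = last or first               # single address
        if "." not in last:                # '192.168.100.10-23': last octet only
            last = f"{prefix}.{last}"
        ranges.append((IPv4Address(first), IPv4Address(last)))
    return tuple(ranges)


@dataclass(frozen=True)
class FwRule:
    dst_ip: str
    dst_ports: frozenset[int] | None   # None = any port
    sources: tuple = ()                # () = any source


@dataclass(frozen=True)
class NatRule:
    dst_ip: str
    dst_ports: frozenset[int] | None
    snat_ip: str                       # dynamic PAT source
    xlate_ip: str                      # static NAT destination
    xlate_port: int | None = None      # None = keep the original port


def fw_allows(fw_rules: list[FwRule], src: str, dst_ip: str, dst_port: int) -> bool:
    """Would the allow rules pass src -> dst_ip:dst_port? (Evaluated before NAT.)"""
    s = IPv4Address(src)
    return any(r.dst_ip == dst_ip and (r.dst_ports is None or dst_port in r.dst_ports)
               and (not r.sources or any(lo <= s <= hi for lo, hi in r.sources))
               for r in fw_rules)


def _gaps(rules_a, rules_b, label: str) -> list[str]:
    """Ports in rules_a that no rule in rules_b covers for the same dst IP."""
    issues = []
    for a in rules_a:
        same_dst = [b for b in rules_b if b.dst_ip == a.dst_ip]
        if a.dst_ports is None:
            if not any(b.dst_ports is None for b in same_dst):
                issues.append(f"{label}: {a.dst_ip}:any has no full counterpart")
            continue
        missing = sorted(p for p in a.dst_ports if not any(
            b.dst_ports is None or p in b.dst_ports for b in same_dst))
        if missing:
            issues.append(f"{label}: {a.dst_ip} ports {missing} have no counterpart")
    return issues


def unmatched(fw_rules: list[FwRule], nat_rules: list[NatRule]) -> list[str]:
    """NAT rules the firewall never lets traffic reach, then allow rules with
    no NAT behind them (the 'different dst IP in FW vs NAT policy' slip)."""
    return (_gaps(nat_rules, fw_rules, "NAT without allow")
            + _gaps(fw_rules, nat_rules, "allow without NAT"))


# Rule table from the post, plus one deliberate slip for the check to catch:
# the NAT rule for 192.168.177.21 has its destination mistyped as .22.
FW_RULES = [
    FwRule("192.168.177.20", parse_ports("80")),
    FwRule("192.168.177.20", parse_ports("88, 1234, 1300-1370, 5698")),
    FwRule("192.168.177.20", parse_ports("168")),
    FwRule("192.168.177.21", parse_ports("80"),
           parse_sources("192.168.100.1, .10-23, 192.168.101.20")),
]
NAT_RULES = [
    NatRule("192.168.177.20", parse_ports("80"), "192.168.173.10", "192.168.173.50"),
    NatRule("192.168.177.20", parse_ports("88, 1234, 1300-1370, 5698"), "192.168.173.11", "192.168.173.51"),
    NatRule("192.168.177.20", parse_ports("168"), "192.168.173.10", "192.168.173.51", 3168),
    NatRule("192.168.177.22", parse_ports("80"), "192.168.173.10", "192.168.173.60"),  # typo
]

if __name__ == "__main__":
    for issue in unmatched(FW_RULES, NAT_RULES):
        print(issue)
```

Run as a script it prints two findings: the NAT rule for `192.168.177.22` that the firewall would never let traffic reach, and the allow rule for `192.168.177.21:80` with no NAT behind it, which is exactly the pair of symptoms one mistyped destination produces when the same value has to live in both policies. Keeping the table in one place and generating both policies from it (whichever of the two VS layouts from the question is chosen) removes the duplication the post complains about; the check above is the safety net if the two policies are still maintained by hand.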