Forum Discussion

Biche_XD_185704's avatar
Biche_XD_185704
Icon for Nimbostratus rankNimbostratus
Nov 13, 2017

[APM] ACL Interest

Hi, I'm integrating VPNSSL F5 by using APM since many week.

Our users population are susceptible to use the following elements :

  • Portal Access
  • RDP Access
  • Network Access

My questions are about Network Access. Today, I use Network Access to allocate the same IP address inside and outside the entreprise (F5 has in interface in all my entreprise LAN).

After that I have as many Forwading VS than Entreprise LAN. On each forwarding IP I've I this irule :

when CLIENT_ACCEPTED {
  if {
    [IP::addr [IP::client_addr] equals 192.168.160.0/255.255.254.0] } {
    node 192.168.160.1
    } else {
      log local0. "[IP::client_addr] access problem"
      reject
    }
}

This Irule send to gateway 192.168.160.1 if the Network Access IP is in 192.168.160.0/23 range.

This system works perfectly but i've questions about that :

I've have an ACL that looks like this :

  • Src : 192.168.160.0/23
  • Destination : 0.0.0.0
  • Port : Any
  • Allow

My firewall are here to do filtering, not APM.

Since this morning I realized that if I remove this ACL, nothing change, all works perfectly too.

My F5 is not supposed to filter if there is no ACL ? In this case, what is intereset off ACL (only portal mode) ?

Thanks a lot for yours answers

  • If no ACL is assigned to a APM session, nothing is blocked.

     

    The main goal of ACL is to manage authorization based on user session (group membership, partners not allowed to some networks, ...)

     

    Network firewall will manage filter based on IP, APM will manage filter based on multiple criteria. that's why the product is called Access Policy Manager :-)

     

    ACL can be used for L4 (with Network Access) and / or for L7 (portal access, remote desktop, App Tunnel).

     

    If a L4 ACL matches a L7 request because L4 ACL is above Portal Access ACL with SSO, action of L4 will be applied without SSO.

     

    when working with portal access, all requests are initiated with APM IP. the firewall won't be able to filter which user is allowed to access resources.

     

    If you don't put a default drop ACL with the higher number, a user connected to a portal access will be allowed to browse all internal resources by APM. if the APM have a default drop ACL, it will display a blocking page, if this is done by the firewall, the request will be dropped without blocking page.