Forum Discussion

Norris_141656's avatar
Norris_141656
Icon for Nimbostratus rankNimbostratus
Jan 19, 2014

BIG-IP LTM - do i need to purchase AFM to make the LTM VE into a decent corporate firewall?

Hi Guys

 

First post, I'm new to f5 and an SA at my company has proposed using a pair of LTM VEs as the primary firewall in an enterprise network... However, he's been informed that we don't need to purchase the AFM features and can do this with the normal LTM license and the ARM for OSPF.

 

I need to implement the design and migrate the config (policies, NATs, routing etc) from a Checkpoint to the BIG-IP LTM... Reckon I need the AFM or is it possible without? I'm currently doing the essentials training and have purchased a book on iRules...

 

Many Thanks

 

  • It's mainly about management (although I believe that AFM moves some of the ACL functions into TMM core which is more efficient than doing it in an iRule, however unless you are running a very low-end device this may not be a consideration).

    If you had a very simple setup with no forwarding virtual servers you could get away with a simple iRule attached to each virtual to which you wanted to control access;

    when CLIENT_ACCEPTED {
     Naming standard for virtuals is vs_myvirtual.com_http - for matching address datagroup 
     listing allowed IPs;- dg_myvirtual.com_http
    set dg_allowed_ip_list "dg_[substr [virtual] 3]"
    if {[class exists $dg_allowed_ip_list]} {       
        if {![class match [IP::remote_addr] equals $dg_allowed_ip_list]} { 
             Datgroup exists and source IP not in allowed list - drop
            discard
            return
        } 
    }
    }
    

    If however you need forwarding virtual servers to have iRules mimicking your checkpoint (with 5-tuple policies), have a read of this http://www.f5.com/pdf/deployment-guides/data-center-firewall-dg.pdf. It contains a datacentre firewall iRule which is designed to be deployed via iApp but can easily be manually deployed. Read it and decide if you would be happy converting your Checkpoint policy into the datagroups described.

    Just a personal note - if you were converting an internet-facing datacentre firewall policy onto an F5 I would have no hesitation in using the iRule in the doc above. However with an enterprise firewall - I would be thinking seriously about using AFM. It all depends on the complexity of your rules, your budget, and your appetite for supporting firewall polices in text-based datagroups (as opposed to the GUI interface the AFM will give you).

5 Replies

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus

    Mmm... I'd say 'Depends', but it's not going to be like your checkpoint management, even with AFM..

     

    The BigIP is a firewall OOTB. But it's the management side of things that will get you. Especially if you're migrating a large policy. The migration will be possibly tedious, but on-going management and maintenance will be a test of the admin skills available

     

    Sounds like fun though. I'd probably look to this as an opportunity to standardise as much as possible. You can write scripts (Either direct in tmsh or via perl/whatever to add them via tmsh or iControl) to drop the required rules into the bigip configs as well...

     

    Definitely the drag and drop features of checkpoint management are not going to be there though...

     

    H

     

  • It's mainly about management (although I believe that AFM moves some of the ACL functions into TMM core which is more efficient than doing it in an iRule, however unless you are running a very low-end device this may not be a consideration).

    If you had a very simple setup with no forwarding virtual servers you could get away with a simple iRule attached to each virtual to which you wanted to control access;

    when CLIENT_ACCEPTED {
     Naming standard for virtuals is vs_myvirtual.com_http - for matching address datagroup 
     listing allowed IPs;- dg_myvirtual.com_http
    set dg_allowed_ip_list "dg_[substr [virtual] 3]"
    if {[class exists $dg_allowed_ip_list]} {       
        if {![class match [IP::remote_addr] equals $dg_allowed_ip_list]} { 
             Datgroup exists and source IP not in allowed list - drop
            discard
            return
        } 
    }
    }
    

    If however you need forwarding virtual servers to have iRules mimicking your checkpoint (with 5-tuple policies), have a read of this http://www.f5.com/pdf/deployment-guides/data-center-firewall-dg.pdf. It contains a datacentre firewall iRule which is designed to be deployed via iApp but can easily be manually deployed. Read it and decide if you would be happy converting your Checkpoint policy into the datagroups described.

    Just a personal note - if you were converting an internet-facing datacentre firewall policy onto an F5 I would have no hesitation in using the iRule in the doc above. However with an enterprise firewall - I would be thinking seriously about using AFM. It all depends on the complexity of your rules, your budget, and your appetite for supporting firewall polices in text-based datagroups (as opposed to the GUI interface the AFM will give you).

  • Hi Guys

     

    Thanks for the responses. My skills are mainly in Networking, especially Cisco (Recently completed CCNP) and Juniper, but also in Microsoft and VMware. I have administered Juniper and Cisco firewalls for the last 5 years or so.

     

    I have little to no experience with F5, tmsh, Tcl or Linux, so it will certainly be a challenge, but it is one I am looking forward to. Having seen what F5 is about and some of the things it can do, I am very excited about working with it and definately want to incorporate it into the solution.

     

    Unfortunately, I dont think we can include the AFM due to budget constraints, so I'll have to learn how to administer iRules pretty quickly.

     

    IheartF5, that link is fantastic and is pretty much exactly what I am looking for traffic coming into the Enterprise from the Internet.

     

    If you dont mind I have a couple of additional questions surrounding traffic in the other directions - From inside of the Enterprise out to the Web.

     

    • Does the LTM have any ALG-like functionality for protocols like SIP and FTP?
    • Say I wanted to allow a certain group of internal computers access outbound to any server over HTTP, HTTPs and FTP, with a dynamic source NAT of the F5s outside interface IP address, is that sort of thing easy to set up and configure?

    Many Thanks for all of the replies and tips so far.

     

  • ◾Does the LTM have any ALG-like functionality for protocols like SIP and FTP?

     

    FTP - Yes - http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_ftp_passive.html

     

    SIP - Yes - http://www.f5.com/pdf/deployment-guides/load-balancing-sip-dg.pdf

     

    ◾Say I wanted to allow a certain group of internal computers access outbound to any server over HTTP, HTTPs and FTP, with a dynamic source NAT of the F5s outside interface IP address, is that sort of thing easy to set up and configure?

     

    Yes just use "SNAT automap" setting http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementations_guide_10_1/sol_ftp_passive.html.