Forum Discussion
BIG-IP LTM - do I need to purchase AFM to make the LTM VE into a decent corporate firewall?
- Jan 21, 2014
It's mainly about management (although I believe that AFM moves some of the ACL functions into TMM core, which is more efficient than doing it in an iRule; however, unless you are running a very low-end device this may not be a consideration).
If you had a very simple setup with no forwarding virtual servers you could get away with a simple iRule attached to each virtual to which you wanted to control access:
    when CLIENT_ACCEPTED {
        # Naming standard for virtuals is vs_myvirtual.com_http - for matching address datagroup
        # listing allowed IPs: dg_myvirtual.com_http
        set dg_allowed_ip_list "dg_[substr [virtual] 3]"
        if {[class exists $dg_allowed_ip_list]} {
            if {![class match [IP::remote_addr] equals $dg_allowed_ip_list]} {
                # Datagroup exists and source IP not in allowed list - drop
                discard
                return
            }
        }
    }
If however you need forwarding virtual servers to have iRules mimicking your Checkpoint (with 5-tuple policies), have a read of this: http://www.f5.com/pdf/deployment-guides/data-center-firewall-dg.pdf. It contains a datacentre firewall iRule which is designed to be deployed via iApp but can easily be manually deployed. Read it and decide if you would be happy converting your Checkpoint policy into the datagroups described.
Just a personal note - if you were converting an internet-facing datacentre firewall policy onto an F5 I would have no hesitation in using the iRule in the doc above. However with an enterprise firewall I would be thinking seriously about using AFM. It all depends on the complexity of your rules, your budget, and your appetite for supporting firewall policies in text-based datagroups (as opposed to the GUI interface the AFM will give you).
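The allowlist logic in the iRule above, modelled offline as an added example (this is not code from the post or from F5): the datagroup name is derived from the virtual-server name by dropping the leading "vs_" exactly as "dg_[substr [virtual] 3]" does, and the client address is matched against the datagroup's host and CIDR entries the way an address datagroup match behaves. The DATAGROUPS table and the decide()/datagroup_for_virtual() names are constructed for the example. One caveat the model makes explicit: the posted iRule is fail-open, because a virtual with no matching datagroup (a typo in the name, or a datagroup that was never created) lets every client through, so the example takes a fail_closed switch that you would want set when a virtual is meant to be restricted.

```python
import ipaddress

# Constructed sample address datagroups: datagroup name -> allowed hosts / CIDRs.
# On a real BIG-IP these would be address-type datagroups, one per restricted virtual.
DATAGROUPS = {
    "dg_myvirtual.com_http": ["10.1.0.0/16", "192.0.2.10"],
    "dg_intranet_https": ["172.16.0.0/12", "2001:db8::/32"],
}


def datagroup_for_virtual(virtual_name):
    """Mirror the post's naming standard: vs_<app>_<svc> -> dg_<app>_<svc>.

    The iRule does "dg_[substr [virtual] 3]", i.e. it assumes the name starts
    with 'vs_' and drops those three characters. A partition prefix such as
    /Common/ is tolerated here (assumption of this example) so the convention
    still applies when the virtual name is fully qualified.
    """
    base = virtual_name.rsplit("/", 1)[-1]
    if not base.startswith("vs_"):
        raise ValueError(f"virtual {virtual_name!r} does not follow the vs_ naming standard")
    return "dg_" + base[3:]


def address_in_datagroup(addr, entries):
    """True if addr falls inside any host or CIDR entry (like 'class match ... equals')."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        # strict=False accepts entries written with host bits set, e.g. 10.1.2.3/16.
        # Mixed IPv4/IPv6 comparisons are simply non-matches.
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def decide(virtual_name, client_ip, datagroups=DATAGROUPS, fail_closed=False):
    """Return 'allow' or 'discard' for a new connection on virtual_name from client_ip.

    fail_closed=False reproduces the posted iRule: when no datagroup exists for
    the virtual, the connection is allowed. fail_closed=True drops in that case,
    which is the safer default for a virtual that is supposed to be restricted.
    """
    dg_name = datagroup_for_virtual(virtual_name)
    entries = datagroups.get(dg_name)
    if entries is None:
        return "discard" if fail_closed else "allow"
    return "allow" if address_in_datagroup(client_ip, entries) else "discard"


if __name__ == "__main__":
    for vs, ip in [("vs_myvirtual.com_http", "10.1.5.7"),
                   ("vs_myvirtual.com_http", "203.0.113.5"),
                   ("vs_nodatagroup_http", "203.0.113.5")]:
        print(f"{vs:28} {ip:15} open={decide(vs, ip)} closed={decide(vs, ip, fail_closed=True)}")
```

Running the block prints the open and fail-closed verdicts side by side; the third row is the case the original iRule silently permits. Note that the Tcl "class match ... equals" against an address datagroup already does CIDR containment on the box, so the modelled behaviour, not the Python, is what you would deploy.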