Forum Discussion

Norris_141656's avatar
Norris_141656
Icon for Nimbostratus rankNimbostratus
Jan 19, 2014

BIG-IP LTM - do i need to purchase AFM to make the LTM VE into a decent corporate firewall?

Hi Guys   First post, I'm new to f5 and an SA at my company has proposed using a pair of LTM VEs as the primary firewall in an enterprise network... However, he's been informed that we don't need ...
AFM
application delivery
firewall
LTM
routing
rules
security
  • IheartF5_45022's avatar
    IheartF5_45022
    Jan 21, 2014

    It's mainly about management (although I believe that AFM moves some of the ACL functions into TMM core which is more efficient than doing it in an iRule, however unless you are running a very low-end device this may not be a consideration).

    If you had a very simple setup with no forwarding virtual servers you could get away with a simple iRule attached to each virtual to which you wanted to control access;

    when CLIENT_ACCEPTED {
 Naming standard for virtuals is vs_myvirtual.com_http - for matching address datagroup 
 listing allowed IPs;- dg_myvirtual.com_http
set dg_allowed_ip_list "dg_[substr [virtual] 3]"
if {[class exists $dg_allowed_ip_list]} {       
    if {![class match [IP::remote_addr] equals $dg_allowed_ip_list]} { 
         Datgroup exists and source IP not in allowed list - drop
        discard
        return
    } 
}
}

    If however you need forwarding virtual servers to have iRules mimicking your checkpoint (with 5-tuple policies), have a read of this http://www.f5.com/pdf/deployment-guides/data-center-firewall-dg.pdf. It contains a datacentre firewall iRule which is designed to be deployed via iApp but can easily be manually deployed. Read it and decide if you would be happy converting your Checkpoint policy into the datagroups described.

    Just a personal note - if you were converting an internet-facing datacentre firewall policy onto an F5 I would have no hesitation in using the iRule in the doc above. However with an enterprise firewall - I would be thinking seriously about using AFM. It all depends on the complexity of your rules, your budget, and your appetite for supporting firewall polices in text-based datagroups (as opposed to the GUI interface the AFM will give you).

Norris_141656's avatar
Norris_141656
Icon for Nimbostratus rankNimbostratus
Jan 21, 2014

Hi Guys

 

Thanks for the responses. My skills are mainly in Networking, especially Cisco (Recently completed CCNP) and Juniper, but also in Microsoft and VMware. I have administered Juniper and Cisco firewalls for the last 5 years or so.

 

I have little to no experience with F5, tmsh, Tcl or Linux, so it will certainly be a challenge, but it is one I am looking forward to. Having seen what F5 is about and some of the things it can do, I am very excited about working with it and definately want to incorporate it into the solution.

 

Unfortunately, I dont think we can include the AFM due to budget constraints, so I'll have to learn how to administer iRules pretty quickly.

 

IheartF5, that link is fantastic and is pretty much exactly what I am looking for traffic coming into the Enterprise from the Internet.

 

If you dont mind I have a couple of additional questions surrounding traffic in the other directions - From inside of the Enterprise out to the Web.

 

  • Does the LTM have any ALG-like functionality for protocols like SIP and FTP?
  • Say I wanted to allow a certain group of internal computers access outbound to any server over HTTP, HTTPs and FTP, with a dynamic source NAT of the F5s outside interface IP address, is that sort of thing easy to set up and configure?

Many Thanks for all of the replies and tips so far.

 

Related Content