Change default firewall policy for new Virtual Servers
So if I want to use global policies, how can I overcome the issue with the default policy? In F5, every virtual server has a default policy to drop everything.
- Leonardo_Souza (Cirrocumulus), Apr 27, 2018
That is not correct.
The system has a default-deny design. To pass traffic via the system, you need a listener, which is normally a virtual server. The listener will only handle traffic that matches its configuration. That can be a combination of source/destination/VLAN, etc.
If you set up a virtual server with source 0.0.0.0/0, destination 10.10.10.0/24, all protocols and VLANs, it will handle traffic with a destination in the network 10.10.10.0/24, and anything else will just be dropped by the system (not the virtual server).
You can set up a forward virtual server with source 0.0.0.0/0 and destination 0.0.0.0/0, all protocols and VLANs. That will basically pass any traffic, and you can then filter in the AFM what you want.
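
The listener behaviour described in the answer above, as an added example that is not part of the original post and is not F5 code: a simplified Python model showing which traffic a listener handles and which the system drops for lack of one. The names, the longest-prefix tie-break and the `policy` callable standing in for an AFM policy are assumptions of this sketch.

```python
# Simplified model of default-deny listener matching (illustration only).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    vlan: str

@dataclass
class Listener:
    name: str
    source: str
    destination: str
    protocols: Optional[frozenset] = None  # None means all protocols
    vlans: Optional[frozenset] = None      # None means all VLANs
    # Hypothetical stand-in for a firewall policy attached to the listener
    policy: Optional[Callable[[Packet], bool]] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.source)
                and ip_address(p.dst) in ip_network(self.destination)
                and (self.protocols is None or p.proto in self.protocols)
                and (self.vlans is None or p.vlan in self.vlans))

def classify(listeners, p: Packet) -> str:
    hits = [l for l in listeners if l.matches(p)]
    if not hits:
        # No listener matched: the system drops it, not a virtual server
        return "dropped by system (no listener)"
    # Assumption of this model: the most specific destination wins
    best = max(hits, key=lambda l: ip_network(l.destination).prefixlen)
    if best.policy is not None and not best.policy(p):
        return f"handled by {best.name}: rejected by policy"
    return f"handled by {best.name}: passed"

# The two virtual servers from the answer; the HTTPS-only rule is constructed
VS_SUBNET = Listener("vs_subnet", "0.0.0.0/0", "10.10.10.0/24")
VS_FORWARD = Listener("vs_forward_all", "0.0.0.0/0", "0.0.0.0/0",
                      policy=lambda p: p.proto == "tcp" and p.dport == 443)

# Constructed sample packets
TO_SUBNET = Packet("192.0.2.10", "10.10.10.5", "tcp", 80, "external")
TO_OTHER_443 = Packet("192.0.2.10", "10.20.0.7", "tcp", 443, "external")
TO_OTHER_22 = Packet("192.0.2.10", "10.20.0.7", "tcp", 22, "external")
```
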