F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Mandragor's avatar
Mandragor
Icon for Altostratus rankAltostratus
Jun 28, 2017

Change default firewall policy for new Virtual Servers

I have read   https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-6-0/1.html   concerning default behaviour, but it seems limited to...
AFM
security
Vinaykk_339682's avatar
Vinaykk_339682
Icon for Nimbostratus rankNimbostratus
Apr 27, 2018

So If I want to use Global policies, How can I over come the issue with default policy because in F5: every virtual server has a default policy to drop everything.

 

Leonardo_Souza's avatar
Leonardo_Souza
Icon for Cirrocumulus rankCirrocumulus
Apr 27, 2018

That is not correct.

 

The system has a default deny design. To pass traffic via the system, you need a listener, that is normally a virtual server. The listener will only handle traffic that matches its configuration. That can be a combination of source/destination/vlan, etc...

 

If you setup a virtual server with source 0.0.0.0/0, destination 10.10.10.0/24, all protocols and vlans. It will handle traffic with a destination in the network 10.10.10.0/24, and anything else will just be dropped by the system (not the virtual server).

 

You can setup a forward virtual server with source 0.0.0.0/0 and destination 0.0.0.0/0, all protocols and vlans. That will basically pass any traffic, and you can then filter in the AFM what you want.