Forum Discussion
Import Cisco ACL(2000+ rows) from Cisco ACE to F5
Hello guys,
Over the last few months I have been looking for a scenario for how to upload/implement/import a Cisco ACL to F5. I have been looking here and found around 5-10 Cisco ACL articles, but none of them works for me.
So the problem is this:
I am migrating old Cisco ACE contexts to a new client's F5 i5000 series vCMPs. I have been preparing this for a couple of months, since I had the Cisco ACE configs provided. Everything with the implementation of the first context worked fine. I created VLANs, trunks, vCMP, provisioning, configured the vCMP itself, etc. I also used the Cisco-provided scripts, which are from 2015, and in fact for LTM they are not 100% effective. However, I managed to configure what was left manually.
But now I have come to the next context/vCMP, where I have more than 2000 rows of ACL regarding printer access. I have been looking for a solution to this, but still without any result.
The interesting thing is that I have a request from the client asking whether I could implement the ACL on F5 directly from a pre-defined/created list in .csv format. It could be text or XML, whatever. Also, this list will change over time. Is there any option for this? Could it be done through tmsh? Some script?
Please help.
- Julio_Navarro (Cirrostratus)
https://devcentral.f5.com/s/feed/0D51T00006i7d0nSAA
- k_kirchev_28437 (Nimbostratus)
Hi Y,
This is an interesting approach. But a lab license is not an option, I think. It is a serious enterprise client and I do not think it is appropriate. However, I will have a discussion about this because it sounds like an option. Or at least test with AFM from F5 for 1 month.
Thank you!!
- k_kirchev_28437 (Nimbostratus)
Yes, in fact Packet Filters were my first thought, but when I tested with a small number of rules I gave up. It is difficult and hard to manage.
- youssef1 (Cumulonimbus)
Hi K,
You can ask F5 for an AFM add-on for 1 month to test this functionality in your environment. Or buy a lab license for just $100 that contains all modules...
Regards,
- Andy_McGrath (Cumulonimbus)
Without AFM you can migrate ACLs to iRules or Network Packet Filters.
However, both are going to be a lot of rules, very complex and extremely difficult to manage post-migration.
If you can get an AFM license it will be easier in the long run, or look to migrate some or all of the ACLs to the F5-connected switches or a network firewall somewhere.
- k_kirchev_28437 (Nimbostratus)
Thank you guys! This is great. I will look further for AFM.
Ohh, but with the current license I saw I cannot provision AFM. This is not good.
However, thank you again guys, I will try to find some solution for this!!
Your help is highly appreciated!
- Andy_McGrath (Cumulonimbus)
I second Youssef's comment; I don't think APM is the way to go. AFM is a firewall module, so it is the perfect place to migrate ACLs to.
The big issue you have, other than the different format, is that the policy association, i.e. where the policy is applied (VLAN, Virtual Server or Global), will affect the way you migrate.
- youssef1 (Cumulonimbus)
Hello,
Just be careful with APM. APM policy manages access management (L7) for web access / AS / VPN ... through a session cookie. I do not think it's a good idea to use it to do L4 filtering...
In fact APM allows us to use ACLs, but only for objects that you create for your APM policy (resources: RDP app tunnel, L4 ACL access for full VPN, ...).
Regards
- k_kirchev_28437 (Nimbostratus)
Hello Guys,
 
I appreciate your answers very much!
 
I found something for AFM here :
 
https://devcentral.f5.com/s/feed/0D51T00006j31onSAA
 
But for me it seems a little bit tough because I have to define every single object (host or network) and every single port. This seems like TONS of writing and a big chance of mistakes, unfortunately.
 
Also just a quick example:
 
apm acl PERMIt-LB { entries { { action allow dst-end-port https dst-start-port https dst-subnet 10.0.168.32/32 protocol 6 src-subnet 0.0.0.0/0 } } }
 
This way through APM seems much easier when I have to edit port/host/subnet, etc. Of course, again there is a big chance of errors while writing 2000 ACL entries.
 
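The CSV-to-tmsh generation asked about in the original question, as an added example that is not part of the thread: it validates each row (prefix, protocol, port) before emitting a single `apm acl` statement in the same entry format as the example above, so malformed rows are reported instead of silently becoming bad config. The CSV layout, the `ACTIONS` mapping and the ACL name are assumptions; run the output through tmsh yourself after review.

```python
import csv
import io
import ipaddress

# Constructed sample CSV (not from the thread); one ACL entry per row.
# The last row has an invalid destination address on purpose.
SAMPLE_CSV = """action,protocol,src,dst,dport
permit,tcp,0.0.0.0/0,10.0.168.32/32,443
permit,tcp,10.1.0.0/16,10.0.168.40/32,9100
deny,udp,10.1.0.0/16,10.0.168.40/32,161
permit,tcp,10.1.0.0/16,10.0.168.999/32,80
"""

PROTO = {"tcp": 6, "udp": 17}                   # IANA protocol numbers
ACTIONS = {"permit": "allow", "deny": "reject"}  # Cisco keyword -> apm acl action (assumed mapping)


def parse_entry(row):
    """Validate one CSV row and return one apm acl entry, or raise ValueError."""
    action = ACTIONS.get(row["action"].strip().lower())
    if action is None:
        raise ValueError(f"unknown action {row['action']!r}")
    proto = PROTO.get(row["protocol"].strip().lower())
    if proto is None:
        raise ValueError(f"unknown protocol {row['protocol']!r}")
    # strict=True rejects prefixes with host bits set (e.g. 10.1.0.5/16)
    src = ipaddress.ip_network(row["src"].strip(), strict=True)
    dst = ipaddress.ip_network(row["dst"].strip(), strict=True)
    port = int(row["dport"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return (f"{{ action {action} dst-end-port {port} dst-start-port {port} "
            f"dst-subnet {dst} protocol {proto} src-subnet {src} }}")


def csv_to_apm_acl(text, acl_name):
    """Return (tmsh statement, list of row errors). Bad rows are skipped, not emitted."""
    entries, errors = [], []
    # Header is line 1, so the first data row is line 2.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            entries.append(parse_entry(row))
        except (ValueError, KeyError) as exc:
            errors.append(f"line {lineno}: {exc}")
    tmsh = f"apm acl {acl_name} {{ entries {{ " + " ".join(entries) + " } }"
    return tmsh, errors


if __name__ == "__main__":
    statement, problems = csv_to_apm_acl(SAMPLE_CSV, "PRINTERS-ACL")
    print(statement)
    for problem in problems:
        print("SKIPPED:", problem)
```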
- youssef1 (Cumulonimbus)
As AMG said, I think that the best option for you is to USE AFM. You will have a dedicated management console available for managing your ACLs. This module is made for that. Additionally, you can set your ACL/rule at multiple levels according to your convenience (VLAN, VS, General, ...). I will say that the benefits are simple operation (creation / modification / better view of your rules, specific and dedicated logs ...).
You can also do it by iRule or via policy. It will do the job... you will just need to be careful how you use it. Try to group your rules / ACLs across several data groups, iRules or policies to facilitate management and operation. Set up logging (HSL) for the tracking part. Basically, do some thinking before deployment to simplify the operation of your implementation.
Regards,