Forum Discussion
Lync iApp 4.0 RC1
Has anyone else worked with the (unsupported) 4.0 template? The version I'm trying does support template questions related to AFM configuration, but the result I'm seeing in the resulting configuration is an AFM policy with two conflicting entries. The top one says "acceptPackets" and has a state of enabled; the second one says "dropPackets" and its state is listed as "Enabled (Conflicting)". Since I want the AFM policy to accept packets, I tried modifying the iApp to comment out the section on dropping packets, but there are syntax errors and I haven't been able to figure out how to get around those. Has anyone else run into this, or know how to successfully remove (or comment out) the "drop" option? Thanks for any information.
John Meggers
5 Replies
- mikeshimkus_111 (Historic F5 Account)
Hi John, is your BIG-IP running in "ADC" mode or "Firewall" mode? When running in ADC mode, the default rule for all VIPs is to allow all, so we create a deny all rule, and then another allow rule for only the networks you want to allow that precedes the deny all rule.
I have this configured to allow traffic from only one subnet, and I end up with 3 rules, but none are conflicting. Can you post a screenshot of your policy config?
thanks
- John_Meggers (Nimbostratus)
I'm consulting with a customer. I can't say for sure whether it's ADC mode or firewall mode. I'll look for that when I'm there today. As for what I'm seeing, I captured a screen shot yesterday which I'll see if I can attach to this.
- John_Meggers (Nimbostratus)
Based on the information in https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-3-0/8.html the LTM is in firewall mode. They've configured the firewall to default to a "deny any any" policy.
So does this mean the iApp effectively requires the firewall be in ADC mode, otherwise you get out of it what I got? I know this is probably asking a lot, but is there a way to have the iApp check this setting and then configure AFM in concurrence with the setting?
- mikeshimkus_111 (Historic F5 Account)
Unfortunately, AFAIK in iApps we have no way of telling which firewall mode BIG-IP is running. If we could, the iApp could check for the action on the default rule and not create the dropPackets rule.
Even that would be a problem because that would only check at iApp runtime. If someone went in and changed from firewall to ADC mode outside of the iApp, then we have left you with an insecure config.
That said, you could either edit the iApp, removing this text from the firewall_arr array:
    dropPackets \{ \
        action drop \
        log yes \
        ip-protocol tcp \
        status enabled \
        source \{ addresses replace-all-with \{ any/any \}\} \
    \}
You could also just create your own firewall policy outside of the iApp and assign it when you answer the "Do you want to use BIG-IP AFM to protect Lync edge and external web services?" question. Or you could leave it as-is, since there shouldn't be any problem with passing traffic through this config that I can think of.
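To make the rule-ordering point from the two replies above concrete (the allow rule precedes a catch-all deny, and the catch-all only does anything when the policy default is allow, as in ADC mode), here is a small first-match rule evaluator. It is an added example, not code from the thread or from the F5 iApp: the rule names mirror the thread, the BIG-IP mode is modelled as the policy's default action, and the subnet and probe addresses are constructed.

```python
"""Added example (not from the thread or the F5 iApp): a first-match evaluator
for an ordered firewall rule list, used to show when the iApp's catch-all
"dropPackets" rule changes the verdict and when it is redundant.
The BIG-IP mode is modelled only as the policy default:
'accept' stands in for ADC mode, 'drop' for Firewall mode (deny any any)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Rule:
    name: str
    action: str          # "accept" or "drop"
    source: str          # CIDR prefix, or "any" for a catch-all
    enabled: bool = True

    def matches(self, src_ip: str) -> bool:
        if not self.enabled:
            return False
        if self.source == "any":
            return True
        return ip_address(src_ip) in ip_network(self.source)


def evaluate(rules: List[Rule], src_ip: str, default_action: str) -> str:
    """First enabled rule that matches wins; otherwise the policy default applies."""
    for rule in rules:
        if rule.matches(src_ip):
            return rule.action
    return default_action


def noop_rules(rules: List[Rule], default_action: str, probe_ips: List[str]) -> List[str]:
    """Names of rules whose removal leaves the verdict unchanged for every probe
    address, i.e. rules that merely restate the policy default (or are shadowed)."""
    redundant = []
    for i, rule in enumerate(rules):
        without = rules[:i] + rules[i + 1:]
        if all(evaluate(rules, ip, default_action) == evaluate(without, ip, default_action)
               for ip in probe_ips):
            redundant.append(rule.name)
    return redundant


# Constructed stand-in for the iApp's firewall_arr: one allow rule for the
# permitted subnet, then the catch-all drop rule discussed in the thread.
LYNC_RULES = [
    Rule("acceptPackets", "accept", "198.51.100.0/24"),
    Rule("dropPackets", "drop", "any"),
]
# Constructed probes: one address inside the permitted subnet, one outside.
PROBES = ["198.51.100.10", "203.0.113.5"]


def summarize() -> dict:
    """Verdicts and redundant rules under both modelled modes, plus the case the
    second reply warns about: drop rule removed, then the default flipped to allow."""
    return {
        "firewall_mode_outside": evaluate(LYNC_RULES, "203.0.113.5", "drop"),
        "adc_mode_outside": evaluate(LYNC_RULES, "203.0.113.5", "accept"),
        "redundant_in_firewall_mode": noop_rules(LYNC_RULES, "drop", PROBES),
        "redundant_in_adc_mode": noop_rules(LYNC_RULES, "accept", PROBES),
        "drop_removed_then_adc_mode": evaluate(LYNC_RULES[:1], "203.0.113.5", "accept"),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the default set to drop, the catch-all "dropPackets" rule is the only one reported as redundant, which matches the reply above; with the default set to accept it is load-bearing, and the last entry shows the outcome the reply warns about: once the rule is removed, a later switch of the default to allow lets the outside address through.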
- John_Meggers (Nimbostratus)
I agree, the error "message" could be kind of a red herring, as traffic will match the first statement and be allowed. I may try commenting out the dropPackets section again, thanks to your guidance.
Thanks for the assistance....