F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

zztop123's avatar
zztop123
Icon for Nimbostratus rankNimbostratus
Jun 08, 2024

Need to allow all to IP's resolved by a FQDN.

Need a solution to allow ALL traffic, to IP's resolved by a FQDN.    We need to be able to reference the FQDN in the F5, and allow all traffic to destination addresses resolved in the FQDN. Any help...
AFM
security
boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 08, 2024

based on the tags i assume you are asking this for the AFM module, is that correct?

 

which TMOS version are you using, older ones seem to have bug here: https://my.f5.com/manage/s/article/K31876474

 

can you show a AFM firewall rule where you tried this? that will help people from giving better advice or perhaps trying themselves.

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Jun 09, 2024

      that article is pretty specific for DNS and that is easier to make happen because the DNS request contains the information you need.

      with all traffic (and it going from inside to outside (internet) i think you want?) that is going to become harder because some traffic wont contain the FQDN in the data and you will have to resolve the FQDN first and then match on IP.

      to be honest this isnt where BIG-IP is the most logical choice, if you have a next gen firewall or such in the path from the client to internet i would look to do this there.

      an irule will be tricky because the delay it can add when doing the lookups. also there wont be a ready to work irule available you it will require you to build / understad it.

      i would look at AFM firewall policies if you have that license, since 12.0 they have the option for using FQDN and since 13.1 that should work ok.

      create a forwarding virtual server, test if it works for all traffic to all destination and add the afm security policy to it which references the address list with the FQDN.

      there is no full KB that exactly explains this, you will gather the details yourself, i have added some links below. if you have partial setup do share so people can have a look and advise further. if you have a F5 partner contact them to work on this together.

      https://community.f5.com/discussions/technicalforum/is-it-possible-that-can-set-rules-as-fqdn/59138

      https://community.f5.com/discussions/technicalforum/f5-afm-13-1-1-using-fqdn-in-rules---troubleshooting/268573

      https://my.f5.com/manage/s/article/K10354610#link_04