Forum Discussion
Based on the tags I assume you are asking this for the AFM module, is that correct?
Which TMOS version are you using? Older ones seem to have a bug here: https://my.f5.com/manage/s/article/K31876474
Can you show an AFM firewall rule where you tried this? That will help people give better advice or perhaps try it themselves.
- zztop123, Jun 09, 2024, Nimbostratus
I haven't tried it yet, actually; I am looking for a solution to allow ALL traffic to IPs resolved by an FQDN. We need to be able to reference the FQDN in the F5 and allow all traffic to destination addresses resolved from the FQDN. I came across this KB:
Filtering DNS requests by FQDN and sending approved requests to a pool of DNS resolvers (f5.com)
But I need to allow all traffic to the IPs resolved by an FQDN.
- boneyard, Jun 09, 2024, MVP
That article is pretty specific to DNS, and that is easier to make happen because the DNS request contains the information you need.
With all traffic (going from inside to outside (the internet), I think you want?) that is going to become harder, because some traffic won't contain the FQDN in the data and you will have to resolve the FQDN first and then match on IP.
To be honest this isn't where BIG-IP is the most logical choice; if you have a next-gen firewall or such in the path from the client to the internet I would look to do this there.
An iRule will be tricky because of the delay it can add when doing the lookups. Also there won't be a ready-to-work iRule available; it will require you to build / understand it.
I would look at AFM firewall policies if you have that license; since 12.0 they have the option of using FQDN, and since 13.1 that should work OK.
Create a forwarding virtual server, test if it works for all traffic to all destinations, and add the AFM security policy to it which references the address list with the FQDN.
There is no full KB that exactly explains this; you will gather the details yourself. I have added some links below. If you have a partial setup do share so people can have a look and advise further. If you have an F5 partner, contact them to work on this together.
https://community.f5.com/discussions/technicalforum/is-it-possible-that-can-set-rules-as-fqdn/59138
https://community.f5.com/discussions/technicalforum/f5-afm-13-1-1-using-fqdn-in-rules---troubleshooting/268573
https://my.f5.com/manage/s/article/K10354610#link_04
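As an added illustration of the setup described in the reply above (forwarding virtual server plus an AFM enforced policy that references an FQDN address list), and not configuration posted by anyone in this thread: the tmsh syntax, object names and the FQDN are my assumptions and placeholders, and the DNS resolver that AFM needs for FQDN address lists still has to be configured separately as per the K10354610 link.

```tmsh
# Constructed example, not from the thread. Object names and the FQDN are placeholders.
# Assumes tmsh on a TMOS version where AFM FQDN address lists are supported (13.1+ per the reply).

# 1. Address list holding the FQDN; AFM resolves it via the configured DNS resolver
#    and keeps the matching IPs current, so rules match on resolved addresses.
create security firewall address-list allowed_fqdn_list fqdns add { app.example.com }

# 2. Enforced policy: accept any protocol to addresses resolved from the list,
#    then drop and log everything else so the rule can be checked in the AFM logs.
create security firewall policy fwd_fqdn_policy rules add {
    allow_fqdn_dst {
        action accept
        ip-protocol any
        destination { address-lists add { allowed_fqdn_list } }
        log yes
    }
    deny_rest {
        action drop
        ip-protocol any
        log yes
    }
}

# 3. Wildcard forwarding virtual server for the outbound traffic, with the policy attached.
#    SNAT automap is only needed when BIG-IP is not the return path for the traffic.
create ltm virtual fwd_any_vs {
    destination 0.0.0.0:any
    mask any
    ip-forward
    profiles add { fastL4 }
    translate-address disabled
    translate-port disabled
    source-address-translation { type automap }
    fw-enforced-policy fwd_fqdn_policy
}
```

Test the forwarding virtual server without the policy first, as the reply suggests, then attach the policy and confirm in the AFM logs that traffic to the resolved addresses hits allow_fqdn_dst rather than deny_rest.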