Forum Discussion

zztop123
Jun 08, 2024

Need to allow all to IP's resolved by a FQDN.

Need a solution to allow ALL traffic, to IP's resolved by a FQDN.    We need to be able to reference the FQDN in the F5, and allow all traffic to destination addresses resolved in the FQDN.

Any help would be appreciated.

  • if the traffic to the fqdn goes through f5, it is better to simply create an ltm virtual server to handle the traffic.

    • zztop123

      Can you point me to a KB article with a solution please.

  • based on the tags i assume you are asking this for the AFM module, is that correct?

    which TMOS version are you using? older ones seem to have a bug here: https://my.f5.com/manage/s/article/K31876474

    can you show an AFM firewall rule where you tried this? that will help people give better advice or perhaps try it themselves.

      • boneyard

        that article is pretty specific for DNS and that is easier to make happen because the DNS request contains the information you need.

        with all traffic (and it going from inside to outside (internet) i think you want?) that is going to become harder because some traffic won't contain the FQDN in the data and you will have to resolve the FQDN first and then match on IP.

        to be honest this isn't where BIG-IP is the most logical choice, if you have a next gen firewall or such in the path from the client to internet i would look to do this there.

        an irule will be tricky because of the delay it can add when doing the lookups. also there won't be a ready-to-work irule available; it will require you to build / understand it.

        i would look at AFM firewall policies if you have that license, since 12.0 they have the option for using FQDN and since 13.1 that should work ok.

        create a forwarding virtual server, test if it works for all traffic to all destination and add the afm security policy to it which references the address list with the FQDN.

        there is no full KB that exactly explains this, you will have to gather the details yourself, i have added some links below. if you have a partial setup do share so people can have a look and advise further. if you have an F5 partner, contact them to work on this together.

        https://community.f5.com/discussions/technicalforum/is-it-possible-that-can-set-rules-as-fqdn/59138

        https://community.f5.com/discussions/technicalforum/f5-afm-13-1-1-using-fqdn-in-rules---troubleshooting/268573

        https://my.f5.com/manage/s/article/K10354610#link_04
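The core of boneyard's point is that an "allow all traffic to this FQDN" rule can only work by resolving the name first and then matching the destination IP, and that the match is only as fresh as the DNS answer behind it. The following is an added illustration of that mechanism, not code from the thread or from F5: a small FQDN allow list that caches resolved addresses until the DNS TTL expires and re-resolves afterwards. The resolver and the clock are injected so the example runs offline; the hostname `api.example.invalid`, the addresses and the TTL are constructed values, and the choice to keep a stale answer when re-resolution fails is this example's own design decision, not a statement about how AFM behaves.

```python
import ipaddress
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """Resolved addresses for one FQDN and the absolute time the answer expires."""
    ips: frozenset
    expires_at: float


class FqdnAllowList:
    """Allow-list keyed by FQDN, evaluated against destination IPs.

    resolver(fqdn) -> (list of IP strings, ttl_seconds); injected so the example is
    self-contained (a real deployment would call the firewall's configured DNS resolver).
    clock() -> monotonic seconds; injected so TTL expiry can be demonstrated deterministically.
    """

    def __init__(self, fqdns, resolver, clock=time.monotonic):
        self.fqdns = list(fqdns)
        self.resolver = resolver
        self.clock = clock
        self.cache = {}

    def _refresh(self, fqdn):
        ips, ttl = self.resolver(fqdn)
        self.cache[fqdn] = Record(
            frozenset(ipaddress.ip_address(i) for i in ips),
            self.clock() + ttl,
        )

    def current_ips(self):
        """Union of the currently valid addresses for all listed FQDNs, re-resolving expired ones."""
        now = self.clock()
        allowed = set()
        for fqdn in self.fqdns:
            rec = self.cache.get(fqdn)
            if rec is None or rec.expires_at <= now:
                try:
                    self._refresh(fqdn)
                except Exception:
                    # Design choice for this example: keep the stale answer if we have one;
                    # with no answer at all the FQDN contributes nothing (fail closed).
                    if rec is None:
                        continue
            allowed |= self.cache[fqdn].ips
        return allowed

    def allows(self, dst_ip):
        """True if dst_ip is among the addresses currently resolved for any listed FQDN."""
        return ipaddress.ip_address(dst_ip) in self.current_ips()


class FakeClock:
    """Constructed clock so the demo can advance past the TTL without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walks through a CDN-style address change and shows when the allow list catches up."""
    clock = FakeClock()
    # Constructed DNS answers: (addresses, TTL in seconds).
    answers = {"api.example.invalid": (["198.51.100.10", "198.51.100.11"], 60)}

    def resolver(fqdn):
        return answers[fqdn]

    acl = FqdnAllowList(["api.example.invalid"], resolver, clock)
    first = acl.allows("198.51.100.10")        # resolved for the FQDN -> allowed
    other = acl.allows("203.0.113.5")          # never resolved -> not allowed

    # The authoritative answer changes (e.g. CDN rotation) but our cache is still valid.
    answers["api.example.invalid"] = (["198.51.100.20"], 60)
    before_expiry = acl.allows("198.51.100.20")  # still False: old answer cached
    clock.advance(61)
    after_expiry = acl.allows("198.51.100.20")   # True: TTL expired, re-resolved
    old_dropped = acl.allows("198.51.100.10")    # False: old address no longer in the answer
    return first, other, before_expiry, after_expiry, old_dropped


if __name__ == "__main__":
    print(demo())
```

The `before_expiry` step is the practical pitfall to keep in mind when testing such a rule: a client that resolves the name a few seconds after the firewall did, or through a different DNS server, can be handed an address the firewall has not yet seen, and the connection is blocked until the firewall's cached answer expires. When you trial this on BIG-IP, compare what the client resolves with what the BIG-IP resolver returns for the same name before concluding the policy itself is broken.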