NimbostratusNeed a solution to allow ALL traffic, to IP's resolved by a FQDN. We need to be able to reference the FQDN in the F5, and allow all traffic to destination addresses resolved in the FQDN.
Any help would be appreciated.
Nacreousid the traffic to the fqdn goes thorugh f5, it is better to simply create ltm virtual server to handle the traffic.
NimbostratusCan you point me to a KB article with a solution please.
MVPbased on the tags i assume you are asking this for the AFM module, is that correct?
which TMOS version are you using, older ones seem to have bug here: https://my.f5.com/manage/s/article/K31876474
can you show a AFM firewall rule where you tried this? that will help people from giving better advice or perhaps trying themselves.
Nimbostratusi havent tried it yet actually i am looking for a solution to allow ALL traffic, to IP's resolved by a FQDN. We need to be able to reference the FQDN in the F5, and allow all traffic to destination addresses resolved in the FQDN. i came across this KB:
Filtering DNS requests by FQDN and sending approved requests to a pool of DNS resolvers (f5.com)
But i need to allow all traffic to the IPs resolved by a FQDN
MVPthat article is pretty specific for DNS and that is easier to make happen because the DNS request contains the information you need.
with all traffic (and it going from inside to outside (internet) i think you want?) that is going to become harder because some traffic wont contain the FQDN in the data and you will have to resolve the FQDN first and then match on IP.
to be honest this isnt where BIG-IP is the most logical choice, if you have a next gen firewall or such in the path from the client to internet i would look to do this there.
an irule will be tricky because the delay it can add when doing the lookups. also there wont be a ready to work irule available you it will require you to build / understad it.
i would look at AFM firewall policies if you have that license, since 12.0 they have the option for using FQDN and since 13.1 that should work ok.
create a forwarding virtual server, test if it works for all traffic to all destination and add the afm security policy to it which references the address list with the FQDN.
there is no full KB that exactly explains this, you will gather the details yourself, i have added some links below. if you have partial setup do share so people can have a look and advise further. if you have a F5 partner contact them to work on this together.
https://community.f5.com/discussions/technicalforum/is-it-possible-that-can-set-rules-as-fqdn/59138
https://community.f5.com/discussions/technicalforum/f5-afm-13-1-1-using-fqdn-in-rules---troubleshooting/268573
https://my.f5.com/manage/s/article/K10354610#link_04