AFM Policy Building

On the BIG-IP, a policy is a feature that provides a way to classify traffic based on a list of matching rules and run specific actions on that traffic based on the associated rules.  You might be familiar with Local Traffic Policies on the LTM…the firewall policy on the Advanced Firewall Manager (AFM) follows the same basic idea:  establish a list of rules and then take action on network traffic based on those rules.

To create a new Firewall policy, navigate to Security >> Network Firewall >> Policies, and then click the “Create” button.  See screenshot below:


I created a policy and named it “My_AFM_Policy” and at this point in the process, that’s all it is…just an empty policy with a name.  Now it’s time to build out the rules of what this policy will contain so that it can start doing some stuff.  After you create the policy, you will see the policy listed on the “Policies” page and you can click on it to start adding rules.  See the screenshot below:


When you add a new rule to the policy, you have several options to choose from.  You first name the rule, then choose where to place it in the order (first, last, before or after another rule), set its state (enabled, disabled, or scheduled for a time window you define), specify the protocol the rule applies to, specify the source and destination, select any applicable iRules, specify the action to take when the rule matches, and so on.  As for the action to take, you can select from the following options:  Accept, Drop, Reject, or Accept Decisively.

The Accept option allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall were not present at all.

The Drop option drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.

The Reject option rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.

Finally, the Accept Decisively option allows packets with the specified source, destination, and protocol to pass through the firewall, and the packet is not subject to any further processing by any subsequent firewall.

See the screenshot below for all the cool options.  I named my rule “block_all_traffic” because, you know, that’s how I roll…


Of course, you will want to add more rules than the crazy “block everything” rule, but you get the idea on creating rules for your policy.  Also, you can arrange the rules in whatever order you want.  The BIG-IP processes the rules in order starting with the first rule, and the first rule that matches decides what happens to the packet, so be sure to arrange the rules in the way that makes the most sense for your network.
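As an added example (not from the article or from F5), this toy Python model of first-match rule evaluation shows why rule order matters and how Accept differs from Accept Decisively once several policies are chained; the rule fields, the `shadowed()` ordering check and the no-match default are assumptions of the model, and the sample policy is constructed around the article's “block_all_traffic” rule.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address as addr, ip_network as net

@dataclass
class Rule:
    name: str
    action: str                # accept | drop | reject | accept-decisively
    protocol: str = "any"      # tcp | udp | icmp | any
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    dport: int = None          # None matches any destination port
    enabled: bool = True       # a disabled rule is skipped entirely
    def matches(self, pkt):    # does packet dict {proto, src, dst[, dport]} hit this rule?
        return (self.enabled and self.protocol in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport"))
                and addr(pkt["src"]) in net(self.source)
                and addr(pkt["dst"]) in net(self.destination))
    def covers(self, other):   # would self already catch every packet other could?
        return (self.enabled and self.protocol in ("any", other.protocol)
                and self.dport in (None, other.dport)
                and net(other.source).subnet_of(net(self.source))
                and net(other.destination).subnet_of(net(self.destination)))

@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)
    def evaluate(self, pkt):   # first matching rule wins; None = nothing matched
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.name, rule.action
        return None
    def shadowed(self):        # rules that an earlier, broader rule makes unreachable
        return [r.name for i, r in enumerate(self.rules)
                if any(e.covers(r) for e in self.rules[:i])]

def evaluate_chain(policies, pkt, default="accept"):
    """accept lets the next policy inspect the packet too; any other action is final."""
    verdict = ("<no-match>", default)   # the no-match default is this model's assumption
    for policy in policies:
        hit = policy.evaluate(pkt)
        if hit:
            verdict = (f"{policy.name}/{hit[0]}", hit[1])
            if hit[1] != "accept":
                break
    return verdict

# Constructed sample policy: one specific allow ahead of the article's catch-all rule.
MY_AFM_POLICY = Policy("My_AFM_Policy", [
    Rule("allow_https", "accept-decisively", "tcp", "10.0.0.0/8", "203.0.113.10/32", 443),
    Rule("block_all_traffic", "drop")])
```

Reversing the two rules makes `shadowed()` report `allow_https`, which is the mistake the ordering advice above is meant to prevent.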

Now that you have a policy with a set of rules in it, you are ready to associate it with one or more virtual servers.  When you do this, the traffic destined for that virtual server will have to satisfy the rules of your AFM policy in order to reach the virtual server.  Pretty cool stuff.

In order to activate a network firewall policy on a virtual server, navigate to Local Traffic >> Virtual Servers: Virtual Server List and click on the Virtual Server you want to activate this policy for.  After you click on the virtual server name, click on the dropdown menu for “Security” and click on Policies.  You will see the screenshot below:


Notice the “Network Firewall” menu where you can select a policy from the “Enforcement” or “Staging” option.  In order to enable the policy, you simply select the “Enabled” option next to “Enforcement” and then select from the dropdown list of policies.  In this example, I chose the “My_AFM_Policy” that I created earlier.  Finally, you click the “Update” button and you will notice the various rules on the bottom portion of the screen.  These are the rules that are associated with the policy you selected (in our case, it’s just the one “block_all_traffic” rule).  See the screenshot below for the details:


One final thing I want to discuss is the IP Intelligence feature.  IP Intelligence allows the BIG-IP to interact with various “feed lists” and then make decisions on whether an IP address should be allowed or blocked.  These “feed lists” are files that are imported directly from URLs that you specify, and the IP Intelligence policy allows you to take action on the IP addresses found in those feed lists.  The IP Intelligence policy is a separate policy from the Network Firewall policy, and it can be enabled or disabled on each virtual server on the BIG-IP.  See the screenshot below for more details:


With all these options for firewall policies, it’s easy to see how powerful and robust the AFM can be in protecting your critical network assets.  Stay tuned for more AFM articles on DevCentral.  We will be discussing DDoS capabilities, Blacklisting, more IP Intelligence, cool iRules extensions for the AFM, and more!


Published Mar 23, 2016
Version 1.0
  • Hi, do you plan to cover Feed List functionality in more detail? I was trying to set up an IP Intelligence policy using a Feed List but failed to make it work - IPs provided via the Feed List seem to be ignored both by the policy and by iprep_lookup. Piotr
  • Is there a way to apply an AFM policy dynamically via an iRule based on source country? I used to have an iRule that did this using a data-group list; now we use AFM on the any/any forwarder, but we've found that blocking our DNS listener is causing email failures for some email hosts (gmail) with overseas MTAs. I haven't found a way to do this other than go back to an iRule for that one listener. Thanks.


  • Hi ipman_1988. I've been looking at some options for helping with a solution to your issue here. I wanted to get a little more info on what you are trying to do. Are you looking to block all traffic from a certain country? Or something else? Thanks!


  • Staged is essentially in "learning" mode...it doesn't block anything. Enforced is blocking.