AFM Provisioning and Policy Building
The BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to guard against incoming threats that enter the network on the most widely deployed protocols. This article will show how to provision AFM on your BIG-IP system and then walk through some of the beginning steps to build a firewall policy.
Provisioning the AFM
In order to provision the AFM on your BIG-IP system, navigate to System >> Resource Provisioning and check the Advanced Firewall (AFM) box, then hit the “Submit” button at the bottom of the page. After you hit the Submit button, the BIG-IP will need to restart in order to apply the changes and activate the AFM module. See the screenshot below:
AFM Policy Building
After you provision the AFM, you can build out a firewall policy and then attach it to one or more virtual servers. Please keep in mind that the AFM is a sophisticated module with many different options. This article is not meant to cover all the features, but we will have more AFM articles in the coming months to show how to configure and utilize the various features of the AFM. For this article, let’s build a simple AFM policy and then attach it to a virtual server.
On the BIG-IP, a policy is a feature that provides a way to classify traffic based on a list of matching rules and run specific actions on that traffic based on the associated rules. You might be familiar with Local Traffic Policies on the LTM…the firewall policy on the AFM follows the same basic idea: establish a list of rules and then take action on network traffic based on those rules.
To create a new Network Firewall policy, navigate to Security >> Network Firewall >> Policies, and then click the “Create” button. See screenshot below:
I created a policy and named it “My_AFM_Policy” and at this point in the process, that’s all it is…just an empty policy with a name. Now it’s time to build out the rules of what this policy will contain so that it can start doing some stuff. After you create the policy, you will see the policy listed on the “Policies” page and you can click on it to start adding rules. See the screenshot below:
When you add a new rule to the policy, you have several options to choose from. You first name the rule, and then you select what order to put it in (last, first, before, after), you select the state (enabled, disabled, or scheduled for another time that you determine), you specify the protocol that will be affected by this rule, you specify the source and destination, you select any applicable iRules, you specify the action to take on this rule, etc. As for the action to take, you can select from the following options: Accept, Drop, Reject, or Accept Decisively.
The Accept option allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall were not present at all.
The Drop option drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
The Reject option rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
Finally, the Accept Decisively option allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls.
See the screenshot below for all the cool options. I named my rule “block_all_traffic” because, you know, that’s how I roll…
Of course, you will want to add more rules than the crazy “block everything” rule, but you get the idea on creating rules for your policy. Now that you have a policy with a set of rules in it, you are ready to associate it with one or more virtual servers. When you do this, the traffic destined for that virtual server will have to satisfy the rules of your AFM policy in order to reach the virtual server. Pretty cool stuff.
In order to activate a network firewall policy on a virtual server, navigate to Local Traffic >> Virtual Servers: Virtual Server List and click on the Virtual Server you want to activate this policy for. After you click on the virtual server name, click on the dropdown menu for “Security” and click on Policies. You will see the screenshot below:
Notice the “Network Firewall” menu where you can select a policy from the “Enforcement” or “Staging” option. In order to enable the policy, you simply select the “Enabled” option next to “Enforcement” and then select from the dropdown list of policies. In this example, I chose the “My_AFM_Policy” that I created earlier. Finally, you click the “Update” button and you will notice the various rules on the bottom portion of the screen. These are the rules that are associated with the policy you selected (in our case, it’s just the one “block_all_traffic” rule). See the screenshot below for the details:
Well, that does it for basic AFM provisioning and policy building. Be on the lookout for our upcoming AFM article series where we will dive into the details of how to configure all the cool features of this powerful module!