Forum Discussion
Blocking ip addresses with 11.3
We have multiple IP addresses in routing VLANs in our environment, so our systems in that environment are using the 11.3 F5 as a router.
Is there a way to use F5 to block IP traffic between these VLANs or even between IP addresses?
Does the Advanced Firewall Manager (AFM) for 11.3 provide any of this functionality? I'm evaluating it in our lab environment and do not see a way to do this.
4 Replies
- What_Lies_Bene1
Cirrostratus
I'd imagine AFM would do exactly what you wish so it's odd you don't think so.
Regardless, an iRule or Packet Filter are options.
The F5 is a deny by default device so do you have a routing VS, SNAT or similar setup that allows this traffic?
- Kevin_Stewart
Employee
AFM is a full stateful firewall that can apply L4 firewall rules to all addresses on the BIG-IP or you can specify BIG-IP configuration objects, like route domains, virtual servers, self-IPs, and Management IPs.
- Lazar_92526
Nimbostratus
We do have a routing VS set up to watch traffic. It seems like it would be messy though to set up IP restrictions utilizing a routing VS.
As an example, if we have a server with an IP of 172.24.24.10 and we want to block traffic to a server with an IP address of 172.24.54.10, how would we do this with AFM if neither of those IP addresses has a defined VIP?
- Kevin_Stewart
Employee
You could assign that rule globally.