Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Help with removing network ACLs from F5 which were made with iApps (f5.data_center_firewall Template...)

F5-FW-Struggler
Nimbostratus
Nimbostratus

First time user...

 

I am a cisco firewall engineer, who has been tasked with migrating ACLs off an F5 viprion solution. My customer is using the F5 for network firewalling and routing till now. Currently their environment is being redesigned to have a dedicated cisco firewall installed. The firewall rule sets need to be taken off the F5, and placed on the ASA... Also, some of the VLANs need to be removed altogether from the F5. Looking at the configuration (both GUI and CLI), F5 output looks really intricate in terms of how an acl is built, how it applies to forwarding IP VIPs (and other virtual servers)... They have been using some datacenter firewall template (f5.data_center_firewall) in iApps. I also see some Data Center Firewall Rule Builder...

 

In short, my question is - has anyone actually done this, and if so, is there a kb guide of how to decipher network acls on an F5, and better yet, is there a tool which does something like this (probably not, but figured i'd ask anyways!)..

 

I can provide some configuration output if needed...

 

2 REPLIES 2

James_Thomson
F5 Employee
F5 Employee

I've not heard of any tool that would automatically do this. The Packet Filter feature of F5 is similar to very basic ACL's. Virtual Servers are listeners, so you need to have a listener ( for example, on 0.0.0.0 which would listen for everything), then packet filters locks them down. More info here. http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4mgmt/BIG_IP_9_4_nsm_guide-13-1.html

 

They should have just turned on F5's AFM module which is a firewall and they wouldn't have needed a separate Firewall and it would incur much less latency. 🙂

 

F5-FW-Struggler
Nimbostratus
Nimbostratus

thanks james! Appreciate the response - i'd actually say F5 generally plays "ok" as a network firewall, its too many features in one box for my liking; however, I am still left trying to figure out how i am supposed to pull the acl entries out in a clean way from the F5... if they have been generated by this DCFW iApp temaplate... 🙂

 

Any other thoughts ideas?