Access Control Based on IP
Problem this snippet solves: This iRule forwards traffic based on "trusted" source addresses. The original application was to add a layer of security to IP forwarding virtual servers. By default, it will drop traffic unless the source IP is a member of the trustedAddresses data group. How to use this snippet: This iRule depends upon a single datagroup (class) of type Address named trustedAddresses. Code : when RULE_INIT { # v1.0 - basic ACL. # October, 2007 # Tested on BigIP version 9.4. # # Purpose: # Bind this rule to a network virtual server to simply allow or disallow traffic based on source IP. # This rule expects a datagroup named trustedAddresses that lists the addresses you wish to allow. # By default, traffic will be dropped. } when CLIENT_ACCEPTED { if { [matchclass [IP::client_addr] equals $::trustedAddresses] }{ #Uncomment the line below to turn on logging. #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic" forward } else { #Uncomment the line below to turn on logging. #log local0. "Invalid client IP: [IP::client_addr] - discarding" discard } } Tested this on version: 9.4
Import Cisco ACL(2000+ rows) from Cisco ACE to F5
Hello guys, through last few months I have been looking for scenario how to upload/implement/import Cisco ACL to F5. I have been looking here and found like 5,10 Cisco ACLs articles but none of them is working for me. So the problem is this: I am migrating old Cisco ACE contexts to new client's F5 i5000 series vCMPs. I was preparing this for a couple of months since I had Cisco ACE configs provided. Everything with implementation of first context worked fine. I created vlans,trunks,vCMP, provisioning, configure vCMP itself etc. Also I have used Cisco provided scripts which are from 2015. And in fact for LTM they are not 100% effective. However I managed to configure what was left manually. But now I come to the next context/vCMP where I have more than 2000 rows of ACL regarding some printers access. I was looking for solution of this but still without any result. Interesting thing is that I have request from client if I could implement ACL to F5 directly from pre-defined/created list in .csv format. It could be text or xml whatever. Also this list will change in time. Is there any option for this ? Could it be done through tmsh? Some script? Please help.
APM: User session id and client ip sent to syslog server after login vpn.
Hi Friends We need to record user information(vpn session id & client ip) at each access internal netwok resource after the success of login F5-VPN. Our APM is network access mode,Internal network have many tcp and udp application.I want each request these resources will be triggered the F5 to send user information(vpn session id & client ip) to the remote syslog server.How to do? Thanks everyone
Exposing F5 dashboard publicly?
Is it possible to expose F5 dashboard publicly (or at least with really minimal access to F5 Configuration Utility)? I'd like to expose it to machine displaying dashboards on display wall yet I wouldn't like to give it full access to actual F5 Configuration Utility interface. My question is either: How to expose dashboard without requiring authentication / requiring different authentication than F5 Configuration Utility or: Is there any lower permissions level for account in F5 than Guest that allows dashboard access or can this role permissions be even reduced to access only selected statistics required for dashboard operation? Another related topic would be: is it possible to expose dashboard on other vlan than management? For example as conventional Virtual Sever in some other network with destination pointing to F5 management IP?
Videos from F5's recent Agility customer / partner conference in London
A week or so ago, F5 in EMEA held our annual customer / partner conference in London. I meant to do a little write-up sooner but after an incredibly busy conference week I flew to F5's HQ in Seattle and didn't get round to posting there either. So...better late than never? One of the things we wanted to do at Agility was take advantage of the DevCentral team's presence at the event. They pioneered social media as a community tool, kicking off F5's DevCentral community (now c. 100,000 strong) in something like 2004. They are very experienced and knowledgeable about how to use rich media to get a message across. So we thought we'd ask them to do a few videos with F5's customers and partners about what drives them and how F5 fits in. Some of them are below, and all of them can be found here.
The IP Address – Identity Disconnect
The advent of virtualization brought about awareness of the need to decouple applications from IP addresses. The same holds true on the client side – perhaps even more so than in the data center. I could quote The Prisoner, but that would be so cliché, wouldn’t it? Instead, let me ask a question: just which IP address am I? Am I the one associated with the gateway that proxies for my mobile phone web access? Or am I the one that’s currently assigned to my laptop – the one that will change tomorrow because today I am in California and tomorrow I’ll be home? Or am I the one assigned to me when I’m connected via an SSL VPN to corporate headquarters? If you’re tying identity to IP addresses then you’d better be a psychiatrist in addition to your day job because most users have multiple IP address disorder. IP addresses are often utilized as part of an identification process. After all, a web application needs some way to identify a user that’s not supplied by the user. There’s a level of trust inherent in the IP address that doesn’t exist with my name or any other user-supplied piece of data because, well, it’s user supplied. An IP address is assigned or handed-out dynamically by what is an unemotional, uninvolved technical process that does not generally attempt to deceive, dissemble, or trick anyone with the data. An IP address is simply a number. But given the increasingly dynamic nature of data centers, of cloud computing, and of users accessing web-based services via multiple devices – sometimes at the same time – it seems a bad idea to base any part of identification on an IP address that could, after all, change in five minutes. IP addresses are no longer guaranteed in the data center, that’s the premise of much of the work around IF-MAP and dynamic connectivity and Infrastructure 2.0, so why do we assume it would be so on the client side? Ridonculous! The decoupling of IP address from identity seems a foregone conclusion. It’s simply not useful anymore. Add to this the fact that IP address depletion truly is a serious problem – the NRO announced recently that less than 10% of all public IPv4 addresses are still available – and it seems an appropriate time to decouple application and infrastructure from relying on client IP addresses as a form of identification.The Problem with Consumer Cloud Services...
…is that they're consumer #cloud services. While we're all focused heavily on the challenges of managing BYOD in the enterprise, we should not overlook or understate the impact of consumer-grade services within the enterprise. Just as employees bring their own devices to the table, so too do they bring a smattering of consumer-grade "cloud" services to the enterprise. Such services are generally woefully inappropriate for enterprise use. They are focused on serving a single consumer, with authentication and authorization models that support that focus. There are no roles, generally no group membership, and there's certainly no oversight from some mediating authority other than the service provider. This is problematic for enterprises as it eliminates the ability to manage access for large groups of people, to ensure authority to access based on employee role and status, and provides no means of integration with existing ID management systems. Integrating consumer-oriented cloud services into enterprise workflows and systems is a Sisyphean task. Cloud-services replicating what has traditionally been considered enterprise-class services such as CRM and ERP are designed with the need to integrate. Consumer-oriented services are designed with the notion of integration – with other consumer-grade services, not enterprise systems. They lack even the most rudimentary enterprise-class concepts such as RBAC, group-based policy and managed access. SaaS supporting what are traditionally enterprise-class concerns such as CRM and e-mail have begun to enable the integration with the enterprise necessary to overcome what is, according to survey conducted by CloudConnect and Everest Group, the number two inhibitor of cloud adoption amongst respondents. The lack of integration points into consumer-grade services is problematic for both IT – and the service provider. For the enterprise, there is a need to integrate, to control the processes associated with, consumer-grade cloud services. As with many SaaS solutions, the ability to collaborate with data-center hosted services as a means to integrate with existing identity and access control services is paramount to assuaging the concerns that currently exist given the more lax approach to access and identity in consumer-grade services. Integration capabilities – APIs – that enable enterprises to integrate even rudimentary control over access is a must for consumer-grade SaaS looking to find a path into the enterprise. Not only is it a path to monetization (enterprise organizations are a far more consistent source of revenue than are ads or income derived from the sale of personal data) but it also provides the opportunity to overcome the stigma associated with consumer-grade services that have already resulted in "bans" on such offerings within large organizations. There are fundamentally three functions consumer-grade SaaS needs to offer to entice enterprise customers: Control over AAA Enterprises need the ability to control who accesses services and to correlate with authoritative sources of identity and role. That means the ability to coordinate a log-in process that primarily relies upon corporate IT systems to assert access rights and the capability of the cloud-service to accept that assertion as valid. APIs, SAML, and other identity management techniques are invaluable tools in enabling this integration. Alternatively, enterprise-grade management within the tools themselves can provide the level of control required by enterprises to ensure compliance with a variety of security and business-oriented requirements. Monitoring Organizations need visibility into what employees (or machines) may be storing "in the cloud" or what data is being exchanged with what system. This visibility is necessary for a variety of reasons with regulatory compliance most often cited. Mobile Device Management (MDM) and Security Because one of the most alluring aspects of consumer cloud services is nearly ubiquitous access from any device and any location, the ability to integrate #1 and #2 via MDM and mobile-friendly security policies is paramount to enabling (willing) enterprise-adoption of consumer cloud services. While most of the "consumerization" of IT tends to focus on devices, "bring your own services" should also be a very real concern for IT. And if consumer cloud services providers think about it, they'll realize there's a very large market opportunity for them to support the needs of enterprise IT while maintaining their gratis offerings to consumers.
LTM VS inheritance APM VS VPE-Poilcy issue.
Hello~ I have a LTM combo APM device and a special scene. I hope customer after login the VPN(APM-Listener) ,and then accesee the non-APM-listener can inherit APM-listener-VPE-policy, such as VPE assigned ACL. Configuration list is as follows: (1) VS_VPN_PORT_443(APM-listener) ---Access policy VPE associated FULL webtop,local auth and ACL ..... (2) VS_XXX_PORT_ANY (non-APM-listener) ---standard type, pool ..... I test the result is the successful login VPN(APM-listener), then access to non-APM-listener, but not by the VPE-ACL limit. How to configure non-APM-listener to make non-APM-listener to inherit the APM-listener policy? Thanks everyone. D.Luo
