Packet Tracing in BIG-IP AFM
New in the v13 release of the BIG-IP Advanced Firewall Manager is the capability to insert a packet trace into the internal flow so you can analyze what component within the system is allowing or blocking packets based on your configuration of features and rule sets. If you recall from our Lightboard Lesson on the BIG-IP Life of a Packet, the packet flow diagram looks like this: The packet tracing is inserted at L3 immediately prior to the Global IP intelligence. Because it is after the L2 section, this means that a) we cannot capture in tcpdump so we can’t see them in flight and b) no physical layer details will matter as it relates to testing. That said, it’s incredibly useful for what is and is not allowing your packets through. You can insert tcp, udp, sctp, and icmp packets, with a limited set of (appropriate to each protocol) attributes for each. To get to the packet trace utility in the GUI, navigate to Network->Network Security->Packet Tester as show below. Note: In v13.1 this feature has been moved to Security -> Debug -> Packet Tester. This will launch the packet testing tool as shown here: Note with this tcp selection, in addition to setting the flags, you can configure the source and destination ip/port, source vlan, and trace options as it relates to policy and logging. An example packet trace shows the output of the trace after it completes: You’ll notice here that IP Intelligence and DoS have no beef with the packet, but there is no virtual match so the default action at the end of the path is to reject. Note that you can also use the packet trace utility in tmsh. The command is tmsh show net packet-tester security and results in an output like below. tmsh show net packet-tester security protocol tcp syn src-addr 192.168.101.2 src-port 21233 dst-addr 192.168.101.55 dst-port 8080 src-vlan external ************************* Packet Tester Data: ************************* Packet SrcIP/Port:192.168.101.2/21233 Src Vlan external Packet DstIP/Port:192.168.101.55/8080 Packet Protocol: tcp Packet Trace Option: Check Staged:Disable, Trigger Log:Disable Stage:Device-IP Intelligence Result: Default Stage:Device-DoS Result: Default Stage:Device-Access Control Result: Drop Stage:Route Domain-IP Intelligence (unset) Result: Default Stage:Route Domain-Access Control (unset) Result: Drop Stage:Listener-IP Intelligence (No Listener) Result: Default Stage:Listener-DoS (No Listener) Result: Default Stage:Listener-Access Control (No Listener) Result: Drop Stage:Device Default Result: Drop Final Result Packet SrcIP/Port:192.168.101.2/21233 Src Vlan external Packet DstIP/Port:192.168.101.55/8080 Packet Protocol: tcp Packet Trace Option: Check Staged:Disable, Trigger Log:Disable Stage:Device-Access Control Policy Name: unset Rule Name: unset Stage:Route Domain-Access Control Route Domain name: unset Policy Name: unset Rule Name: unset Stage:Listener-Access Control Listener name: unset Policy Name: unset Rule Name: unset Default Rule : No Device Default Rule Final Action : Drop Total records returned: 1 And because of tmsh, you can easily script packet generation with bash or even a tmsh script if you’re feeling the Tcl love. Current Limitations Only one packet can be inserted at a time, so even a scripted experience via tmsh will result in very low packets per second, which isn’t likely to really impact DoS for valid tests. Only valid headers are allowed, so a large part of typical red team attack vectors are not covered. No tcpdump visibility. No hardware paths. Basic visibility tools like the packet tester are great additions to the BIG-IP AFM. Whether it’s for testing new rules, validating existing ones, or simply throwing a bone over the fence to your operational security team to know where in your configuration an isolated action is being trapped, the v13 AFM packet tester has you covered!AFM Enhancements in BIG-IP v13
As you've noticed, DevCentral is covering some new features of F5 BIG-IP version 13 this month. Today we'll review some core updates to Advanced Firewall Manager (AFM). Next week we'll dive deeper into AFM DoS service improvements. In BIG-IP v13, AFM looks to improve performance, expand configuration flexibility, and make your administrative life a bit easier; something we all need. Per-Policy Compilation: YES! Prior to v13, policy compiling could be a lengthy process. Compiling monolithic polices with large rule lists/rules resulted in high memory use and long waits (depending on the depth of the policy). BIG-IP v13 introduces a per-policy compilation variable designed to alleviate these symptoms. (tmos)# show security firewall container-stat field-fmt security firewall security { activation-time-fmt Mar 17 2017 09:44:46-0700 compile-duration-fmt 0:0:0 container-size 14.3K context-name vs_kielbasa context-type virtual ovrlpck-duration-fmt 0:0:0 per-policy-compilation Yes policy-name afm_policy_a policy-type Staged process-mem 54.3M rule-count 5 slot-id 0 } This enables the Packet Correlation Classification Daemon (pccd) to detect changes, and recompile only changed policies. Unchanged policies will have results copied from the compiled policy objects. The above TMSH command displays the enabled variable but it can be turned off for various reasons if needed (talk to F5 support prior to screwing around with db variables). Pccd received several other updates, honorable mentions below: Increased memory usage statistic accuracy - useful for diagnostics Compiler Speed Improvements Improvements to HA handling - Active/Standby delays are reduced and stability improvements Rule overlap check improvements now includes unused policies Send To Virtual Server Enhancements Prior to v13, users were limited to source/destination address and port when selecting virtual servers in rules. Now any attribute used to match firewall rules can be used to select the virtual server. In the above image we are selecting GeoIP-based traffic and sending them to HADES, our honeypot virtual server. We can add additional conditions including: VS & Policy based on Geolocation VS & Policy for non-contiguous port ranges VS & Policy combinations of full 5-tuple (and VLAN/Geo/FQDN) We can expand our use cases with these enhanced conditions and create value add for other BIG-IP modules like AAM/LTM so only specific data classes proceed on to downstream services; think Geolocation/User based DNS/WAF/TCP options policies. These improvements should allow you to reduce firewall complexities and maybe even remove some of the patchworks implemented to get around the previous versions limitations. As with new features, there are some caveats to be aware of (highlights): Send to Virtual rules are applicable in global and route domain contexts No recursive redirects (no re-redirects) You cannot swap protocols with Send to Virtual Traffic and the virtual server addressing must be in the same family (IPv4/IPv6) Traffic and the virtual server must be in the same route domain To review statistics for traffic handled by a Send to Virtual rule use: tmctl fw_sendtovirtual_stats BIG-IP's AFM's increased flexibility and performance is making firewall administration nearly enjoyable at this point. Not that I'd rather build rule sets over going Skiing, but it's a heck of a lot easier. As we investigate more AFM improvements next week, you'll start to see how big BIG-IP v13 really is. If you haven't downloaded an evaluation copy yet, what are you waiting for? Let us know if you want us to dive deeper on these and other changes. Thanks for reading!
