AFM / Configuring rules within a rule list through REST
Hey guys, Unfortunately I have to configure some AFM rule lists and rules, respectively. My first attempt was to add a new rule list with the whole rule set in one piece with a single POST request. I got this error message { "code": 400, "message": "Rule entries that are being added with the \"add\" option must specify either \"place-before\" or \"place-after\"", "errorStack": [], "apiError": 26214401 } I then tried to add new empty rule lists through REST which worked. After that I wanted to add several rules within that new rule list. That failed again with the error message mentioned above. Even POSTing a single rule in the this rule list fails with the same error message. It seems that the this message has been copied from the tmsh refrence documentation (see here: https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/security/security_firewall_rule-list.html) . I am a bit confused now how to add rules to a list. However, I added "ruleNumber" in the JSON body and experimented with different numbers (i.e. 0) but it did not work. Configuring rules within rule lists and refrencing the list within a policy is the way to go here at my company. While writing this post I found out that it is possible to just configure rules within a policy (we rarely use the AFM module). So here are my questions: Do you have any ideas what I am doing wrong when using REST configuring rules within a rule list? The mentioned way to go seems odd to me. Is it enough for simple packet filtering ("look at the source and allow only port 443" for example) to configure rules within a policy? What is your good practice?Solved28Views0likes1CommentAFM Firewall and NAT policies - how to implement
Hi, I need to implement policies for few hundreds src IP, dst IP SNAT and NAT combinations. Something like that, all related to 13.1.0.1: For given dst IP: Allow traffic from given set of IPs For given set of dst ports change dst IP (sometimes as well as port) to given IP For given dst IP there could be dozens of such rules. I am looking for real life advice which way would be better - maybe because of aspects I am not aware off, like easier troubleshooting, easier log checking anything else. Right now I can see two ways to implement: One wildcard IP and port VS One FW policy containing all source/destination definitions One NAT policy containing all destination port/destination IP and port definitions One VS per each destination IP (so FW rules do not need to check destination IP only source IP) One FW policy containing all source/destination definitions related to this dst IP One NAT policy containing all destination port/destination IP and port definitions In first case I will have single policies with hundreds of rules (or rule lists in case of FW policy) - seems harder to figure out what is in fact configured (sure filtering can be used) In second case it is easier to figure out what was set for given destination IP I am a bit lost here what would be better for real life management, maintenance and troubleshooting. What is complicating things even more some configuration has to be repeated for both FW and NAT policy. For example (at least in my test) NAT policy has to have Destination IP configured (same one as in Firewall policy). I can understand the reason for that but it makes space for mistakes, for example different dst IP in FW policy that in matching NAT policy. I hoped it could be resolved by applying NAT policy to VS - so it automatically pick up VIP and will use it as destination, but it seems not be a case. Any advice highly appreciated. Piotr389Views0likes3Comments