firewall
11 Topics

VPN BIG-IP Edge client : firewall rules applied by BIG-IP Edge Client
We have established a VPN connection between a Windows client and a BIG-IP v15. We are using the BIG-IP Edge client with network access. According to table 3.5 in this document: https://support.f5.com/csp/article/K49720803#link_05_04 when "always connected" mode is enabled, the BIG-IP Edge client applies firewall rules. Is there any other feature that allows the BIG-IP Edge client to apply firewall rules? What kind of rules are applied?

1.4K views, 0 likes, 4 comments

userid to ip mapping - F5 APM
I have been wrestling with how I can share user-to-IP mappings for VPN connections with internal security devices (namely Palo Alto firewalls). I found a few great suggestions on here regarding leveraging an iRule to accomplish this, and while they appeared to work, adding DTLS broke most of the examples provided. Reference: https://devcentral.f5.com/questions/userid-to-leasepool-ip-mapping

So I spent some time attempting to figure out how I could accomplish this with DTLS enabled and this is what I came up with:

```tcl
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
    set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/vdesk/timeoutagent-i.php" } {
        set vpnip [ACCESS::session data get "session.assigned.clientip"]
        log local0. "timeout beacon received"
        if { $vpnip ne "" } {
            set user [ACCESS::session data get "session.logon.last.username"]
            # If the pa-vpn table entry for this IP does not equal the current user we need to update the firewall
            if { [table lookup -notouch "pa-vpn:$vpnip"] ne $user } {
                HSL::send $hsl "<190>F5_PA_UID_Event uid:$user vpnip:$vpnip\n"
                log local0. "periodic: F5_PA_UID_Event uid:$user vpnip:$vpnip"
                # timeout "indef", lifetime 600 s: the entry is re-created (and re-sent) every 10 minutes
                table set "pa-vpn:$vpnip" "$user" "indef" 600
            }
        }
    }
}

when ACCESS_SESSION_CLOSED {
    set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
    set vpnip [ACCESS::session data get "session.assigned.clientip"]
    if { $vpnip ne "" } {
        set user [ACCESS::session data get "session.logon.last.username"]
        HSL::send $hsl "<190>F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip\n"
        log local0. "periodic: F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip"
    }
}
```

My only concern with this implementation is performance impact. The /vdesk/timeoutagent-i.php request happens every 10 seconds or so, which means the set vpnip [ACCESS::session data get "session.assigned.clientip"] and [table lookup -notouch "pa-vpn:$vpnip"] will also occur. Is my concern warranted? Is there possibly a better implementation out there?
Any possible avenues that I might have missed?

1.3K views, 1 like, 8 comments
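As an added example (not the poster's code, and not an answer the thread itself gives), here is the same beacon-driven User-ID push with the "what was last sent" bookkeeping kept on the APM session in session.custom.* variables rather than in the global table, so the state disappears together with the session and needs no separate expiry. The HSL pool name, the beacon URI and the 600 s refresh interval are assumptions carried over from the post; whether this is measurably cheaper than the table lookups is something to confirm on the box.

```tcl
# Added example: beacon-driven User-ID push with per-session bookkeeping.
# Assumed from the post: HSL pool hsl_pa-uid_pool, beacon URI
# /vdesk/timeoutagent-i.php, and a 600 s refresh of the mapping.
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
    set hsl [HSL::open -proto UDP -pool hsl_pa-uid_pool]
}

when HTTP_REQUEST {
    # Only the Edge client's periodic beacon is inspected; everything else passes untouched.
    if { !([HTTP::uri] starts_with "/vdesk/timeoutagent-i.php") } { return }

    set vpnip [ACCESS::session data get "session.assigned.clientip"]
    if { $vpnip eq "" } { return }
    set user [ACCESS::session data get "session.logon.last.username"]

    # What was last pushed for this session, and when (session.custom.* is free for iRule use).
    set key     "$user $vpnip"
    set lastkey [ACCESS::session data get "session.custom.pa.key"]
    set lastts  [ACCESS::session data get "session.custom.pa.ts"]
    if { $lastts eq "" } { set lastts 0 }
    set now [clock seconds]

    # Push on a user/IP change, or every 600 s so the firewall's own
    # User-ID timeout keeps being refreshed.
    if { $lastkey ne $key || ($now - $lastts) >= 600 } {
        HSL::send $hsl "<190>F5_PA_UID_Event uid:$user vpnip:$vpnip\n"
        ACCESS::session data set "session.custom.pa.key" $key
        ACCESS::session data set "session.custom.pa.ts"  $now
    }
}

when ACCESS_SESSION_CLOSED {
    # Session removal: tell the firewall the mapping is gone.
    set vpnip [ACCESS::session data get "session.assigned.clientip"]
    if { $vpnip eq "" } { return }
    set user [ACCESS::session data get "session.logon.last.username"]
    set hsl  [HSL::open -proto UDP -pool hsl_pa-uid_pool]
    HSL::send $hsl "<190>F5_PA_LOGOUT_Event uid:$user vpnip:$vpnip\n"
}
```

The beacon still arrives every 10 seconds or so, so the two ACCESS::session data get calls per beacon remain; what goes away is the global table entry per VPN client and its 600 s lifetime, which this version replaces with a timestamp compared on the session itself.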
Restricting traffic between Vlans.

We have an F5 servicing our DMZ. It hosts the external IPs and acts as a router for the DMZ servers.

                                        +--- [ VLAN_2110 ]
[ Internet ] ---- [ F/W ] ---- [ F5 ] --+
                                        +--- [ VLAN_2310 ]

Recently a new requirement has emerged to keep one group of Vlans from talking to another group. For instance, VLAN_2110 and VLAN_2310 in the above sketch would not be allowed to talk to each other. Can the F5 do this?

709 views, 0 likes, 3 comments
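As an added example (not from the post or its replies), one way an LTM without AFM can enforce this is an iRule on the IP-forwarding virtual server through which the F5 routes between the DMZ VLANs: flows whose source and destination fall in the two groups that must not talk are dropped, everything else is forwarded as before. The post gives VLAN IDs only, so the subnets below are assumptions.

```tcl
# Added example: block flows between two DMZ VLAN groups on the forwarding
# virtual server. Assumed addressing (not in the post):
#   VLAN_2110 = 10.21.10.0/24, VLAN_2310 = 10.23.10.0/24
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set dst [IP::local_addr]   ;# destination address, before any translation

    set a_to_b [expr { [IP::addr $src equals 10.21.10.0/24] && [IP::addr $dst equals 10.23.10.0/24] }]
    set b_to_a [expr { [IP::addr $src equals 10.23.10.0/24] && [IP::addr $dst equals 10.21.10.0/24] }]

    if { $a_to_b || $b_to_a } {
        # Silently discard; use "reject" instead if the sender should see a TCP RST / ICMP unreachable.
        log local0. "inter-VLAN flow blocked: $src -> $dst"
        drop
    }
}
```

This only governs traffic that actually transits the F5; two hosts on the same VLAN never hit it. With more than two groups the subnets belong in an address-type data group checked with class match rather than hard-coded here, and with an AFM license the same intent is a normal policy rule instead of an iRule.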
Can someone take a look and make sure I understand this right about reverse proxy

Preface: Yes, I know not a whole lot, but I'm trying. If someone could just take a look at this, maybe it will help me find what piece I am missing. We have an internal server that needs to be accessed from the outside, but they don't want it actually touching the internet, so we run it through the BIG-IP F5 LTM. The internal IIS has an internal IP and an external IP assigned. The DNS entry is bound to the external IP address. A lot of what I set up has been copied from a currently working site that utilizes this exact same process. From my understanding the connection "route" is as follows: Internet-->ExtIP-->F5virtualIP-->IntIP The external IP gets NATted on the firewall to the F5 internal IP of the virtual server, and then the F5 virtual server is linked to the actual internal server IP. We have access rules in place to allow public access to the external IP as well as the F5 IP. There are NAT rules in place that *should* point anyone going to the external IP towards the F5 address, and then through that to the internal server. There's an F5 rule in place that redirects from http to https as well. Internally, on my work PC, I can navigate to the site via its FQDN. Externally though, I get a Not Secure Site message (we haven't gotten the cert in place yet, so that is expected), but then after a while of trying to load, we receive an ERR_CONNECTION_RESET page and it can't load. I feel like there is something I am missing but I just can't think of what it is. If anyone has any ideas I will be eternally grateful. Thank you in advance.

599 views, 0 likes, 2 comments

BIG-IP LTM - do i need to purchase AFM to make the LTM VE into a decent corporate firewall?
Hi Guys, First post, I'm new to F5 and an SA at my company has proposed using a pair of LTM VEs as the primary firewall in an enterprise network... However, he's been informed that we don't need to purchase the AFM features and can do this with the normal LTM license and the ARM for OSPF. I need to implement the design and migrate the config (policies, NATs, routing etc.) from a Checkpoint to the BIG-IP LTM... Reckon I need the AFM or is it possible without? I'm currently doing the essentials training and have purchased a book on iRules... Many Thanks

Solved, 574 views, 0 likes, 5 comments

Forward UDP traffic to different Pool using iRule
Hello, I made an iRule to forward traffic to another F5 pool if the source is different; it seems it does not work. If the source is other than those defined in the iRule, the expectation is that traffic should be processed by the default pool. But when I look at it from the F5, it is always hitting the default pool even when traffic is sourced from the sources defined in the iRule. What could be the issue with the iRule?

```tcl
when CLIENT_ACCEPTED {
    #Firewall
    set FW1 "10.7.10.10"
    #Firewall
    set FW2 "10.7.11.10"
    #Firewall
    set FW3 "10.7.12.10"
    #Firewall
    set FW4 "10.7.13.10"

    switch [IP::client_addr] {
        $FW1 {
            if { [LB::status pool ASA_Pool member 10.8.11.23 1514] eq "up" or [LB::status pool ASA_Pool member 10.8.11.24 1514] eq "up" } {
                pool ASA_Pool
            } else {
                pool Default_Pool
            }
        }
        $FW2 {
            if { [LB::status pool ASA_Pool member 10.8.11.23 1514] eq "up" or [LB::status pool ASA_Pool member 10.8.11.24 1514] eq "up" } {
                pool ASA_Pool
            } else {
                pool Default_Pool
            }
        }
        $FW3 {
            if { [LB::status pool ASA_Pool member 10.8.11.23 1514] eq "up" or [LB::status pool ASA_Pool member 10.8.11.24 1514] eq "up" } {
                pool ASA_Pool
            } else {
                pool Default_Pool
            }
        }
        $FW4 {
            if { [LB::status pool ASA_Pool member 10.8.11.23 1514] eq "up" or [LB::status pool ASA_Pool member 10.8.11.24 1514] eq "up" } {
                pool ASA_Pool
            } else {
                pool Default_Pool
            }
        }
        default {
            pool Default_Pool
        }
    }
}
```

401 views, 0 likes, 3 comments
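Added example, not the poster's code: the reason every client lands in Default_Pool is that a Tcl switch whose pattern/body list is enclosed in braces is not subject to variable substitution, so the patterns $FW1 through $FW4 above are the literal four-character strings "$FW1" and so on, which no client address ever equals. The version below keeps the same pools, members and firewall addresses as the post but writes the addresses as literals and folds the four identical branches into one with switch's fall-through ("-") syntax.

```tcl
# Added example: the same pool selection with a switch that actually matches.
# Pools, members and firewall addresses are those given in the post.
when CLIENT_ACCEPTED {
    switch -- [IP::client_addr] {
        "10.7.10.10" -
        "10.7.11.10" -
        "10.7.12.10" -
        "10.7.13.10" {
            # Traffic from one of the four firewalls: use ASA_Pool while at
            # least one of its members is up, otherwise fall back.
            if { [LB::status pool ASA_Pool member 10.8.11.23 1514] eq "up" || \
                 [LB::status pool ASA_Pool member 10.8.11.24 1514] eq "up" } {
                pool ASA_Pool
            } else {
                pool Default_Pool
            }
        }
        default {
            # Any other source is handled by the virtual server's default pool.
            pool Default_Pool
        }
    }
}
```

If the set of firewall addresses is going to change, put them in an address-type data group and test with class match instead of editing the iRule; the LB::status checks can also be replaced by a pool-level check with [active_members ASA_Pool] > 0 when any up member will do.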
Create a temporary rule (AFM) based on the request

Hi, I am mimicking the behavior of the FTP auth of Checkpoint. I have created the FTP server and now the client has to authenticate using the iRule. Now, I would like to create a temporary AFM rule to allow that IP to some other services. Is that possible? Is there any command to do such a thing? Regards, Arturo.

322 views, 0 likes, 2 comments

If F5 LTM/AFM is tier-1 DDoS Protection, what about upstream non-F5 Firewalls?
I understand F5 can do network-related DDoS protection at Layer 3 and 4. What I am curious about is the edge router or firewall upstream. Example: Internet->Edge Router->Firewall(Inter-VLAN Routing)->Layer2 Switch->F5 If F5 is capable of anti-DDoS, does the firewall need anti-DDoS too? If the firewall is doing anti-DDoS, then do we still need F5 for network-related DDoS protection? For the edge router, I believe ISP clean pipe or Silverline can help to mitigate.

300 views, 0 likes, 1 comment

ASM Blocking ajax upload
Hi, I am using ajax upload to upload files to the server. File upload was working fine in the ASM learning mode. But when I switch to protection mode my uploads are blocked and I am not able to upload any files. I have more than 200 ajax uploads in my website and none of them is working. Please help. Thanks Sreeni

251 views, 0 likes, 1 comment