F5 Customer Demo

BIG-IP AFM – Use AFM in Network Firewall Mode
F5 vLab document version 14.1.A
Written for: TMOS® Architecture v14.1
Virtual images:
BIGIPA_v14.1, LAMP_7
Windows_Server_2008, Windows_7_External (v9)

Estimated Completion Time: 20 minutes

The purpose of this demo is to show how to use BIG-IP AFM in network firewall mode, which means that
requests for all virtual servers and self IP addresses are blocked unless an Accept rule matches them. In this demo you will:

1. Show how current access to virtual servers and self IP addresses is allowed through the BIG-IP system
from both external and internal users.
2. Change the BIG-IP AFM mode from ADC mode to network firewall mode, and then show the results.
3. Create specific rules for two virtual servers.
4. Create specific rules for two self IP addresses.
5. Show the firewall statistics on the active rules page and show the built-in AFM reports.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.
Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 5/7/2019


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.

Part 1 – Prepare the BIG-IP Demo Environment


• Required virtual images: BIGIPA_v14.1, Windows_Server_2008_v1, Windows_7_External (v9)
• Estimated completion time: 10 minutes

Prep Task 1 – Download and Open the Windows Server VMware Image
The BIG-IP AFM demos require the Windows Server VMware image. If you haven’t already downloaded and
configured this image, follow these steps. If you’ve already downloaded this image, you can move to task 2.

− Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.


− Click Virtual Lab Environment (vLab).
− Ensure that 4.0 is selected in the version list, then click vLab_files, and then accept the software terms
and conditions.
− Download and then unzip Windows_Server_2008_v1.zip.

For Windows Users


− In VMware Workstation go to File > Open.
− Navigate to the directory into which you unzipped the VMware image and open Windows_Server_2008.
− Select the Windows_Server_2008.vmx image file, and then click Open.
− Select Windows_Server_2008 from the VMware library, and then click Edit virtual machine settings.
− Select Network Adapter, then in the Network connection section select the Custom option, and then
select VMnet 3. This will provide access to the internal network.

For Mac Users


− In VMware Fusion go to File > Import.
− Navigate to the directory into which you unzipped the VMware image and open Windows_Server_2008.
− Select the Windows_Server_2008.vmx image file, and then click Open.
− Select Windows_Server_2008 from the VMware library, and then click Settings.
− Click Network Adapter, and then click the vmnet4 option. (NOTE: Ensure you have selected the
option button.)

For All Users


− In the VMware library start up the Windows_Server_2008 image.
− If necessary, go to VM > Send Ctrl+Alt+Del, and then log in as F5DEMO\admin_user / password.
− If necessary, manually update the time to match your local time.
o Click the clock and select Change date and time settings…
o Click Change date and time, then manually adjust the time to the current time, then click OK twice.


Prep Task 2 – Provision AFM


Provision BIG-IP AFM on the BIG-IP system.

− In the VMware library start up the BIGIPA_v14.1 and Windows_7_External images.
− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following. (NOTE: Use the copy and paste guide in
the My Documents > Demo setup copy and paste guides directory.)
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license

→NOTE: If you do not have the BIGIPA_v14.1 image or the clean_install_bigipA_v14.1.ucs archive file, complete
the F5 vLab Setup (contained within the SE_vLab_Package or Partner_vLab_Package directories).

− Once the clean_install archive file has loaded, open Chrome or Firefox, click the BIGIP_A bookmark,
and log into the BIG-IP system as admin / admin.F5demo.com
− Open the System > Resource Provisioning page and set the following, and then click Submit.
o Leave Local Traffic (LTM) set to Nominal
o Set Advanced Firewall (AFM) to Nominal

Prep Task 3 – Create Firewall Policies


Create four network firewall policies that will be used during this demo, and then use TMSH commands to
create an event log profile and two web applications to use during the demo.

− Open the Security > Network Firewall > Policies page and click Create.
− Name the policy server41_policy, and then click Repeat.
− Create three additional policies named server42_policy, selfIP_10.1.10.240_policy,
and selfIP_10.1.20.240_policy.
− In putty copy and paste the following lines together (each command is a single line):
tmsh modify net self 10.1.10.240 fw-enforced-policy selfIP_10.1.10.240_policy allow-service add { tcp:22 }
tmsh modify net self 10.1.20.240 fw-enforced-policy selfIP_10.1.20.240_policy
tmsh create security log profile logging_profile { network add { logging_profile { filter { log-acl-match-accept enabled log-acl-match-drop enabled log-acl-match-reject enabled log-ip-errors enabled log-tcp-errors enabled log-tcp-events enabled log-translation-fields enabled } format { field-list { action date_time dest_ip dest_port drop_reason protocol src_ip src_port } type field-list } publisher local-db-publisher } } }
tmsh create ltm pool server41_pool members add { 10.1.20.41:0 { address 10.1.20.41 } }
tmsh create ltm pool server42_pool members add { 10.1.20.42:0 { address 10.1.20.42 } }
tmsh create ltm virtual server41_virtual destination 10.1.10.41:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server41_policy pool server41_pool security-log-profiles add { logging_profile }
tmsh create ltm virtual server42_virtual destination 10.1.10.42:0 ip-protocol tcp profiles add { tcp { } } translate-address enabled translate-port enabled source-address-translation { type automap } fw-enforced-policy server42_policy pool server42_pool security-log-profiles add { logging_profile }
tmsh save sys ucs demo_afm_network_firewall_mode_v14.1.ucs
exit

Part 2 – Deliver the BIG-IP Customer Demo


• Required virtual images: BIGIPA_v14.1, LAMP_v7, Windows_Server_2008_v1, Windows_7_External (v9)
• Estimated completion time: 20 minutes

BEFORE THE DEMO – Restore an Archive File


Use TMSH to restore the archive file you created in Part 1.

− In the VMware library start up the BIGIPA_v14.1, LAMP_v7, Windows_Server_2008, and
Windows_7_External images.
− Log into the Windows workstation as external_user / P@ssw0rd!
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs demo_afm_network_firewall_mode_v14.1.ucs no-license

→NOTE: If you do not have the demo_afm_network_firewall_mode_v14.1.ucs archive file, complete part 1 of
this document.

− Open Chrome and click the BIGIP_A bookmark and log into the BIG-IP system
as admin / admin.F5demo.com.
− Log into the LAMP workstation as Xubuntu with no password.

Demo Task 1 – Review Current Access Through the BIG-IP System


Examine how traffic is currently allowed through the BIG-IP system.

− In the Configuration Utility open the Virtual Server List page.
We have two virtual servers listening on all ports: 10.1.10.41 and 10.1.10.42.
− Open a new tab and click the following bookmarks:
o Demos > http://10.1.10.41
o Demos > http://10.1.10.41:8080
o Demos > https://10.1.10.42
o Demos > https://10.1.10.42:8443
o Demos > ftp://10.1.10.41
− From the desktop open putty and connect to 10.1.10.41, and then close putty without logging in.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.42, and then close the login dialog
box without logging in.
Currently we can access all available services on both virtual servers, including HTTP, HTTPS, FTP,
SSH, RDP, and ports 8080 and 8443.
− In the Configuration Utility open the Network > Self IPs page.
We have four self IP addresses: an external floating self IP address and an external self IP address:
10.1.10.240 and 10.1.10.241, as well as an internal floating self IP address and an internal self IP
address: 10.1.20.240 and 10.1.20.241.
− In the FTP tab edit the URL to https://10.1.10.240, and then close the tab without logging in.
− Open putty and connect to 10.1.10.240, and then close putty without logging in.
From the Windows workstation, on the external network, we can use the external self IP addresses to
access and manage the BIG-IP system using both HTTPS and SSH.
− On the LAMP desktop use Firefox to access http://10.1.10.41.
− Edit the URL to https://10.1.20.240.
− Right-click on the desktop and open a Terminal window and at the prompt type the following.
(Type yes when/if prompted.)
ssh root@10.1.10.42

− Type Ctrl+C, and then at the prompt type the following. (Type yes when/if prompted.)
ssh root@10.1.20.240

From the LAMP workstation, on the internal network, we can access the virtual server, and use the
internal self IP address to access and manage the BIG-IP system using both HTTPS and SSH.

Demo Task 2 – Modify the BIG-IP AFM Network Firewall Mode


Modify the AFM firewall mode to act as a “true” network firewall.

− In the Configuration Utility open the Security > Options > Network Firewall page, and then examine
the Default Firewall Action settings.
These are the default settings when you provision BIG-IP AFM. Whenever a request comes in for a
virtual server or a self IP address, BIG-IP AFM will accept the request. When using the default settings,
we don’t typically need to create any network firewall Accept rules, only Reject or Drop rules for
specific locations or ports that we want to block. However, we can also change the AFM mode to act
as a true network firewall.
− From the Virtual Server & Self IP Contexts list select Reject, and then click Update.
− Open a New incognito window (Chrome).

→NOTE: Using an incognito window is important because some of the requests you make will be
cached in the browser from the earlier request.

− In the incognito window click the following bookmarks:
o Demos > http://10.1.10.41
o Demos > https://10.1.10.42
o Demos > ftp://10.1.10.41
− Open putty and connect to 10.1.10.42, and then close putty.
− Go to Start > Remote Desktop Connection and connect to 10.1.10.41, and then close RDP.
− In the blocked page edit the URL to https://10.1.10.240.

− Open putty and connect to 10.1.10.240, and then close putty.
− On the LAMP desktop reload the https://10.1.20.240 page.
− Edit the URL to http://10.1.10.41 (and reload the page if you are not immediately blocked.)
− In the Terminal window at the prompt repeat the following command.
ssh root@10.1.20.240

We no longer have access to any of our virtual servers or self IP addresses using any services. Once
we switched BIG-IP AFM to a “true” network firewall, AFM rejects every request unless the request matches a
specifically defined Accept rule. We must now create Accept rules for all these listeners.

Demo Task 3 – Create Specific Rules for Each Virtual Server


Use the Active Rules page to create rules for the virtual servers.

− In the Configuration Utility open the Security > Network Firewall > Active Rules page.
We use this page to view, create, and modify network firewall rules for all BIG-IP contexts, including
the virtual server and self IP address contexts.
− From the Context list select Virtual Server, and then select server41_virtual.

For server41_virtual we need to enable public HTTP access, and SSH access from a single host
(a Lorax administrator).
− Click Add Rule, and then select Add rule to Virtual Server.

− Use the following information for the new rule, and then click Done Editing.
Name accept_http
Protocol TCP
Destination 80 (Press Enter or click Add)
Action Accept

− Click Add Rule and select Add rule to Virtual Server, then use the following information for the new rule,
and then click Done Editing.
Name accept_ssh_for_admin
Protocol TCP
Source 10.1.10.199/32 (Press Enter or click Add)
Destination 22 (Press Enter or click Add)
Action Accept

− Click Commit Changes to System.

− In the incognito window click the following bookmarks:
o Demos > http://10.1.10.41
o Demos > http://10.1.10.41:8080
o Demos > https://10.1.10.41
o Demos > ftp://10.1.10.41
− Open putty and connect to 10.1.10.41, and then close putty.
− On the LAMP desktop reload the blocked http://10.1.10.41 page.
− Edit the URL to https://10.1.10.41.
− In the Terminal window at the prompt type the following.
ssh root@10.1.10.41

While the LAMP workstation, on the internal network, has HTTP access to server41_virtual, it doesn’t
have HTTPS or SSH access to this virtual server. There is no port 443 rule, and the port 22 rule is only
for source IP 10.1.10.199, which is the Windows workstation on the external network.
− In the Configuration Utility on the Active Rules page, from the Context > Virtual Server list
select server42_virtual.
For server42_virtual we need to enable public HTTPS access, and SSH access for all users on the
internal network.
− Click Add Rule, and then select Add rule to Virtual Server.
− Use the following information for the new rule, and then click Done Editing.
Name accept_https
Protocol TCP
Destination 443 (Press Enter or click Add)
8443 (Press Enter or click Add)
Action Accept

− Click Add Rule and select Add rule to Virtual Server, then use the following information for the new rule,
then click Done Editing, and then click Commit Changes to System.
Name accept_ssh_for_admins
Protocol TCP
Source 10.1.20.0/24 (Press Enter or click Add)
Destination 22 (Press Enter or click Add)
Action Accept

− In the incognito window click the following bookmarks:
o Demos > http://10.1.10.42
o Demos > http://10.1.10.42:8080
o Demos > https://10.1.10.42
o Demos > https://10.1.10.42:8443
− Open putty and connect to 10.1.10.42, and then close putty.
− On the LAMP desktop in the blocked page edit the URL to http://10.1.10.42.
− Edit the URL to https://10.1.10.42.

− In the Terminal window at the prompt repeat the following command.
ssh root@10.1.10.42

The Windows workstation, on the external network, has HTTPS (and port 8443) access to
server42_virtual only, while the LAMP workstation has both HTTPS and SSH access, as it’s in the
10.1.20.0 network.

Demo Task 4 – Create Specific Rules for Each Self IP Address


Use the Active Rules page to create rules for the self IP addresses.

− In the Configuration Utility on the Active Rules page, from the Context list select Self IP, and then
select 10.1.20.240.
For self IP 10.1.20.240 we need to enable HTTPS access only from the internal network.
− Click Add Rule, and then select Add rule to Self IP.
− Use the following information for the new rule, and then click Done Editing.
Name accept_internal_https
Protocol TCP
Source 10.1.20.0/24 (Press Enter or click Add)
Destination 443 (Press Enter or click Add)
Action Accept

− From the Context > Self IP list select 10.1.10.240.
For self IP 10.1.10.240 we need to enable SSH access only from a single external host.
− Click Add Rule and select Add rule to Self IP, then use the following information for the new rule, then
click Done Editing, and then click Commit Changes to System.
Name accept_external_ssh
Protocol TCP
Source 10.1.10.199/32 (Press Enter or click Add)
Destination 22 (Press Enter or click Add)
Action Accept

− In the incognito window edit the URL to https://10.1.10.240, and then close the page.
− Open putty and connect to 10.1.10.240, and then close putty.
− On the LAMP desktop in Firefox edit the URL to https://10.1.20.240, and then close the page.
− In the Terminal window at the prompt repeat the following command.
ssh root@10.1.20.240

We’ve now limited BIG-IP system management access, allowing SSH access to the external self IP
address from a single external source only, and allowing HTTPS access to the internal self IP address
from sources within the internal 10.1.20.0 network only.


Demo Task 5 – View Firewall Statistics and Reporting


View the statistics on the Active Rules page, and then view the built-in AFM reporting.

− In the Configuration Utility on the Active Rules page, from the Context list select Virtual Server, and
then select server41_virtual.
− View the statistics in the Count column.

This displays how many times each rule was matched. The (Default) reject rule statistics display how
many times a request was rejected because the request didn’t match one of the configured rules,
such as when we tried to access the HTTPS version of server41_virtual, or when we used the LAMP
workstation to attempt SSH access.
− From the Context list select Self IP and leave 10.1.20.240 selected, and then view the statistics in
the Count column.
We can view these statistics for all BIG-IP AFM contexts, including virtual servers and self IP
addresses, along with the global context and route domain context.
− In the Configuration Utility open the Security > Reporting > Network > Enforced Rules page, and then
examine the Details section.
The default report shows all the network firewall contexts (virtual servers and self IP addresses, in
addition to global and route domain) that were matched in the last hour. We can see how many times
each virtual server and self IP address processed either an Accept or a Reject rule.

→NOTE: It can take up to five minutes for all the report data to display.

− Change the Chart type to Stacked.

− From the View By list select Rules (Enforced).

We can see how many times each rule was matched. Because this BIG-IP AFM is in network firewall
mode, the (Default) rule matches are requests that were blocked.
− In the Details section, click (Default).
These are all the contexts, including virtual servers and self IP addresses, for which BIG-IP AFM blocked
requests because there wasn’t a matching Accept rule.
− From the View By list select Destination Ports (Enforced).
These are all the ports that were requested for all contexts that were blocked by BIG-IP AFM because
there wasn’t a matching Accept rule.
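To make the behaviour seen in Demo Tasks 2 through 5 concrete, the following is an added example (not part of the F5 lab guide or F5's own code): a small Python model of how a context's rule list is evaluated, first match wins, with the Default Firewall Action applied when nothing matches. The context names, rule names, addresses and ports are the demo's own; the LAMP workstation's address (10.1.20.50) is constructed as a stand-in for any host on the internal 10.1.20.0/24 network. Per-rule and (Default) hit counters mirror the Count column on the Active Rules page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str                       # "accept", "reject" or "drop"
    protocol: str = "tcp"
    sources: tuple = ("0.0.0.0/0",)   # CIDR strings; the default matches any source
    dest_ports: tuple = ()            # empty tuple matches any destination port
    count: int = 0                    # mirrors the Count column on the Active Rules page

    def matches(self, src, proto, port):
        if proto != self.protocol:
            return False
        if self.dest_ports and port not in self.dest_ports:
            return False
        return any(ip_address(src) in ip_network(net) for net in self.sources)


@dataclass
class Context:
    """A virtual server or self IP context with its ordered rule list."""
    name: str
    rules: list = field(default_factory=list)
    default_count: int = 0            # hits on the (Default) rule for this context


class AFM:
    """default_action 'accept' models ADC mode; 'reject' models network firewall mode."""

    def __init__(self, default_action="accept"):
        self.default_action = default_action
        self.contexts = {}

    def add_context(self, name, rules=()):
        self.contexts[name] = Context(name, list(rules))

    def evaluate(self, context, src, proto, port):
        """First matching rule wins; otherwise the Default Firewall Action applies."""
        ctx = self.contexts[context]
        for rule in ctx.rules:
            if rule.matches(src, proto, port):
                rule.count += 1
                return rule.action, rule.name
        ctx.default_count += 1
        return self.default_action, "(Default)"

    def counts(self):
        """Per-context hit counts, like the Count column on the Active Rules page."""
        return {c.name: {**{r.name: r.count for r in c.rules}, "(Default)": c.default_count}
                for c in self.contexts.values()}


def build_demo(mode):
    """The four contexts and the rules Demo Tasks 3 and 4 create, under the given mode."""
    afm = AFM(mode)
    afm.add_context("server41_virtual", [
        Rule("accept_http", "accept", dest_ports=(80,)),
        Rule("accept_ssh_for_admin", "accept", sources=("10.1.10.199/32",), dest_ports=(22,)),
    ])
    afm.add_context("server42_virtual", [
        Rule("accept_https", "accept", dest_ports=(443, 8443)),
        Rule("accept_ssh_for_admins", "accept", sources=("10.1.20.0/24",), dest_ports=(22,)),
    ])
    afm.add_context("selfIP_10.1.20.240", [
        Rule("accept_internal_https", "accept", sources=("10.1.20.0/24",), dest_ports=(443,)),
    ])
    afm.add_context("selfIP_10.1.10.240", [
        Rule("accept_external_ssh", "accept", sources=("10.1.10.199/32",), dest_ports=(22,)),
    ])
    return afm


WINDOWS = "10.1.10.199"   # the external Windows workstation named in the demo
LAMP = "10.1.20.50"       # constructed: any host on the internal 10.1.20.0/24 network

# (context, source address, protocol, destination port) for requests the demo makes
REQUESTS = [
    ("server41_virtual", WINDOWS, "tcp", 80),
    ("server41_virtual", WINDOWS, "tcp", 8080),
    ("server41_virtual", WINDOWS, "tcp", 22),
    ("server41_virtual", LAMP, "tcp", 22),
    ("server42_virtual", WINDOWS, "tcp", 8443),
    ("server42_virtual", WINDOWS, "tcp", 22),
    ("server42_virtual", LAMP, "tcp", 22),
    ("selfIP_10.1.10.240", WINDOWS, "tcp", 443),
    ("selfIP_10.1.10.240", WINDOWS, "tcp", 22),
    ("selfIP_10.1.20.240", LAMP, "tcp", 443),
    ("selfIP_10.1.20.240", LAMP, "tcp", 22),
]


def run(mode):
    """Evaluate every demo request; returns the model and (context, src, port, action, rule) rows."""
    afm = build_demo(mode)
    rows = [(ctx, src, port) + afm.evaluate(ctx, src, proto, port) for ctx, src, proto, port in REQUESTS]
    return afm, rows


if __name__ == "__main__":
    for mode in ("accept", "reject"):
        afm, rows = run(mode)
        print(mode, rows, afm.counts())
```

Running it with mode "accept" (ADC mode) returns accept for every request, because anything the rules do not match falls through to the default; with mode "reject" (network firewall mode) only the requests an Accept rule covers succeed, and everything else is counted against (Default), which is exactly what the Count column and the Enforced Rules report show in Demo Task 5. The model deliberately leaves out two things the appliance also does: the global and route domain contexts are evaluated before the virtual server and self IP contexts, and the self IP port lockdown setting (the allow-service value set in Part 1) is a separate filter from the AFM policy.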

− Click Export, and then click Export again.
− Open the downloaded PDF.
At any time, we can export the report data. The export will include the exact current contents
displayed on the reports page.

That concludes this demonstration on using BIG-IP AFM in a “true” network firewall mode, where
access to all virtual servers and self IP address listeners is blocked, and we must create network
firewall Accept rules for all virtual servers and self IP addresses.

AFTER THE DEMO – Reset the VMware Environment


− Click Log out, and then close the Configuration Utility.
− From the desktop open putty, then in the Saved Sessions section double-click BIGIP_A, and then log in
as root / default.F5demo.com
− At the CLI prompt copy and paste the following:
tmsh load sys ucs clean_install_bigipA_v14.1.ucs no-license
reboot
