EXERCISE 5.2 – CREATING AFM RULES
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Create Context Aware Rules for a Virtual Server
Create rules to allow port 80 access to a virtual server while blocking access from a specific subnet.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_5.1_afm_logging_v11.5.1 (you should have a virtual server named wildcard_virtual).
Open the Virtual Server List page and click wildcard_virtual.
Open the Security > Policies page, and then in the rules section click Add.
Create a rule using the following information, and then click Finished.
Type Rule
Name allow_http
Protocol TCP
Destination: Port Specify: Port: 80 (Click Add)
Action Accept
Logging Enabled
Create another rule using the following information, and then click Finished.
Type Rule
Name reject_10.128.20.0
Protocol Any
Source: Address/Region Specify: Address: 10.128.20.0/24 (Click Add)
Action Reject
Questions:
Are there any other rules applied to this virtual server? ____________________
If so, what are they? ______________________________________________
Create another rule using the following information, and then click Finished.
Type Rule
Name reject_all
Action Reject
Logging Enabled
TASK 2 – Create and View Log Entries
Generate traffic through the BIG-IP system using wildcard_virtual and examine the log messages.
Use a new tab to access http://10.128.10.25.
Change the URL to http://10.128.10.25:8081.
Change the URL to https://10.128.10.25.
Use an SSH client to access 10.128.10.25.
Open a command prompt window, and at the command prompt, type:
telnet 10.128.10.25
Use either Chrome or Firefox to access ftp://10.128.10.25.
Close the Web browsers, the SSH session, and the command prompt window.
In the VMware library, access and log in to the LAMP_3.4 virtual image.
On the LAMP_3.4 desktop, use Firefox to access http://10.128.10.25.
→NOTE: This computer image is in the 10.128.20.0 network.
In the Configuration Utility, open the Security > Event Logs > Network > Firewall page.
Did the Telnet request pass through the BIG-IP system? _________________
Did the HTTP request from 10.128.20.252 pass through the BIG-IP system? ______________
Open the Security > Network Firewall > Active Rules page.
Question:
Why wasn’t the HTTP request from 10.128.20.252 rejected? __________________________
Click the Reorder button.
Use your mouse to move the reject_10.128.20.0 rule above the allow_http rule, and then click Update.
In the VMware library, on the LAMP_3.4 image, right-click inside the Firefox window and select Reload.
Question:
Were you able to access the Web page? __________________
Close the Firefox window.
In the Configuration Utility, open the Security > Event Logs > Network > Firewall page.
Access for 10.128.20.252 was rejected using the reject_10.128.20.0 rule.
TASK 3 – Create a Rule List for Multiple Services
Create a rule list for several application services.
Open the Security > Network Firewall > Rule Lists page, and then click Create.
Name the rule list common_services, and then click Finished.
Click common_services, and then in the rules section click Add.
Create a rule using the following information, and then click Repeat.
Name allow_ftp
Protocol TCP
Destination: Port Specify: Port Range: 20 to 21 (Click Add)
Action Accept
Logging Enabled
Create another rule using the following information, and then click Repeat.
Name allow_https
Protocol TCP
Destination: Port Specify: Port: 443
(Delete the port range of 20-21)
Action Accept
Logging Enabled
Create another rule using the following information, and then click Finished.
Name allow_telnet
Protocol TCP
Destination: Port Specify: Port: 23 (Delete the 443 port)
Action Accept
Logging Enabled
TASK 4 – Add the Rule List to a Virtual Server
Use the Active Rules page to add the new firewall rule list to the security settings for wildcard_virtual.
Open the Security > Network Firewall > Active Rules page.
The displayed active rule is for wildcard_virtual.
In the rules section, click Add.
Create a rule using the following information, and then click Finished.
Context Virtual Server: wildcard_virtual
Type Rule List
Name allow_common_services
Rule List common_services
At this point, all FTP, HTTPS, and Telnet requests will be rejected before BIG-IP AFM reaches the rule list due to the reject_all rule.
TASK 5 – Test Access to the Virtual Server
Use a new tab to access https://10.128.10.25.
Change the URL to http://10.128.10.25:8081.
Use either Chrome or Firefox to access ftp://10.128.10.25.
When you get the authentication dialog box, click Cancel.
Use an SSH client to access 10.128.10.25.
Open a command prompt window, and at the command prompt, type:
telnet 10.128.10.25
Close all Web pages, SSH sessions, and command prompts.
In the Configuration Utility, open the Security > Event Logs > Network > Firewall page.
Requests for port 8081 and port 22 are still rejected by BIG-IP AFM.
TASK 6 – Customizing the Network Firewall Event Log
Experiment with creating custom filters on the network firewall event log page.
Click Custom Search.
Select a Reject entry from the Action column (just the actual word “Reject”) and drag it to the custom search area, and then click Search.
This filters the display to show only the rejected entries.
Click Reset Search to redisplay the entire log list.
In the search box, type allow_http, and then click Search.
This displays all entries that matched the allow_http rule, but also entries for the /Common/common_services:allow_https rule, because the search matches any rule name containing the text allow_http.
Click Custom Search.
Drag an entire row for a log entry that matched the allow_http rule to the custom search area.
On the right side of the screen, click the X button to remove all fields except for Rule and Destination Port.
Click Search.
This now displays all entries that matched the allow_http rule for port 80.
TASK 7 – Create Global Rules
Create a global rule that blocks all ICMP requests, and a scheduled global rule that enables SSH access only at specific times and days.
Open a command prompt window, and at the command prompt, type:
ping 10.128.10.241
Question:
Were you able to ping the external self IP address? ______________
In the Configuration Utility, open the Security > Network Firewall > Active Rules page, and then click Add.
Create a rule using the following information, and then click Finished.
Context Global
In the command prompt window type:
ping 10.128.10.241
Questions:
Were you able to ping the external self IP address? __________________
Did you receive a “destination net unreachable” message? ___________________
In the Configuration Utility, on the Active Rules page, click deny_icmp.
From the Action list box, select Drop, and then click Update.
In the command prompt window type:
ping 10.128.10.241
In the Configuration Utility, open the Security > Network Firewall > Schedules page, and then click Create.
Create a schedule using the following information, and then click Finished.
Name ssh_schedule
Date Range Until… (use the last day of this month)
Time Range Between 08:00 to 17:00
Days Valid Monday through Friday
Open the Security > Network Firewall > Active Rules page, and then click Add.
Create a rule using the following information, and then click Finished.
Context Global
Type Rule
Name allow_scheduled_ssh
State Scheduled…
Schedule ssh_schedule
Protocol TCP
Destination Port Specify: Port: 22 (Click Add)
Action Accept Decisively
Logging Enabled
Use an SSH client to access 10.128.10.25.
→NOTE: It’s not necessary to log into the CLI to complete this task.
In the Configuration Utility, on the Active Rules page, click ssh_schedule.
Clear the checkbox for the current day of the week, and then click Update.
Use an SSH client to access 10.128.10.25.
You no longer have global SSH access.
Close SSH sessions.
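The ordering and context behaviour you observe in Tasks 2, 4 and 7 (first match wins within a context, a rule list only takes effect if it sits above reject_all, Global rules are evaluated before the virtual server's rules, and a scheduled rule is skipped outside its schedule) is modelled below in a small Python evaluator. This is an added study example, not F5 code and not how AFM is implemented. Rule names, addresses and ports are taken from the exercise; the client address 10.128.10.1, the calendar dates, and the deny_icmp rule's protocol and initial Reject action are assumptions.

```python
# Added example, not F5 code: a toy first-match evaluator that reproduces the
# ordering, context and schedule behaviour this exercise has you observe in the
# AFM event log. Assumed values are marked as such in comments below.
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Schedule:
    until: date    # Date Range: Until... (inclusive)
    start: time    # Time Range: Between start ...
    end: time      # ... and end
    days: set      # Days Valid, Monday=0 ... Sunday=6

    def active(self, now: datetime) -> bool:
        return (now.date() <= self.until and self.start <= now.time() <= self.end
                and now.weekday() in self.days)

@dataclass
class Rule:
    name: str
    action: str                              # accept | accept-decisively | reject | drop
    protocol: str = "any"                    # tcp | udp | icmp | any
    source: Optional[str] = None             # Source Address/Region as CIDR
    dport: Optional[Tuple[int, int]] = None  # inclusive Destination Port range
    schedule: Optional[Schedule] = None      # State: Scheduled...

    def matches(self, pkt: dict, now: datetime) -> bool:
        if self.schedule is not None and not self.schedule.active(now):
            return False                     # outside its schedule the rule is skipped
        if self.protocol != "any" and self.protocol != pkt["proto"]:
            return False
        if self.source and ip_address(pkt["src"]) not in ip_network(self.source):
            return False
        return not self.dport or self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]

def rule_list(name: str, rules: List[Rule]) -> List[Rule]:
    """Inline a rule list where it is referenced; the event log names each hit
    <list>:<rule>, like /Common/common_services:allow_https in Task 6."""
    return [Rule(f"{name}:{r.name}", r.action, r.protocol, r.source, r.dport, r.schedule)
            for r in rules]

def evaluate(contexts, pkt, now):
    """contexts: ordered (name, rules) pairs, Global before the virtual server.
    The first matching rule in a context decides for that context: 'accept' hands
    the packet to the next context; 'accept-decisively', 'reject' and 'drop' end
    evaluation. Returns (action, rule, client_told): only reject answers the client,
    which is the "destination net unreachable" reply asked about in Task 7."""
    verdict = ("accept", "<default>", False)
    for ctx, rules in contexts:
        for rule in rules:
            if not rule.matches(pkt, now):
                continue
            if rule.action != "accept":
                return rule.action, rule.name, rule.action == "reject"
            verdict = ("accept", rule.name, False)  # a later context may still override
            break
    return verdict

# Rules as created in Tasks 1, 3 and 7
allow_http = Rule("allow_http", "accept", "tcp", dport=(80, 80))
reject_lamp = Rule("reject_10.128.20.0", "reject", source="10.128.20.0/24")
reject_all = Rule("reject_all", "reject")
common_services = rule_list("common_services", [
    Rule("allow_ftp", "accept", "tcp", dport=(20, 21)),
    Rule("allow_https", "accept", "tcp", dport=(443, 443)),
    Rule("allow_telnet", "accept", "tcp", dport=(23, 23))])
deny_icmp = Rule("deny_icmp", "reject", "icmp")  # fields assumed; Task 7 changes Reject to Drop
ssh_schedule = Schedule(date(2024, 1, 31), time(8, 0), time(17, 0), {0, 1, 2, 3, 4})
allow_scheduled_ssh = Rule("allow_scheduled_ssh", "accept-decisively", "tcp",
                           dport=(22, 22), schedule=ssh_schedule)
WORKDAY = datetime(2024, 1, 17, 10, 0)  # assumed: a Wednesday inside ssh_schedule
CLIENT = "10.128.10.1"                  # assumed address of the lab workstation

def task2_reorder():
    """Why the LAMP host reached the page before the reorder but not after."""
    http = {"proto": "tcp", "src": "10.128.20.252", "dport": 80}
    telnet = {"proto": "tcp", "src": CLIENT, "dport": 23}
    before = [("wildcard_virtual", [allow_http, reject_lamp, reject_all])]
    after = [("wildcard_virtual", [reject_lamp, allow_http, reject_all])]
    return (evaluate(before, http, WORKDAY)[1], evaluate(before, telnet, WORKDAY)[1],
            evaluate(after, http, WORKDAY)[1])

def task4_rule_list_position():
    """A rule list placed below reject_all is never reached (Task 4)."""
    ftp = {"proto": "tcp", "src": CLIENT, "dport": 21}
    below = [("wildcard_virtual", [reject_lamp, allow_http, reject_all] + common_services)]
    above = [("wildcard_virtual", [reject_lamp, allow_http] + common_services + [reject_all])]
    return evaluate(below, ftp, WORKDAY)[1], evaluate(above, ftp, WORKDAY)[1]

def task7_global_rules():
    """Global context runs first; the schedule decides whether SSH is accepted
    decisively there or falls through to the virtual server's reject_all."""
    vs = ("wildcard_virtual", [reject_lamp, allow_http] + common_services + [reject_all])
    ssh = {"proto": "tcp", "src": CLIENT, "dport": 22}
    ping = {"proto": "icmp", "src": CLIENT}
    weekend = datetime(2024, 1, 20, 10, 0)  # Saturday: schedule inactive
    policy = [("Global", [deny_icmp, allow_scheduled_ssh]), vs]
    dropped = [("Global", [Rule("deny_icmp", "drop", "icmp"), allow_scheduled_ssh]), vs]
    return (evaluate(policy, ssh, WORKDAY)[1], evaluate(policy, ssh, weekend)[1],
            evaluate(policy, ping, WORKDAY)[2], evaluate(dropped, ping, WORKDAY)[2])

if __name__ == "__main__":
    print(task2_reorder(), task4_rule_list_position(), task7_global_rules())
```

Each function returns the name of the rule that decided the packet, so the output can be compared with the Rule column of the firewall event log. The distinction between Accept and Accept Decisively is visible in evaluate: a plain Accept in the Global context would hand the SSH connection on to wildcard_virtual, where reject_all would still reject it, which is why the scheduled rule uses Accept Decisively.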
TASK 8 – View Firewall Reports
View several of the built-in network firewall reports and graphs on the BIG-IP system.
Open the Security > Reporting > Network > Enforced Rules page.
The default report shows all of the rule contexts that were matched in the past hour.
In the Details section, click /Common/wildcard_virtual, and then click <Unassigned>.
This displays the rules and rule lists that were matched for this virtual server.
Click reject_all.
From the View By list box, select Destination Ports (Enforced).
This displays all of the ports that matched this reject rule.
Navigate back to Rule Context (Enforced).
From the View By list box, select Source IP Addresses (Enforced).
In the Details section, click 10.128.20.252, then click /Common/wildcard_virtual, and then click <Unassigned>.
This displays how many times this IP address matched each rule.
Create an archive file named bc_5.2_afm_rules_v11.5.1.