Forum Discussion

Mandragor
Jun 28, 2017

Change default firewall policy for new Virtual Servers

I have read

https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-6-0/1.html

concerning default behaviour, but it seems limited to setting the default to accept or to block/drop traffic only, with no other rules before the default one in this policy?

Is it possible to configure a default policy that is assigned to all new Virtual Servers upon creation, typically allowing traffic from monitoring software or backup solutions that you would like all Virtual Servers to allow anyway?

3 Replies

  • The default behaviour you are talking about is what we call ADC mode or Firewall mode.

    In ADC mode the virtual server will allow traffic from the sources you define in the virtual server, and the VLAN you specify there. If you don't restrict the source or VLAN, basically everyone can access it. If you want to block something, you need a firewall rule for that.

    In Firewall mode, you need to create firewall rules to allow traffic. Everything is blocked until you create rules to allow it.

    During the creation of the virtual server you can't specify the AFM policy, but you can apply it after the virtual server is created.

  • So if I want to use global policies, how can I overcome the issue with the default policy? Because in F5, every virtual server has a default policy to drop everything.

    • Leonardo_Souza

      That is not correct.

       

      The system has a default deny design. To pass traffic via the system, you need a listener, which is normally a virtual server. The listener will only handle traffic that matches its configuration. That can be a combination of source/destination/VLAN, etc.

      If you set up a virtual server with source 0.0.0.0/0, destination 10.10.10.0/24, all protocols and VLANs, it will handle traffic with a destination in the network 10.10.10.0/24, and anything else will just be dropped by the system (not by the virtual server).

      You can set up a forward virtual server with source 0.0.0.0/0 and destination 0.0.0.0/0, all protocols and VLANs. That will basically pass any traffic, and you can then filter in AFM what you want.
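Putting the two replies together as an added configuration example (my own tmsh, not anything posted in the thread, written from memory of the 11.x/12.x syntax, so check it against the tmsh reference for your version): a baseline policy containing only accept rules for the monitoring and backup sources, attached as the global enforced policy so it covers every virtual server, existing or new, without editing each one; a per-virtual-server policy with its own final reject; and the forward-everything virtual server from the last reply with a policy attached. Names, addresses and ports are invented placeholders.

```tmsh
# Added example, not from the thread. Hypothetical names and addresses:
#   10.10.10.0/24  monitoring network      10.20.20.5  backup server
#   baseline_mgmt  global policy           vs_web / vs_forward_all  virtual servers

# 1. Baseline policy: accept rules only, no final deny.
#    Global rules are evaluated before the virtual-server context; traffic that
#    matches nothing here falls through to the virtual server's own policy
#    (and, in ADC mode, to its implicit accept), so a deny at the end of the
#    global policy would black-hole every virtual server.
create security firewall policy baseline_mgmt rules add {
    allow_monitoring {
        action accept
        source { addresses add { 10.10.10.0/24 { } } }
    }
    allow_backup_ssh {
        action accept
        ip-protocol tcp
        source { addresses add { 10.20.20.5 { } } }
        destination { ports add { 22 { } } }
    }
}

# 2. Apply it once, globally: every virtual server, including ones created
#    later, inherits it. This is the "default policy for new virtual servers"
#    the question asks for.
modify security firewall global-rules enforced-policy baseline_mgmt

# 3. A per-virtual-server policy can still narrow things down. Because the
#    global rules already accepted monitoring/backup traffic, this policy only
#    has to describe the service itself and then reject the rest.
create security firewall policy web_only rules add {
    allow_https {
        action accept
        ip-protocol tcp
        destination { ports add { 443 { } } }
    }
    reject_rest {
        action reject
        log yes
    }
}
create ltm virtual vs_web destination 192.0.2.10:443 ip-protocol tcp pool web_pool
modify ltm virtual vs_web fw-enforced-policy web_only

# 4. The forwarding virtual server from the last reply: it matches any
#    source, destination and protocol on the given VLAN, so AFM is the only
#    thing standing between the client and the network behind it. Attach a
#    policy (here the same web_only, for illustration) rather than leaving it
#    wide open in ADC mode.
create ltm virtual vs_forward_all destination 0.0.0.0:0 mask any source 0.0.0.0/0 \
    ip-protocol any ip-forward profiles add { fastL4 } \
    vlans-enabled vlans add { internal } fw-enforced-policy web_only

# 5. Verify what is attached where.
list security firewall global-rules
list ltm virtual vs_web fw-enforced-policy
list ltm virtual vs_forward_all fw-enforced-policy
```

Two caveats a practitioner would want: the global policy is the place for "allow everywhere" rules precisely because unmatched traffic continues to the next context, so never end it with a deny; and if the box runs in Firewall mode the implicit action after all contexts is drop, so the per-virtual-server policy must still carry an explicit accept for the service traffic even when the global baseline already lets monitoring through.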