Create Forward Proxy Policy

Published April 5, 2023 | Last modified January 31, 2025

Objective

This guide provides instructions on how to create a forward proxy policy using the guided wizard in F5® Distributed Cloud Services. Forward proxy policies are applied when the F5 gateway is used in transit.

Using the instructions provided in this document, you can create forward proxy policies with policy rules controlling the traffic to secure your network.

Prerequisites

Configuration

Create Forward Proxy Policy

Step 1: Open policy configuration form.
  • Open F5® Distributed Cloud Console homepage, select Multi-Cloud Network Connect box.
Figure: Homepage

Figure: Homepage

  • Select Manage > Firewall > Forward Proxy Policies.

  • Select Add Forward Proxy Policy.

Figure: Forward Proxy Policies

Figure: Forward Proxy Policies

Step 2: Create and configure proxy.

  • Enter Name, Labels, and Description as needed.

  • Select Forward Proxy drop-down menu in Proxy box options:

    • All Forward Proxies on Site: All the proxies configured.

    • Network Connector > Select Network Connector in drop-down menu to a specific network connector.

    • Network Connector Label Selector > Selector Expression label in drop-down menu to identify label selection for network connector.

Figure: Create Policy

Figure: Create Policy

Step 3: Configure policy rules.
  • Select Policy Rules in Rules section drop-down options:
Allow all connections

This option allows all traffic.

Allowed connections: Connections to allow; everything else is denied.

  • Configure connection options:

    • TLS Domains: Select Add item > Select Enter Domain drop-down menu option: Exact Value, Suffix Value, or Regex Values of Domains. Enter the value in box to match domains. Then click Apply.

    • HTTP URLs: Select Add item > Select Enter Domain drop-down menu option: Exact Value, Suffix Value, or Regex Values of Domains. Enter the value in box to match domains. Enter Path drop-down option. Then click Apply.

    • L4 Destination List: Select Add item. Select Add Item to add additional prefixes. Enter Port Ranges. Select Apply.

    • Select Default Action drop-down menu option: Next Policy, Deny, or Allow.

Note: If L4 Destination List and Default Action options do not appear, select Show Advanced Fields toggle located in upper-right corner of Rules section.

Denied connections: Connections to deny; everything else will be allowed.

  • Configure connection options:

    • TLS Domains: Select Add item > Select Enter Domain drop-down menu option: Exact Value, Suffix Value, or Regex Values of Domains. Enter the value in box to match domains. Then click Apply.

    • HTTP URLs: Select Add item > Select Enter Domain drop-down menu option: Exact Value, Suffix Value, or Regex Values of Domains. Enter the value in box to match domains. Enter Path drop-down option. Then click Apply.

    • L4 Destination List: Select Add item. Select Add Item to add additional prefixes. Enter Port Ranges. Select Apply.

    • Select Default Action drop-down menu option: Next Policy, Deny, or Allow.

Note: If L4 Destination List and Default Action options do not appear, select Show Advanced Fields toggle located in upper-right corner of Rules section.

Custom Rule List: List of custom rules.

  • Select Configure link.

  • Select Add item.

  • Enter Name and Description as needed.

  • Select Action drop-down menu option: Deny or Allow.

  • From the Select Connection Source drop-down menu, select an option:

    • All Sources to apply the rule to all source endpoints.

    • IPv4 Prefix List to specify IPv4 prefixes and enter the prefixes. Click Configure. Enter prefixes for IPv4 or IPv6. Use Add Item to add more than one prefix list. Then click Apply.

    • Source Label Selector to use Add Label. The key-value combination of the label determines the source endpoints.

    • IP Prefix Set to specify a prefix set and select the prefix set from the drop-down list for the IP Prefix Set option. You can also create a new prefix set using the Add Item option in the drop-down list.

  • From the Destination Choice drop-down menu, select an option:

    • All Destinations to apply the rule to all destination endpoints.

    • TLS Domains to specify the HTTPS domains to which the rule applies. Select Add Item. Select an option from the drop-down list of the Enter Domain field, and set an HTTPS domain in the displayed option. Enter Exact Value in box. You can specify the exact domain name or a suffix or specify regular expression to match domains. Select Apply.

    • HTTP URLs to specify the HTTP URLs to which the rule applies. Select Add Item. Select an option from the drop-down list of the Enter Domain field, and set a URL in the displayed option. You can specify the exact URL, or a suffix or specify regular expression to match the URL. Select Enter Path drop-down menu option. Select Apply.

    • IPv4 Prefix List to specify the IPv4 prefix to which the rule applies. Click Configure. Enter prefixes for IPv4 or IPv6. Use Add Item to add more than one prefix list. Then click Apply.

    • IP Prefix Set to select IP Prefix Set drop-down menu options to specify the IP prefix set to which the rule applies. You can use Add Item if needed and configure metadata.

    • BGP ASN List to specify the BGN ASN list to which the rule applies. Select Configure. Enter AS Numbers in box. Use Add Item as needed. Select Apply.

    • Select Apply to apply the custom rule list to the forward proxy policy configuration.

    • Select Apply to return to Custom Rule List page.

Denied Connections Example:

Figure: Policy Rules Configuration

Figure: Policy Rules Configuration

Figure: TLS Domains for Deny Connections

Figure: TLS Domains for Deny Connections

Step 4: Complete forward proxy policy creation.

  • Select Save and Exit.

  • Verify forward proxy policy is displayed in Manage > Firewall > Forward Proxy Policy view.

Step 5: Attach policy to network firewall.

After creating the forward proxy policy, you can attach it to the network firewall.

  • Select Manage > Firewall > Network Firewalls.

  • Select ... > Manage Configuration for your firewall from the displayed list.

  • Select Edit Configuration.

  • Go to Forward Proxy Policy section and select Active Forward Proxy Policies in the Select Forward Proxy Policy Configuration drop-down menu.

  • Select the created forward proxy policy from the list drop-down menu in the Forward Proxy Policy section. You can add multiple policies using Add Item.

Figure: Attach Policy to Network Firewall

Figure: Attach Policy to Network Firewall

  • Select Save and Exit.
Step 6: Verify policy operation.

  • Select Manage > Firewall > Forward Proxy Policies.

  • Check the Hits field for the displayed list of forward proxy policies. This indicates how many times a network policy is applied to the traffic.

  • Select the value of Hits to display the which rules are applied and how many times they are applied. You can obtain policy or rule hits over a specific time interval using the time interval selector option.

Concepts

API References

On this page: