Network Firewall
Objective
This guide provides instructions on how to create a Network Firewall using the guided wizards in F5® Distributed Cloud Services. For more information on sites, see Site.
A Network Firewall consists of three elements:
- A Forward Proxy Policy: L7 policies applied when the F5 gateway acts as a forward proxy for traffic in transit.
- A Network Policy: L3-L4 policies applied to traffic that enters, leaves, or originates on the F5 gateway.
- A Fast Access Control List (Fast ACL): a set of rules that protects the F5 gateway itself.
Using the instructions provided in this guide, you can create a network firewall with all its elements, and apply it to your site or fleet of sites.
Prerequisites
- A valid account is required. If you do not have an account, see Create an Account.
- An F5 Gateway. For more information, see Site Management.
Configuration
Configuration Sequence
Configuring a network firewall requires performing the following sequence of actions:
| Phase | Description |
|---|---|
| Create a Network Firewall | Create a network firewall with the policies and Fast ACLs that define the network rules. |
| Apply Network Firewall on Fleet | Apply the network firewall to the fleet to protect the sites that are part of the fleet. |
Important: The creation of a network policy, a forward proxy policy, or a fast ACL is optional. However, it is recommended to protect your network by creating at least one.
Create Network Firewall
Perform the following to create a network firewall:
Step 1: Start network firewall object creation.
- Open the F5® Distributed Cloud Console homepage and select the Multi-Cloud Network Connect service.
Figure: Homepage
- Select Manage > Firewall > Network Firewalls in the left menu.
- Select Add Network Firewall.
Figure: Add Network Firewall
- Enter Name, and add Labels and Description as needed.
Figure: Add Network Firewall
Step 2: Configure forward proxy policy.
- From the Select Forward Policy Configuration menu, select an option:
  - Disable Forward Proxy Policy: default option.
  - Active Forward Proxy Policies: select an existing policy from the Forward Proxy Policies menu.
Figure: Forward Policy Configuration
Step 2.1: Configure new forward proxy policy.
For more information on forward proxy policy options, see the Forward Proxy Policies guide.
- From the Forward Proxy Policies menu, click Add Item.
- Enter Name, and add Labels and Description as needed.
- From the Select Forward Proxy menu, select the proxies this policy applies to:
  - All Forward Proxies on Site: all the forward proxies configured on the site.
  - Network Connector: a specific network connector.
  - Network Connector Label Selector: a label selector that selects network connectors.
Figure: Proxies on Site Selection
- From the Select Policy Rules menu, select an option:
  - Allow all connections: allows all traffic.
  - Allowed connections: select Add Item under TLS Domains or HTTP URLs (or both), enter the entries, and select Apply. Only the listed connections are allowed; everything else is denied. Select an option from the Default Action drop-down menu.
  - Denied connections: select Add Item under TLS Domains, HTTP URLs, or L4 Destination List (or any combination), enter the entries, and select Apply. The listed connections are denied; everything else is allowed. Select an option from the Default Action drop-down menu.
  - Custom Rule List: select Configure, enter the rules, and select Apply to add a list of custom rules.
- Select Continue to add the new forward proxy policy.
- To add more forward proxy policies, select Add Item.
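The difference between the four Select Policy Rules options (allow all, allow-list, deny-list, custom rule list) and the role of the Default Action menu are easiest to see in code. The following is an added example, not code from this page or from F5: a small Python model of the forward proxy policy decision. The Connection, Matcher, Rule and ForwardProxyPolicy types, the glob-style matching of TLS domains, the prefix matching of HTTP URLs and the three sample policies are this example's own assumptions, and a Custom Rule List is assumed to be evaluated in order with the first matching rule winning.

```python
# Added example (not F5's code): a model of how the forward proxy policy rule
# modes described above decide a connection. Names, data shapes and the
# glob-style domain matching are this example's own assumptions.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Literal, Optional

Action = Literal["allow", "deny"]


@dataclass(frozen=True)
class Connection:
    """A connection as seen by the forward proxy (constructed sample shape)."""
    tls_sni: Optional[str] = None   # SNI of a tunnelled TLS connection
    http_url: Optional[str] = None  # URL of a plain HTTP request
    dst_ip: str = ""                # L4 destination, used by L4 destination lists
    dst_port: int = 0


@dataclass(frozen=True)
class Matcher:
    """Match criteria from the TLS Domains / HTTP URLs / L4 Destination List entries."""
    tls_domains: tuple = ()   # glob patterns such as "*.ubuntu.com" (assumption)
    http_urls: tuple = ()     # URL prefixes (assumption)
    l4_dests: tuple = ()      # (ip, port) pairs; the console offers these in Denied connections mode

    def matches(self, c: Connection) -> bool:
        if c.tls_sni and any(fnmatchcase(c.tls_sni, p) for p in self.tls_domains):
            return True
        if c.http_url and any(c.http_url.startswith(p) for p in self.http_urls):
            return True
        return (c.dst_ip, c.dst_port) in self.l4_dests


@dataclass(frozen=True)
class Rule:
    """One entry of a Custom Rule List; the first matching rule wins (assumption)."""
    name: str
    action: Action
    match: Matcher


@dataclass(frozen=True)
class ForwardProxyPolicy:
    mode: Literal["allow_all", "allow_list", "deny_list", "rule_list"]
    entries: Matcher = Matcher()     # used by allow_list / deny_list
    rules: tuple = ()                # used by rule_list, evaluated in order
    default_action: Action = "deny"  # Default Action menu: verdict when nothing matches

    def evaluate(self, c: Connection) -> tuple:
        """Return (action, reason) for a connection."""
        if self.mode == "allow_all":
            return ("allow", "allow_all")
        if self.mode == "allow_list":            # Allowed connections
            if self.entries.matches(c):
                return ("allow", "allowed-connection")
            return (self.default_action, "default")
        if self.mode == "deny_list":             # Denied connections
            if self.entries.matches(c):
                return ("deny", "denied-connection")
            return (self.default_action, "default")
        for r in self.rules:                     # Custom Rule List
            if r.match.matches(c):
                return (r.action, r.name)
        return (self.default_action, "default")


# Three sample policies (constructed for this example).
ALLOW_ONLY_UPDATES = ForwardProxyPolicy(
    mode="allow_list",
    entries=Matcher(tls_domains=("*.ubuntu.com", "pypi.org", "files.pythonhosted.org"),
                    http_urls=("http://archive.ubuntu.com/",)),
    default_action="deny",   # everything not listed is denied
)
BLOCK_KNOWN_BAD = ForwardProxyPolicy(
    mode="deny_list",
    entries=Matcher(tls_domains=("*.pastebin.com",), l4_dests=(("198.51.100.7", 4444),)),
    default_action="allow",  # everything not listed is allowed
)
ORDERED = ForwardProxyPolicy(
    mode="rule_list",
    rules=(Rule("allow-pypi", "allow", Matcher(tls_domains=("pypi.org",))),
           Rule("deny-other-tls", "deny", Matcher(tls_domains=("*",)))),
    default_action="allow",  # reached only by connections no rule matched (plain HTTP here)
)

if __name__ == "__main__":
    for policy, conn in [(ALLOW_ONLY_UPDATES, Connection(tls_sni="security.ubuntu.com")),
                         (ALLOW_ONLY_UPDATES, Connection(tls_sni="example.net")),
                         (BLOCK_KNOWN_BAD, Connection(dst_ip="198.51.100.7", dst_port=4444)),
                         (ORDERED, Connection(http_url="http://example.net/"))]:
        print(policy.mode, conn, "->", policy.evaluate(conn))
```

The point to take from the model: the Default Action only ever applies to connections that match no entry. In Allowed connections mode a deny default is what makes the policy an allow-list, and in a Custom Rule List a final catch-all rule (here "deny-other-tls") is what stops unmatched TLS traffic from falling through to the default; plain HTTP in the ORDERED sample still falls through, which is the kind of gap worth checking before saving a policy.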
Step 3: Enable firewall policy.
- In the Firewall Policy section, perform the following:
  - From the Select Firewall Policy Configuration menu, select an option to activate or disable network policies for this network firewall. You can activate a firewall policy or enable an enhanced firewall policy. For more information, see the Firewall Policies guide.
  - From the Firewall Policy menu, select a firewall policy created previously.
Figure: Firewall Policy Configuration
- To create a new firewall policy instead:
  - From the Firewall Policy menu, select Add Item.
  - Enter Name, and add Labels and Description as needed.
  - From the Endpoint(s) menu, select the endpoints the policy applies to:
    - IPv4/IPv6 Prefix List: click Add Item and enter a prefix in the box that appears below.
    - Any Endpoint
    - Endpoints Reachable via all Outside Interfaces
    - Endpoints Reachable via all Inside Interfaces
    - Label Selector: click Add Label to define a label that identifies the endpoints.
Figure: Endpoint Selection
Step 4: Configure ingress and egress rules.
Ingress rules govern connections to the policy endpoints and egress rules govern connections from them. In both cases a rule is matched against the other endpoint of the connection: the source for ingress, the destination for egress.
Step 4.1: Configure ingress rules.
- Select Configure in the Connections To Policy Endpoints section.
- Select Add Item.
- Enter Name.
- From the Action menu, choose whether to allow or deny a connection that matches the rule.
- Toggle Show Advanced Fields to show the Logging Action drop-down menu, and select a logging option.
- From the Select Other Endpoint drop-down menu, select the source endpoint of the ingress connection.
- From the Select Type of Traffic to Match drop-down menu, select the type of traffic to match. The default option matches all types of traffic. To match application traffic, select the Application Protocols to use; to match protocol and port ranges, select the Protocols to use.
- Optionally, match on label keys by selecting Add Item in the Keys box. To add more keys, select Add Item again.
- Select Apply to add the rule.
- Select Apply to add the ingress rules.
Step 4.2: Configure egress rules.
- Select Configure in the Connections From Policy Endpoints section.
- Select Add Item.
- Enter Name.
- From the Action menu, choose whether to allow or deny a connection that matches the rule.
- Toggle Show Advanced Fields to show the Logging Action drop-down menu, and select a logging option.
- From the Select Other Endpoint drop-down menu, select the destination endpoint of the egress connection.
- From the Select Type of Traffic to Match drop-down menu, select the type of traffic to match. The default option matches all types of traffic. To match application traffic, select the Application Protocols to use; to match protocol and port ranges, select the Protocols to use.
- Optionally, match on label keys by selecting Add Item in the Keys box. To add more keys, select Add Item again.
- Select Apply to add the rule.
- Select Apply to add the egress rules.
- Select Continue.
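Steps 3 and 4 together define a network policy: a set of policy endpoints, a list of ingress rules matched against the source of connections to those endpoints, and a list of egress rules matched against the destination of connections from them. The following is an added example, not code from this page or from F5: a Python model of that evaluation for a web tier, with rules taken in order and the first match deciding. The Flow, Rule and NetworkPolicy types, the prefix-list form of "other endpoint", the protocol and destination-port matching and the sample WEB_TIER policy are this example's own assumptions; the page does not say what happens when no rule matches, so the model reports that case explicitly instead of guessing.

```python
# Added example (not F5's code): a model of the network policy described in
# Steps 3 and 4: policy endpoints, ingress rules (Connections To Policy
# Endpoints), egress rules (Connections From Policy Endpoints), a first-match
# action and a logging choice. Field names and data shapes are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Literal, Optional

ANY = ("0.0.0.0/0", "::/0")


def in_prefixes(ip: str, prefixes) -> bool:
    """True if ip lies in any prefix of the same address family."""
    a = ip_address(ip)
    return any(a in n for n in map(ip_network, prefixes) if n.version == a.version)


@dataclass(frozen=True)
class Flow:
    """One connection attempt (constructed sample shape)."""
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp", "icmp"
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: Literal["allow", "deny"]
    other_endpoint: tuple = ANY     # Select Other Endpoint: prefixes of the non-policy side
    protocol: Optional[str] = None  # Type of Traffic to Match: None = all traffic
    ports: tuple = ()               # inclusive (lo, hi) destination port ranges; () = any port
    log: bool = False               # Logging Action

    def matches(self, other_ip: str, flow: Flow) -> bool:
        if not in_prefixes(other_ip, self.other_endpoint):
            return False
        if self.protocol and flow.proto != self.protocol:
            return False
        if self.ports and not any(lo <= flow.dst_port <= hi for lo, hi in self.ports):
            return False
        return True


@dataclass(frozen=True)
class NetworkPolicy:
    endpoints: tuple      # Endpoint(s): IPv4/IPv6 prefix list defining the policy endpoints
    ingress: tuple = ()   # Connections To Policy Endpoints; other endpoint = source
    egress: tuple = ()    # Connections From Policy Endpoints; other endpoint = destination

    def evaluate(self, flow: Flow) -> tuple:
        """Return (direction, action, rule_name, logged).

        The page does not state the verdict when no rule matches, so the model
        reports "no-match" rather than guessing; end each rule list with an
        explicit catch-all so the outcome is never left implicit.
        """
        if in_prefixes(flow.dst_ip, self.endpoints):
            direction, rules, other = "ingress", self.ingress, flow.src_ip
        elif in_prefixes(flow.src_ip, self.endpoints):
            direction, rules, other = "egress", self.egress, flow.dst_ip
        else:
            return ("none", "no-match", None, False)
        for r in rules:
            if r.matches(other, flow):
                return (direction, r.action, r.name, r.log)
        return (direction, "no-match", None, False)


# Sample policy for a web tier in 10.0.1.0/24 (constructed for this example).
WEB_TIER = NetworkPolicy(
    endpoints=("10.0.1.0/24",),
    ingress=(
        Rule("allow-https-from-corp", "allow", ("10.0.0.0/8",), "tcp", ((443, 443),), log=True),
        Rule("allow-ssh-from-bastion", "allow", ("10.0.0.10/32",), "tcp", ((22, 22),), log=True),
        Rule("deny-all-ingress", "deny", ANY, log=True),
    ),
    egress=(
        Rule("allow-dns", "allow", ("10.0.0.53/32",), "udp", ((53, 53),)),
        Rule("allow-https-out", "allow", ANY, "tcp", ((443, 443),)),
        Rule("deny-all-egress", "deny", ANY, log=True),
    ),
)

if __name__ == "__main__":
    for f in (Flow("10.0.5.9", "10.0.1.10", "tcp", 443),
              Flow("203.0.113.4", "10.0.1.10", "tcp", 22),
              Flow("10.0.1.10", "10.0.0.53", "udp", 53),
              Flow("10.0.1.10", "198.51.100.1", "tcp", 25)):
        print(f, "->", WEB_TIER.evaluate(f))
```

Two habits the model makes visible: order the specific allow rules before the catch-all deny in each list, and set the logging action on the deny rules, since a denied connection you cannot see in the logs is the one you will spend the longest debugging. Before applying a policy to a fleet, run the flows you know must work (here the DNS and HTTPS egress) through the same rule order you entered in the console.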
Step 5: Configure Fast ACL.
- From the Select Fast ACL Configuration drop-down menu, select one of the following:
  - Disable Fast ACL: Fast ACL is disabled for this network firewall.
  - Active Fast ACL(s): Fast ACL is active for this network firewall. From the Fast ACL drop-down menu, select the corresponding Fast ACL. For more information, see Fast ACLs.
- Select Save and Exit to complete the configuration.
Apply Network Firewall to Fleet
After your network firewall is configured, apply it to your fleet so that every site in that fleet is configured with the network firewall you defined.
Step 1: Edit fleet configuration.
- In the Multi-Cloud Network Connect service, click Manage > Site Management > Fleets.
- Find your fleet and select ... > Manage Configuration to open the pop-up window.
- Select Edit Configuration in the upper-right corner of the pop-up window.
Step 2: Select network firewall object.
- In the Network Firewall section, from the Network Firewall menu, select the network firewall created previously.
Step 3: Complete configuration.
- Select Save and Exit.