Fast ACLs

Objective

This guide provides instructions on how to configure F5® Distributed Cloud Services Fast Access Control Lists (ACL). A Fast ACL protects F5 sites from the Denial of Service (DoS) attacks, and can be applied to both Customer Edge (CE) site and Regional Edge (RE) sites. For more information on F5 sites, see Sites.

Using the F5® Distributed Cloud Console Fast ACLs, you can block traffic from specific sources, or apply rate limit to the traffic from the specific source. You can also enhance protection by filtering traffic based on source address, source port, destination address, destination port, and protocol.

The F5 Fast ACL consists of the following types of objects:

  • Fast ACLs - The Fast ACL object combines one or more rules and specifies the destination for the packets. You can also specify protocol for the destination using the policer. A rule specifies the source to which the incoming traffic belongs and the action for those packets. The source can be an IP prefix or prefix set. Action can be allow or reject or a policer specifying rate limit. You can also specify the protocol of the source packets using the policer.

  • Fast ACLs for Internet VIPs - The set combines one or more Fast ACLs and is applied on a RE site.

Unlike session based ACLs where action is calculated only on first packet in session, the Fast ACL rules are evaluated for each ingress packet. Also, the Fast ACL picks source based on the longest prefix match for faster processing. This differs from traditional ACL where rules are evaluated in order.

Note: If none of the rules match, then default action is to forward the packet.


Prerequisites

The following prerequisites apply:

  • A F5 CE site in case of applying the fast ACLs on CE site.
  • Note: If you do not have a site, create a site using the instructions included in the Create a Site guide.
  • A fleet in case of applying the fast ACLs on CE site.
  • Note: See Create Fleet guide for instructions on creating fleet.
  • An application deployed using F5 vK8s, or served using the HTTP load balancer.

Configuration

Applying Fast ACLs for a CE site requires you to associate the Fast ACLs to a fleet in which that CE site is a member. The following image illustrates the sequence of applying Fast ACLs to a CE site:

CnfSeqCE
Figure: Fast ACL Configuration Sequence For CE Site

Applying Fast ACLs for an RE site requires you to create the Fast ACLs for Internet VIPs object with the Fast ACLs objects. The following image illustrates the sequence of applying Fast ACLs to a RE site:

CnfSeqRE
Figure:Fast ACL Configuration Sequence For RE Site

Creating Fast ACLs and applying on CE site requires you to create Fast ACL object with the rules in F5® Distributed Cloud Console, and applying it in the network firewall that is associated with a fleet. The fleet label is then applied to the CE site for which you want to apply the Fast ACLs.

Note: You can create and apply fast ACLs and network firewall as part of fleet creation itself. Alternatively, you can create fast ACLs and apply them to existing network firewall that is associated with an existing fleet.


Configure Fast ACLs

Configuring fast ACLs for the CE site requires you to create fast ACLs, apply them to network firewall, apply the firewall to fleet, and adding the fleet label to the CE site.

In case of RE site, creating Fast ACLs and Fast ACLs for Internet VIPs is sufficient.

Note: This example assumes that you have an application provisioned using a F5® Distributed Cloud Console HTTP load balancer, and another application deployed using F5 vK8s.

Fast ACLs can be viewed and managed in multiple services: Cloud and Edge Sites, and DDoS & Transit Services.

This example shows Fast ACL setup in Cloud and Edge Sites.

Step 1: Start Fast ACL creation.
  • Open F5® Distributed Cloud Console homepage, select Cloud and Edge Sites box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

NEW HOME PAGE C
Figure: Homepage > Cloud and Edge Sites

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select Manage in left column menu > Firewall > Fast ACLs > Add Fast ACL button.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

FASTACLS2
Figure: Fast ACLs

Step 2: Configure Site Type.
  • Enter Name, and Labels and Descriptions as needed.

Go to Fast ACL Type section and do the following:

  • Select an option for the Select Site Type For acl field. Select Site Type Customer Edge for CE sites and Site Type Regional Edge for RE sites.

  • Select Configure under the Site Type Customer Edge or Site Type Regional Edge field as per your site type selection. Configure the Destination section according to the site type selection. Do one of the following:

NETWORKFIREWALL FASTACLS 6
Figure: Fast ACL Creation

Step 2.1: Site Type Customer Edge.
  • Select Network in Destination box with drop-down options.

    • Inside Network

    • Outside Network

  • Select Destination IP drop-down box option in Destination section.

    • Select All Interface IP(s) as VIP to match all IP addresses assigned to the interfaces.

    • Select Configured VIP(s) to match configured VIPs for the destinations.

    • Select All VIP(s) to match all interface VIPs and configured VIPs.

NETWORKFIREWALL FASTACLS 8
Figure: Site Type CE Destination Configuration

Step 2.2: Site Type Regional Edge.

Select an option for the Select VIP(s) field as per the following guidelines:

  • All Public VIP(s): To apply the fast ACL to all VIPs for the destinations.

  • Default Tenant VIP: To apply the fast ACL to the default VIP of the tenant.

FASTACLS RE 8 2
Figure: Site Type RE Destination Options

  • List of Specific VIP(s):

    • Optionally, enable the Include Tenant VIP option.

    • Select one or more public IPs for the Select Public VIP(s) field. You can add more than one entries using the + Add item option.

Note: Public IPs are prerequisite for the List of specific VIP(s) option.

Step 3: Configure Source Rules.
  • Select ^ to drop-down Source section.

  • Select blue highlighted Configure link in Rules section.

  • Select + Add Item in Rules section.

FASTACLS SOURCERULES
Figure: Source Rules Configuration

  • Enter Name, and Description as needed.

FASTACLS RULES1
Figure: Fast ACL Rules Configuration

Step 3.1: Configure an action.
  • Select Action drop-down menu.

  • Select Action option:

    • Simple Action > select Simple Action drop-down option Deny or Allow.

    Note: This creates a rule that rejects or allows traffic from the configured source.

    • Policer Action > select Select policer drop-down option to select and apply existing policer or + Create new policer.

    Note: This applies rate limiting for traffic originating from the configured source.

    • Select Protocol Policer Action > Select protocol policer drop-down option to select and apply an existing protocol policer or + Create new protocol policer.

      Note: This applies rate limiting for the traffic of the specified protocol originating from the configured source. The supported protocols are TCP, UDP, ICMP, and DNS.

FASTACL RULES2
Figure: Fast ACL Action Configuration

Note: Before applying policer or protocol policer, it is required to create them using the Policer or Protocol Policer options in the Security configuration.

Step 3.2: Set Source Ports.

Go to the Source Ports section, and configure the Port Value Type as per the following guidelines:

  • Select Ports or + Add Item in Source Ports section of Fast ACL Rules page.

  • Select Port Value Type options from drop-down menu.

    • Select All port to match all source ports.

    • Select User defined port, User defined port with a port number. Select ^ to adjust number.

    • Select DNS port to match DNS port (53).

  • Select Add Item button to set Port Value Type if adding new item.

FASTACLS PORTVALUETYPE4
Figure: Fast ACL Source Ports

Note: Use Add item option to add more ports.

Step 3.3: Set Source Prefix or Prefix Set.
  • Select Prefix or IP prefix set in Source drop-down menu.

  • Enter IP prefix or IP prefix set accordingly using the Prefix or Select ref options.

Note: This example adds a prefix using the Prefix option.

FASTACLS3 3
Figure: Fast ACL Rule Creation

Note: Use + Add item option to add more rules.

  • Select Add Item button to add the source rules, and return to site type configuration form.

  • Select Apply button to return to the fast ACL configuration form.

Step 4: Validate Fast ACL creation.
  • Open Fast ACL Protocol Policer section.

  • Select a protocol policer, or select Create new protocol policer in Default Protocol Policer section.

Note: If you select Create new protocol policer option, select Continue button in the new protocol policer configuration page after configuring all the fields to create the policer apply, and return to the fast ACL configuration form.

  • Select Save and Exit button in the fast ACL configuration form. This creates the fast ACL object.

Note: In case of RE sites, there could be rule overlapping due to the following:

  • The ves.io tenant and non ves.io tenant create rules for same destination.
  • ves.io tenant creates rules for subnet which contains destination IP configured by the non ves.io tenant.

The conflict due to the overlapping is addressed using the following mechanism:

  1. Any rule which has action DENY has highest priority irrespective of tenant.
  2. If action is not DENY, then rules from the ves.io tenant gets priority over the non ves.io tenant.

Create Fast ACLs for Internet VIPs

Applying Fast ACLs for RE sites require you to create the Fast ACLs for Internet VIPs object, and associate the Fast ACL objects with it. You can either attach an existing Fast ACL object for RE site or create a new Fast ACL object from within the Fast ACLs for Internet VIPs object. This example shows attaching existing Fast ACL object.

Perform the following to create and apply Fast ACLs to RE sites:

Step 1: Start Fast ACLs for Internet VIPs object creation.
  • Open F5® Distributed Cloud Console homepage, select DDoS & Transit Services box.

NEW HOME PAGE C
Figure: Homepage > DDoS & Transit Services

  • Select Manage in left column menu > select Fast ACLs for Internet VIPs.

FASTACLS INTERNETVIPS B
Figure: Fast ACLs

Step 2: Attach Fast ACL objects.
  • Select fast ACL objects from displayed list. You can also select Add new option to create, and attach new Fast ACLs.

Note: In case you create new Fast ACL using the Add new option, select Continue in the Fast ACL configuration form to create and attach to the Fast ACLs for Internet VIPs configuration.

  • Select fast ACL to attach the Fast ACL object to the Fast ACLs for Internet VIPs object configuration.
Step 3: Complete creating Fast ACLs for Internet VIPs object.

Select Save and Exit button to complete creating the Fast ACLs for Internet VIPs object.


Apply Fast ACLs to a CE Site

Fast ACLs created for a CE site requires you to add the Fast ACL to the network firewall associated with the fleet which includes that CE site. See Create a Fleet for information fleet creation. See Network Firewall for information on firewall creation. This example shows how to apply fast ACL to an existing firewall associated with a fleet of sites.

To enable fast ACLs for a CE site, perform the following actions:

Step 1: Navigate to the network firewall and edit its configuration.
  • Open F5® Distributed Cloud Console homepage, select Cloud and Edge Sites box.

NEW HOME PAGE C
Figure: Homepage > Cloud and Edge Sites

  • Select Manage in left column menu > Firewall > Network Firewall > select ... > Edit for your firewall that is part of the fleet to which your site belongs.

FASTACLS2
Figure: Fast ACLs

Step 2: Attach the fast ACLs to network firewall and save configuration.
  • Open Fast ACL section in the firewall configuration.

  • Select Active Fast ACL(s) for the Select Fast ACL Configuration section.

  • Select a Fast ACL or fast ACL set accordingly from the displayed selection field.

Note: This example selects an existing fast ACL.

FASTACLS5 3
Figure: Apply Fast ACL to Network Firewall

  • Select Save and Exit button.

Concepts


API References