Forward Proxy Policies

Objective

This guide provides instructions on how to create a forward proxy policy using the guided wizards in F5® Distributed Cloud Services. Forward proxy policies are applied when the F5 gateway is used in transit.

Using the instructions provided in this document, you can create forward proxy policies with policy rules controlling the traffic to secure your network.


Prerequisites

  • A valid Account is required.

Note: If you do not have an account, see Create an Account.

  • One or more cloud or edge locations with F5 Sites.

Note: Install the F5 node or cluster image in your Cloud or Edge location.


Configuration


Create Forward Proxy Policy

Forward proxy policies can be viewed and managed in multiple services: Cloud and Edge Sites, Distributed Apps, and Load Balancers.

This example shows Forward Proxy Policies setup in Cloud and Edge Sites.

Step 1: Open Network Policy Configuration.
  • Open F5® Distributed Cloud Console homepage, select Cloud and Edge Sites box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm that the Namespace drop-down selector, located in the upper-left corner, shows the correct namespace. The selector is not available in all services.

  • Select Manage in left column menu > select Firewall > Forward Proxy Policies.

Note: If options are not showing as available, select the Show link in Advanced nav options, visible in the bottom-left corner. If needed, select Hide to minimize options from Advanced nav options mode.

  • Select Add Forward proxy policy button.

Figure: Forward Proxy Policies

Step 2: Create Policy and Configure Proxy.
  • Enter Name, enter Labels and Description as needed.

  • Select Forward Proxy drop-down menu in Proxy box options:

    • All Forward Proxies on Site: All the proxies configured.

    • Network Connector > Select Network Connector in drop-down menu to a specific network connector.

    • Network Connector Label Selector > Selector Expression label in drop-down menu to identify label selection for network connector.

Figure: Create Policy and Configure Proxy

Step 3: Configure Policy Rules.
  • Select Policy Rules in Rules section drop-down options:

Allow all connections: This option allows all traffic.

Allowed connections: Connections to allow, everything else is denied.
  • Configure connection options:

    • TLS Domains: Select + Add item > Select Enter Domain drop-down menu option: Exact Value, Suffix Value, or Regex Values of Domains > Enter value in box below to match domains > Select Add Item button.

    • HTTP URLs: Select + Add item > Select Enter Domain drop-down menu option: Exact Value, Suffix Value, or Regex Values of Domains > Enter value in box below to match domains > Select Enter Path drop-down option > Select Add Item button.

    Note: If L4 Destination List and Default Action options don't appear, select the Show Advanced Fields toggle located in the upper-right corner of the Rules section.

    • L4 Destination List: Select + Add item > Enter Prefixes in box > Select + Add Item to add additional prefixes > Enter Port Ranges > select Add Item button.

    • Select Default Action drop-down menu option: Next Policy, Deny, or Allow.

Denied connections: Connections to deny, everything else will be allowed.

Configure connection options:

  • TLS Domains: Select + Add item > Select Enter Domain drop-down menu option: Exact Value, Suffix Value, or Regex Values of Domains > Enter value in box below to match domains > Select Add Item button.

  • HTTP URLs: Select + Add item > Select Enter Domain drop-down menu option: Exact Value, Suffix Value, or Regex Values of Domains > Enter value in box below to match domains > Select Enter Path drop-down option > Select Add Item button.

Note: If L4 Destination List and Default Action options don't appear, select the Show Advanced Fields toggle located in the upper-right corner of the Rules section.

  • L4 Destination List: Select + Add item > enter Prefixes in box > select + Add Item to add additional prefixes > enter Port Ranges > select Add Item button.

  • Select Default Action drop-down menu option: Next Policy, Deny, or Allow.

Custom Rule List: List of custom rules.
  • Select Configure link in Custom Rule List box.

  • In Custom Rule List new window configure items.

  • Select + Add item.

  • Enter Name and Description as needed.

  • Select Action drop-down menu option: Deny or Allow.

  • Select Connection Source drop-down menu in Source box options:

    • All Sources to apply the rule to all source endpoints.

    • IPv4 Prefix List to specify IPv4 prefixes and enter the prefixes in the IPv4 Prefix List field. You can use + Add item to add more than one list.

    • Source Label Selector and enter a label in the Selector Expression field. The key-value combination of the label determines the source end points.

    • IP Prefix Set to specify a prefix set and select the prefix set from the drop-down list for the IP Prefix Set field. You can also create a new prefix set using the Create new ip prefix set option in the drop-down list.

  • Select Destination Choice drop-down menu option:

    • All Destinations to apply the rule to all destination endpoints.

    • TLS Domains to specify the HTTPS domains to which the rule applies. Select + Add item button. Select an option from the drop-down list of the Enter Domain field, and set an HTTPS domain in the displayed option. Enter Exact Value in box. You can specify the exact domain name, a suffix, or a regular expression to match domains. Select Add Item button.

    • HTTP URLs to specify the HTTP URLs to which the rule applies. Select + Add item button. Select an option from the drop-down list of the Enter Domain field, and set a URL in the displayed option. You can specify the exact URL, a suffix, or a regular expression to match the URL. Select Enter Path drop-down menu options, select Add Item button.

    • IPv4 Prefix List to specify the IPv4 prefix to which the rule applies. Select Configure link > enter List of Prefixes > + Add Item if needed > select Apply button.

    • IP Prefix Set to specify the IP prefix set to which the rule applies. Select an option from the IP Prefix Set drop-down menu. You can Create new IP prefix set if needed and configure metadata.

    • BGP ASN List to specify the BGP ASN list to which the rule applies. Select Configure link > enter AS numbers in box, + Add item as needed, select Apply button.

    • Select Add Item to apply the custom rule list to the forward proxy policy configuration.

    • Select Apply button to return to Custom Rule List page.

    Figure: Configure Policy Rules

    • Select Apply button.

Note: You can add more rules using the + Add item option.

Denied Connections Example:

Figure: Policy Rules Configuration

Figure: TLS Domains for Deny Connections

Step 4: Complete Forward Proxy Policy creation.
  • Select Save and Exit button.

  • Verify forward proxy policy is displayed in Manage > Firewall > Forward Proxy Policy view.

Step 5: Attach Policy to Network Firewall.

After creating the forward proxy policy, you can attach it to the network firewall.

  • Select Manage > Firewall > Network Firewalls.

  • Select ... > Edit for your firewall from the displayed list.

  • Go to Forward Proxy Policy section, select Active Forward Proxy Policies in the Select Forward Proxy Policy Configuration drop-down menu.

  • Select the created forward proxy policy from the List of Forward proxy policy drop-down menu in the Forward Proxy Policy section.

Figure: Attach Policy to Network Firewall

Note: You can add multiple policies using the Add item option.

Step 6: Verify Forward Proxy Policy Operation.
  • Select Manage > Firewall > Forward Proxy Policies.

  • Check the Hits field for the displayed list of forward proxy policies. This indicates how many times the policy is applied to the traffic.

  • Select the value of Hits to display which rules are applied and how many times they are applied.

Note: You can obtain the policy or rule hits over a specific time interval using the time interval selector option.
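
The Step 3 rule modes as a small offline model, useful for checking a planned rule set against test hostnames and destinations before saving the policy. This is an added example, not F5 code or the F5 API: the policy dictionary layout, the function names, and the matching semantics (suffix as a plain string suffix, regex as an unanchored search) are assumptions, and all hostnames and prefixes are constructed.

```python
import ipaddress
import re

# Constructed model of the Step 3 rule modes; not F5 code. Assumptions: "suffix"
# is a plain string-suffix test and "regex" is an unanchored search.
def domain_matches(kind, value, host):
    host = host.lower().rstrip(".")
    if kind == "exact":
        return host == value.lower()
    if kind == "suffix":
        return host.endswith(value.lower())
    if kind == "regex":
        return re.search(value, host) is not None
    raise ValueError(f"unknown match type: {kind}")

def l4_matches(entry, ip, port):
    """entry = (prefixes, port_ranges), e.g. (["10.0.0.0/8"], [(443, 443)])."""
    prefixes, port_ranges = entry
    addr = ipaddress.ip_address(ip)
    in_prefix = any(addr in ipaddress.ip_network(p) for p in prefixes)
    return in_prefix and any(lo <= port <= hi for lo, hi in port_ranges)

def evaluate(policy, host=None, ip=None, port=None):
    """Return 'allow', 'deny' or 'next_policy' for one connection."""
    hit = False
    if host is not None:
        hit = any(domain_matches(k, v, host) for k, v in policy.get("tls_domains", []))
    if not hit and ip is not None:
        hit = any(l4_matches(e, ip, port) for e in policy.get("l4_destinations", []))
    if hit:
        return "allow" if policy["mode"] == "allowed_connections" else "deny"
    return policy["default_action"]

def review(policy, hosts):
    """Map each test hostname to its verdict, for review before saving the policy."""
    return {h: evaluate(policy, host=h) for h in hosts}

# Constructed sample policies and hostnames (example.com / example.net are placeholders).
LOOSE = {"mode": "allowed_connections", "default_action": "deny",
         "tls_domains": [("suffix", "example.com"), ("regex", r"updates\.example\.net")]}
TIGHT = {"mode": "allowed_connections", "default_action": "deny",
         "tls_domains": [("exact", "example.com"), ("suffix", ".example.com"),
                         ("regex", r"^updates\.example\.net$")]}
HOSTS = ["api.example.com", "notexample.com", "updates.example.net.test.invalid"]

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, review(pol, HOSTS))
```

Under these assumptions the loose allow list admits all three test hostnames, while the tight one admits only api.example.com; compare the result with the Hits view from Step 6 once the policy is live.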


Concepts


API References