Network Firewall

Objective

This guide provides instructions on how to create a Network Firewall using the guided wizards in F5® Distributed Cloud Services. For more information on sites, see Site.

A Network Firewall is comprised of three elements:

  1. A Forward Proxy Policy - L7 Policies applied when the F5 gateway is used in transit.

  2. A Network Policy - L3-4 Policies applied to traffic ingressing, egressing, or originated on the F5 Gateway.

  3. Fast ACL - Set of rules to protect your F5 Gateway.

Using the instructions provided in this guide, you will be able to create a network firewall, with all its elements, and apply to your site or fleet of sites.


Prerequisites

Note: If you do not have an account, see Create an Account.

  • F5 Gateway

Note: For more information, see Site Management.


Configuration

Configuration Sequence

Configuring a network firewall requires performing the following sequence of actions:

Phase                              Description
Create a Network Firewall          Create a network firewall with policies and fast ACLs that define the network rules.
Apply Network Firewall on Fleet    Apply the network firewall to the fleet to protect the sites that are part of the fleet.

Note: Creation of network policy, forward proxy policy, or the fast ACL is optional. However, it is recommended to protect your network by creating at least one of the objects.


Create Network Firewall

Perform the following to create the network firewall with the network policy set, service policy set, and fast ACL set:

Features can be viewed and managed in multiple services.

This example shows Network Firewall setup in Cloud and Edge Sites.

Step 1: Log into F5® Distributed Cloud Console, start Network Firewall object creation.
  • Open F5® Distributed Cloud Console homepage, select Cloud and Edge Sites box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm that the Namespace selector (the drop-down in the upper-left corner) is set to the correct namespace. Not available in all services.

  • In System namespace, select Manage > Firewall > Network Firewalls in left menu.

Note: If the options are not shown, select the Show link under Advanced nav options in the bottom-left corner. If needed, select Hide to collapse the Advanced nav options.

  • Select Add Network firewall button.

Figure: Add Network Firewall

  • Enter name, and add Labels and Description as needed in pop-up window.

Figure: Add Network Firewall

Step 2: Configure Forward Proxy Policies.
  • Select Forward Policy Configuration from drop-down menu options in Forward Proxy Policy section.

    • Select Disable Forward Proxy Policy option if needed.

    • Select Active Forward Proxy Policies option if needed.

Figure: Forward Policy Configuration

Active Forward Proxy Policies:

  • Select Create new forward proxy policy option in drop-down menu.

  • Select All Forward Proxies on Site in pop-up window in Proxy section.

  • Enter name, and add Labels and Description as needed.

  • Select Forward Proxy option from drop-down menu in Proxy section.

    • All Forward Proxies on Site: All the proxies configured.

    • Network Connector: Specific Network Connector.

    • Network Connector Label Selector: Label that selects Network Connector.

Figure: Proxies on Site Selection

  • Select Policy Rules option from drop-down menu in Rules section.

    • Allow all connections: Allows all traffic.

    • Allowed connections: Select Configure under TLS Domains or HTTP URLs (or both), select + Add Item, input information, select Apply button for connections to allow while everything else is denied.

    • Denied connections: Select Configure under TLS Domains, HTTP URLs, or L4 Destination List (or any combination), select + Add Item, input information, and select the Apply button for connections to deny; everything else will be allowed. Select the Default Action drop-down.

    • Custom Rule List, select Configure, input information, and select the Apply button to add a list of custom rules.

    • Select Continue button to add Forward Proxy Policy, or Back button to return to Network firewall.

Figure: Selecting Denied Connections on the Policy Rules Menu

Step 3: Create Firewall Policies.
  • Go to Firewall Policy section in your Network Firewall pop-up window.

  • Select Firewall Policy Configuration in the drop-down menu to activate or disable network policies for your network firewall.

Figure: Firewall Policy Configuration

  • Select Firewall Policy Configuration drop-down menu to configure a new policy.

  • Select Create new Firewall Policy view button in drop-down menu.

  • Enter name, and add Labels and Description as needed.

  • Select Endpoints from drop-down menu options in Policy For Endpoints section:

    • IPv4 Prefix List: Enter prefixes in the box that appears below when selected.

    • Any Endpoint

    • Endpoints Reachable via all Outside Interfaces

    • Endpoints reachable via all Inside Interfaces

    • Label Selector: Select an Expression from the drop-down menu that appears below when selected to define a label that identifies an endpoint.

Figure: Endpoint selection - IPv4 Prefix List and the prefix

Step 4: Configure Rules.

Define what direction you want to apply your policies with ingress and egress rules.

Ingress Rules:

  • Select Configure in Connections To Policy Endpoints section to configure Ingress Rules.

  • Select + Add Item button.

  • Enter a Name, then use the Action, Select Other Endpoint, and Select Type of Traffic to Match drop-down menus to configure the rule.

  • Select + Add Item button under Label Matcher to identify label keys to facilitate reuse of policies.

  • Select the + Add Item button at the bottom of the screen to add another Ingress Rule.

  • Toggle Show Advanced Fields in upper-right to show Logging Action drop-down option if needed.

  • Select Apply button to add Ingress Rules to Network Policy.

Egress Rules:

  • Select Configure in Connections from Policy Endpoints section to configure Egress Rules.

  • Select + Add Item button.

  • Enter a Name, then use the Action, Select Other Endpoint, and Select Type of Traffic to Match drop-down menus to configure the rule.

  • Select + Add Item button under Label Matcher to identify label keys to facilitate reuse of policies.

  • Select the + Add Item button at the bottom of the screen to add another Egress Rule.

  • Toggle Show Advanced Fields in upper-right to show Logging Action drop-down option if needed.

  • Select Apply button to add Egress Rules to Network Policy.

Figure: Ingress and Egress Rules Configurations

Note: When you create an active network policy, an implicit DENY ALL rule is inserted at the end. So if your rules DENY selected traffic and you want everything else to be allowed, add one last rule at the end of the policy that allows ALL traffic.

  • Select the Continue button to add the Firewall Policy, or the Back button to return to the Network Firewall pop-up window.

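
The note above is the easiest thing to get wrong, so here is an added illustrative model (not F5 Distributed Cloud code; the rule format and the per-direction evaluation are assumptions of this example) that walks an ordered rule list first-match and falls through to the implicit DENY ALL, showing why a deny-list policy needs a trailing allow-all rule:

```python
import ipaddress

# Constructed rule format (an assumption of this example, not F5's schema):
#   name, direction ("ingress"/"egress"), endpoints ("any" or list of CIDRs),
#   traffic ("any" or set of (protocol, port)), action ("ALLOW"/"DENY").
def rule(name, direction, endpoints, traffic, action):
    return {"name": name, "direction": direction,
            "endpoints": endpoints, "traffic": traffic, "action": action}

def _endpoint_matches(endpoints, ip):
    if endpoints == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in endpoints)

def _traffic_matches(traffic, proto_port):
    return traffic == "any" or proto_port in traffic

def evaluate(rules, direction, other_ip, proto_port):
    """Ordered, first-match evaluation of one direction's rules.
    Falls through to the implicit DENY ALL when nothing matches."""
    for r in rules:
        if (r["direction"] == direction
                and _endpoint_matches(r["endpoints"], other_ip)
                and _traffic_matches(r["traffic"], proto_port)):
            return r["action"], r["name"]
    return "DENY", "implicit-deny-all"

# Constructed sample: block telnet from one prefix, intending everything else to pass.
DENY_ONLY = [
    rule("deny-telnet", "ingress", ["203.0.113.0/24"], {("TCP", 23)}, "DENY"),
]
# Same intent, with the trailing allow-all rule the note calls for.
DENY_THEN_ALLOW = DENY_ONLY + [
    rule("allow-rest", "ingress", "any", "any", "ALLOW"),
]

if __name__ == "__main__":
    # Without the final allow, unrelated HTTPS traffic hits the implicit deny.
    print(evaluate(DENY_ONLY, "ingress", "198.51.100.7", ("TCP", 443)))
    print(evaluate(DENY_THEN_ALLOW, "ingress", "198.51.100.7", ("TCP", 443)))
    print(evaluate(DENY_THEN_ALLOW, "ingress", "203.0.113.5", ("TCP", 23)))
```

The last call shows the deny rule still wins for the telnet prefix because it is evaluated before the allow-all rule; reversing the order would let the allow-all rule match first.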
Step 5: Select Fast ACL Configuration.
  • Select the Fast ACL Configuration option from the drop-down menu in the Fast ACL section of the Network Firewall pop-up page.

    • Disable Fast ACL: Fast ACL is disabled for this network firewall.

    • Active Fast ACL(s): Fast ACL Active for this network firewall.

  • Select Save & Exit button to finish Network Firewall setup.

Apply Network Firewall on Fleet

When your network firewall is configured, you will need to apply it on your fleet so that the sites on that fleet are configured with the network firewall defined.

Step 1: Apply Network Firewall to Fleet.
  • Open Manage in left column menu > select Site Management > Fleets.

  • Find your Fleet, select ... > Manage Configuration to open pop-up window to edit.

Note: Select Edit Configuration in the upper-right corner of the pop-up window if the form is not editable.

Step 2: Select Network Firewall object.
  • Select Network Firewall option from drop-down menu in Fleet pop-up window.

  • Select Create new network firewall if needed.

Step 3: Select the Network Firewall you just created, and apply to your fleet.

Check the box(es) of the Network Firewalls you want to apply to your fleet.

Step 4: Select Save and Exit.
