Network Firewall

Objective

This guide provides instructions on how to create a Network Firewall using the guided wizards in F5® Distributed Cloud Services. For more information on sites, see Site.

A Network Firewall consists of three elements:

  1. A Forward Proxy Policy: L7 Policies applied when the F5 gateway is used in transit.

  2. A Network Policy: L3-4 Policies applied to traffic ingressing, egressing, or originated on the F5 Gateway.

  3. Fast ACL: Set of rules to protect your F5 Gateway.

Using the instructions provided in this guide, you will be able to create a network firewall, with all its elements, and apply it to your site or fleet of sites.


Prerequisites


Configuration

Configuration Sequence

Configuring a network firewall requires performing the following sequence of actions:

Phase                              Description
Create a Network Firewall          Create a network firewall with policies and fast ACLs that define the network rules.
Apply Network Firewall on Fleet    Apply the network firewall to the fleet to protect the sites that are part of the fleet.

Note: Creating a network policy, forward proxy policy, or fast ACL is optional. However, it is recommended to protect your network by creating at least one.


Create Network Firewall

Perform the following to create the network firewall with its three elements: forward proxy policies, firewall (network) policies, and fast ACLs.

Features can be viewed and managed in multiple services.

This example shows Network Firewall setup in Multi-Cloud Network Connect.

Step 1: Start Network Firewall object creation.
  • Open F5® Distributed Cloud Console homepage, select Multi-Cloud Network Connect service.

Note: The homepage is role based, and yours may look different depending on your role customization. Select the All Services drop-down menu to discover all options. To customize: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check the Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm that you are working in the correct namespace using the namespace drop-down selector in the upper-left corner. This selector is not available in all services.

  • Select Manage > Firewall > Network Firewalls in left menu.

Note: If the options are not shown, select the Show link next to Advanced nav options in the bottom-left corner. Select Hide to collapse the advanced options again.

  • Select Add Network Firewall.
Figure: Add Network Firewall
  • Enter Name, and add Labels and Description as needed.
Figure: Add Network Firewall
Step 2: Configure forward proxy policy.
  • From the Select Forward Policy Configuration menu, select an option:

    • Disable Forward Proxy Policy: Default option.

    • Active Forward Proxy Policies: Select the policy from the Forward Proxy Policies menu.

Figure: Forward Policy Configuration

To create a new forward proxy policy:

  • From the Forward Proxy Policies menu, click Add Item.

  • Enter Name, and add Labels and Description as needed.

  • From the Select Forward Proxy menu, select an option:

    • All Forward Proxies on Site: All the proxies configured.

    • Network Connector: Specific Network Connector.

    • Network Connector Label Selector: Label that selects Network Connector.

Figure: Proxies on Site Selection
  • From the Select Policy Rules menu, select an option:

    • Allow all connections: Allows all traffic.

    • Allowed connections: Select Add Item under TLS Domains or HTTP URLs (or both), enter the connections to allow, and select Apply. Everything not listed is denied. Select an option from the Default Action drop-down menu.

    • Denied connections: Select Add Item under TLS Domains, HTTP URLs, or L4 Destination List (or any combination), enter the connections to deny, and select Apply. Everything not listed is allowed. Select an option from the Default Action drop-down menu.

    • Custom Rule List: Select Configure, enter the rules, and select Apply to add a list of custom rules.

  • Select Continue to add new forward proxy policy.

Note: To add more forward proxy policies, select Add Item.
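The allow-list and deny-list modes above invert each other: in Allowed connections the listed TLS domains and HTTP URLs are the only permitted destinations, while in Denied connections only the listed entries are blocked. The following is an added example (not F5 Distributed Cloud code) that models that decision so the two modes can be compared on the same connections. The matching semantics are assumptions chosen to avoid the usual list bypasses: a TLS domain entry matches exactly, or by suffix when it starts with a dot; an HTTP URL entry matches on scheme, exact host and normalized path prefix; an L4 destination is a (CIDR, port) pair. The Default Action drop-down and Custom Rule List are not modelled.

```python
"""Decision model for the forward proxy policy rule modes (added example, not F5 code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from posixpath import normpath
from typing import Literal, Optional
from urllib.parse import urlsplit


@dataclass
class Connection:
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None   # TLS: server name from the ClientHello
    url: Optional[str] = None   # HTTP: absolute request URL


def domain_matches(pattern: str, host: str) -> bool:
    """'example.com' matches only itself; '.example.com' also matches subdomains.
    A bare endswith() would let 'evil-example.com' through, so the dot is required."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def url_matches(pattern: str, url: str) -> bool:
    """Scheme and host must match exactly (not as a string prefix); the path must equal
    the pattern path or sit below it after normalization, so '/pkgs/../admin/' cannot
    ride on an entry for '/pkgs/'."""
    p, u = urlsplit(pattern), urlsplit(url)
    if not (p.hostname and u.hostname) or p.scheme != u.scheme:
        return False
    if not domain_matches(p.hostname, u.hostname):
        return False
    pp, up = normpath(p.path or "/"), normpath(u.path or "/")
    return up == pp or up.startswith(pp.rstrip("/") + "/")


@dataclass
class ConnectionList:
    tls_domains: list[str] = field(default_factory=list)
    http_urls: list[str] = field(default_factory=list)
    l4_destinations: list[tuple[str, int]] = field(default_factory=list)  # (CIDR, port)

    def matches(self, c: Connection) -> bool:
        if c.sni and any(domain_matches(d, c.sni) for d in self.tls_domains):
            return True
        if c.url and any(url_matches(u, c.url) for u in self.http_urls):
            return True
        return any(ip_address(c.dst_ip) in ip_network(cidr) and c.dst_port == port
                   for cidr, port in self.l4_destinations)


@dataclass
class ForwardProxyPolicy:
    mode: Literal["allow_all", "allowed_connections", "denied_connections"]
    connections: ConnectionList = field(default_factory=ConnectionList)

    def decide(self, c: Connection) -> str:
        if self.mode == "allow_all":
            return "ALLOW"
        listed = self.connections.matches(c)
        if self.mode == "allowed_connections":   # listed -> allow, everything else denied
            return "ALLOW" if listed else "DENY"
        return "DENY" if listed else "ALLOW"      # denied_connections: listed -> deny


# Constructed sample policies (hypothetical destinations).
ALLOW_LIST = ForwardProxyPolicy("allowed_connections", ConnectionList(
    tls_domains=[".github.com"],
    http_urls=["http://updates.example.com/pkgs/"]))
DENY_LIST = ForwardProxyPolicy("denied_connections", ConnectionList(
    tls_domains=["pastebin.com"],
    l4_destinations=[("10.0.0.0/8", 22)]))

if __name__ == "__main__":
    for pol, c in [
        (ALLOW_LIST, Connection("140.82.112.5", 443, sni="api.github.com")),
        (ALLOW_LIST, Connection("203.0.113.9", 443, sni="github.com.evil.net")),
        (ALLOW_LIST, Connection("198.51.100.7", 80, url="http://updates.example.com/pkgs/../admin/")),
        (DENY_LIST, Connection("10.1.2.3", 22)),
        (DENY_LIST, Connection("10.1.2.3", 443)),
    ]:
        print(pol.mode, c.sni or c.url or f"{c.dst_ip}:{c.dst_port}", "->", pol.decide(c))
```

The host comparison is the part worth getting right: a forward proxy that matches HTTP URLs by plain string prefix treats `http://updates.example.com.evil.net/pkgs/` as an allowed destination, and one that matches TLS domains by `endswith` without the leading dot treats `evil-github.com` as part of `github.com`.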

Step 3: Enable firewall policy.
  • In the Firewall Policy section, perform the following:

    • From the Select Firewall Policy Configuration menu, select an option to activate or disable network policies for your network firewall. You can activate a firewall policy or enable an enhanced firewall policy. For more information, see the Firewall Policies guide.

    • From the Firewall Policy menu, select the firewall policy previously created.

Figure: Firewall Policy Configuration
  • To create a new firewall policy:

    • From the Firewall Policy menu, select Add Item.

    • Enter Name, and add Labels and Description as needed.

    • From the Endpoint(s) menu, select an option:

      • IPv4/IPv6 Prefix List: Click Add Item to add the prefix in the box that appears below.

      • Any Endpoint

      • Endpoints Reachable via all Outside Interfaces

      • Endpoints Reachable via all Inside Interfaces

      • Label Selector: Click Add Label to define a label that identifies an endpoint.

Figure: Endpoint Selection
Step 4: Configure ingress/egress rules.

Define what direction you want to apply your policies with ingress and egress rules.

Note: You need both ingress and egress rules for a network firewall.

Ingress Rules:

  • Select Configure in the Connections to Policy Endpoints section to configure Ingress Rules.

  • Select + Add Item button.

  • Enter Name, select Action.

  • Toggle Show Advanced Fields in upper-right to show Logging Action drop-down option if needed.

  • Select Other Endpoint drop-down menu.

Note: Options that require further information in the drop-down: IPv4 Prefix List, Label Selector, List IP Prefix Set.

  • Select Type of Traffic to Match drop-down menu to configure rule.

Note: Options that require further information in the drop-down: Match Application Traffic and Match Protocol and Protocol Ranges.

  • Match Application Traffic > select Application Protocols drop-down menu option: HTTP, HTTPS, SNMP, DNS.

Note: You can select more than one, or all, of the Application Protocols options as needed.

  • Match Protocol and Protocol Ranges > select Protocols drop-down menu option: ALL, TCP, UDP, ICMP > enter List of Port Ranges.

Note: To add additional port ranges, select the + Add Item button.

  • Select the + Add Item button in the Order Keys Actions box to enter Keys.

Note: To add additional keys if needed, select the + Add Item button.

  • Select Apply button to add Ingress Rules to Network Policy.

Egress Rules:

  • Select Configure in the Connections from Policy Endpoints section to configure Egress Rules.

  • Select + Add Item button.

  • Enter Name, select Action.

  • Toggle Show Advanced Fields in upper-right to show Logging Action drop-down option if needed.

  • Select Other Endpoint drop-down menu.

Note: Options that require further information in the drop-down: IPv4 Prefix List, Label Selector, List IP Prefix Set.

  • Select Type of Traffic to Match drop-down menu to configure rule.

Note: Options that require further information in the drop-down: Match Application Traffic and Match Protocol and Protocol Ranges.

  • Match Application Traffic > select Application Protocols drop-down menu option: HTTP, HTTPS, SNMP, DNS.

Note: You can select more than one, or all, of the Application Protocols options as needed.

  • Match Protocol and Protocol Ranges > select Protocols drop-down menu option: ALL, TCP, UDP, ICMP > enter List of Port Ranges.

Note: To add additional port ranges, select the + Add Item button.

  • Select the + Add Item button in the Order Keys Actions box to enter Keys.

Note: To add additional keys if needed, select the + Add Item button.

  • Select Apply button to add Egress Rules to Network Policy.
Figure: Ingress and Egress Rules Configurations

Note: When you create an active network policy, an implicit DENY ALL rule is appended after your last rule. Rules are evaluated in order and the first match wins, so if your rules only select traffic to DENY and you want everything else allowed, add one final rule that allows ALL traffic; otherwise the implicit DENY ALL drops the remaining traffic.

  • Select Continue to add the rules, or Back to return to the Network Policy pop-up window.
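The ordering note above is the one that most often bites in practice: a policy built only from DENY rules drops everything that is not explicitly denied, because the implicit DENY ALL is the last rule. The following added example (not F5 Distributed Cloud code) models the ingress/egress evaluation described in Step 4 so that behaviour can be checked before a policy is applied to a fleet. It assumes policy endpoints and the Other Endpoint are IPv4 CIDRs or "any", that port ranges are written as "22" or "8000-8080", and that rules are evaluated first-match in configured order; Label Selector, List IP Prefix Set and Match Application Traffic are not modelled.

```python
"""Evaluation model for network policy ingress/egress rules, including the
implicit DENY ALL appended after the last rule (added example, not F5 code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Literal, Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: Literal["TCP", "UDP", "ICMP"]
    dst_port: int = 0   # ignored for ICMP


@dataclass
class Rule:
    name: str
    action: Literal["ALLOW", "DENY"]
    other_endpoint: str = "any"                           # CIDR or "any" (assumption)
    protocol: Literal["ALL", "TCP", "UDP", "ICMP"] = "ALL"
    port_ranges: list[str] = field(default_factory=list)  # "22", "8000-8080"; empty = any port

    def matches(self, other_ip: str, pkt: Packet) -> bool:
        if self.other_endpoint != "any" and ip_address(other_ip) not in ip_network(self.other_endpoint):
            return False
        if self.protocol not in ("ALL", pkt.protocol):
            return False
        if pkt.protocol == "ICMP" or not self.port_ranges:
            return True
        for rng in self.port_ranges:
            lo, _, hi = rng.partition("-")
            if int(lo) <= pkt.dst_port <= int(hi or lo):
                return True
        return False


@dataclass
class NetworkPolicy:
    endpoints: list[str]                                  # policy endpoints as CIDRs
    ingress: list[Rule] = field(default_factory=list)     # Connections to Policy Endpoints
    egress: list[Rule] = field(default_factory=list)      # Connections from Policy Endpoints

    def _is_endpoint(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(p) for p in self.endpoints)

    def evaluate(self, pkt: Packet) -> Optional[tuple[str, str]]:
        """Return (action, rule name), or None when no policy endpoint is involved.
        Traffic to an endpoint is ingress (other = source); traffic from one is egress."""
        if self._is_endpoint(pkt.dst_ip):
            rules, other = self.ingress, pkt.src_ip
        elif self._is_endpoint(pkt.src_ip):
            rules, other = self.egress, pkt.dst_ip
        else:
            return None
        for rule in rules:                                # first match wins, in configured order
            if rule.matches(other, pkt):
                return rule.action, rule.name
        return "DENY", "implicit-deny-all"                # the rule the platform appends


# Constructed sample: the same deny rules with and without a trailing allow-all.
DENY_RULES = [
    Rule("no-telnet", "DENY", protocol="TCP", port_ranges=["23"]),
    Rule("no-lab-net", "DENY", other_endpoint="10.99.0.0/16"),
]
DENY_ONLY = NetworkPolicy(["10.1.0.0/24"], egress=DENY_RULES)
DENY_THEN_ALLOW = NetworkPolicy(["10.1.0.0/24"],
                                egress=DENY_RULES + [Rule("allow-everything-else", "ALLOW")])
BASTION_SSH = NetworkPolicy(["10.1.0.0/24"],
                            ingress=[Rule("ssh-from-bastion", "ALLOW", "10.0.0.10/32", "TCP", ["22"])])

if __name__ == "__main__":
    https_out = Packet("10.1.0.5", "93.184.216.34", "TCP", 443)
    print("deny-only         :", DENY_ONLY.evaluate(https_out))        # ('DENY', 'implicit-deny-all')
    print("deny then allow   :", DENY_THEN_ALLOW.evaluate(https_out))  # ('ALLOW', 'allow-everything-else')
    print("ssh from bastion  :", BASTION_SSH.evaluate(Packet("10.0.0.10", "10.1.0.5", "TCP", 22)))
    print("ssh from elsewhere:", BASTION_SSH.evaluate(Packet("10.0.0.11", "10.1.0.5", "TCP", 22)))
```

`DENY_ONLY` and `DENY_THEN_ALLOW` differ only in the final rule, yet ordinary HTTPS egress from an endpoint is dropped by the first and permitted by the second. The `BASTION_SSH` policy shows the opposite design, where the implicit deny is relied on deliberately: only SSH from the bastion prefix is listed, so SSH from any other source, or any other port from the bastion, falls through to DENY.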
Step 5: Select Fast ACL Configuration.
  • Select the Fast ACL Configuration option from the drop-down menu in the Fast ACL section of the Network Firewall pop-up page.

    • Disable Fast ACL: Fast ACL is disabled for this network firewall.

    • Active Fast ACL(s): Fast ACL Active for this network firewall.

      • Select Fast ACL drop-down menu to select corresponding Fast ACL.

    Note: For more information, see Fast ACLs.

  • Select Save and Exit button to finish Network Firewall setup.

Apply Network Firewall on Fleet

After your network firewall is configured, you will need to apply it on your fleet so that the sites on that fleet are configured with the network firewall defined.

Step 1: Apply Network Firewall to Fleet.
  • Open Manage in left column menu > select Site Management > Fleets.

  • Find your Fleet, select ... > Manage Configuration to open pop-up window to edit.

Note: If the form is not editable, select Edit Configuration in the upper-right corner of the pop-up window.

Step 2: Select Network Firewall object.
  • Select Network Firewall option from drop-down menu in Fleet pop-up window.

  • Select Create new network firewall if needed.

Step 3: Select the Network Firewall you just created, and apply to your fleet.

Check the box(es) of the Network Firewalls you want to apply to your fleet.

Step 4: Complete configuration.
  • Select Save and Exit.

Concepts


API References