Network Firewall

Objective

This guide provides instructions on how to create a Network Firewall using the guided wizards in F5® Distributed Cloud Services. For more information on sites, see Site.

A Network Firewall consists of three elements:

  1. A Forward Proxy Policy - L7 policies applied when the F5 gateway is used in transit as a forward proxy.

  2. A Network Policy - L3/L4 policies applied to traffic ingressing, egressing, or originating on the F5 Gateway.

  3. Fast ACL - A set of rules that protects the F5 Gateway itself.

Using the instructions in this guide, you will be able to create a network firewall with all of its elements and apply it to your site or fleet of sites.


Prerequisites

Note: If you do not have an account, see Create an Account.

  • F5 Gateway

Note: For more information, see Site Management.


Configuration

Configuration Sequence

Configuring a network firewall requires performing the following sequence of actions:

Phase                              Description
Create a Network Firewall          Create a network firewall with policies and fast ACLs that define the network rules.
Apply Network Firewall on Fleet    Apply the network firewall to the fleet to protect the sites that are part of the fleet.

Note: Creating a network policy, forward proxy policy, or fast ACL is optional. However, it is recommended that you create at least one of them to protect your network.


Create Network Firewall

Perform the following to create the network firewall with its forward proxy policy, network policy, and fast ACL:

Features can be viewed and managed in multiple services.

This example shows Network Firewall setup in Multi-Cloud Network Connect.

Step 1: Log into F5® Distributed Cloud Console, start Network Firewall object creation.
  • Open F5® Distributed Cloud Console homepage, select Multi-Cloud Network Connect box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm that the correct namespace is selected in the namespace drop-down selector in the upper-left corner. The selector is not available in all services.

  • In the System namespace, select Manage > Firewall > Network Firewalls in the left menu.

Note: If the options are not shown, select the Show link under Advanced nav options in the bottom-left corner. If needed, select Hide to minimize the options in Advanced nav options mode.

  • Select Add Network Firewall button.

Figure: Add Network Firewall

  • Enter a Name, and add Labels and a Description as needed, in the pop-up window.

Figure: Add Network Firewall

Step 2: Configure Forward Proxy Policies.
  • Select Forward Policy Configuration from drop-down menu options in Forward Proxy Policy section.

    • Select Disable Forward Proxy Policy option if needed.

    • Select Active Forward Proxy Policies option if needed.

Figure: Forward Policy Configuration

Active Forward Proxy Policies:

  • Select Create new forward proxy policy option in drop-down menu.

  • Select Item drop-down menu in Forward Proxy Policies.

  • Select + Add Item button.

  • Enter Name, and add Labels and Description as needed.

  • Select Forward Proxy option from drop-down menu in Proxy section.

    • All Forward Proxies on Site: All the proxies configured.

    • Network Connector: Specific Network Connector.

    • Network Connector Label Selector: Label that selects the Network Connector.

Note: To add more Forward Proxy Policies select + Add Item button.

Figure: Proxies on Site Selection

  • Select Policy Rules option from drop-down menu in Rules section.

    • Allow all connections: Allows all traffic.

    • Allowed connections: Select Configure under TLS Domains or HTTP URLs (or both), select + Add Item, enter the information, and select Apply. Only the listed connections are allowed; everything else is denied.

    • Denied connections: Select Configure under TLS Domains, HTTP URLs, or L4 Destination List (or any combination), select + Add Item, enter the information, and select Apply. The listed connections are denied; everything else is allowed, subject to the setting you choose in the Default Action drop-down.

    • Custom Rule List: Select Configure, enter the information, and select Apply to add a list of custom rules.

    • Select Continue to add the Forward Proxy Policy, or Back to return to the Network Firewall window.
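
The difference between the Allowed connections mode (an allowlist: everything not listed is denied) and the Denied connections mode (a denylist: everything not listed gets the Default Action) is easy to get backwards. The following Python model is an added example, not part of this guide and not the product's own policy engine; the class and function names, the wildcard convention (an entry starting with "*." matches any subdomain but not the bare apex), the treatment of HTTP URL entries as prefixes, and the sample connections are all assumptions constructed for the illustration. It also shows a caveat a practitioner should keep in mind: a TLS connection through the proxy exposes only the SNI host name, so HTTP URL entries cannot match inside a TLS tunnel.

```python
from dataclasses import dataclass, field
from typing import List, Optional


def domain_matches(pattern: str, host: str) -> bool:
    """Assumed matching convention for this example: "*.example.com" matches any
    subdomain of example.com (but not the bare apex); "example.com" matches that
    host only. Check the product documentation for the real wildcard semantics."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # pattern[1:] == ".example.com"
    return pattern == host


@dataclass
class Connection:
    # A TLS connection through the proxy exposes only the SNI host name;
    # a plaintext HTTP request exposes the full URL (scheme, host and path).
    tls_sni: Optional[str] = None
    http_url: Optional[str] = None


@dataclass
class ForwardProxyPolicy:
    mode: str                                    # "allow_all", "allowed" or "denied"
    tls_domains: List[str] = field(default_factory=list)
    http_urls: List[str] = field(default_factory=list)   # treated as URL prefixes here
    default_action: str = "allow"                # only consulted in "denied" mode

    def listed(self, conn: Connection) -> bool:
        """True if the connection matches any entry in the policy's lists."""
        if conn.tls_sni is not None:
            # Only the TLS Domains list can match a TLS connection: the proxy never
            # sees the URL path inside the tunnel, so HTTP URL entries cannot apply.
            return any(domain_matches(p, conn.tls_sni) for p in self.tls_domains)
        if conn.http_url is not None:
            return any(conn.http_url.startswith(prefix) for prefix in self.http_urls)
        return False

    def decide(self, conn: Connection) -> str:
        if self.mode == "allow_all":
            return "allow"
        hit = self.listed(conn)
        if self.mode == "allowed":
            # Allowlist: listed connections pass, everything else is denied.
            return "allow" if hit else "deny"
        if self.mode == "denied":
            # Denylist: listed connections are denied, the rest get Default Action.
            return "deny" if hit else self.default_action
        raise ValueError(f"unknown rule mode: {self.mode}")


def demo() -> dict:
    """Evaluate the same constructed connections against an allowlist policy and a
    denylist policy; returns {probe: (allowlist_decision, denylist_decision)}."""
    allowlist = ForwardProxyPolicy(mode="allowed",
                                   tls_domains=["*.example.com"],
                                   http_urls=["http://updates.example.net/"])
    denylist = ForwardProxyPolicy(mode="denied",
                                  tls_domains=["*.badsite.test"],
                                  default_action="allow")
    probes = {  # constructed sample connections
        "tls api.example.com": Connection(tls_sni="api.example.com"),
        "tls example.com (apex)": Connection(tls_sni="example.com"),
        "tls evil.badsite.test": Connection(tls_sni="evil.badsite.test"),
        "http updates.example.net": Connection(http_url="http://updates.example.net/pkg.tgz"),
        "http other.example.net": Connection(http_url="http://other.example.net/"),
    }
    return {name: (allowlist.decide(c), denylist.decide(c)) for name, c in probes.items()}


if __name__ == "__main__":
    for name, (allowed, denied) in demo().items():
        print(f"{name:28} allowlist={allowed:5} denylist={denied}")
```

Note how the bare apex example.com is denied by the allowlist even though "*.example.com" is listed under the assumed wildcard convention; when building an allowlist, test the exact host names your workloads actually connect to rather than assuming a wildcard covers them.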

Step 3: Create Firewall Policies.
  • Go to Firewall Policy section in your Network Firewall pop-up window.

  • Select Firewall Policy Configuration in the drop-down menu to activate or disable network policies for your network firewall.

Figure: Firewall Policy Configuration

  • Select Item drop-down menu in Firewall Policies.

  • Select + Add Item button.

  • Enter name, and add Labels and Description as needed.

  • Select Endpoints from drop-down menu options in Policy For Endpoints section:

    • IPv4 Prefix List > Enter prefixes in box that appears below when selected.

    • Any Endpoint

    • Endpoints Reachable via all Outside Interfaces

    • Endpoints reachable via all Inside Interfaces

    • Label Selector > Select Expression from drop-down menu that appears below when selected to define a Label that identifies an Endpoint.

Figure: Endpoint selection - IPv4 Prefix List and the prefix

Step 4: Configure Ingress/Egress Rules.

Define what direction you want to apply your policies with ingress and egress rules.

Note: You need both Ingress and Egress rules for Network Firewall.

Ingress Rules:

  • Select Configure in Connections to Policy Endpoints section to configure Ingress Rules.

  • Select + Add Item button.

  • Enter Name, select Action.

  • Toggle Show Advanced Fields in upper-right to show Logging Action drop-down option if needed.

  • Select Other Endpoint drop-down menu.

Note: Options that require further information in the drop-down: IPv4 Prefix List, Label Selector, List IP Prefix Set.

  • Select Type of Traffic to Match drop-down menu to configure rule.

Note: Options that require further information in drop down: Match Application Traffic and Match Protocol and Protocol Ranges.

  • Match Application Traffic > select Application Protocols drop-down menu option: HTTP, HTTPS, SNMP, DNS.

Note: You can select more than one, or all, Application Protocols options as needed.

  • Match Protocol and Protocol Ranges > select Protocols drop-down menu option: ALL, TCP, UDP, ICMP > enter List of Port Ranges.

Note: To add additional port ranges to the List of Port Ranges, select + Add Item button.

  • Select + Add Item button in Order Keys Actions box to enter Keys.

Note: To add additional keys if needed, select + Add Item button.

  • Select Apply button to add Ingress Rules to Network Policy.

Egress Rules:

  • Select Configure in Connections from Policy Endpoints section to configure Egress Rules.

  • Select + Add Item button.

  • Enter Name, select Action.

  • Toggle Show Advanced Fields in upper-right to show Logging Action drop-down option if needed.

  • Select Other Endpoint drop-down menu.

Note: Options that require further information in the drop-down: IPv4 Prefix List, Label Selector, List IP Prefix Set.

  • Select Type of Traffic to Match drop-down menu to configure rule.

Note: Options that require further information in drop down: Match Application Traffic and Match Protocol and Protocol Ranges.

  • Match Application Traffic > select Application Protocols drop-down menu option: HTTP, HTTPS, SNMP, DNS.

Note: You can select more than one, or all, Application Protocols options as needed.

  • Match Protocol and Protocol Ranges > select Protocols drop-down menu option: ALL, TCP, UDP, ICMP > enter List of Port Ranges.

Note: To add additional port ranges to the List of Port Ranges, select + Add Item button.

  • Select + Add Item button in Order Keys Actions box to enter Keys.

Note: To add additional keys if needed, select + Add Item button.

  • Select Apply button to add Egress Rules to Network Policy.

Figure: Ingress and Egress Rules Configurations

Note: When you create an active network policy, an implicit DENY ALL rule is inserted at the end, and rules are evaluated in order with the first match winning. So if you are selecting traffic to DENY and you want everything else to be allowed, make sure the last rule in the list is one that allows ALL traffic; otherwise the unmatched traffic hits the implicit DENY ALL.

  • Select Continue to add the Network Policy, or Back to return to the Network Firewall pop-up window.
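
The note above about the implicit DENY ALL is the most common way a network policy ends up blocking more than intended. The following Python model is an added example, not part of this guide and not the product's own policy engine: it evaluates ordered ingress and egress rules against a policy endpoint prefix list, first match wins, and an implicit DENY ALL catches whatever no rule matched. It assumes ingress means a connection to a policy endpoint and egress a connection from one; the class and method names, the sample prefixes, rule names and flows are all constructed for the illustration. The same deny rules are evaluated with and without the trailing allow-all rule the note recommends.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    other_endpoint: Optional[List[str]] = None    # IPv4 prefixes; None means any endpoint
    protocol: str = "ALL"                         # ALL, TCP, UDP or ICMP
    port_ranges: List[Tuple[int, int]] = field(default_factory=list)  # empty = any port
    log: bool = False                             # stands in for the Logging Action field

    def matches(self, other_ip: str, proto: str, port: Optional[int]) -> bool:
        if self.other_endpoint is not None:
            addr = ip_address(other_ip)
            if not any(addr in ip_network(p) for p in self.other_endpoint):
                return False
        if self.protocol != "ALL" and self.protocol != proto:
            return False
        if self.port_ranges and (port is None or
                                 not any(lo <= port <= hi for lo, hi in self.port_ranges)):
            return False
        return True


@dataclass
class NetworkPolicy:
    endpoints: List[str]                          # Policy For Endpoints: IPv4 prefix list
    ingress: List[Rule] = field(default_factory=list)   # connections TO the endpoints
    egress: List[Rule] = field(default_factory=list)    # connections FROM the endpoints

    def _is_endpoint(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(p) for p in self.endpoints)

    def evaluate(self, src: str, dst: str, proto: str, port: Optional[int]) -> Tuple[str, str]:
        """Return (action, rule name). Rules are tried in order and the first match
        wins; a flow that matches no rule hits the implicit DENY ALL at the end."""
        if self._is_endpoint(dst):
            rules, other = self.ingress, src
        elif self._is_endpoint(src):
            rules, other = self.egress, dst
        else:
            return ("not-applicable", "")         # policy endpoints not involved
        for rule in rules:
            if rule.matches(other, proto, port):
                return (rule.action, rule.name)
        return ("deny", "implicit-deny-all")


def demo() -> dict:
    """Same deny rules with and without the trailing allow-all rule, evaluated on
    constructed flows given as (src, dst, protocol, destination port)."""
    deny_rules_in = [Rule("block-telnet", "deny", protocol="TCP", port_ranges=[(23, 23)], log=True)]
    deny_rules_out = [Rule("block-snmp-out", "deny", protocol="UDP", port_ranges=[(161, 162)])]
    deny_only = NetworkPolicy(endpoints=["10.1.0.0/16"], ingress=deny_rules_in, egress=deny_rules_out)
    with_allow_all = NetworkPolicy(endpoints=["10.1.0.0/16"],
                                   ingress=deny_rules_in + [Rule("allow-rest", "allow")],
                                   egress=deny_rules_out + [Rule("allow-rest", "allow")])
    flows = {  # constructed sample flows
        "ingress telnet": ("192.0.2.10", "10.1.2.3", "TCP", 23),
        "ingress https": ("192.0.2.10", "10.1.2.3", "TCP", 443),
        "egress snmp": ("10.1.2.3", "192.0.2.10", "UDP", 161),
        "egress dns": ("10.1.2.3", "192.0.2.53", "UDP", 53),
        "unrelated flow": ("192.0.2.1", "198.51.100.1", "TCP", 80),
    }
    return {name: (deny_only.evaluate(*f), with_allow_all.evaluate(*f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (without, with_) in demo().items():
        print(f"{name:15} deny-only -> {without}   with allow-all -> {with_}")
```

With only deny rules, HTTPS to the endpoints and DNS from them are dropped by the implicit DENY ALL even though no rule names them; appending the allow-all rule lets those flows through while the telnet and SNMP denies still take effect because they are matched first. If you want to check this kind of intent before applying a policy to a fleet, run the flows you expect to see through a model like this and compare the result against what the fleet should allow.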

Step 5: Select Fast ACL Configuration.
  • Select Fast ACL Configuration option from the drop-down menu in the Fast ACL section of the Network Firewall pop-up window.

    • Disable Fast ACL: Fast ACL is disabled for this network firewall.

    • Active Fast ACL(s): Fast ACL Active for this network firewall.

      • Select Fast ACL drop-down menu to select corresponding Fast ACL.

    Note: For more information, see Fast ACLs.

  • Select Save and Exit button to finish Network Firewall setup.

Apply Network Firewall on Fleet

When your network firewall is configured, you need to apply it to your fleet so that the sites in that fleet are configured with the network firewall you defined.

Step 1: Apply Network Firewall to Fleet.
  • Open Manage in left column menu > select Site Management > Fleets.

  • Find your Fleet, select ... > Manage Configuration to open pop-up window to edit.

Note: If the form is not editable, select Edit Configuration in the upper-right corner of the pop-up window.

Step 2: Select Network Firewall object.
  • Select Network Firewall option from drop-down menu in Fleet pop-up window.

  • Select Create new network firewall if needed.

Step 3: Select the Network Firewall you just created, and apply to your fleet.

Check the box(es) of the Network Firewalls you want to apply to your fleet.

Step 4: Complete Setup.
  • Select Save and Exit button.
