BIG-IP Data Center Firewall Configuration Guide

Manual Chapter: Traffic Listeners


Overview
Part of configuring the BIG-IP system to be a data center firewall is to create virtual servers
and SNATs. For some virtual servers, you can create iRules that filter traffic based on specific
user-defined criteria.

Virtual server configuration


To complete the deployment of a BIG-IP data center firewall, you must set up your virtual
server configuration. A virtual server is an IP address and port specification on the BIG-IP
system. The BIG-IP system listens for traffic destined for that virtual server, and then directs
that traffic either to a specific host for load balancing or to an entire network.
A virtual server provides a level of security, similar to an access control list (ACL),
because its destination includes a port specification: the virtual server accepts only
traffic destined for that address and port, and the BIG-IP system discards traffic that
matches no configured listener.
When you create a virtual server, you can optionally assign an iRule that functions as another
layer of security, filtering out specific unwanted traffic or allowing only specific traffic
destined for that virtual server. The virtual server emulates the destination match of a
traditional ACL, while the iRule refines it further by allowing or denying the individual
source IP addresses and ports that you specify.

Example 1
This example shows an ACL that you can logically implement using a host virtual server with
an assigned iRule. In this example, the virtual server has a destination host address of
204.170.25.11:80, with an iRule specifying that only traffic originating from the network
204.170.0.0/24 is allowed:
allow src 204.170.0.0/24 port 80 dst 204.170.25.11 port 80
deny all
In this case, only traffic originating from network 204.170.0.0/24 port 80 and destined for
host 204.170.25.11:80 is accepted and load balanced according to the virtual server
configuration. The virtual server denies all other traffic.

Example 2
This example shows an ACL that you can logically implement using a network virtual server
with an assigned iRule. In this example, the virtual server has a destination network address
of 204.170.25.0:80, with an iRule specifying that only traffic originating from the network
204.170.0.0/24 is allowed:
allow src 204.170.0.0/24 port 80 dst 204.170.25.0 port 80
deny all

In this case, only traffic originating from network 204.170.0.0/24 port 80 and destined for
network 204.170.25.0:80 is accepted and forwarded to that network. The virtual server
denies all other traffic.
You can find additional examples of how to create a comprehensive iRule for these scenarios
on the F5 Networks DevCentral web site http://www.devcentral.f5.com.

Creating a Services profile within LTM


One of the Layer 7 tasks that you perform to configure BIG-IP Local Traffic Manager as a
data center firewall is to create one or more custom application-layer profiles. You create a
unique profile for each type of application traffic, and then assign the profile to a virtual
server that specifies that particular service. For example, if the BIG-IP data center firewall
must handle HTTP traffic, you can create a custom HTTP profile and then assign that profile
to a virtual server that listens for traffic on port 80 on the BIG-IP system. This particular
procedure creates an HTTP profile. You can use a variation of this task to create other profiles
as well, such as an FTP or SMTP profile.
Important: You can create as many profiles as you need.
1. On the Main tab, click Local Traffic > Profiles > Services > HTTP . The HTTP profile
list screen opens.
2. Click Create. The New HTTP Profile screen opens.
3. In the Name field, type a name for the profile. Names must begin with a letter, and
can contain only letters, numbers, and the underscore (_) character.
4. From the Parent Profile list, retain http.
5. Select the Custom check box. The fields in the Settings area become available for
revision.
6. Adjust all settings as required. You can use the default values or change them to suit
your needs.
7. Click Finished.
A custom BIG-IP LTM profile now appears in the relevant profile list in the BIG-IP
Configuration utility.
After creating this profile, you must assign the profile to a virtual server.

Creating a load balancing pool


You can create a load balancing pool (a logical set of devices such as web servers that you
group together to receive and process traffic) to efficiently distribute the load on your server
resources.
Note: You must create the pool before you create the corresponding virtual server.
1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
2. Click Create. The New Pool screen opens.
3. In the Name field, type a unique name for the pool.
4. For the Health Monitors setting, in the Available list, select a monitor type, and click
<< to move the monitor to the Active list.
Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.
5. From the Load Balancing Method list, select how the system distributes traffic to
members of this pool. The default is Round Robin.
6. For the Priority Group Activation setting, select the way to handle priority groups:
o Retain the default option, Disabled to disable priority groups.
o Select Less than, and type the minimum number of members in the Available
Members field that must remain available in each priority group in order for
traffic to remain confined to that group.
7. Using the New Members setting, add each resource that you want to include in the
pool:
o Either type an IP address in the Address field, or select a node address from
the Node List.
o Type a port number in the Service Port field, or select a service name from the
list.
o To specify a priority group, type a priority number in the Priority field.
o Click Add.
8. Click Finished.
The load balancing pool appears in the Pools list.

Creating an iRule
Use this procedure to create an iRule.
1. On the Main tab, click Local Traffic > iRules.
2. Click Create. The New iRule screen opens.
3. In the Name field, type a 1- to 31-character name, such as virtual_acl_irule.
4. In the Definition field, type the syntax for the iRule, using Tool Command Language
(Tcl) syntax. For complete and detailed information on iRules syntax, see the F5
Networks DevCentral web site http://devcentral.f5.com.
5. Click Finished.
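The following iRule is an added example; it is not from the F5 manual and is not F5's own code. It implements the ACL from Examples 1 and 2 above ("allow src 204.170.0.0/24 ... deny all") in Tcl, as the Definition you would type in step 4 under the name virtual_acl_irule from step 3. The allowed source networks are kept in an address-type data group named dcfw_allowed_src; that name, and the data group itself, are assumptions, so create the data group before assigning the iRule. The destination half of the ACL is already enforced by the virtual server's own address and port, so the iRule tests only the source. The ACL as written also lists a source port of 80; ordinary clients connect from ephemeral source ports, so matching on the source port would block legitimate traffic, and the example deliberately does not do it.

```tcl
# Added example iRule (not from the F5 manual). Implements the ACL
#   allow src 204.170.0.0/24 dst <virtual server address> port 80
#   deny all
# for a host or network virtual server that already restricts the
# destination address and port.
#
# Assumption: an address-type data group holding the allowed sources, e.g.
#   tmsh create ltm data-group internal dcfw_allowed_src type ip \
#       records add { 204.170.0.0/24 }
# Add further networks to the data group rather than editing the iRule.

when CLIENT_ACCEPTED {
    # The virtual server's destination address/port enforces the "dst" part
    # of the ACL; the iRule only has to decide on the client source address.
    # "class match ... equals" on an address data group matches subnets, so
    # 204.170.0.17 matches the 204.170.0.0/24 record.
    if { [class match [IP::client_addr] equals dcfw_allowed_src] } {
        # Permitted source: let LTM load balance or forward as configured.
        return
    }

    # Everything else is the "deny all" line. drop discards the connection
    # silently; reject would answer with a TCP RST and confirm to a scanner
    # that a listener exists on this address/port.
    # Logging to local0 is adequate for testing. Under a flood of denied
    # connections, prefer High-Speed Logging (HSL) to the remote log servers
    # so that the local syslog path does not become the bottleneck.
    log local0. "dcfw deny: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port] on [virtual name]"
    drop
}
```

Assign the same iRule to both the host virtual server (204.170.25.11:80) and the network virtual server (204.170.25.0:80) in the iRules setting of each; because the rule reads the allowed sources from the data group, one iRule serves every listener that needs the ACL. A blocked client sees a connection timeout rather than a reset, which is the intended behaviour for a firewall listener.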

Host virtual servers


A host virtual server listens for traffic destined for a specific site, such as an Internet web site
or an FTP site, and then directs that traffic to content servers that are members of a pool. A
host virtual server provides a level of security, similar to an access control list (ACL),
because its destination address includes a port specification, causing the virtual server to
accept only traffic destined for that port.
Creating a host virtual server
Use this task to create a standard, host type of virtual server for application traffic. A host
type of virtual server listens for traffic destined for the specified destination IP address and
service. You must create a separate virtual server for each destination IP address/service
combination. For example, if you want the BIG-IP firewall device to handle HTTP, SMTP,
and FTP traffic, and you want to use the virtual address 204.170.25.11, you create three
separate virtual servers: 204.170.25.11:80, 204.170.25.11:25, and 204.170.25.11:21 on the
BIG-IP data center firewall.
1. On the Main tab, click Local Traffic > Virtual Servers . The Virtual Server List screen
displays a list of existing virtual servers.
2. Click the Create button. The New Virtual Server screen opens.
3. In the Name field, type a unique name for the virtual server.
4. For the Destination setting, in the Address field, type the host IP address that you want
to use for the virtual server. This is the IP address on the BIG-IP system to which
inbound application traffic is destined.
5. In the Service Port field, type a port number or select a service name from the Service
Port list.
6. Assign any LTM traffic profiles as needed.
7. From the Configuration list, select Advanced.
8. From the Request Logging Profile list, select the custom request logging profile that
you created earlier.
9. Locate the Resources area of the screen.
10. For the iRules setting, from the Available list, select the name of the iRule that you
want to assign, and using the Move button, move the name into the Enabled list. This
step is optional.
11. From the Default Pool list, select the name of the pool that you created previously.
12. Click Finished.
The BIG-IP system now listens for traffic destined for the specified destination IP address
and service, and applies all assigned profiles, any assigned iRules, and the default pool. Also,
all log messages pertaining to the application traffic are sent to the pool of remote logging
servers specified in the assigned Request Logging profile.
Example 1: Host virtual server configurations
This example shows the BIG-IP data center firewall also functioning as an application
delivery controller (ADC). In the illustration shown, the BIG-IP system contains two host
virtual servers (FTP VIP and App VIP) to perform application delivery controller (ADC)
functions, while still providing security. Specifically, the two virtual servers perform these
functions:

o Load balancing traffic to FTP resources
o Load balancing traffic to internal ADCs that handle specific applications. (The
illustration shows one internal ADC named App ADC.)

The benefit of the first function is that the firewall load balances the FTP traffic itself, so
you do not need to place a separate ADC between the BIG-IP data center firewall and the
internal resources. This simplifies the management of the environment.
The second function illustrates the same benefit but also shows that the BIG-IP system can
load balance the request to an internal ADC that is handling the more specialized tasks
required for an application, such as web acceleration, compression, caching, or web
optimization.

[Figure: Host virtual server configurations]

Network virtual servers


A network virtual server listens for traffic destined for a specific network and simply
forwards that traffic to that network. A network virtual server provides a level of security
because its destination network address includes a port specification, causing the virtual
server to accept only traffic destined for that port on the specified network.
Creating a network virtual server
Use this task to create a standard, network type of virtual server for application traffic. A
network type of virtual server listens for traffic destined for a specific network. The BIG-IP
system then forwards the traffic to that network, to the host specified in the system's routing
configuration.
1. On the Main tab, click Local Traffic > Virtual Servers . The Virtual Server List screen
displays a list of existing virtual servers.
2. Click the Create button. The New Virtual Server screen opens.
3. In the Name field, type a unique name for the virtual server.
4. For the Destination setting, in the Address field, type the network IP address that you
want to use for the virtual server. This is the network for which inbound application
traffic is destined.
5. In the Service Port field, type a port number or select a service name from the Service
Port list.
6. From the Configuration list, select Advanced.
7. From the Request Logging Profile list, select the custom request logging profile that
you created earlier.
8. Locate the Resources area of the screen.
9. For the iRules setting, from the Available list, select the name of the iRule that you
want to assign, and using the Move button, move the name into the Enabled list. This
step is optional.
10. Click Finished.
Now the BIG-IP system listens for traffic destined for the specified destination IP address and
service, and applies all assigned profiles and iRules.
Example 2: Network virtual server configurations
This example shows the BIG-IP data center firewall configured with a network virtual server.
This configuration is generally used when you do not want the BIG-IP data center firewall to
perform address translation on incoming requests; instead, the packets are simply forwarded
to publicly-accessible resources while still providing security.
As shown, an ADC provides traditional application delivery functionality, along with possibly
more specialized functionality, behind the BIG-IP data center firewall. The illustration also
shows a DNS server located behind the BIG-IP data center firewall, but with a publicly
accessible address. This could be a direct DNS server, or even a GTM system providing
global DNS services to an infrastructure.

[Figure: Network virtual server configurations]

Adding a static route


On the BIG-IP data center firewall, use this task to create a static route to a BIG-IP device on
another network.
1. On the Main tab, click Network > Routes.
2. Click Add. The New Route screen opens.
3. In the Name field, type a unique name for the route.
4. In the Destination field, type the destination IP address in the route. This address can
represent either a host or a network. Also, if you are using route domains and the
relevant route domain is the partition default route domain, you do not need to append
a route domain ID to this address.
5. In the Netmask field, type the network mask for the destination IP address.
6. From the Resource list, select Use Gateway. The gateway represents a next-hop or
last-hop address in the route.
7. For the Gateway Address setting, select IP Address and type an IP address.
8. At the bottom of the screen, click Finished.
Now, packets targeted for the destination address specified in the route can reach that
destination.

Configuring a SNAT
To protect IP addresses on the private network from being exposed to nodes on a public
network, you can define a SNAT. A SNAT changes the source IP address of packets that internal
hosts send through the BIG-IP system to a SNAT translation address owned by the BIG-IP system,
so that nodes on the public network see only the translation address.
1. On the Main tab, click Local Traffic > SNATs . The SNAT List screen displays a list
of existing SNATs.
2. Click Create.
3. Name the new SNAT.
4. In the Translation field, type the IP address that you want to use as a translation IP
address.
5. From the Origin list, select Address List.
6. For each client to which you want to assign a translation address, do the following:
a. Select Host.
b. Type a client IP address in the Address field.
c. Click Add.
7. From the VLAN Traffic list, select Enabled on.
8. For the VLAN List setting, in the Available field, select an external VLAN, and using
the Move button, move the VLAN name to the Selected field.
9. Click Finished.
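The following tmsh cli script is an added example; it is not from the F5 manual and is not F5's own code. A tmsh cli script is written in Tcl, and this one creates, from the command line, the same objects that the Configuration utility procedures in this chapter build by hand: the custom HTTP profile, the load balancing pool, the host virtual server for 204.170.25.11:80, the network (forwarding) virtual server for 204.170.25.0:80 with a /24 mask, a static route, and a SNAT. The pool members 10.0.0.11 and 10.0.0.12, the internal network 10.20.0.0/16 and its gateway 10.0.0.1, the SNAT origin network 10.0.0.0/24 and translation address 204.170.26.10, the VLAN name external, and every object name are assumptions. The iRule virtual_acl_irule is expected to exist already (see Creating an iRule), and no Request Logging profile is attached because that profile is created in an earlier chapter.

```tcl
# Added example tmsh cli script (Tcl); not part of the F5 manual.
# Builds the traffic listeners described in this chapter. All addresses,
# VLAN and object names below are assumptions for illustration.
cli script /Common/dcfw_listeners {
proc script::run {} {
    # One transaction: if any command fails at commit, nothing is left
    # half-configured on the firewall.
    tmsh::begin_transaction

    # Creating a Services profile within LTM: custom HTTP profile, parent http
    tmsh::create /ltm profile http http_dcfw defaults-from http

    # Creating a load balancing pool: HTTP monitor, round robin, two members
    tmsh::create /ltm pool web_pool monitor http load-balancing-mode round-robin \
        members add \{ 10.0.0.11:80 10.0.0.12:80 \}

    # Creating a host virtual server: one listener per address/port pair.
    # The iRule applies the source ACL; the listener itself enforces the
    # destination. Add the Request Logging profile name to "profiles add"
    # to send application log messages to the remote logging servers.
    tmsh::create /ltm virtual vs_204_170_25_11_80 destination 204.170.25.11:80 \
        ip-protocol tcp profiles add \{ tcp http_dcfw \} \
        rules \{ virtual_acl_irule \} pool web_pool

    # Creating a network virtual server: forwards to 204.170.25.0/24 port 80
    # according to the routing table, with no address translation (ip-forward).
    tmsh::create /ltm virtual vs_204_170_25_0_80 destination 204.170.25.0:80 \
        mask 255.255.255.0 ip-protocol tcp ip-forward \
        profiles add \{ fastL4 \} rules \{ virtual_acl_irule \}

    # Adding a static route: reach the internal ADC network via a next hop
    tmsh::create /net route to_internal_adc network 10.20.0.0/16 gw 10.0.0.1

    # Configuring a SNAT: internal 10.0.0.0/24 hosts leave on the external
    # VLAN with the BIG-IP-owned translation address 204.170.26.10
    tmsh::create /ltm snat snat_internal_hosts translation 204.170.26.10 \
        origins add \{ 10.0.0.0/24 \} vlans-enabled vlans add \{ external \}

    tmsh::commit_transaction
    tmsh::save /sys config
}
}
```

Save the block to a file on the BIG-IP system, load it with tmsh load sys config merge file <path>, and run it with tmsh run cli script dcfw_listeners. Afterwards, tmsh list ltm virtual shows both listeners with the iRule attached. Verify the ACL from the client side: a connection from an address in the data group to 204.170.25.11:80 completes, while a connection from any other source times out rather than being reset, which confirms that the unmatched traffic is dropped and not merely redirected.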