Forum Discussion

Lazar_92526
Apr 29, 2013

Blocking IP addresses with 11.3

We have multiple IP addresses in routing VLANs in our environment, so our systems in that environment are using the 11.3 F5 as a router.

Is there a way to use the F5 to block IP traffic between these VLANs, or even between individual IP addresses?

Does the Advanced Firewall Manager (AFM) for 11.3 provide any of this functionality? I'm evaluating it in our lab environment and do not see a way to do this.

4 Replies

  • I'd imagine AFM would do exactly what you wish so it's odd you don't think so.

    Regardless, an iRule or Packet Filter are options.

    The F5 is a deny by default device so do you have a routing VS, SNAT or similar setup that allows this traffic?
  • AFM is a full stateful firewall that can apply L4 firewall rules to all addresses on the BIG-IP or you can specify BIG-IP configuration objects, like route domains, virtual servers, self-IPs, and Management IPs.
  • We do have a routing VS set up to watch traffic. It seems like it would be messy, though, to set up IP restrictions utilizing a routing VS.

    As an example, if we have a server with an IP of 172.24.24.10 and we want to block traffic to a server with an IP address of 172.24.54.10, how would we do this with AFM if neither of those IP addresses has a defined VIP?
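As an added illustration, not posted by anyone in this thread, of the iRule option the first reply mentions, applied to the hosts in the last post: an iRule attached to the forwarding (routing) virtual server that drops packets from 172.24.24.10 to 172.24.54.10. The data-group name `blocked_pairs` and the key format are assumptions for this example; the two addresses are the ones from the post.

```tcl
# Added example, not from the thread or from F5 documentation.
# Attach this iRule to the forwarding (IP) virtual server that routes
# between the VLANs. It drops any new flow whose source/destination pair
# appears in a string data group.
#
# Assumed data group (name is an assumption): a string data group called
# "blocked_pairs" whose keys are "<source>-<destination>", for example
#   172.24.24.10-172.24.54.10
# Add one record per host pair you want to block; the rule is directional,
# so add the reverse pair as well to block replies or return traffic.

when CLIENT_ACCEPTED {
    # On a forwarding VS (destination 0.0.0.0/0) there is no single VIP, so
    # IP::local_addr is the real destination host, not a listener address.
    set pair "[IP::client_addr]-[IP::local_addr]"

    if { [class match $pair equals blocked_pairs] } {
        # Record the block so it shows up in /var/log/ltm during testing.
        log local0. "blocked_pairs: dropping $pair"
        # drop discards the flow silently; use reject instead if you want
        # the sender to receive a reset/ICMP unreachable.
        drop
    }
}
```

Because the match runs at CLIENT_ACCEPTED, the check is done once per flow rather than per packet, so the cost is negligible compared with packet filters that are evaluated for every packet; verify the result with a ping or TCP connect from 172.24.24.10 before and after adding the record to the data group.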