Forum Discussion

JWhitesPro_1928
Nov 20, 2018

VPN/Network Access ACLs

Can AFM control the traffic of connected network access clients? I am trying to find a way to create VPN ACLs that are easier than the APM ACLs...not being able to use object groups or address lists makes this feel like a horrid process when compared to other VPN solutions like Cisco ASA.

I know there is some 'dynamic' ACL option, but I am just wondering for informational purposes if it could all be contained on the F5 instead of adding more complexity to the solution.

2 Replies

  • To add to this:

    A single line in a Cisco ACL can result in 50-100 or even more in the VPN ACL, since you can only do one source, one destination and one port in each ACL rule. Is this not a problem for anyone else?

    The only other thing I thought of was making an IP forwarding virtual server on the F5 that would catch all traffic from the VPN subnet so I could use AFM to create the rules...the problem there is that I miss out on being able to apply ACLs per session easily, without having to check and make sure everything lines up perfectly between these two ways of setting ACLs.

    Should I put in a feature request for VPN ACLs to get a more modern configuration interface/functionality?

  • You can try to create a forwarding virtual server listening on the connectivity profile's VLAN/tunnel and with destination 0.0.0.0/0.

    On that virtual server, assign an AFM policy.
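To make the "one line becomes 50-100 entries" point from the first reply concrete, here is an added example (not from the thread or from F5) that expands one object-group style rule into the per-tuple entries an APM network access ACL needs and renders them as a tmsh command. The object-group values are constructed, and the `apm acl` entry field names are an assumption to check against `tmsh help apm acl` on your version.

```python
from dataclasses import dataclass
from itertools import product

# Constructed sample object groups, modelled on a single Cisco ASA ACL line
# (source group -> destination group on a service group). Values are made up.
VPN_POOLS = ["10.10.0.0/16", "10.20.0.0/16"]
APP_SERVERS = ["192.168.1.10/32", "192.168.1.11/32",
               "192.168.1.12/32", "192.168.1.13/32"]
WEB_PORTS = [80, 443, 8443]
TCP = 6


@dataclass(frozen=True)
class ApmAclEntry:
    """One APM network-access ACL entry: a single source, destination and port."""
    action: str
    src_subnet: str
    dst_subnet: str
    dst_port: int
    protocol: int = TCP


def expand_rule(action, sources, destinations, ports, protocol=TCP):
    """Expand one group-based rule into the full cross product of APM entries.

    APM entries cannot reference groups, so the count is
    len(sources) * len(destinations) * len(ports).
    """
    return [ApmAclEntry(action, s, d, p, protocol)
            for s, d, p in product(sources, destinations, ports)]


def to_tmsh(acl_name, entries):
    """Render the entries as one tmsh 'create apm acl' command.

    Field names (src-subnet, dst-subnet, dst-start-port, dst-end-port,
    protocol) are an ASSUMPTION about the entry schema; verify before use.
    """
    parts = [
        f"{i} {{ action {e.action} protocol {e.protocol} "
        f"src-subnet {e.src_subnet} dst-subnet {e.dst_subnet} "
        f"dst-start-port {e.dst_port} dst-end-port {e.dst_port} }}"
        for i, e in enumerate(entries, start=1)
    ]
    return f"create apm acl {acl_name} entries add {{ {' '.join(parts)} }}"


if __name__ == "__main__":
    entries = expand_rule("allow", VPN_POOLS, APP_SERVERS, WEB_PORTS)
    print(f"1 ASA-style line -> {len(entries)} APM ACL entries")
    print(to_tmsh("vpn_web_acl", entries))
```

Comparing the rendered entry count for a realistic rule set against the equivalent AFM rule (which can reference address lists and port lists directly) is a quick way to quantify the trade-off the thread is discussing.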