Forum Discussion

Prasad_Chowdary
Feb 14, 2017

Migrating the Cisco FWSM to F5 AFM

Hi All, I am planning to migrate from Cisco FWSM to F5 AFM. In Cisco FWSM we have VLAN interfaces and apply rules for the traffic passing through those interfaces. In the F5 AFM I thought I have two options to use to migrate: virtual servers and self IPs. But F5 AFM is not like other firewalls; self IPs affect traffic destined to the box, not the pass-through traffic. So I have to use virtual servers to moderate traffic. In my case I have a DMZ area which has a bunch of different servers which need to talk to internal servers or users. I am not doing any load balancing at all here, so I am using forwarding IP type virtual servers. However, with the amount of destination objects I have in my environment, I have to create a huge number of virtual servers and apply rules to each and every VS, which is going to be very tedious.

 

Can someone please give some suggestions on the best way to implement this scenario?

 

Thanks in advance.

 

2 Replies

  • Hi,

     

    Create one wildcard forwarding virtual server (0.0.0.0/0:0) and enable it on the correct VLANs.

     

    In your AFM rule base, work with source IP, destination IP and port. (You can create address lists for source and destination addresses.)

     

    Cheers,

     

    Kees

     

  • Hi Prasad,

     

    You can have the AFM configuration depend on your needs. It's true that AFM is based on virtual server configurations, but I see that as an advantage.

     

    Let's say you have external, DMZ and internal zones. Imagine you have subnets 10.x.x.x/8 for the internal subnet and 20.x.x.x/8 as DMZ. You can create three virtual servers (IP forwarding VIP) with IP address 0.0.0.0/0 for external, 10.x.x.x/8 for internal and 20.x.x.x/8 for DMZ. You can add a separate policy and rules for each virtual server.

     

    You can see all these configurations on a single page if you navigate to AFM >> Active Rules. It will display all the policies and rules, and you can even modify them from there.

     

    Please refer to the AFM deployment guide for a better understanding.

     

    Hope this helps.

     

    -Jinshu
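
The layout from the first reply (one wildcard forwarding virtual server, with the rule base built on source and destination address lists), written out as tmsh commands. This is an added example, not configuration posted by anyone in the thread. All object names, the VLAN name and port 443 are assumptions, the two subnets are the illustrative ones from the second reply, and the syntax should be checked against the tmsh reference for your BIG-IP version.

```tmsh
# Constructed example: every object name, VLAN name and port below is a placeholder.

# Address lists take the place of the FWSM object groups
# (subnets are the illustrative ones from the second reply).
create security firewall address-list dmz_servers addresses add { 20.0.0.0/8 }
create security firewall address-list internal_servers addresses add { 10.0.0.0/8 }

# One policy holds the rule base: source list, destination list, port.
create security firewall policy fw_dmz_to_internal rules add { allow_dmz_https { action accept ip-protocol tcp source { address-lists add { dmz_servers } } destination { address-lists add { internal_servers } ports add { 443 } } place-after last } }

# Explicit, logged drop as the final rule so unmatched traffic shows up in the logs.
modify security firewall policy fw_dmz_to_internal rules add { drop_rest { action drop log yes place-after last } }

# Single wildcard IP-forwarding virtual server, enabled only on the DMZ VLAN,
# with the policy above enforced on it.
create ltm virtual vs_wildcard_fwd destination 0.0.0.0:any mask any ip-forward profiles add { fastL4 } vlans-enabled vlans add { dmz_vlan } fw-enforced-policy fw_dmz_to_internal
```

New destinations are then added to an address list or as a rule in the one policy, rather than as another virtual server.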