I'm new to the BIG IP system so forgive me if this seems rather simple. We have a few public facing web servers we are bringing in to our DMZ (they are hosted elsewhere now). The traffic load to them isn't such that we require a pool of replicated servers and load balancing between them for each site. Really all that's needed in terms of traffic flow is just a one-to-one NAT for each one. However, I'm confused because it seems from what I'm reading that you can only create and apply security policies (including attack signatures, etc) to specific servers in your network if you set up a Virtual Server that the web server is tied to. Am I reading this correctly? Or am I misunderstanding how this works? Thanks!

The main traffic-carrying element on a BIG-IP is a Virtual Server. The name may be a little misleading, as it simply a traffic listener, usually consisted of an IP and port, to which you attach all sorts of properties - like the real server(s) you wish to send traffic too, the SSL cert clients that access that virtual server will see, NAT rules, HTTP caching options and more, including a Web Application policy. As you grow more familiar with BIG-IP concepts, all will be made very clear. You should try http://university.f5.com for some the the "essentials" courses there (free of charge, and publicly accessible) - which will get you through all that. Good luck!

I went through a couple of them and thought I had it, then found myself confused again. So basically to do anything you need to set up a virtual server? Even if you just have a handful of individual web sites/servers to point traffic to?

That would be the easiest way to start manipulating incoming traffic, yes. Keep translating "Virtual Servers" to "Listeners" in your head until it makes sense :)

So in my scenario, if I'm reading this correctly, since I don't need load balancing among a pool of redundant servers for each of these sites, I should set up a Forwarding (IP) Virtual Server for that purpose. Is that correct? Also, if you have a Virtual Server that is listening for external clients wishing to connect, where does NAT come into play? Isn't the IP of the Virtual Server essentially doing NAT in and of itself? Thanks for your patience in answer this stuff.

Choosing the Virtual Server type is really all about what you are trying to do... Forwarding IP VSs just route traffic, allowing some L3 manipulations (NAT, PBR, etc.). For more advanced stuff, like an ASM policy, you would need a "Standard" VS type, allowing to fully proxy the incoming traffic, and pass it to ASM for inspection. There's more to it than just choosing the correct VS type, though... It would probably better if you go through some more training, or have a professional guide you through the initial phases and concepts. You are entering a world of fun, I assure you.

Attack signatures, security policies and NAT vs Virtual Servers

14 Replies

Tzoori_Tamam_95
Historic F5 Account
Mar 02, 2016
The main traffic-carrying element on a BIG-IP is a Virtual Server. The name may be a little misleading, as it simply a traffic listener, usually consisted of an IP and port, to which you attach all sorts of properties - like the real server(s) you wish to send traffic too, the SSL cert clients that access that virtual server will see, NAT rules, HTTP caching options and more, including a Web Application policy.

As you grow more familiar with BIG-IP concepts, all will be made very clear.

You should try http://university.f5.com for some the the "essentials" courses there (free of charge, and publicly accessible) - which will get you through all that.

Good luck!
- bsm1970
  Nimbostratus
  Mar 02, 2016
  I went through a couple of them and thought I had it, then found myself confused again. So basically to do anything you need to set up a virtual server? Even if you just have a handful of individual web sites/servers to point traffic to?
- Tzoori_Tamam_95
  Historic F5 Account
  Mar 02, 2016
  That would be the easiest way to start manipulating incoming traffic, yes. Keep translating "Virtual Servers" to "Listeners" in your head until it makes sense :)
- bsm1970
  Nimbostratus
  Mar 02, 2016
  So in my scenario, if I'm reading this correctly, since I don't need load balancing among a pool of redundant servers for each of these sites, I should set up a Forwarding (IP) Virtual Server for that purpose. Is that correct? Also, if you have a Virtual Server that is listening for external clients wishing to connect, where does NAT come into play? Isn't the IP of the Virtual Server essentially doing NAT in and of itself? Thanks for your patience in answer this stuff.
bsm1970
Nimbostratus
Mar 03, 2016
Bringing this out to the main level of the thread since I can't format carriage returns when responding to an answer.

Just as an update, I've been trying some things in the F5 to see how this might look. Even though it's just one node (let's say it's private IP is 10.10.10.2). I created a node with that IP address. Then I created a pool and added that node as a member. Since all the traffic to it will be HTTPS, I added https and https_443 as active health monitors. All other default settings were left intact.

Then I created a VS. This is where it gets tricky for me. I have it set up right now as a Standard VS with a network address that covers our entire subnet of web content servers (for example, 10.10.10.0/26). Service port is 443 (https). For SSL Profile I used serverssl. All other settings stayed at default.

So at this point I'm just trying to figure out how best to do this. Does that setup look like I'm on the right track? And if I'm going to have other single web servers in that same /26 subnet that are totally different sites, should make my VS just point directly to the node (destination address 10.10.10.2 in the above example) and create a new VS for each other web server, or perhaps have this one network address VS cover them all and just create different pools for the different web servers?

Forgive me for all the questions. I do need to get more formal training, but the time frame for this won't allow that right away.
- bsm1970
  Nimbostratus
  Mar 03, 2016
  I guess what I'm driving at is that setting up a VS for these servers seems like overkill when a simple one to one NAT would appear to get the job done. But if I can't apply any ASM stuff to it - protecting from vulnerabilities and using attack signatures, then that won't work. I'm just wondering what the best way to do this is since I don't have a bank of servers hosting the same content that need to be load balanced.
bsm1970
Nimbostratus
Mar 07, 2016
bump for any other responses?
- amjadb_4287
  Nimbostratus
  Mar 07, 2016
  Hi bsm1970, you are supposed to NAT the public IP to VS IP address of F5 using your perimeter firewall either for each website or for all websites (in this latter case, irule should be in place to differentiate between different websites) The virtual server should be standard and has at least http profile, SSL offloading (for ASM policy), SNAT, Pool and finally an ASM policy
- bsm1970
  Nimbostratus
  Mar 07, 2016
  Let me see if I understand what you're saying. The public IP of the web server the external user wants to reach should be routed to the VS on the F5 by the perimeter firewall. I would probably set up a different VS for each website so we would do the same thing for all of the other sites we stand up. I think initially I won't have any ASM policy running. I just want to get traffic flowing initially then work toward adding ASM policy. So for that, where would SNAT come into play? Is that just to make sure the traffic is routed back through the F5? And would SNAT be necessary if the web server nodes have the F5 as their default gateway?
- bsm1970
  Nimbostratus
  Mar 15, 2016
  I think I've got my virtual servers set up properly. My question now is how NAT relates to all this. I have my public IP and my private internal IP for my web servers. I have a VS set up for each of them pointing to that private IP. How do I make it so that traffic coming in using the public IP address of a certain site hits the right VS? Do I put the public IP address of the web server in the Source Address field of the VS?
bsm1970
Nimbostratus
Mar 11, 2016
bump

Forum Discussion

Attack signatures, security policies and NAT vs Virtual Servers

14 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Auditing Security Policy Updates

Minimizing Security Complexity: Managing Distributed WAF Policies

Adaptive Apps: Replicate & deploy WAF application security policies across F5's security portfolio

iRule to modify a content-security-policy header

Securing GraphQL with Advanced WAF declarative policies