John_Meggers
Mar 25, 2015

Lync iApp 4.0 RC1

Has anyone else worked with the (unsupported) 4.0 template? The version I'm trying does support template questions related to AFM configuration, but the result I'm seeing in the resulting configuration is an AFM policy with two conflicting entries. The top one says "acceptPackets" and has a state of enabled; the second one says "dropPackets" and its state is listed as "Enabled (Conflicting)". Since I want the AFM policy to accept packets, I tried modifying the iApp to comment out the section on dropping packets, but there are syntax errors and I haven't been able to figure how to get around those. Has anyone else run into this, or knows how to successfully remove (or comment out) the "drop" option? Thanks for any information.

John Meggers

5 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi John, is your BIG-IP running in "ADC" mode or "Firewall" mode? When running in ADC mode, the default rule for all VIPs is to allow all, so we create a deny all rule, and then another allow rule for only the networks you want to allow that precedes the deny all rule.

    I have this configured to allow traffic from only one subnet, and I end up with 3 rules, but none are conflicting. Can you post a screenshot of your policy config?

    thanks

  • I'm consulting with a customer. I can't say for sure whether it's ADC mode or firewall mode. I'll look for that when I'm there today. As for what I'm seeing, I captured a screen shot yesterday which I'll see if I can attach to this.

  • Based on the information in https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-3-0/8.html the LTM is in firewall mode. They've configured the firewall to default to a "deny any any" policy.

    So does this mean the iApp effectively requires the firewall be in ADC mode, otherwise you get out of it what I got? I know this is probably asking a lot, but is there a way to have the iApp check this setting and then configure AFM in concurrence with the setting?

  • mikeshimkus_111
    Historic F5 Account

    Unfortunately, AFAIK in iApps we have no way of telling which firewall mode BIG-IP is running. If we could, the iApp could check for the action on the default rule and not create the dropPackets rule.

    Even that would be a problem because that would only check at iApp runtime. If someone went in and changed from firewall to ADC mode outside of the iApp, then we have left you with an insecure config.

    That said, you could either edit the iApp, removing this text from the firewall_arr array:

        dropPackets \{ \
            action drop \
            log yes \
            ip-protocol tcp \
            status enabled \
            source \{ addresses replace-all-with \{ any/any \}\} \
        \}

    You could also just create your own firewall policy outside of the iapp and assign it when you answer the "Do you want to use BIG-IP AFM to protect Lync edge and external web services?" question. Or you could leave it as-is, since there shouldn't be any problem with passing traffic through this config that I can think of.

  • I agree, the error "message" could be kind of a red herring, as traffic will match the first statement and be allowed. I may try commenting out the dropPackets section again, thanks to your guidance.

    Thanks for the assistance....
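As an added example (not from this thread and not F5's iApp code), the following Python model of first-match evaluation shows why the "Enabled (Conflicting)" flag appears in the Firewall-mode case John describes (an accept-any rule ahead of the iApp's drop-any rule) and why Mike's ADC-mode layout (a narrower allow rule ahead of the deny-all) produces no conflict. The rule names other than acceptPackets and dropPackets, the subnet and the test addresses are constructed.

```python
import ipaddress

# Constructed model of an ordered AFM-style policy (example only, not the iApp's
# Tcl). Rules are evaluated top to bottom; the first enabled match decides.
def make_rule(name, action, sources=("0.0.0.0/0",), protocol="tcp", status="enabled"):
    return {"name": name, "action": action, "protocol": protocol, "status": status,
            "sources": [ipaddress.ip_network(s) for s in sources]}

def rule_matches(rule, ip, protocol):
    if rule["status"] != "enabled" or rule["protocol"] not in ("any", protocol):
        return False
    return any(ip in net for net in rule["sources"])

def evaluate(policy, src_ip, protocol, default_action):
    """default_action models the mode: 'accept' for ADC mode, 'drop' for Firewall mode."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule_matches(rule, ip, protocol):
            return rule["name"], rule["action"]
    return "default", default_action

def shadowed_rules(policy):
    """Names of rules that can never match because an earlier enabled rule already
    covers every source and protocol they would match (the 'conflicting' case)."""
    shadowed = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if earlier["status"] != "enabled" or later["status"] != "enabled":
                continue
            proto_ok = earlier["protocol"] in ("any", later["protocol"])
            src_ok = all(any(ls.subnet_of(es) for es in earlier["sources"])
                         for ls in later["sources"])
            if proto_ok and src_ok:
                shadowed.append(later["name"])
                break
    return shadowed

# What John saw with the LTM in Firewall mode: accept-any ahead of drop-any.
FIREWALL_MODE_POLICY = [make_rule("acceptPackets", "accept"), make_rule("dropPackets", "drop")]
# Mike's ADC-mode layout: allow one (constructed) subnet, then the deny-all rule.
ADC_MODE_POLICY = [make_rule("allowTrusted", "accept", sources=("203.0.113.0/24",)),
                   make_rule("dropPackets", "drop")]

if __name__ == "__main__":
    print("Firewall mode shadowed:", shadowed_rules(FIREWALL_MODE_POLICY))  # ['dropPackets']
    print("ADC mode shadowed:", shadowed_rules(ADC_MODE_POLICY))            # []
    print(evaluate(FIREWALL_MODE_POLICY, "198.51.100.7", "tcp", "drop"))    # ('acceptPackets', 'accept')
    print(evaluate(ADC_MODE_POLICY, "198.51.100.7", "tcp", "accept"))       # ('dropPackets', 'drop')
```

The shadowed rule is harmless for traffic, as John notes, but the check also shows that in ADC mode the drop-any rule is the only thing standing between the VIP and the allow-all default, so removing it is safe only while the box stays in Firewall mode.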