F5 Configuring BIG-IP AFM: Advanced Firewall Manager

Chapter 1: Setting up the BIG-IP System

• Introducing the BIG-IP System
• Initially Setting Up the BIG-IP System
• Archiving the BIG-IP System Configuration
• Leveraging F5 Support Resources and Tools

Chapter 2: AFM Overview and Network Firewall

• AFM Overview
• AFM Availability
• AFM and the BIG-IP Security Menu
• Explaining F5 Terminology
• Network Firewall
• Contexts
• Modes
• Packet Processing
• Rules and Direction
• Rules Contexts and Processing
• Inline Rule Editor
• Configuring Network Firewall
• Network Firewall Rules and Policies
• Network Firewall Rule Creation
• Identifying Traffic by Region with Geolocation
• Identifying Redundant and Conflicting Rules
• Identifying Stale Rules
• Prebuilding Firewall Rules with Lists and Schedules
• Rule Lists
• Address Lists
• Port Lists
• Schedules
• Network Firewall Policies
• Policy Status and Management
• Other Rule Actions
• Redirecting Traffic with Send to Virtual
• Checking Rule Processing with Packet Tester
• Examining Connections with Flow Inspector

Chapter 3: Logs

• Event Logs
• Logging Profiles
• Limiting Log Messages with Log Throttling
• Enabling Logging in Firewall Rules
• BIG-IP Logging Mechanisms
• Log Publisher
• Log Destination
• Filtering Logs with the Custom Search Facility
• Logging Global Rule Events
• Log Configuration Changes
• QKView and Log Files
• SNMP MIB
• SNMP Traps

Chapter 4: IP Intelligence

• Overview
• Feature 1 Dynamic White and Black Lists
• Black List Categories
• Feed Lists
• IP Intelligence Policies
• IP Intelligence Log Profile
• IP Intelligence Reporting
• Troubleshooting IP Intelligence Lists
• Feature 2 IP Intelligence Database
• Licensing
• Installation
• Configuration
• Troubleshooting
• IP Intelligence iRule

Chapter 5: DoS Protection

• Denial of Service and DoS Protection Overview
• Device DoS Protection
• Configuring Device DoS Protection
• Variant 1 DoS Vectors
• Variant 2 DoS Vectors
• Automatic Threshold Configuration
• Variant 3 DoS Vectors
• Device DoS Profiles
• DoS Protection Profile
• Dynamic Signatures
• Dynamic Signatures Configuration
• DoS iRules

Chapter 6: Reports

• AFM Reporting Facilities Overview
• Examining the Status of Particular AFM Features
• Exporting the Data
• Managing the Reporting Settings
• Scheduling Reports
• Examining AFM Status at High Level
• Mini Reporting Windows (Widgets)
• Building Custom Widgets
• Deleting and Restoring Widgets
• Dashboards

Chapter 7: DoS White Lists

• Bypassing DoS Checks with White Lists
• Configuring DoS White Lists
• tmsh options
• Per Profile Whitelist Address List

Chapter 8: DoS Sweep Flood Protection

• Isolating Bad Clients with Sweep Flood
• Configuring Sweep Flood

Chapter 9: IP Intelligence Shun

• Overview
• Manual Configuration
• Dynamic Configuration
• IP Intelligence Policy
• tmsh options
• Extending the Shun Feature
• Route this Traffic to Nowhere – Remotely Triggered Black Hole
• Route this Traffic for Further Processing – Scrubber

Chapter 10: DNS Firewall

• Filtering DNS Traffic with DNS Firewall
• Configuring DNS Firewall
• DNS Query Types
• DNS Opcode Types
• Logging DNS Firewall Events
• Troubleshooting

Chapter 11: DNS DoS

• Overview
• DNS DoS
• Configuring DNS DoS
• DoS Protection Profile
• Device DoS and DNS

Chapter 12: SIP DoS

• Session Initiation Protocol (SIP)
• Transactions and Dialogs
• SIP DoS Configuration
• DoS Protection Profile
• Device DoS and SIP

Chapter 13: Port Misuse

• Overview
• Port Misuse and Service Policies
• Building a Port Misuse Policy
• Attaching a Service Policy
• Creating a Log Profile

Chapter 14: Network Firewall iRules

• Overview
• iRule Events
• Configuration
• When to use iRules
• More Information

Course Objectives

• Configure and manage an AFM system
• Configure AFM Network Firewall in a positive or negative security model
• Configure Network Firewall to allow or deny network traffic using rules based on protocol, source, destination, geography, and other predicate types
• Prebuild firewall rules using lists and schedule components
• Enforce firewall rules immediately or test them using policy staging
• Use Packet Tester and Flow Inspector features to check network connections against your security configurations for Network Firewall, IP intelligence and DoS features
• Configure various IP Intelligence features to identify, record, allow or deny access by IP address
• Configure the Device DoS detection and mitigation feature to protect the BIG-IP device and all applications from multiple types of attack vectors
• Configure DoS detection and mitigation on a per-profile basic to protect specific applications from attack
• Use DoS Dynamic Signatures to automatically protect the system from DoS attacks based on long term traffic and resource load patterns
• Configure and use the AFM local and remote log facilities
• Configure and monitor AFM’s status with various reporting facilities
• Export AFM system reports to your external monitoring system directly or via scheduled mail
• Allow chosen traffic to bypass DoS checks using Whitelists
• Isolate potentially bad clients from good using the Sweep Flood feature
• Isolate and re-route potentially bad network traffic for further inspection using IP Intelligence Shun functionality
• Restrict and report on certain types of DNS requests using DNS Firewall
• Configure, mitigate, and report on DNS based DoS attacks with the DNS DoS facility
• Configure, mitigate, and report on SIP based DoS attacks with the SIP DoS facility
• Configure, block, and report on the misuse of system services and ports using the Port Misuse feature
• Build and configure Network Firewall rules using BIG-IP iRules
• Be able to monitor and do initial troubleshooting of various AFM functionality

This course is intended for system and network administrators responsible for the configuration and ongoing administration of a BIG-IP Advanced Firewall Manager (AFM) system.