F5 Networks AFM/APM Dynamic Firewall Rules
iRules LX code to dynamically update an AFM address list based upon APM sessions. The code will add a user's IP address to an AFM address list once an APM access policy is completed and will remove the IP address when the access session is closed. Requires TMOS version 12.1 and APM/AFM licensing.
Installation
You'll need to create a iRules LX workspace and plugin - details can be found in the DevCentral [Getting Started with iRules LX series] (https://devcentral.f5.com/articles/sid/6964)
Note: If you want to keep things simple then using the following naming convention:
- Workspace: dynamic_address_list_workspace
- Plugin: dynamic_address_list_plugin
- Extension: dynamic_address_list
Once the workspace is created you'll need to make the following code changes:
-
Update the iRule ILX::init with the name of your plugin and your extension (if you didn't follow the naming convention)
set ilx_handle [ILX::init "plugin_name" "extension_name"] -
Copy the contents of index.js into your workspace
-
Add two extension files and copy the contents of those files into your workspace
-
f5_afm.js
-
f5_api.js
-
SSH into your BIG-IP and nstall the node modules
cd /var/ilx/workspaces/Common/dynamic_address_list_workspace/extensions/dynamic_address_list/ npm install node-rest-client winston --save
5. Add the iRule to you APM Virtual Server