A virtual forwarding server is listening for traffic with a destination of any on all VLANs-f5-False

Vendor: f5

OS: False

Description:
Using a virtual forwarding server in a large network in combination with All VLANs would short circuit networks behind the load balancer and this is not ideal in terms of security. indeni will alert if this configuration is used.

Remediation Steps:
Verify that the configuration is intentional. If not, create forwarding servers for each VLAN listening on the egress VLAN, and one forwarding server listening on all VLANs except the egress VLANs. This way you allow traffic to pass through the load balancer without short circuiting the VLANs behind it.

Note: A change window is highly recommended as there may be impact to the environment. More information about virtual forwarding servers can be found here: https://support.f5.com/csp/article/K7595

This alert was added per the request of <a target="_blank" href="https://se.linkedin.com/in/patrik-jonsson-6527932">Patrik Jonsson</a>.

How does this work?
This alert uses the iControl REST interface to extract any virtual forwarding servers listening to all destinations and on all VLANs.

Why is this important?
It is generally not recommended to have a virtual server listening on all VLANs with a destination of any. This can short circuit any VLANs behind the load balancer and is not ideal in terms of security.

Without Indeni how would you find this?
Log in to the device’s web interface and click on “Local Traffic” and then “Virtual servers”. For each of the Virtual Servers, verify whether it is listening on any destination and on all VLANs.

f5-rest-mgmt-tm-ltm-virtual

#! META
name: f5-rest-mgmt-tm-ltm-virtual
description: Determine use of automap, and whether any wildcard forwarding servers listening on all VLANs exist.
type: monitoring
monitoring_interval: 60 minute
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
f5-automap-used:
    why: |
        Using automap is a great way to troubleshoot asymmetric routing, but it is not ideal in a busy live environment because of the risk of port exhaustion. For high traffic volumes it is better to create a "SNAT Pool" with multiple IP addresses on the member networks.
    how: |
        This alert uses the iControl REST interface to extract the use of automap on virtual servers.
    without-indeni: |
        Log in to the device's web interface and click on "Local Traffic" and then "Virtual servers". For each of the Virtual Servers, verify that automap is not used as "Source Address Translation".
    can-with-snmp: true
    can-with-syslog: false
f5-wildcard-forwarding-servers:
    why: |
        It is generally not recommended to have a virtual server listening on all VLANs with a destination of any. This can short circuit any VLANs behind the load balancer and is not ideal in terms of security.
    how: |
        This alert uses the iControl REST interface to extract any virtual forwarding servers listening to all destinations and on all VLANs.
    without-indeni: |
        Log in to the device's web interface and click on "Local Traffic" and then "Virtual servers". For each of the Virtual Servers, verify whether it is listening on any destination and on all VLANs.
    can-with-snmp: true
    can-with-syslog: false

#! REMOTE::HTTP
url: /mgmt/tm/ltm/virtual?$select=fullPath,sourceAddressTranslation,ipForward,destination,source,vlans
protocol: HTTPS

#! PARSER::JSON

_metrics:

    - # Select virtual servers with automap enabled
        _groups:
            "$.items[0:]":
                _tags:
                    "im.name":
                        _constant: "f5-automap-used"
                    "im.dstype.displaytype":
                        _constant: "boolean"
                    "name":
                        _value: "fullPath"
                _temp:
                    "sourceAddressTranslation":
                        _value: sourceAddressTranslation.type
        _transform:
            _value.complex:
                value: |
                    {
                        if(temp("sourceAddressTranslation") == "automap") {
                            print "true"
                        } else {
                            print "false"
                        }
                    }
    - # Find virtual servers listening to any destination and on all VLANs
        _groups:
            "$.items[0:]":
                _tags:
                    "im.name":
                        _constant: "f5-wildcard-forwarding-servers"
                    "name":
                        _value: "fullPath"
                _temp:
                    "destination":
                        _value: "destination"
                    "source":
                        _value: source
                    "vlanCount":
                        _count: "vlans"
                    "ipForward":
                        _count: "ipForward"
        _transform:
            _value.complex:
                value: |
                    {
                        if(match(temp("destination"), /.*0\.0\.0\.0:+0.*/) && match(temp("source"), /.*0\.0\.0\.0\/0.*/) && temp("vlanCount") == 0 && temp("ipForward") == 1){
                            print "true"
                        } else {
                            print "false"
                        }
                    }
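The two checks above are easier to reason about when the same logic is applied to a response you can see. The following Python is an added example, not part of the indeni collector or rule: it runs the automap and wildcard-forwarding conditions from the awk transforms over a constructed iControl REST reply for the `$select` used in the REMOTE::HTTP section. The sample items, and the assumption that a forwarding virtual server carries an `ipForward` key and that a wildcard destination is rendered as `/Common/0.0.0.0:0`, are mine and not taken from a real device.

```python
import re
from typing import Dict, List

# Constructed sample shaped like a reply to
# GET /mgmt/tm/ltm/virtual?$select=fullPath,sourceAddressTranslation,ipForward,destination,source,vlans
# The field values are assumptions modelled on the collector, not captured output.
SAMPLE_RESPONSE: Dict = {
    "items": [
        {   # ordinary virtual server using automap SNAT (trips f5-automap-used)
            "fullPath": "/Common/vs_web_443",
            "destination": "/Common/192.0.2.10:443",
            "source": "0.0.0.0/0",
            "sourceAddressTranslation": {"type": "automap"},
            "vlans": ["/Common/external"],
        },
        {   # IP forwarding server, destination any, no VLAN restriction: the alert condition
            "fullPath": "/Common/vs_forward_all",
            "destination": "/Common/0.0.0.0:0",
            "source": "0.0.0.0/0",
            "sourceAddressTranslation": {"type": "none"},
            "ipForward": True,   # assumed representation of the ip-forward type
        },
        {   # IP forwarding server limited to one VLAN: the remediated shape
            "fullPath": "/Common/vs_forward_vlan10",
            "destination": "/Common/0.0.0.0:0",
            "source": "0.0.0.0/0",
            "sourceAddressTranslation": {"type": "none"},
            "ipForward": True,
            "vlans": ["/Common/vlan10"],
        },
        {   # wildcard standard virtual server (no ipForward): not a forwarding server
            "fullPath": "/Common/vs_catchall",
            "destination": "/Common/0.0.0.0:0",
            "source": "0.0.0.0/0",
            "sourceAddressTranslation": {"type": "snat"},
        },
    ]
}

# The same patterns the collector's awk transform uses.
ANY_DEST = re.compile(r".*0\.0\.0\.0:+0.*")
ANY_SRC = re.compile(r".*0\.0\.0\.0/0.*")


def uses_automap(vs: dict) -> bool:
    """Mirror of the f5-automap-used metric: true when the SNAT type is automap."""
    return vs.get("sourceAddressTranslation", {}).get("type") == "automap"


def is_wildcard_forwarder_on_all_vlans(vs: dict) -> bool:
    """Mirror of the f5-wildcard-forwarding-servers metric.

    The collector counts 'vlans' entries (0 means no VLAN restriction, i.e. all
    VLANs) and counts the 'ipForward' key (1 means an IP forwarding server).
    """
    dest = vs.get("destination", "")
    src = vs.get("source", "")
    vlan_count = len(vs.get("vlans", []))
    ip_forward_count = 1 if "ipForward" in vs else 0
    return (
        ANY_DEST.match(dest) is not None
        and ANY_SRC.match(src) is not None
        and vlan_count == 0
        and ip_forward_count == 1
    )


def evaluate(response: dict) -> Dict[str, List[str]]:
    """Return the fullPath of every virtual server that trips each metric."""
    items = response.get("items", [])
    return {
        "f5-automap-used": [v["fullPath"] for v in items if uses_automap(v)],
        "f5-wildcard-forwarding-servers": [
            v["fullPath"] for v in items if is_wildcard_forwarder_on_all_vlans(v)
        ],
    }


if __name__ == "__main__":
    for metric, names in evaluate(SAMPLE_RESPONSE).items():
        print(f"{metric}: {names or 'none'}")
```

Only `/Common/vs_forward_all` trips the wildcard check: the VLAN-scoped forwarder and the catch-all standard virtual server fail the `vlanCount == 0` and `ipForward == 1` tests respectively, which is exactly the distinction the remediation relies on.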

f5_wildcard_forwarding_servers_used

package com.indeni.server.rules.library.templatebased.f5

import com.indeni.ruleengine.expressions.conditions.{Equals => RuleEquals, Not => RuleNot, Or => RuleOr}
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library._
import com.indeni.server.rules.library.templates.SingleSnapshotValueCheckTemplateRule

/**
  * Alerts on every virtual server whose f5-wildcard-forwarding-servers metric
  * (collected by f5-rest-mgmt-tm-ltm-virtual) most recently reported "true":
  * an IP forwarding virtual server with destination any and no VLAN restriction.
  */
case class f5_wildcard_forwarding_servers_used() extends SingleSnapshotValueCheckTemplateRule(
  ruleName = "f5_wildcard_forwarding_servers_used",
  ruleFriendlyName = "F5 Devices: A virtual forwarding server is listening for traffic with a destination of any on all VLANs",
  ruleDescription = "Using a virtual forwarding server in a large network in combination with All VLANs would short circuit networks behind the load balancer and this is not ideal in terms of security. indeni will alert if this configuration is used.",
  metricName = "f5-wildcard-forwarding-servers",
  applicableMetricTag = "name",
  alertItemsHeader = "Virtual Servers Affected",
  alertDescription = "Forwarding servers is a way of using the F5 as a router to move packets from one network to another. One does this by configuring a special virtual server type listening to the destination.\n\nExample:\nA virtual server listening to 10.0.0.0/8 on VLAN10 would accept, and forward packets according to its routing table, but only on VLAN10.\n\nUsing a virtual forwarding server in a large network in combination with All VLANs would short circuit networks behind the load balancer and this is not ideal in terms of security.",
  baseRemediationText = "Verify that the configuration is intentional. If not, create forwarding servers for each VLAN listening on the egress VLAN, and one forwarding server listening on all VLANs except the egress VLANs. This way you allow traffic to pass through the load balancer without short circuiting the VLANs behind it.\n\nNote: A change window is highly recommended as there may be impact to the environment. More information about virtual forwarding servers can be found here: https://support.f5.com/csp/article/K7595\n\nThis alert was added per the request of <a target=\"_blank\" href=\"https://se.linkedin.com/in/patrik-jonsson-6527932\">Patrik Jonsson</a>.",
  complexCondition = RuleEquals(RuleHelper.createComplexStringConstantExpression("true"), SnapshotExpression("f5-wildcard-forwarding-servers").asSingle().mostRecent().value().noneable))()