F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

Firewall rules without the use of address and port lists #844

Open Tobse95 opened 2 weeks ago

Tobse95 commented 2 weeks ago

Is your feature request related to a problem? Please describe.

We use AFM with AS3 to manage our firewall rules on the Service Forwarding virtual servers. In our firewall infrastructure we have a very large set of rules. At the moment, firewall rules can only be created using address lists and port lists. This creates enormous overhead in our config and automation because we have many different communication relationships due to the different rules.

Describe the solution you'd like

We would like to create firewall rules in a firewall rule list without the use of address and port lists (like in the GUI). At the moment:

```json
"fwRuleList": {
    "class": "Firewall_Rule_List",
    "rules": [
        {
            "protocol": "tcp",
            "name": "tcpAllow",
            "loggingEnabled": true,
            "destination": {
                "portLists": [
                    {
                        "use": "fwAllowedPortList"
                    }
                ]
            },
            "source": {
                "addressLists": [
                    {
                        "use": "fwAllowedAddressList"
                    }
                ]
            },
            "action": "accept"
        }
    ]
}
```

I want to do something like that:

```json
"fwRuleList": {
    "class": "Firewall_Rule_List",
    "rules": [
        {
            "protocol": "tcp",
            "name": "tcpAllow",
            "loggingEnabled": true,
            "destination": {
                "ports": [
                    "443", "80", "6000-6111"
                ],
                "addresses": [
                    "10.10.11.0/24"
                ]
            },
            "source": {
                "addresses": [
                    "10.10.10.0/24"
                ]
            },
            "action": "accept"
        }
    ]
}
```

Describe alternatives you've considered

Creating a lot of address and port lists is not an alternative.

Additional context

Add any other context, such as the desired tmsh configuration, about the feature request here.
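Until a schema change lands, the list overhead the request describes can be pushed into automation: write the rules in the inline form the request asks for and generate the referenced lists from them. The script below is an added example written for this page, not code from the AS3 project or from the issue author. It validates inline addresses (with the standard `ipaddress` module) and ports or `lo-hi` ranges, then emits a `Firewall_Rule_List` together with one `Firewall_Address_List` / `Firewall_Port_List` object per distinct set, so rules that share a source range share a single list instead of each getting its own. The class names `Firewall_Rule_List`, `Firewall_Address_List` and `Firewall_Port_List` and their `addresses` / `ports` properties are assumed to match the AS3 schema of the reader's version (check the schema reference before deploying); the input keys (`source`, `destination`, `destinationPorts`, ...) and the generated list names (`fwAddr1`, `fwPort1`, ...) are this script's own convention, and the sample rules are constructed for the example.

```python
"""Generate AS3 firewall objects from rules written with inline addresses/ports.

Added example for the issue discussion above; not part of the AS3 project.
Assumed AS3 class/property names: Firewall_Rule_List (rules[].source/destination
.addressLists/.portLists), Firewall_Address_List (addresses), Firewall_Port_List
(ports). Input rule keys and generated list names are this script's convention.
"""
import ipaddress
import json

# Constructed sample input (not from the original issue): the inline form.
SAMPLE_RULES = [
    {"name": "tcpAllow", "protocol": "tcp", "action": "accept",
     "source": ["10.10.10.0/24"], "destination": ["10.10.11.0/24"],
     "destinationPorts": [443, 80, "6000-6111"]},
    {"name": "dnsAllow", "protocol": "udp", "action": "accept",
     "source": ["10.10.10.0/24"], "destination": ["10.10.11.53"],
     "destinationPorts": [53]},
    {"name": "denyRest", "protocol": "any", "action": "drop"},
]


def _canonical_addresses(addresses):
    """Validate hosts/prefixes; return a sorted tuple used as the dedup key.
    Raises ValueError for anything that is not an IP address or network."""
    return tuple(sorted(str(ipaddress.ip_network(a, strict=False))
                        for a in addresses))


def _canonical_ports(ports):
    """Validate single ports (int) and 'lo-hi' ranges (str); return dedup key.
    Raises ValueError for non-numeric values or anything outside 1-65535."""
    out = []
    for p in ports:
        if isinstance(p, int) and not isinstance(p, bool):
            lo = hi = p
        else:
            lo_s, sep, hi_s = str(p).partition("-")
            lo, hi = int(lo_s), (int(hi_s) if sep else int(lo_s))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port or range: {p!r}")
        out.append(str(p))
    return tuple(sorted(out))


def build_as3(rules, rule_list_name="fwRuleList", prefix="fw"):
    """Return a dict of AS3 objects: the rule list plus the generated
    address/port lists. Identical sets across rules share one list object."""
    objects = {}
    registry = {}                       # (kind, canonical key) -> object name
    counters = {"addr": 0, "port": 0}

    def list_for(kind, values):
        if kind == "addr":
            cls, prop, key = "Firewall_Address_List", "addresses", _canonical_addresses(values)
        else:
            cls, prop, key = "Firewall_Port_List", "ports", _canonical_ports(values)
        name = registry.get((kind, key))
        if name is None:                # first time we see this set: create it
            counters[kind] += 1
            name = f"{prefix}{'Addr' if kind == 'addr' else 'Port'}{counters[kind]}"
            registry[(kind, key)] = name
            objects[name] = {"class": cls, prop: list(values)}
        return {"use": name}

    as3_rules = []
    for r in rules:
        entry = {"name": r["name"], "protocol": r.get("protocol", "any"),
                 "action": r["action"], "loggingEnabled": r.get("loggingEnabled", True)}
        src, dst = {}, {}
        if r.get("source"):
            src["addressLists"] = [list_for("addr", r["source"])]
        if r.get("sourcePorts"):
            src["portLists"] = [list_for("port", r["sourcePorts"])]
        if r.get("destination"):
            dst["addressLists"] = [list_for("addr", r["destination"])]
        if r.get("destinationPorts"):
            dst["portLists"] = [list_for("port", r["destinationPorts"])]
        if src:
            entry["source"] = src
        if dst:
            entry["destination"] = dst
        as3_rules.append(entry)

    objects[rule_list_name] = {"class": "Firewall_Rule_List", "rules": as3_rules}
    return objects


if __name__ == "__main__":
    # Paste the result into the application object of an AS3 declaration.
    print(json.dumps(build_as3(SAMPLE_RULES), indent=2))
```

Because the generated list names derive from first-seen order, reordering rules renames lists; if that matters for diffs in your automation, key the names off a hash of the canonical tuple instead.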

sunitharonan commented 2 weeks ago

I have created AUTOTOOL-4417 on AS3 backlog for internal tracking