To configure your F5 firewall and integrate it with the Glasswall Halo ICAP server, please follow this configuration guide.

**Note:** these steps are documented as per F5 version BIG-IP 17.1.1.3, Build 0.0.5, Point Release 3.

## Configure interfaces and routes

- Before configuring the interfaces, ensure you can see 3 interfaces under *Network* -> *Interfaces* -> *Interface list*.
    - **Note:** this list shows the data plane interfaces only and does not include the management interface.
- The names of the interfaces will be 1.1, 1.2, 1.3.
- Compare the MAC address of each interface with the MAC addresses of the interfaces attached to the firewall VM, and note down which subnet each interface belongs to.
- In the dev environment:
    - `1.1` belongs to the `inside subnet`
    - `1.2` belongs to the `outside subnet`
    - `1.3` belongs to the `icap subnet`

![Image.png](/.attachments/image_192.png)

### 1 - Configure management IP address

Typically the first interface attached to the firewall is configured as the management interface. If for any reason the management UI is running on a different interface (IP address), follow these steps to change the management IP address.

1. Log in to the F5 Admin Portal.
2. Navigate to *System* -> *Platform*.
3. Under the *Host IP address* drop-down, select **Custom host IP address** and enter the new IP.

![Image.png](/.attachments/image_193.png)

### 2 - Configure inside interface

1. Navigate to *Network* -> *VLANs* -> *VLANs list* and click **Create**.
2. Enter the name as `inside-vlan`.
3. Select the inside interface from the drop-down and click **Add**.
    **Note:** the interface names will be `1.1`, `1.2` and `1.3`. The subnet each interface belongs to was noted down in the previous section, based on its MAC address.
4. Click **Finished**.
5. Navigate to *Network* -> *Self IPs* and click **Create**.
6. Enter the name as `inside-ip`, and enter the IP address and netmask of the inside interface.
7. Select the `inside-vlan` from the VLAN drop-down and click **Finished**.

![Image.png](/.attachments/image_194.png)

### 3 - Configure outside interface

1. Navigate to *Network* -> *VLANs* -> *VLANs list* and click **Create**.
2. Enter the name as `outside-vlan`.
3. Select the outside interface from the drop-down and click **Add**.
4. Click **Finished**.
5. Navigate to *Network* -> *Self IPs* and click **Create**.
6. Enter the name as `outside-ip`, and enter the IP address and netmask of the outside interface.
7. Select the `outside-vlan` from the VLAN drop-down and click **Finished**.

![Image.png](/.attachments/image_195.png)

### 4 - Configure ICAP interface

1. Navigate to *Network* -> *VLANs* -> *VLANs list* and click **Create**.
2. Enter the name as `icap-vlan`.
3. Select the ICAP interface from the drop-down and click **Add**.
4. Click **Finished**.
5. Navigate to *Network* -> *Self IPs* and click **Create**.
6. Enter the name as `icap-ip`, and enter the IP address and netmask of the ICAP interface.
7. Select the `icap-vlan` from the VLAN drop-down and click **Finished**.

![Image.png](/.attachments/image_196.png)

## ICAP integration
### 1 - Create ICAP pool

The ICAP pool represents a pool of ICAP servers.

1. Navigate to *Local traffic* -> *Pools* and click **Create**.
2. Enter an appropriate name and description; e.g. Name - `dev-aks-icap-pool`, Description - `ICAP Pool for Dev AKS env`.
3. Under *Health monitors*, select `tcp` from the *Available* column and move it to the *Active* column.
4. Enter an appropriate **Node name**. e.g. `dev-aks-icap-node`.
5. Enter the IP address of the ICAP server, set the service port to `1344` and click **Add**.
6. Click **Finished** to save the configuration. If the health checks are successful, the status will appear in green, otherwise red.

![Image.png](/.attachments/image_197.png)

### 2 - Create HTTP pool

The HTTP pool represents a pool of web servers that need to be protected by the F5.

1. Navigate to *Local traffic* -> *Pools* and click **Create**.
2. Enter an appropriate name and description. e.g. Name - `dev-http-pool`, Description - `Onboarding web app dev`.
3. Under *Health monitors*, select `http` from the *Available* column and move it to the *Active* column.
4. Enter an appropriate **Node name**. e.g. `dev-onboarding-app-node1`.
5. Enter the IP address and port of the web server, and click **Add**.
6. Click **Finished** to save the configuration. If the health checks are successful, the status will appear green, otherwise red.

![Image.png](/.attachments/image_198.png)

### 3 - Create ICAP profile

The ICAP profile is used to send traffic from the HTTP virtual server to the ICAP server, which applies CDR to the content. In this scenario we want to process the files uploaded to the web server, so we need to use the request modification service of the ICAP server.

1. Navigate to *Local traffic* -> *Profiles* -> *Services* -> *ICAP* and click **Create**.
2. Enter an appropriate name. e.g. `dev-icap-req-mod`.
3. Select **ICAP** as the *Parent profile*.
4. Select the **Custom** box in *settings* and enter `icap://${SERVER_IP}:${SERVER_PORT}/req-cdr-service?profile=default` in the URL. You can use a custom ICAP profile if needed.
5. Complete the other fields as required and click **Finished**.

![Image.png](/.attachments/image_199.png)

### 4 - Create HTTP profile

A custom HTTP profile can be used to modify the HTTP traffic of the web server.

1. Navigate to *Local traffic* -> *Profiles* -> *Services* -> **HTTP** and click **Create**.
2. Enter an appropriate name. e.g. `dev-http-profile`.
3. Select **HTTP** as the *Parent profile*.
4. Select the **Custom** box on the *Settings* and customise the settings as required.
5. Click **Finished** to save the profile.

![Image.png](/.attachments/image_200.png)

### 5 - Create ICAP internal virtual server

An internal virtual server is a special type of virtual server used to send traffic to the ICAP server. The ICAP virtual server sits in front of the ICAP pool.

1. Navigate to *Local traffic* -> *Virtual servers* -> *Virtual servers list* and click **Create**.
2. Enter an appropriate name and description. e.g. `dev-icap-vs`.
3. Select *Type* as `Internal` and enter `0.0.0.0/0` as the source address.
4. Select `Advanced` configuration and under ICAP profile, select the ICAP profile created in Step 3.
5. Under `Default Pool`, select the ICAP pool created in Step 1.
6. Click **Finished** to save the virtual server.

![Image.png](/.attachments/image_201.png)

### 6 - Create request adapt profile

1. Navigate to *Local traffic* -> *Profiles* -> *Services* -> *Request adapt* and click **Create**.
2. Enter an appropriate name. e.g. `dev-icap-req-adapt`.
3. Under the *Parent* profile, select `requestadapt`.
4. Select the **Custom** box in *Settings*, and select the internal ICAP virtual server created in Step 5 in the internal virtual name drop-down.
5. Select the service down action as needed. This determines what action is taken when the ICAP server is down.
    - `Drop`: Drops the traffic at the HTTP virtual server.
    - `Reset`: Resets the connection on the client side.
    - `Ignore`: Sends the original traffic to the web server, so requests reach it without being processed by the ICAP server.
6. Click **Finished** to save the request adapt profile.

![Image.png](/.attachments/image_202.png)

### 7 - Create HTTP virtual server

An HTTP virtual server sits in front of the HTTP pool and provides a virtual IP address that users can use to access the protected web server.

1. Navigate to *Local traffic* -> *Virtual servers* -> *Virtual servers list* and click **Create**.
2. Enter an appropriate name. e.g. `dev-onboarding-http-vs`.
3. Enter `0.0.0.0/0` in the *Source address*.
4. Choose an IP address for the HTTP virtual server that does not conflict with any other address space and enter it as the destination address.
5. Enter the web server port as the server port.
6. Select *Advanced* configuration and select the HTTP profile created in Step 4 under `HTTP Profile(Client)`.
7. Select the request adapt profile created in Step 6 under request adapt profile.
8. Select **Auto map** under the *Source address translation* drop-down.
9. Select the HTTP pool under *Default pool* and click **Finished**.

![Image.png](/.attachments/image_203.png)

![Image.png](/.attachments/image_204.png)