Manual Chapter: About the Network Firewall

What is the BIG-IP Network Firewall?

The BIG-IP Network Firewall provides policy-based access control to and from address and port pairs, inside and outside of your network. Using a combination of contexts, the network firewall can apply rules in a number of different ways, including at the global level, per virtual server, and even for the management port or a self IP address.

By default, the Network Firewall is configured in ADC mode, a default allow configuration, in which all traffic is allowed through the firewall, and any traffic you want to block must be explicitly specified.

The system is configured in this mode by default so all traffic on your system continues to pass after you provision the Advanced Firewall Manager. You should create appropriate firewall rules to allow necessary traffic to pass before you switch the Advanced Firewall Manager to Firewall mode. In Firewall mode, a default deny configuration, all traffic is blocked through the firewall, and any traffic you want to allow through the firewall must be explicitly specified.

About firewall modes

The BIG-IP Network Firewall provides policy-based access control to and from address and port pairs, inside and outside of your network. By default, the network firewall is configured in ADC mode, which is a default allow configuration, in which all traffic is allowed to virtual servers and self IPs on the system, and any traffic you want to block must be explicitly specified. This applies only to the Virtual Server & Self IP level on the system.

Important: If a packet matches no rule in any context on the Advanced Firewall System, a Global Drop rule drops the traffic.

Configuring the Network Firewall in ADC mode

Use this task to configure the BIG-IP® Network Firewall in ADC mode.
Note: The firewall is configured by default in ADC mode. Use this task to set the firewall back to ADC mode if you have changed the firewall setting to Firewall mode.
  1. On the Main tab, click Security > Options > Network Firewall. The Firewall Options screen opens.
  2. From the Virtual Server & Self IP Contexts list, select the default action Accept for the self IP and virtual server contexts.
  3. Click Update. The virtual server and self IP contexts for the firewall are changed.

Configuring the Network Firewall in Firewall mode

Use this procedure to configure the BIG-IP® Network Firewall in Firewall mode, with a default deny policy on all self IPs and virtual servers.
  1. On the Main tab, click Security > Options > Network Firewall. The Firewall Options screen opens.
  2. From the Virtual Server & Self IP Contexts list, select the default action Drop for the self IP and virtual server contexts.
  3. Click Update. The default Virtual Server and Self IP firewall context is changed.
If you are using ConfigSync to synchronize two or more devices, and you set the default action to Drop or Reject, you must apply the built-in firewall rules _sys_self_allow_defaults or _sys_self_allow_management to the specific self IPs that are used to support those services. To do this, add a new rule with the Self IP context, select the Self IP, and select the Rule List rule type. Select the preconfigured rules from the list of rule lists.
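The following is an added example, not F5 code or a tmsh procedure from this manual: a simplified model of how the two modes decide the fate of a packet that matches no rule in any context, plus a pre-flight check for the ConfigSync caveat above. The context list, rule fields and helper names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str                    # "accept" or "drop"
    dst_port: Optional[int] = None # None matches any destination port
    src: str = "0.0.0.0/0"         # source prefix the rule applies to

def rule_matches(rule: Rule, src_ip: str, dst_port: int) -> bool:
    in_src = ip_address(src_ip) in ip_network(rule.src)
    return in_src and (rule.dst_port is None or rule.dst_port == dst_port)

def evaluate(contexts: List[Tuple[str, List[Rule]]], mode: str,
             src_ip: str, dst_port: int) -> Tuple[str, str]:
    """Walk the contexts in order (e.g. global, then self IP or virtual
    server). The first matching rule wins. If nothing matches, the
    Virtual Server & Self IP default action decides: Accept in ADC mode,
    Drop in Firewall mode (modelled here as the Global Drop rule)."""
    for ctx_name, rules in contexts:
        for rule in rules:
            if rule_matches(rule, src_ip, dst_port):
                return rule.action, f"{ctx_name}:{rule.name}"
    if mode == "adc":
        return "accept", "default-accept (ADC mode)"
    return "drop", "global-drop (Firewall mode)"

# Built-in rule lists the manual says must be applied to self IPs that
# carry ConfigSync before the default action is switched to Drop/Reject.
SYS_SELF_RULE_LISTS = {"_sys_self_allow_defaults", "_sys_self_allow_management"}

def configsync_preflight(self_ip_rule_lists: Dict[str, List[str]],
                         configsync_self_ips: List[str]) -> List[str]:
    """Return the ConfigSync self IPs that have neither built-in rule
    list applied, i.e. the ones that would lose sync in Firewall mode."""
    return [ip for ip in configsync_self_ips
            if not SYS_SELF_RULE_LISTS & set(self_ip_rule_lists.get(ip, []))]

if __name__ == "__main__":
    # Constructed sample: one self IP rule permitting HTTPS from the LAN.
    ctx = [("global", []),
           ("self-ip 10.0.1.5", [Rule("allow-https", "accept", 443, "10.0.0.0/8")])]
    print(evaluate(ctx, "firewall", "10.0.9.9", 443))  # matches the rule
    print(evaluate(ctx, "firewall", "10.0.9.9", 22))   # no match: global drop
    print(evaluate(ctx, "adc", "10.0.9.9", 22))        # no match: accepted
    print(configsync_preflight({"10.0.1.5": ["_sys_self_allow_defaults"],
                                "10.0.2.5": []}, ["10.0.1.5", "10.0.2.5"]))
```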