Manual Chapter: About Firewall Rules

About firewall rules

The BIG-IP Network Firewall uses rules to specify traffic handling actions. A rule includes:

Context
The category of object to which the rule applies. Rules can be global and apply to all addresses on the BIG-IP that match the rule, or they can be specific, applying only to a specific virtual server, or the management port.
Rule or Rule List
Specifies whether the configuration applies to this specific rule, or to a group of rules.
Source Address
One or more addresses or address lists behind the firewall to which the rule applies.
Source Port
The ports or lists of ports on the system behind the firewall to which the rule applies.
VLAN
Specifies VLANs behind the firewall to which the rule applies.
Destination Address
One or more addresses or address lists outside of the firewall to which the rule applies.
Destination Port
The ports or lists of ports outside of the firewall to which the rule applies.
Protocol
The protocol (TCP, UDP, ICMP, ICMPv6, or Any) to which the rule applies. You can select one specific protocol, but not two protocols. To select more than one protocol, select Any.
Schedule
Specifies a schedule for the firewall rule. You configure schedules to define days and times when the firewall rule is made active.
Action
Specifies the action (accept, accept decisively, drop, or reject) for the firewall rule.
Logging
Specifies whether logging is enabled or disabled for the firewall rule.

Firewall actions

These listed actions are available in a firewall rule.

Firewall actions are processed within a context. If traffic matches a firewall rule within a given context, that action is applied to the traffic, and the traffic is then processed again at the next context.

Accept
Allows packets with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
Accept Decisively
Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted decisively, traverse the system as if the firewall is not present, and are not processed by rules in any further context after the accept decisively action applies. If you want a packet to be accepted in one context, and not to be processed in any remaining context or by the default firewall rules, specify the accept decisively action. For example, if you want to allow all packets from Network A to reach every server behind your firewall, you can specify a rule that accepts decisively at the global context, from that Network A, to any port and address. Then, you can specify that all traffic is blocked at a specific virtual server, using the virtual server context. Because traffic from Network A is accepted decisively at the global context, that traffic still traverses the virtual server.
Drop
Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
Reject
Rejects packets with the specified source, destination, and protocol. Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. For example, if the protocol is TCP, a TCP RST message is sent. For Management port rules, an ICMP destination unreachable message is sent. One benefit of using Reject is that the sending application is notified after only one attempt that the connection cannot be established.

What is firewall context?

With the BIG-IP network firewall, you use a context to configure the level of specificity of a firewall rule. For example, you might make a global context rule to block ICMP ping messages, and you might make a virtual server context rule to allow only a specific network to access an application.

Context is processed in the following order.

  1. Global
  2. Route Domain
  3. Virtual Server / Self IP
  4. Management Port*
  5. Global Drop*

Rules progress from the Global context, to the Route Domain context, and then to either the Virtual Server or Self IP context. Management port rules are processed separately, and are not processed after previous rules. Rules can be viewed in one list, and viewed and reorganized separately within each context.

Important: You cannot configure or change the Global Drop context. The Global Drop context is the final context for traffic. Note that even though it is a Global context, it is not processed first, like the main global context, but last. If a packet matches no rule in any previous context, the Global Drop rule drops the traffic.
[Figure: Firewall context hierarchy]

Firewall context descriptions

When you create a firewall rule, you can select one of these listed contexts. Rules for each context form their own list and are processed both in the context hierarchy, and in the order within each context list.

Global
Global rules are collected in this firewall context. Global rules apply to all traffic that traverses the firewall, and global rules are checked first.
Route Domain
Route domain rules are collected in this context. Route domain rules apply to a specific route domain defined on the server. Route domain rules are checked after global rules. If you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context; however, if you configure another route domain after this, Route Domain 0 is no longer usable as a global context.
Virtual Server
Virtual server rules are collected in this context. Virtual server rules apply to the selected existing virtual server only. Virtual server rules are checked after route domain rules.
Self IP
The Self IP context collects firewall rules that apply to the self IP address on the BIG-IP® device. Self IP rules are checked after route domain rules.
Management Port
The Management Port context collects firewall rules that apply to the management port on the BIG-IP device. Management port rules are checked independently of previous rules.
Global Drop
The Global Drop rule drops all traffic that does not match any rule in a previous context.
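The following is an added example, not F5 code and not part of this manual: a small simulator of the rule semantics this chapter describes. Contexts are walked in the order Global, Route Domain, Virtual Server; a plain Accept hands the packet to the next context, Accept Decisively ends evaluation, Drop and Reject stop it with a deny, the Management Port list is checked on its own, and the implicit Global Drop catches anything that matched no rule. The policy, rule names and addresses are constructed for illustration (documentation address ranges), and the one-rule-per-context matching and the Self IP/Virtual Server merge into a single third context are simplifying assumptions of the example.

```python
# Added example (not F5 code): simulator of the context/action semantics on this page.
# Policy, rule names and addresses are constructed; matching is a simplification.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Order from the chapter: Global, Route Domain, then Virtual Server (or Self IP).
# Management port rules are evaluated on their own (see evaluate_management).
CONTEXT_ORDER = ("global", "route_domain", "virtual_server")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str               # "accept", "accept_decisively", "drop", "reject"
    proto: str = "any"        # one protocol or "any" (the page allows one, not two)
    src: str = "any"          # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None
    enabled: bool = True      # a Disabled rule never matches
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(policy: dict, pkt: Packet):
    """Walk the contexts in order. Returns (verdict, context, rule_name, trail);
    trail lists every (context, rule, action) that matched, i.e. what a rule with
    Logging enabled would have reported."""
    trail = []
    matched = None
    for ctx in CONTEXT_ORDER:
        for rule in policy.get(ctx, []):
            if not rule.matches(pkt):
                continue
            trail.append((ctx, rule.name, rule.action))
            if rule.action in ("drop", "reject"):
                return rule.action, ctx, rule.name, trail
            if rule.action == "accept_decisively":
                return "accept", ctx, rule.name, trail   # no further contexts
            matched = (ctx, rule.name)                   # plain accept: go on
            break                                        # first match per context wins
    if matched:
        return "accept", matched[0], matched[1], trail
    trail.append(("global_drop", "<implicit>", "drop"))  # nothing matched anywhere
    return "drop", "global_drop", "<implicit>", trail


def evaluate_management(policy: dict, pkt: Packet):
    """Management port rules are checked independently of the other contexts."""
    for rule in policy.get("management_port", []):
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "<implicit>"


def reject_response(pkt: Packet, context: str) -> str:
    """What the sender sees on Reject, per the page: TCP gets a RST; management
    port rules (and non-TCP traffic) get an ICMP destination unreachable."""
    if context != "management_port" and pkt.proto == "tcp":
        return "TCP RST"
    return "ICMP destination unreachable"


# Constructed policy mirroring the chapter's example: Network A (10.1.0.0/16) is
# accepted decisively at the global context, while the virtual server context
# allows one partner network to HTTPS and rejects everything else.
POLICY = {
    "global": [
        Rule("block-ping", "drop", proto="icmp"),
        Rule("network-a", "accept_decisively", src="10.1.0.0/16"),
    ],
    "route_domain": [],
    "virtual_server": [
        Rule("partner-https", "accept", proto="tcp", src="198.51.100.0/24",
             dst="192.0.2.10/32", dport=443, log=True),
        Rule("deny-all", "reject"),
    ],
    "management_port": [
        Rule("admin-ssh", "accept", proto="tcp", src="10.9.0.0/24", dport=22),
        Rule("mgmt-deny", "reject"),
    ],
}

if __name__ == "__main__":
    for pkt in (Packet("10.1.0.5", "192.0.2.10", "tcp", 80),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.9", "192.0.2.10", "udp", 53),
                Packet("203.0.113.9", "192.0.2.10", "icmp")):
        print(pkt, "->", evaluate(POLICY, pkt))
```

Running the module shows the four outcomes side by side: the Network A packet never reaches the virtual server's deny-all because it was accepted decisively at the global context, the partner HTTPS packet is accepted at the virtual server after passing through the global and route domain contexts unmatched, the stray UDP packet is rejected by deny-all, and the ping is dropped at the global context before any later context sees it.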

Creating a network firewall rule

If you are going to specify address lists or port lists with this rule, you must create these lists before creating the firewall rule, or add them after you save the rule.
Create a network firewall rule to manage access from an IP or web network address to a specified network location, server, or address behind a BIG-IP® system.
Note: You cannot add rules created with this task to a rule list at a later time. You must create rules for a rule list from within the rule list.
  1. On the Main tab, click Security > Network Firewall > Active Rules. The Active Rules screen opens.
  2. Click Add to add a firewall rule to the list.
  3. From the Context list, select the context for the firewall rule. For a firewall rule in a rule list, the Rule List context is predefined and cannot be changed.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the Type list, select whether you are creating a standalone network firewall rule or creating the rule from a predefined rule list. If you create a firewall rule from a predefined rule list, most options for creating a firewall rule do not apply.
  6. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the selected schedule to the firewall rule.
  7. From the Schedule list, select the schedule for the firewall rule. This schedule is applied when the firewall rule state is set to Scheduled.
  8. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select UDP to apply the rule to the UDP protocol only.
    • Select TCP to apply the rule to the TCP protocol only.
    • Select ICMP to apply the rule to the ICMP protocol only. When you select ICMP, new options appear on the screen, which you can use to add one or more specific ICMP codes to the firewall rule. To add an ICMP type and code, from the Type list select the ICMP code type, or select Any. From the Code list, select a specific code, or select Any.
      Important: ICMP is handled by BIG-IP at the global or route domain level. Because of this, ICMP messages typically receive a response before they reach the virtual server context. ICMP messages do not apply to the self IP or management port contexts. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context.
    • Select ICMPv6 to apply the rule to the ICMP protocol for IPv6 only. When you select ICMPv6, new options appear on the screen, which you can use to add one or more specific ICMPv6 codes to the firewall rule. To add an ICMPv6 type and code, from the Type list select the ICMPv6 code type, or select Any. From the Code list, select a specific code, or select Any. Click Add to add the option to the rule.
      Important: ICMP is handled by BIG-IP at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. ICMP messages do not apply to the self IP or management port contexts. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context.
    • Select Other to apply the firewall rule to another port that you specify, then type the port in the field.
    Note: You must select a protocol if you specify ports.
  9. From the Source Address list, select the type of source address to which this rule applies.
    • Select Any to have the rule apply to any IP address behind the firewall.
    • Select List to select a predefined list of addresses behind the firewall, to which the rule applies. To use an address list with this rule, move the list from the Available list to the Selected list by clicking the << button. Similarly, to remove the list from this rule, click the >> button to move the list from the Selected list to the Available list.
    • Select Specify to specify one or more IP addresses behind the firewall to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
  10. From the Source Port list, select the type of source ports to which this rule applies.
    • Select Any to have the rule apply to any port behind the firewall.
    • Select List to select a predefined list of ports behind the firewall to which the rule applies. To use a port list with this rule, move the list from the Available list to the Selected list by clicking the << button. Similarly, to remove the list from this rule, click the >> button to move the list from the Selected list to the Available list.
    • Select Specify to specify a port or port range behind the firewall to which the rule applies. You can select Single Port to type a single port number into the Port field, then click Add to add the port to the port list. You can select Port Range to type two port numbers into the Port fields, then click Add to add the range of ports to the port list.
  11. From the Source VLAN list, select the VLAN to which this rule applies.
    • Select Any to have the rule apply to any VLAN behind the firewall.
    • Select Specify to specify one or more VLANs behind the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list by clicking the << button. Similarly, to remove the VLAN from this rule, click the >> button to move the VLAN from the Selected list to the Available list.
  12. From the Destination Address list, select the type of destination address to which this rule applies.
    • Select Any to have the rule apply to any IP address outside of the firewall.
    • Select List to select a predefined list of addresses outside of the firewall, to which the rule applies. To use an address list with this rule, move the list from the Available list to the Selected list by clicking the << button. Similarly, to remove the list from this rule, click the >> button to move the list from the Selected list to the Available list.
    • Select Specify to specify one or more IP addresses outside of the firewall to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
  13. From the Destination Port list, select the type of destination ports to which this rule applies.
    • Select Any to have the rule apply to any port outside of the firewall.
    • Select List to select a predefined list of ports outside of the firewall to which the rule applies. To use a port list with this rule, move the list from the Available list to the Selected list by clicking the << button. Similarly, to remove the list from this rule, click the >> button to move the list from the Selected list to the Available list.
    • Select Specify to specify a port or port range outside of the firewall to which the rule applies. You can select Single Port to type a single port number into the Port field, then click Add to add the port to the port list. You can select Port Range to type two port numbers into the Port fields, then click Add to add the range of ports to the port list.
  14. From the Action list, select the firewall action to apply to traffic of the specified protocol that matches the specified source and destination. Choose one of these actions:
    Accept
    Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Accept Decisively
    Allows packets with the specified source, destination, and protocol to pass through the firewall, and the packets are not processed by rules in any further context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop
    Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject
    Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender.
  15. From the Logging list, enable or disable logging for the firewall rule.
  16. Click Finished. The list screen opens and displays the new rule.
The new firewall rule is created.
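The following is an added example, not F5 code and not part of this manual: a pre-flight check that applies the constraints stated in this procedure to a rule before it is entered on the screen. It checks that ports are only given together with a protocol, that a Scheduled rule has a schedule, that port ranges are well formed, that ICMP and ICMPv6 rules are placed in the global or route domain context where they take effect, and that the Global Drop context is not used as a rule context. Field names mirror the screen, but the RuleSpec class, the problem codes, the treatment of the Other protocol value as a number, and the sample rules are all constructed for this example.

```python
# Added example (not F5 code): pre-flight validation of a rule against the
# constraints this procedure states. Codes and sample rules are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CONTEXTS = {"global", "route_domain", "virtual_server", "self_ip", "management_port", "rule_list"}
PROTOCOLS = {"any", "tcp", "udp", "icmp", "icmpv6", "other"}
ACTIONS = {"accept", "accept_decisively", "drop", "reject"}
STATES = {"enabled", "disabled", "scheduled"}
PortRange = Tuple[int, int]          # (low, high); a single port is (p, p)


@dataclass
class RuleSpec:
    name: str
    context: str
    action: str
    protocol: str = "any"             # exactly one protocol; "any" covers more than one
    other_value: Optional[int] = None  # value typed in the field when protocol is "other" (assumed numeric)
    state: str = "enabled"
    schedule: Optional[str] = None
    source_ports: List[PortRange] = field(default_factory=list)
    destination_ports: List[PortRange] = field(default_factory=list)
    icmp_types: List[Tuple[str, str]] = field(default_factory=list)  # (type, code); "any" allowed
    logging: bool = False


def validate(rule: RuleSpec) -> List[str]:
    """Return a list of problem codes; an empty list means the rule is
    consistent with the constraints stated in the procedure."""
    problems: List[str] = []
    if rule.context == "global_drop":
        problems.append("GLOBAL_DROP_NOT_CONFIGURABLE")     # it is the implicit final context
    elif rule.context not in CONTEXTS:
        problems.append("UNKNOWN_CONTEXT")
    if rule.action not in ACTIONS:
        problems.append("UNKNOWN_ACTION")
    if rule.protocol not in PROTOCOLS:
        problems.append("UNKNOWN_PROTOCOL")
    elif rule.protocol == "other" and rule.other_value is None:
        problems.append("OTHER_PROTOCOL_VALUE_MISSING")
    if rule.state not in STATES:
        problems.append("UNKNOWN_STATE")
    elif rule.state == "scheduled" and not rule.schedule:
        problems.append("SCHEDULED_WITHOUT_SCHEDULE")        # Scheduled applies the selected schedule
    ports = rule.source_ports + rule.destination_ports
    if ports and rule.protocol == "any":
        problems.append("PORTS_WITHOUT_PROTOCOL")           # "you must select a protocol if you specify ports"
    for low, high in ports:
        if not (1 <= low <= high <= 65535):
            problems.append(f"BAD_PORT_RANGE:{low}-{high}")
    if rule.protocol in ("icmp", "icmpv6"):
        if rule.context in ("virtual_server", "self_ip", "management_port"):
            # ICMP is answered at the global or route domain level before these contexts see it
            problems.append("ICMP_RULE_IN_WRONG_CONTEXT")
    elif rule.icmp_types:
        problems.append("ICMP_TYPES_WITHOUT_ICMP_PROTOCOL")
    return problems


# Constructed sample rules
GOOD_RULE = RuleSpec("allow-https", "virtual_server", "accept", protocol="tcp",
                     destination_ports=[(443, 443)], logging=True)
ICMP_RULE = RuleSpec("block-ping", "global", "drop", protocol="icmp", icmp_types=[("8", "any")])
BAD_RULE = RuleSpec("broken", "self_ip", "accept", protocol="any",
                    state="scheduled", source_ports=[(1024, 65536)])

if __name__ == "__main__":
    for r in (GOOD_RULE, ICMP_RULE, BAD_RULE):
        print(r.name, validate(r) or "ok")
```

The broken sample trips three checks at once (a Scheduled state with no schedule, ports given while the protocol is Any, and a port range that runs past 65535), which is the kind of rule the screen would otherwise let you click through step by step.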

Creating a network firewall rule list

Use this procedure to create a firewall rule list, to which you can add firewall rules.
  1. On the Main tab, click Security > Network Firewall > Rule Lists. The Rule Lists screen opens.
  2. Click the Create button to create a new rule list.
  3. In the Name and Description fields, type the name and an optional description.
  4. Click Finished. The list screen opens and displays the new rule list.
The new rule list appears in the list.
Add firewall rules to the rule list to define source, destination, and firewall actions.

Adding a network firewall rule to a rule list

Before you add a firewall rule to a rule list, you must create a rule list.
Use this procedure to add a firewall rule to a rule list.
  1. On the Main tab, click Security > Network Firewall > Rule Lists. The Rule Lists screen opens.
  2. In the list, click the name of a rule list you previously created. The Rule List properties screen opens.
  3. Click Add to add a firewall rule to the list.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the selected schedule to the firewall rule.
  6. From the Schedule list, select the schedule for the firewall rule. This schedule is applied when the firewall rule state is set to Scheduled.
  7. From the Source Address list, select the type of source address to which this rule applies.
    • Select Any to have the rule apply to any IP address behind the firewall.
    • Select List to select a predefined list of addresses behind the firewall, to which the rule applies. To use an address list with this rule, move the list from the Available list to the Selected list by clicking the << button. Similarly, to remove the list from this rule, click the >> button to move the list from the Selected list to the Available list.
    • Select Specify to specify one or more IP addresses behind the firewall to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
  8. From the Source Port list, select the type of source ports to which this rule applies.
    • Select Any to have the rule apply to any port behind the firewall.
    • Select List to select a predefined list of ports behind the firewall to which the rule applies. To use a port list with this rule, move the list from the Available list to the Selected list by clicking the << button. Similarly, to remove the list from this rule, click the >> button to move the list from the Selected list to the Available list.
    • Select Specify to specify a port or port range behind the firewall to which the rule applies. You can select Single Port to type a single port number into the Port field, then click Add to add the port to the port list. You can select Port Range to type two port numbers into the Port fields, then click Add to add the range of ports to the port list.
  9. From the Source VLAN list, select the VLAN to which this rule applies.
    • Select Any to have the rule apply to any VLAN behind the firewall.
    • Select Specify to specify one or more VLANs behind the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list by clicking the << button. Similarly, to remove the VLAN from this rule, click the >> button to move the VLAN from the Selected list to the Available list.
  10. From the Destination Address list, select the type of destination address to which this rule applies.
    • Select Any to have the rule apply to any IP address outside of the firewall.
    • Select List to select a predefined list of addresses outside of the firewall, to which the rule applies. To use an address list with this rule, move the list from the Available list to the Selected list by clicking the << button. Similarly, to remove the list from this rule, click the >> button to move the list from the Selected list to the Available list.
    • Select Specify to specify one or more IP addresses outside of the firewall to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
  11. From the Destination Port list, select the type of destination ports to which this rule applies.
    • Select Any to have the rule apply to any port outside of the firewall.
    • Select List to select a predefined list of ports outside of the firewall to which the rule applies. To use a port list with this rule, move the list from the Available list to the Selected list by clicking the << button. Similarly, to remove the list from this rule, click the >> button to move the list from the Selected list to the Available list.
    • Select Specify to specify a port or port range outside of the firewall to which the rule applies. You can select Single Port to type a single port number into the Port field, then click Add to add the port to the port list. You can select Port Range to type two port numbers into the Port fields, then click Add to add the range of ports to the port list.
  12. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select UDP to apply the rule to the UDP protocol only.
    • Select TCP to apply the rule to the TCP protocol only.
    • Select ICMP to apply the rule to the ICMP protocol only. When you select ICMP, new options appear on the screen, which you can use to add one or more specific ICMP codes to the firewall rule. To add an ICMP type and code, from the Type list select the ICMP code type, or select Any. From the Code list, select a specific code, or select Any.
      Important: ICMP is handled by BIG-IP at the global or route domain level. Because of this, ICMP messages typically receive a response before they reach the virtual server context. ICMP messages do not apply to the self IP or management port contexts. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context.
    • Select ICMPv6 to apply the rule to the ICMP protocol for IPv6 only. When you select ICMPv6, new options appear on the screen, which you can use to add one or more specific ICMPv6 codes to the firewall rule. To add an ICMPv6 type and code, from the Type list select the ICMPv6 code type, or select Any. From the Code list, select a specific code, or select Any. Click Add to add the option to the rule.
      Important: ICMP is handled by BIG-IP at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. ICMP messages do not apply to the self IP or management port contexts. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context.
    • Select Other to apply the firewall rule to another port that you specify, then type the port in the field.
    Note: You must select a protocol if you specify ports.
  13. From the Action list, select the firewall action to apply to traffic of the specified protocol that matches the specified source and destination. Choose one of these actions:
    Accept
    Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Accept Decisively
    Allows packets with the specified source, destination, and protocol to pass through the firewall, and the packets are not processed by rules in any further context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop
    Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject
    Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender.
  14. From the Logging list, enable or disable logging for the firewall rule.
  15. Click Finished. The list screen opens and displays the new rule.
A new firewall rule is created, and appears in the Rules list.