Manual Chapter : Configuring BIG-IP Network Firewall Policies

Applies To:


BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Configuring BIG-IP Network Firewall Policies

About firewall policies

BIG-IP® Network Firewall policies combine one or more inline rules or rule lists and apply them, as a single policy, to one or more contexts. A policy is applied to a context directly and cannot coexist in that context with inline rules: you configure a context to enforce either a firewall policy or inline rules, never both. Firewall context precedence still applies across contexts, however. Inline rules at the global context, for example, are evaluated first and take effect even if they contradict rules applied at a lower-precedence context, such as a virtual server.

You can apply a network firewall policy as a staged policy, while continuing to enforce existing inline rules, or you can apply one firewall policy while staging another policy. A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules.

Creating a Network Firewall policy

Use this procedure to create a BIG-IP® Network Firewall policy.
  1. On the Main tab, click Security > Network Firewall > Policies.
    The Policies screen opens.
  2. Click Create to create a new policy.
  3. Type a name and optional description for the firewall policy.
  4. Click Finished.
The Policies screen shows the new policy in the policy list.
A new policy contains no rules and has no effect until you add firewall rules or rule lists to it.

Creating a Network Firewall policy rule

If you are going to specify address lists or port lists to use with this rule, you must create these lists before creating the firewall policy rule, or add them after you save the policy rule.
Create a network firewall policy rule to control access from a source IP address or network to a network, server, or address behind the BIG-IP® system.
Note: You cannot add rules created with this task to a rule list at a later time. You must create rules for a rule list from within the rule list. Similarly, you cannot reuse rules created in a policy as inline rules in another context, though a policy rule can reference a rule list.
  1. On the Main tab, click Security > Network Firewall > Policies.
    The Policies screen opens.
  2. Click the name of the network firewall policy to which you want to add rules.
  3. In the Rules area, click Add to add a firewall rule to the list.
  4. From the Type list, select whether you are creating a standalone network firewall policy rule or creating a rule list.
    If you create a firewall policy rule list, only the Name, Description, and State options apply, and you must select or create a rule list to include.
  5. From the Order list, select an order modifier.
    You can add the rule before or after an existing rule, or you can add it first or last in the rule list. Rules are added in the last position by default.
  6. In the Name and Description fields, type the name and an optional description.
  7. From the State list, select the rule state.
    • Select Enabled to apply the firewall policy rule to the addresses and ports specified.
    • Select Disabled to set the firewall policy rule to not apply at all.
    • Select Scheduled to apply the firewall policy according to the selected schedule.
  8. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create an inline rule for ICMP or ICMPv6 on a Self IP context. You can apply a rule list to a self IP that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
    Note: You must select a protocol if you specify ports.
  9. From the Source Address/Region list, select the type of source address to which this rule applies.
    • Select Any to have the rule apply to any packet source IP address.
    • Select Specify and click Address to specify one or more packet source IP addresses to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Source address list.
  10. From the Source Port list, select the type of packet source ports to which this rule applies.
    • Select Any to have the rule apply to any packet source port.
    • Select Specify and click Port to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  11. From the Source VLAN/Tunnel list, select the VLAN on which this rule applies.
    • Select Any to have the rule apply to traffic on any VLAN through which traffic enters the firewall.
    • Select Specify to specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list by clicking the << button. Similarly, to remove the VLAN from this rule, click the >> button to move the VLAN from the Selected list to the Available list.
  12. From the Destination Address/Region list, select the type of packet destination address to which this rule applies.
    • Select Any to have the rule apply to any IP packet destination address.
    • Select Specify and click Address to specify one or more packet destination IP addresses to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Destination address list.
  13. From the Destination Port list, select the type of packet destination ports to which this rule applies.
    • Select Any to have the rule apply to any port inside the firewall.
    • Select Specify and click Port to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  14. Optionally, from the iRule list, select an iRule to start if the rule matches traffic.
  15. From the Action list, select the firewall action for traffic that matches the rule's source, destination, and protocol. Choose one of these actions:
    Accept
      Allows matching packets through this firewall context. Accepted packets traverse the system as if this context's firewall were not present, but they are still evaluated against rules in lower-precedence contexts.
    Accept Decisively
      Allows matching packets through and exempts them from further firewall processing in any lower-precedence context. Use it deliberately: a decisive accept at the global or route domain context overrides any drop or reject rule on the virtual servers and self IPs below it.
    Drop
      Silently discards matching packets; neither the source nor the destination is notified. The source typically keeps retrying until its own retry threshold is reached, so a drop fails slowly but reveals nothing about the firewall.
    Reject
      Discards matching packets and sends a destination unreachable message to the sender. The sender fails fast, at the cost of learning that a filtering device is present.
  16. From the Logging list, enable or disable logging for the firewall rule. Enable logging on rules whose results you need to see in the event log; a staged policy in particular produces no visible result unless its rules log.
  17. Click Finished.
    The list screen and the new item are displayed.
The new firewall policy rule is created.

Setting a global firewall policy

The global context has the highest firewall precedence, so a policy enforced or staged here applies to all traffic entering the system before lower-precedence contexts, such as route domains, self IPs, and virtual servers, are evaluated.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  2. Under Active Network Firewall Rules, click the Global link.
    The Global Firewall Rules screen opens.
  3. To enforce rules from a firewall policy in the selected context, in the Network Firewall area, from the Enforcement list, select Policy Rules, then select the firewall policy to enforce from the Policy list.
  4. To stage rules from a firewall policy in the selected context, in the Network Firewall area, from the Staging list, select Enabled, then select the firewall policy to stage from the Policy list.
The policy rules you selected are enforced at the global level. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

Configuring a route domain with a firewall policy

Before you can configure a route domain with a firewall policy, you need a pre-existing route domain.
On a route domain, you can set firewall policies for enforcement and staging. Use this task to set firewall policies on an existing route domain. You create route domains on the BIG-IP® system to segment (isolate) traffic on your network; they are useful for multi-tenant configurations.
  1. On the Main tab, click Network > Route Domains.
    The Route Domain List screen opens.
  2. Click the name of the route domain to show the route domain configuration.
  3. Click on the Security tab.
  4. To enforce rules from a firewall policy on the route domain, in the Network Firewall area, from the Enforcement list, select Policy Rules, then select the firewall policy to enforce from the Policy list.
  5. To stage rules from a firewall policy on the route domain, in the Network Firewall area, from the Staging list, select Enabled, then select the firewall policy to stage from the Policy list.
  6. To enforce any inline rules that apply to the route domain, and not apply a firewall policy, in the Network Firewall area, from the Enforcement list, select Inline Rules.
  7. Click Update to save the changes to the route domain.
Now, you have configured a route domain on the BIG-IP system, with either firewall policies or inline rules enforced at the route domain context.

Setting network firewall policies for a self IP address

Ensure that you have created a self IP address.
You can configure network firewall rules at a self IP address by inline rule, or you can enforce a firewall policy. You can also stage a firewall policy to check the effect without affecting traffic.
  1. On the Main tab, click Network > Self IPs.
    The Self IPs screen opens.
  2. Click on the self IP address to which you want to add a network firewall policy.
  3. Click the Security tab.
  4. To enforce rules from a firewall policy on the self IP, in the Network Firewall area, from the Enforcement list, select Policy Rules, then select the firewall policy to enforce from the Policy list.
  5. To stage rules from a firewall policy on the self IP, in the Network Firewall area, from the Staging list, select Enabled, then select the firewall policy to stage from the Policy list.
  6. To enforce any inline rules that apply to the self IP, and not apply a firewall policy, in the Network Firewall area, from the Enforcement list, select Inline Rules.
  7. Click Update to save the changes to the self IP.
The selected self IP now enforces or stages rules according to your selections.

Creating a virtual server with a firewall policy

You can create a virtual server with a firewall policy, to provide policy-based network firewall actions at the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type * or select * All Ports from the list.
  6. Click Finished.
  7. Click the name of the virtual server you want to modify.
  8. On the menu bar, click Security > Policies.
    The screen displays Policy settings and Inline Rules settings.
  9. To enforce rules from a firewall policy on the virtual server, in the Network Firewall area, from the Enforcement list, select Policy Rules, then select the firewall policy to enforce from the Policy list.
  10. To stage rules from a firewall policy on the virtual server, in the Network Firewall area, from the Staging list, select Enabled, then select the firewall policy to stage from the Policy list.
  11. Click Update to save the changes.
The policy rules you selected are enforced on the virtual server. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

About firewall policy compilation

When you apply a rule list or policy to a context, the BIG-IP system compiles it, which consumes system resources. You can view the resources used by the most recent compilation on the context page. Compiler statistics are displayed for these items:

Activation Time
Displays the time at which firewall policies or rule lists were last activated on this context.
Compilation Duration
Displays the amount of time required to compile the rule sets or policies at the last activation.
Compilation Size
Displays the file size of the compiled rule sets or policies, after the last activation.
Maximum Transient Memory
Displays the maximum memory used to compile the rule sets or policies during the last activation.

Viewing compilation statistics for a firewall rule or policy

You can view the most recent compilation statistics for a rule list or policy on the Global Context, or on a Route Domain, Self IP, or Virtual Server context.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  2. From the Context list, select All.
  3. Click on the name of the context for which you want to view statistics.
    For example, the Global Context is always called Global. A virtual server or self IP has the name you assigned when you created it, for example vs_http_134 or self_lb_11. A route domain is identified by its number, for example 0.
  4. View statistics for rule compilation.
    • In the Global Context, from the Policy Settings list, select Advanced.
    • In a Route Domain, Self IP, or Virtual Server context, click the Security tab. Then, from the Policy Settings list, select Advanced.
Statistics are displayed for the most recent rule list and policy compilation on the selected context.

Viewing enforced and staged policy rule logs

With BIG-IP® Advanced Firewall Manager™, you can choose to enforce either inline firewall rules or a firewall policy for a specific context. You can also choose to stage policies for a specific context. Staged policies apply all of the specified firewall rules to the policy context, but do not enforce the firewall action. Therefore, the result of a staged policy is informational only, and the result can be analyzed in the firewall logs.

A staged policy on a particular context might not behave the same after you change it to an enforcement policy. Because there can be multiple staged policies on different contexts, the staged policy results you see (in logs and stats) are actually the aggregate of all staged policies on all contexts. Thus, if you enforce a previously staged policy on one or more contexts, but other staged policies remain on other contexts that you do not enforce, the actual enforced results might differ from what you expected from viewing logs and statistics for staged rules.

Important: You must enable logging for a policy, if you want to view the results of staged or enforced rules in the logs.
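The action semantics in the rule procedure (Accept versus Accept Decisively, Drop, Reject), the context-precedence point from the policy overview, and the staging caveat in the preceding paragraph are easier to reason about on a concrete packet. The following Python model is an added example and is not F5 code. It assumes a fixed context order (global, then route domain, then virtual server), first-match evaluation within a context, and that Accept passes the packet on to the next context while Accept Decisively, Drop and Reject end evaluation; the implicit action when nothing matches is left as a parameter because on a real system it depends on firewall mode. The context names, addresses and rules are invented.

```python
"""Toy model of BIG-IP AFM packet evaluation across firewall contexts.

Added example, not F5 code. Assumptions (labelled): contexts are checked in
CONTEXT_ORDER; the first matching rule in a context wins; "accept" hands the
packet to the next context while "accept-decisively", "drop" and "reject" end
evaluation; a staged policy is evaluated and logged at its context but never
changes the outcome; the implicit action when nothing matches is a parameter.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

CONTEXT_ORDER = ("global", "route-domain", "virtual-server")  # assumed precedence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                   # accept | accept-decisively | drop | reject
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, ...] = ()  # empty means any destination port
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        return (self.enabled
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


@dataclass
class Policy:
    name: str
    rules: List[Rule]

    def first_match(self, p: Packet) -> Optional[Rule]:
        return next((r for r in self.rules if r.matches(p)), None)


@dataclass
class Context:
    kind: str                     # one of CONTEXT_ORDER
    name: str
    enforced: Optional[Policy] = None
    staged: Optional[Policy] = None


def evaluate(contexts, p: Packet, default_action: str = "accept"):
    """Return (final_action, enforced_log, staged_log) for one packet.

    Log entries are (context, policy, rule, action); a staged entry whose
    rule is None means the staged policy had no matching rule there.
    """
    enforced_log, staged_log = [], []
    for ctx in sorted(contexts, key=lambda c: CONTEXT_ORDER.index(c.kind)):
        if ctx.staged:                      # logged only, never enforced
            r = ctx.staged.first_match(p)
            staged_log.append((ctx.name, ctx.staged.name,
                               r.name if r else None, r.action if r else None))
        if ctx.enforced:
            r = ctx.enforced.first_match(p)
            if r:
                enforced_log.append((ctx.name, ctx.enforced.name, r.name, r.action))
                if r.action != "accept":    # decisive accept, drop, reject all stop here
                    return r.action, enforced_log, staged_log
    return default_action, enforced_log, staged_log


def example_precedence():
    """Accept at the global context still lets a virtual server drop the packet;
    Accept Decisively at the global context does not."""
    p = Packet("10.1.1.5", "192.0.2.10", "tcp", 443)
    allow_web = Rule("allow_web", "accept", proto="tcp", dports=(80, 443))
    contexts = [
        Context("global", "Global", enforced=Policy("global_pol", [allow_web])),
        Context("virtual-server", "vs_web",
                enforced=Policy("vs_pol", [Rule("deny_branch", "drop", src="10.1.1.0/24")])),
    ]
    with_accept = evaluate(contexts, p)[0]
    allow_web.action = "accept-decisively"
    with_decisive = evaluate(contexts, p)[0]
    return with_accept, with_decisive


def example_staging():
    """The aggregate staged log promises a reject that enforcing only the global
    staged policy does not deliver: the rejecting rule is in a staged policy on
    a different context."""
    p = Packet("203.0.113.7", "192.0.2.10", "tcp", 22)
    contexts = [
        Context("global", "Global",
                staged=Policy("staged_global", [Rule("allow_web", "accept", proto="tcp", dports=(80, 443))])),
        Context("virtual-server", "vs_web",
                staged=Policy("staged_vs", [Rule("deny_ssh", "reject", proto="tcp", dports=(22,))])),
    ]
    before, _, staged_log = evaluate(contexts, p)
    staged_actions = {a for (_, _, _, a) in staged_log if a}
    contexts[0].enforced, contexts[0].staged = contexts[0].staged, None  # promote global only
    after, _, _ = evaluate(contexts, p)
    return staged_actions, before, after


if __name__ == "__main__":
    print("precedence (accept, accept-decisively):", example_precedence())
    print("staging (staged verdicts, before, after):", example_staging())
```

example_staging() reproduces the caveat from the paragraph above: the aggregate staged log reports a reject for SSH, yet after promoting only the global staged policy the packet is still accepted, because the rejecting rule belongs to the virtual server policy that remains staged. Before enforcing a staged policy, check which context each staged verdict in the log came from, not just the verdict itself.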

Viewing Network Firewall enforced policy events on the local BIG-IP system

Ensure that the BIG-IP® system is configured to log the types of events you want to view, and to store the log messages locally on the BIG-IP system.
When the BIG-IP system is configured to log events locally, you can view those events using the Configuration utility.
  1. On the Main tab, click Security > Event Logs > Network > Firewall.
    The Network Firewall event log displays.
  2. To search for enforced policy events, in the search field, type Enforced, then click Search.
  3. To narrow your search for enforced policy events, click Custom Search. Drag the Enforced text from the Policy Type column to the Custom Search table. Narrow your search further by dragging other items from the log display. For example, from the action, policy, or rule columns, you can drag event data that you want to search for from the Event Log table into the Custom Search table, and then click Search.

Viewing Network Firewall staged policy events on the local BIG-IP system

Ensure that the BIG-IP® system is configured to log the types of events you want to view, and to store the log messages locally on the BIG-IP system.
When the BIG-IP system is configured to log events locally, you can view those events using the Configuration utility.
Important: You must enable logging for a policy, if you want to view the results of staged or enforced rules in the logs.
  1. On the Main tab, click Security > Event Logs > Network > Firewall.
    The Network Firewall event log displays.
  2. To search for staged policy events, in the search field, type Staged, then click Search.
  3. To narrow your search for staged policy events, click Custom Search. Drag the Staged text from the Policy Type column to the custom search table. Narrow your search further by dragging other items from the log display. For example, from the action, policy, or rule columns, you can drag event data that you want to search for from the Event Log table into the Custom Search table, and then click Search.
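The Staged and Enforced searches described in this procedure and the preceding one can also be run offline on exported log lines, which is how you would review a staged policy before promoting it. The following Python script is an added example, not F5 code. Its comma-separated log layout is constructed for the example, with columns chosen to mirror the Policy Type, policy, rule and action columns that Custom Search lets you drag into the filter; the real BIG-IP local log layout differs, so parse() must be adapted before use. The flows and rule names are invented.

```python
"""Offline triage of Network Firewall event-log lines, Enforced versus Staged.

Added example, not F5 code. The log layout is CONSTRUCTED for the example
(columns in LOG_FIELDS) and does not match the real BIG-IP log format;
change parse() to fit an actual export before using this on real data.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

LOG_FIELDS = ("time", "context", "policy_type", "policy", "rule",
              "action", "src", "dst", "proto")

# Constructed sample: three flows seen both by the enforced policies and by a
# staged policy under evaluation on the virtual server vs_web.
SAMPLE_LOG = """\
2014-03-01T10:00:01Z,Global,Enforced,/Common/global_pol,allow_web,Accept,198.51.100.4,192.0.2.10:443,tcp
2014-03-01T10:00:01Z,vs_web,Staged,/Common/staged_vs,deny_legacy_net,Drop,198.51.100.4,192.0.2.10:443,tcp
2014-03-01T10:00:02Z,Global,Enforced,/Common/global_pol,allow_web,Accept,203.0.113.7,192.0.2.10:80,tcp
2014-03-01T10:00:02Z,vs_web,Staged,/Common/staged_vs,allow_http,Accept,203.0.113.7,192.0.2.10:80,tcp
2014-03-01T10:00:03Z,vs_web,Enforced,/Common/vs_pol,deny_ssh,Reject,203.0.113.9,192.0.2.10:22,tcp
2014-03-01T10:00:03Z,vs_web,Staged,/Common/staged_vs,deny_ssh,Drop,203.0.113.9,192.0.2.10:22,tcp
"""


def parse(text):
    """Turn log text into a list of dicts keyed by LOG_FIELDS."""
    return [dict(zip(LOG_FIELDS, row)) for row in csv.reader(StringIO(text)) if row]


def search(events, **criteria):
    """Offline equivalent of Custom Search: keep events whose fields equal every
    criterion, e.g. search(events, policy_type="Staged", action="Drop")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def rule_hits(events, policy_type):
    """Hit counts per (policy, rule, action) for Enforced or Staged events."""
    return Counter((e["policy"], e["rule"], e["action"])
                   for e in search(events, policy_type=policy_type))


def staged_divergence(events):
    """Flows where a staged verdict differs from the enforced outcome.

    A flow is keyed by (time, src, dst, proto). The enforced outcome is the
    last Enforced entry for the flow, because an Accept passes the packet on
    to the next context while Drop and Reject end evaluation. Returns a list
    of (flow, enforced_action, staged_action, staged_rule).
    """
    by_flow = defaultdict(dict)
    for e in events:
        key = (e["time"], e["src"], e["dst"], e["proto"])
        by_flow[key].setdefault(e["policy_type"], []).append(e)
    out = []
    for flow, sides in by_flow.items():
        enforced_side = sides.get("Enforced", [])
        if not enforced_side:
            continue                      # nothing to compare the staged verdict against
        enforced = enforced_side[-1]["action"]
        for s in sides.get("Staged", []):
            if s["action"] != enforced:
                out.append((flow, enforced, s["action"], s["rule"]))
    return out


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("staged rule hits:", dict(rule_hits(events, "Staged")))
    for flow, enforced, staged, rule in staged_divergence(events):
        print(f"{flow[1]} -> {flow[2]}: enforced {enforced}, staged would {staged} ({rule})")
```

staged_divergence() lists exactly the flows whose treatment would change if the staged policy were promoted: here, traffic the enforced policy accepts but the staged rule deny_legacy_net would drop, plus a flow where both deny but the action differs (Reject versus Drop). The first kind is what you review before enforcement; the second is harmless to connectivity but changes what the sender observes.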