Manual Chapter : About Firewall Rules and Rule Lists

Applies To:

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About firewall rules

The BIG-IP® Network Firewall uses rules to specify traffic handling actions. A rule includes:

Context
The category of object to which the rule applies. Rules can be global and apply to all addresses on the BIG-IP that match the rule, or they can be specific, applying only to a specific virtual server, self IP address, route domain, or the management port.
Rule or Rule List
Specifies whether this entry is a single firewall rule, or an activation of a rule list (a named group of rules) in the selected context.
Source Address
One or more addresses, geographic locations, or address lists to which the rule applies. The source address refers to the packet's source.
Source Port
The ports or lists of ports to which the rule applies. The source port refers to the packet's source port.
VLAN
Specifies the VLANs to which the rule applies. The VLAN is the one on which the packet entered the system.
Destination Address
One or more addresses, geographic locations, or address lists to which the rule applies. The destination address refers to the packet's destination.
Destination Port
The ports or lists of ports to which the rule applies. The destination port refers to the packet's destination.
Protocol
The protocol to which the rule applies. The firewall configuration allows you to select one specific protocol from a list of more than 250 protocols. The list is separated into a set of common protocols, and a longer set of other protocols. To apply a rule to more than one protocol, select Any.
Schedule
Specifies a schedule for the firewall rule. You configure schedules to define days and times when the firewall rule is made active.
Action
Specifies the action (accept, accept decisively, drop, or reject) for the firewall rule.
Logging
Specifies whether logging is enabled or disabled for the firewall rule.

Firewall actions

These listed actions are available in a firewall rule.

Firewall actions are processed within a context. If traffic matches a firewall rule within a given context, that action is applied to the traffic, and the traffic is processed again at the next context.

Firewall action Description
Accept Allows packets with the specified source, destination, and protocol to pass through the current firewall context only. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present, but they are still evaluated by the rules in each later context.
Accept Decisively Allows packets with the specified source, destination, and protocol to pass through the firewall, and ends firewall processing for them: packets that match the rule are not evaluated by rules in any later context, including the Global Drop rule. Use this action when a packet should be accepted in one context and not be processed in any remaining context or by the default firewall rules. For example, to allow all packets from Network A to reach every server behind your firewall, create a global context rule that accepts decisively from Network A to any address and port. You can then block all traffic at a specific virtual server, in the virtual server context. Because traffic from Network A was accepted decisively at the global context, it still traverses that virtual server, while traffic from other networks is blocked by the virtual server rule.
Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is silent: no notification is sent to the source or destination system. Because the sender sees no response, it keeps retrying the connection until its own retry threshold is reached.
Reject Rejects packets with the specified source, destination, and protocol. Rejecting a packet is a more graceful way to deny it, because the firewall sends a destination unreachable message to the sender: for TCP, a TCP RST; for other protocols, an ICMP destination unreachable message. One benefit of using Reject is that the sending application learns after a single attempt that the connection cannot be established. The trade-off is that a reject confirms to the sender that a filtering device is present, whereas a drop does not.

About Network Firewall contexts

With the BIG-IP® Network Firewall, you use a context to configure the level of specificity of a firewall rule or policy. For example, you might make a global context rule to block ICMP ping messages, and you might make a virtual server context rule to allow only a specific network to access an application.

Context is processed in this order:

  1. Global
  2. Route domain
  3. Virtual server/self IP
  4. Management port*
  5. Global drop*

The firewall processes policies and rules in order, progressing from the global context, to the route domain context, and then to either the virtual server or self IP context (a packet is evaluated against one or the other, not both). Management port rules are processed independently; management traffic is not evaluated by the other contexts. Rules can be viewed in one list, and viewed and reorganized separately within each context. You can enforce a firewall policy on any context except the management port. You can also stage a firewall policy in any context except management.

Important: You cannot configure or change the Global Drop context. The Global Drop context is the final context for all traffic, except Management port traffic. Note that even though it is a global context, it is not processed first, like the main global context, but last. If a packet matches no rule in any previous context, the Global Drop rule drops the traffic. Management port traffic is not affected by the Global Drop rule, or by global rules in general. Management port rules must be specifically configured and applied.
Figure: Firewall context processing hierarchy example

Firewall context descriptions

When you create a firewall rule, you can select one of these listed contexts. Rules for each context form their own list and are processed both in the context hierarchy, and in the order within each context list.

Firewall context Description
Global A global policy or global inline rules are collected in this firewall context. Global rules apply to all traffic that traverses the firewall, and global rules are checked first.
Route Domain A route domain policy or route domain inline rules are collected in this context. Route domain rules apply to a specific route domain defined on the BIG-IP system. Route domain rules are checked after global rules. If you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context; however, if you configure another route domain after this, Route Domain 0 is no longer usable as a global context.
Virtual Server A virtual server policy or virtual server inline rules are collected in this context. Virtual server rules apply to the selected existing virtual server only. Virtual server rules are checked after route domain rules.
Self IP A self IP policy or self IP inline rules apply to a specified self IP address on the device. Self IP rules are checked after route domain rules. A packet is evaluated against either a virtual server context or a self IP context, never both.
Management Port The management port context collects firewall rules that apply to the management port on the BIG-IP® device. Management port rules are checked independently of any other rules.
Global Drop The Global Drop rule drops all traffic that does not match any rule in a previous context, excluding Management Port traffic, which is processed independently.

Creating a network firewall inline rule

If you are going to specify address lists or port lists with this rule, you must create these lists before creating the firewall rule, or add them after you save the rule.
Create a network firewall rule to manage access from a source IP address or network to a specified network location, server, or address behind a BIG-IP® system.
Note: You cannot add rules created with this task to a rule list at a later time. You must create rules for a rule list from within the rule list.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. In the Rules area, click Add to add a firewall rule to the list.
  3. From the Context list, select the context for the firewall rule.
    For a firewall rule in a rule list, or a firewall rule or rule list in a policy, the context is predefined and cannot be changed.
  4. From the Type list, select whether you are creating a standalone network firewall rule or creating the rule from a predefined rule list.
    If you create a firewall rule from a predefined rule list, only the Name, Description, and State options apply, and you must select or create a rule list to include.
  5. From the Order list, select an order modifier.
    You can add the rule before or after an existing rule, or you can add it first or last in the rule list. Rules are added in the last position by default.
  6. In the Name and Description fields, type the name and an optional description.
  7. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  8. From the Schedule list, select the schedule for the firewall rule.
    This schedule is applied when the firewall rule state is set to Scheduled.
  9. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create an inline rule for ICMP or ICMPv6 on a Self IP context. You can apply a rule list to a self IP that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
    Note: You must select a specific protocol, such as TCP or UDP, if you specify source or destination ports.
  10. From the Source Address/Region list, select the type of source address to which this rule applies.
    • Select Any to have the rule apply to any packet source IP address.
    • Select Specify and click Address to specify one or more packet source IP addresses to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Source address list.
  11. From the Source Port list, select the type of packet source ports to which this rule applies.
    • Select Any to have the rule apply to any packet source port.
    • Select Specify and click Port to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  12. From the Source VLAN/Tunnel list, select the VLAN on which this rule applies.
    • Select Any to have the rule apply to traffic on any VLAN through which traffic enters the firewall.
    • Select Specify to specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list by clicking the << button. Similarly, to remove the VLAN from this rule, click the >> button to move the VLAN from the Selected list to the Available list.
  13. From the Destination Address/Region list, select the type of packet destination address to which this rule applies.
    • Select Any to have the rule apply to any IP packet destination address.
    • Select Specify and click Address to specify one or more packet destination IP addresses to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Destination address list.
  14. From the Destination Port list, select the type of packet destination ports to which this rule applies.
    • Select Any to have the rule apply to any packet destination port.
    • Select Specify and click Port to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  15. Optionally, from the iRule list, select an iRule to start if the rule matches traffic.
  16. From the Action list, select the firewall action to apply to traffic that matches the rule. Choose one of these actions:
    Option Description
    Accept Allows packets with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present, but are still evaluated by rules in later contexts.
    Accept Decisively Allows packets with the specified source, destination, and protocol to pass through the firewall, and ends firewall processing: matching packets are not evaluated by rules in any later context. Packets that match the rule traverse the system as if the firewall is not present.
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is silent, with no notification to the source or destination systems. Because the sender sees no response, it retries the connection until its own retry threshold is reached.
    Reject Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender (a TCP RST for TCP).
  17. From the Logging list, enable or disable logging for the firewall rule.
  18. Click Finished.
    The list screen and the new item are displayed.
The new firewall rule is created.

About firewall rule lists

The BIG-IP® Network Firewall uses rule lists to collect multiple rules. Rule lists function differently depending on how you create them with Advanced Firewall Manager™ (AFM™).

If you create a rule list with Security > Network Firewall > Rule Lists > Create :
This type of rule list is defined with a name and optional description. Once you create a rule list of this type, you can create and add one or more individual firewall rules to it. You can only add firewall rules by creating them from within the rule list. This type of rule list cannot be used on its own, but must be selected in an Active Rules list, or in a Policy Rules list.
If you create a rule list with Security > Network Firewall > Active Rules > Add and select the Type as Rule List:
This type of rule list is defined with a name and optional description. You can specify a context (Global, Route Domain, Virtual Server, or Self IP). However, you cannot add individual rules to this rule list. Instead, you select a single rule list you have already created, or one of the predefined rule lists. This type of rule list is used to activate a rule list in the configuration.
If you create a rule list with Security > Network Firewall > Policies > policy_name > Add and select the Type as Rule List:
This type of rule list is defined with a name and optional description. You cannot specify a context as the context is determined by the policy. You cannot add individual rules to this rule list. Instead, you select a single rule list you have already created, or one of the predefined rule lists. This type of rule list is used to activate a rule list in a policy.
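The context hierarchy, the four rule actions, and the way an activated rule list is expanded at its position inside a context's rule order, brought together in one added Python model. This is illustrative code written for this page, not F5 software and not the BIG-IP's actual evaluation engine; the class names, the context labels, the "Network A" addresses and the sample rules are all assumptions. It reproduces the chapter's Network A example with both a plain Accept and an Accept Decisively rule at the global context, shows the implicit Global Drop for traffic nothing matches, and models the note that ICMP never reaches virtual server or self IP rules:

```python
"""Added example (not F5 code): a model of how BIG-IP AFM walks a packet through
the firewall contexts and applies rule actions.  Names, context labels and the
sample rules below are assumptions made for this page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

# Processing order from the chapter.  A self IP occupies the virtual server slot:
# a packet is evaluated against one or the other, never both.
CONTEXT_ORDER = ("global", "route_domain", "virtual_server")
ACCEPT, ACCEPT_DECISIVELY, DROP, REJECT = "accept", "accept-decisively", "drop", "reject"


def in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: str = "any"                # CIDR or "any"
    dst: str = "any"
    proto: str = "any"
    dports: Tuple[int, ...] = ()    # empty = any destination port
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled and self.proto in ("any", pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (not self.dports or pkt.dport in self.dports))


@dataclass(frozen=True)
class RuleListRef:                  # activation entry that pulls a rule list into a context
    rule_list: str
    enabled: bool = True


Entry = Union[Rule, RuleListRef]
Trail = List[Tuple[str, str, str]]  # (context, rule name, action)


def expand(entries: List[Entry], rule_lists: Dict[str, List[Rule]]) -> List[Rule]:
    """Flatten enabled rule-list references at their position, preserving order."""
    flat: List[Rule] = []
    for entry in entries:
        if isinstance(entry, Rule):
            flat.append(entry)
        elif entry.enabled:
            flat.extend(rule_lists[entry.rule_list])
    return flat


def evaluate(pkt: Packet, contexts: Dict[str, List[Entry]],
             rule_lists: Optional[Dict[str, List[Rule]]] = None) -> Tuple[str, Trail]:
    """Return (final verdict, trail of the rules that matched)."""
    trail: Trail = []
    accepted = False
    for ctx in CONTEXT_ORDER:
        # ICMP is answered at the global/route domain level and never reaches
        # virtual server or self IP rules (chapter note on the Protocol setting).
        if pkt.proto == "icmp" and ctx == "virtual_server":
            break
        for rule in expand(contexts.get(ctx, []), rule_lists or {}):
            if not rule.matches(pkt):
                continue
            trail.append((ctx, rule.name, rule.action))
            if rule.action in (DROP, REJECT):
                return rule.action, trail     # a deny is final
            if rule.action == ACCEPT_DECISIVELY:
                return ACCEPT, trail          # skip every later context
            accepted = True                   # plain accept: continue to next context
            break                             # first match within a context wins
    if not accepted:                          # Global Drop: last, not configurable
        trail.append(("global_drop", "<implicit>", DROP))
        return DROP, trail
    return ACCEPT, trail


# Constructed sample configuration for the chapter's "Network A" example.
NETWORK_A = "10.1.0.0/16"
RULE_LISTS = {"web_rl": [Rule("allow_http", ACCEPT, proto="tcp", dports=(80, 443))]}


def network_a_config(global_action: str, web_list_on: bool = True) -> Dict[str, List[Entry]]:
    return {"global": [Rule("block_ping", DROP, proto="icmp"),
                       Rule("from_net_a", global_action, src=NETWORK_A)],
            "virtual_server": [RuleListRef("web_rl", web_list_on), Rule("deny_all", REJECT)]}


SSH = Packet("10.1.2.3", "203.0.113.10", "tcp", 22)
WEB = Packet("10.1.2.3", "203.0.113.10", "tcp", 443)
PING = Packet("10.1.2.3", "203.0.113.10", "icmp")


def verdict(pkt: Packet, cfg: Dict[str, List[Entry]]) -> str:
    return evaluate(pkt, cfg, RULE_LISTS)[0]


def demo() -> Dict[str, str]:
    return {
        "ssh, plain accept at global": verdict(SSH, network_a_config(ACCEPT)),
        "ssh, accept decisively":      verdict(SSH, network_a_config(ACCEPT_DECISIVELY)),
        "web, rule list enabled":      verdict(WEB, network_a_config(ACCEPT)),
        "web, rule list disabled":     verdict(WEB, network_a_config(ACCEPT, web_list_on=False)),
        "ping from Network A":         verdict(PING, network_a_config(ACCEPT)),
        "nothing matches anywhere":    verdict(SSH, {"global": []}),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:30} -> {result}")
```

Running the module prints one verdict per scenario. The contrast worth studying is the first two lines: with a plain Accept at the global context, the virtual server's deny rule still rejects SSH from Network A, because Accept only clears the current context; with Accept Decisively, processing stops at the global context and the packet is accepted. Disabling the activation entry for web_rl removes the whole rule list from the virtual server context, so HTTPS falls through to deny_all, and an ICMP rule placed on a virtual server context is never consulted.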

Creating a network firewall rule list

Create a network firewall rule list, to which you can add firewall rules.
  1. On the Main tab, click Security > Network Firewall > Rule Lists .
    The Rule Lists screen opens.
  2. Click the Create button to create a new rule list.
  3. In the Name and Description fields, type the name and an optional description.
  4. Click Finished.
    The list screen and the new item are displayed.
The firewall rule list appears in the list.
Add firewall rules to the rule list to define source, destination, and firewall actions.

Adding a network firewall rule to a rule list

Before you add a firewall rule to a rule list, you must create a rule list.
Use this procedure to add a firewall rule to a rule list.
  1. On the Main tab, click Security > Network Firewall > Rule Lists .
    The Rule Lists screen opens.
  2. In the list, click the name of a rule list you previously created.
    The Rule List properties screen opens.
  3. In the Rules area, click Add to add a firewall rule to the list.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  6. From the Schedule list, select the schedule for the firewall rule.
    This schedule is applied when the firewall rule state is set to Scheduled.
  7. From the Source Address/Region list, select the type of source address to which this rule applies.
    • Select Any to have the rule apply to any packet source IP address.
    • Select Specify and click Address to specify one or more packet source IP addresses to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Source address list.
  8. From the Source Port list, select the type of packet source ports to which this rule applies.
    • Select Any to have the rule apply to any packet source port.
    • Select Specify and click Port to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  9. From the Source VLAN/Tunnel list, select the VLAN on which this rule applies.
    • Select Any to have the rule apply to traffic on any VLAN through which traffic enters the firewall.
    • Select Specify to specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list by clicking the << button. Similarly, to remove the VLAN from this rule, click the >> button to move the VLAN from the Selected list to the Available list.
  10. From the Destination Address/Region list, select the type of packet destination address to which this rule applies.
    • Select Any to have the rule apply to any IP packet destination address.
    • Select Specify and click Address to specify one or more packet destination IP addresses to which the rule applies. When selected, you can type single IP addresses into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Destination address list.
  11. From the Destination Port list, select the type of packet destination ports to which this rule applies.
    • Select Any to have the rule apply to any packet destination port.
    • Select Specify and click Port to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  12. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create an inline rule for ICMP or ICMPv6 on a Self IP context. You can apply a rule list to a self IP that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
    Note: You must select a specific protocol, such as TCP or UDP, if you specify source or destination ports.
  13. Optionally, from the iRule list, select an iRule to start if the rule matches traffic.
  14. From the Action list, select the firewall action to apply to traffic that matches the rule. Choose one of these actions:
    Option Description
    Accept Allows packets with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present, but are still evaluated by rules in later contexts.
    Accept Decisively Allows packets with the specified source, destination, and protocol to pass through the firewall, and ends firewall processing: matching packets are not evaluated by rules in any later context. Packets that match the rule traverse the system as if the firewall is not present.
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is silent, with no notification to the source or destination systems. Because the sender sees no response, it retries the connection until its own retry threshold is reached.
    Reject Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender (a TCP RST for TCP).
  15. From the Logging list, enable or disable logging for the firewall rule.
  16. Click Finished.
    The list screen and the new item are displayed.
A new firewall rule is created, and appears in the Rules list.

Activating a rule list in active rules or in a policy

The rule list created from the active rules page, or from a policy, is a container in which you can select and activate one of the rule lists that you created with Security > Network Firewall > Rule Lists > Create , or one of the predefined system rule lists.
  1. From the Context list, select the context for the firewall rule.
    For a firewall rule in a rule list, or a firewall rule or rule list in a policy, the context is predefined and cannot be changed.
  2. In the Name and Description fields, type the name and an optional description.
  3. From the Rule List list, select a rule list to activate in the policy or configuration.
  4. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  5. Click Finished.
    The list screen and the new item are displayed.
The firewall rule list you selected is activated in the Active Rules list or policy.