You can apply a Network Firewall policy as a staged policy while an existing firewall policy, or no policy, is enforced. A staged policy lets you evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules.
|Action|Description|
|---|---|
|Accept|Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.|
|Drop|Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.|
|Reject|Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender.|
|Accept Decisively|Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require processing by any further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.|
When you apply a rule list or policy to a context, the rule list or policy requires some server resources to compile. To see the resources used on a context for the last rule compilation, view the compiler statistics on the context page. Compiler statistics are displayed for several items.
|Context|To view compilation statistics|
|---|---|
|Global|Click Global. From Policy Settings, select Advanced.|
|Virtual Server|Click the name of a virtual server. Click the Security tab, and select Policies. From Policy Settings, select Advanced.|
|Route Domain|Click the number of a route domain. Click the Security tab. From Policy Settings, select Advanced.|
|Self IP|Click the name of a self IP. Click the Security tab. From Policy Settings, select Advanced.|
With BIG-IP® Advanced Firewall Manager™, you can choose to enforce either inline firewall rules or a firewall policy for a specific context. You can also choose to stage policies for a specific context. Staged policies apply all of the specified firewall rules to the policy context, but do not enforce the firewall action. Therefore, the result of a staged policy is informational only, and the result can be analyzed in the firewall logs.
A staged policy on a particular context might not behave the same after you change it to an enforcement policy. Because there can be multiple staged policies on different contexts, the staged policy results you see (in logs and stats) are actually the aggregate of all staged policies on all contexts. Thus, if you enforce a previously staged policy on one or more contexts, but other staged policies remain on other contexts that you do not enforce, the actual enforced results might differ from what you expected from viewing logs and statistics for staged rules.
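The following simplified model illustrates the caveat above: the staged verdict in the logs is taken across every staged policy, while the enforced verdict after promoting one context comes only from that policy. It is an added example, not F5 code; the context order, the rule fields, the sample policies and the accept-by-default fallback are all assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Assumption: contexts are walked in this order (the page does not state it).
ORDER = ["global", "route_domain", "virtual_server"]

# Constructed sample policies, both applied as staged; nothing is enforced yet.
STAGED = {
    "global": [{"name": "g_allow_corp", "src": "10.0.0.0/8",
                "dport": 443, "action": "accept-decisively"}],
    "virtual_server": [{"name": "vs_block_lab", "src": "10.1.0.0/16",
                        "dport": 443, "action": "drop"}],
}

def matches(rule, pkt):
    return (ip_address(pkt["src"]) in ip_network(rule["src"])
            and pkt["dport"] == rule["dport"])

def walk(policies, pkt):
    """Return (verdict, context, rule) for a packet across all contexts."""
    for ctx in ORDER:
        for rule in policies.get(ctx, []):
            if not matches(rule, pkt):
                continue
            if rule["action"] == "accept":
                break  # accepted in this context; later contexts still run
            # drop, reject and accept-decisively all end the walk here
            return rule["action"], ctx, rule["name"]
    # Simplification: traffic that no rule stops is accepted.
    return "accept", None, None

def promote(enforced, staged, ctx):
    """Enforce one context's staged policy; the others stay staged."""
    new_enforced = {**enforced, ctx: staged[ctx]}
    new_staged = {c: r for c, r in staged.items() if c != ctx}
    return new_enforced, new_staged

def compare(pkt, ctx):
    """Staged verdict seen in logs vs. enforced verdict after promoting ctx."""
    logged = walk(STAGED, pkt)            # aggregate of every staged policy
    enforced, _ = promote({}, STAGED, ctx)
    return logged, walk(enforced, pkt)    # only the promoted policy acts

if __name__ == "__main__":
    for src in ("10.1.2.3", "10.9.9.9"):
        logged, actual = compare({"src": src, "dport": 443}, "virtual_server")
        print(f"{src}: staged logs say {logged[0]}, enforced result is {actual[0]}")
```

In this model the packet from 10.1.2.3 is logged as decisively accepted while both policies are staged, yet it is dropped once only the virtual server policy is enforced.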