A BIG-IP data center firewall includes three basic mechanisms for controlling packet flow:
Packet filters, traffic listeners, and iRules assigned to virtual servers.
Basic packet flow through a BIG-IP data center firewall
To effectively configure a BIG-IP system as a data center firewall, you must decide the way
that you want the BIG-IP system to process any network traffic that the system receives. A BIG-IP
system evaluates and acts on network traffic using the following order of operations.
Packet filters
The BIG-IP system evaluates network traffic against any packet filters that you have configured, in the explicit order you define. Once a packet is accepted, it is not evaluated against additional filters, but is processed by any SNATs, virtual servers, or iRules that apply. If a packet is discarded or rejected, the BIG-IP system does not perform any further evaluation of that packet.
Traffic listeners
When you create local traffic objects (such as virtual servers, NATs, and SNATs) that process network traffic on the BIG-IP system, the BIG-IP system creates appropriate listeners for the objects that you define. A local traffic object with a destination listener processes requests matching a destination host or network IP address defined on the BIG-IP system. A local traffic object with a source listener processes requests originating from a host or group of hosts defined on the BIG-IP system. For example, a virtual server with a destination address and netmask of 192.0.0.0/8:any takes precedence over a virtual server with a destination address and netmask of 0.0.0.0/0:80. If the traffic does not match a virtual server and there is a SNAT in place, processing follows a specific order. For example, a SNAT with an origin address of 10.10.64.0/24 takes precedence over a SNAT with an origin of default. Additionally, a SNAT with an origin address of 10.10.64.2 takes precedence over a NAT with an origin address of 10.10.64.2.
Virtual server-specific ACL using iRules
Any iRules associated with the matched virtual server are processed. iRules are event-driven, so the order of events ultimately controls the order in which code blocks are processed. Additionally, you can use priority statements within iRules to assign execution order for like events. Lastly, for like events of identical priority, iRules are triggered in the order in which they are assigned to the virtual server.
For each of these BIG-IP features, consult the BIG-IP product documentation and other online resources, such as F5 Networks' DevCentral Wiki, for complete details.
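The following iRule is an added example, not taken from the F5 documentation, showing how event order and the priority keyword decide which ACL code runs first on a virtual server. It assumes an HTTP virtual server, and the network 10.10.64.0/24 and the /api/ path prefix are constructed sample values.

```tcl
# Added example (not F5's own code): virtual-server ACL via iRule.
# Assumptions: HTTP virtual server; 10.10.64.0/24 is a constructed
# sample range that must not reach this service; /api/ is a sample path.

# CLIENT_ACCEPTED fires once per TCP connection, before any HTTP event,
# so a layer 3/4 ACL here always runs before the HTTP_REQUEST blocks
# below, whatever priority values they carry.
when CLIENT_ACCEPTED priority 100 {
    if { [IP::addr [IP::client_addr] equals 10.10.64.0/24] } {
        log local0. "ACL reject: [IP::client_addr] -> [IP::local_addr]:[TCP::local_port]"
        reject
        return
    }
}

# Two handlers for the same event: the lower priority value runs first
# (the default priority is 500), regardless of their order in this file.
when HTTP_REQUEST priority 200 {
    # Runs first: record whether the path is on the allow list so the
    # later handler can act on the decision.
    set allowed_path [string match "/api/*" [HTTP::path]]
}

when HTTP_REQUEST priority 300 {
    # Runs second for the same request. If a second iRule on this virtual
    # server also used HTTP_REQUEST priority 300, the one assigned to the
    # virtual server first would run before this one.
    if { !$allowed_path } {
        log local0. "ACL deny: [IP::client_addr] requested [HTTP::path]"
        HTTP::respond 403 content "Forbidden" noserver
        return
    }
}
```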