In BIG-IQ® Network Security, the objects that you can view and manage from the policy editor include:
You use the BIG-IQ® Network Security policy editor to make firewall configuration changes within firewall policies quickly, by editing the objects those policies reference. The policy editor provides a toolbox, located at the bottom of the policy editor, that you can use to add objects quickly.
As an alternative to renaming an object, you can create a new object and replace the original object where it is in use.
There are several filter fields you can use to select the data displayed by the Policy Editor. The filter text you enter is searched against the underlying object's representation in storage (JSON), which includes not only the name and other displayed data but also the object's metadata, such as timestamps. Make the filter text specific enough to uniquely identify the object or objects you want to display; a short or generic string can match unrelated objects through their metadata.
|Filter field above navigation list on left||Use the filter field above the navigation list on the left to search objects and list those that match the filter. By default, the filter matches any object that contains the string entered. You select filter options by clicking the arrow to the left of the filter field and selecting an option. A count of the matching objects appears to the right of each object type in the navigation list. To remove the filter, click the X to the right of the filter expression area near the filter field.|
|Filter field at top right of Policy Editor||Use the filter field at the top right of the Policy Editor to search only the displayed objects for a match to the filter. You select filter options by clicking the arrow to the left of the filter field, and then selecting an option from each option group. The top option group controls which objects are filtered (IP Address, Name, or Port); not all options are displayed on all screens, and if none of them is displayed, the default is All. The bottom option group controls whether the filter text must be a partial match or an exact match. If the navigation list is displayed, a count of the matching objects appears to the right of each object type in the navigation list. To remove the filter, click the X to the right of the filter expression area near the filter field.|
|Filter field in Policy Editor Toolbox at bottom||Use the filter field in the upper right of the Policy Editor toolbox (displayed at the bottom of the page when active) to search the shared resources list in the toolbox and display only those that have a full or partial match to the filter. To remove the filter, click the X to the right of the filter expression area near the filter field.|
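The following Python script is an added example, not code from BIG-IQ or this page, that models the filter behaviour the table describes: a partial-match filter is a substring search over each object's stored JSON, metadata included, so a vague string such as "10" also hits objects whose only "10" is inside a timestamp. The object dicts, the `kind` and `lastUpdateMicros` field names, and the exact-match rule (some top-level field equals the text) are assumptions made for illustration.

```python
import json

# Constructed sample objects (not BIG-IQ data): each dict stands in for the
# stored JSON representation of an object, metadata fields included.
OBJECTS = [
    {"kind": "address-list", "name": "web-servers", "partition": "Common",
     "addresses": ["10.1.10.0/24"], "lastUpdateMicros": 1510000000000000},
    {"kind": "address-list", "name": "db-servers", "partition": "Common",
     "addresses": ["10.1.20.5"], "lastUpdateMicros": 1520000000000000},
    {"kind": "port-list", "name": "web-ports", "partition": "Common",
     "ports": ["80", "443"], "lastUpdateMicros": 1510500000000000},
    {"kind": "rule-schedule", "name": "business-hours", "partition": "Common",
     "dateRange": "indefinite", "lastUpdateMicros": 1610000000000000},
]


def matches(obj, text, exact=False):
    """Hypothetical filter semantics modelled on the page's description.

    Partial match: the text is searched as a substring of the whole JSON
    serialisation, so metadata such as timestamps can produce a hit.
    Exact match: some top-level field must equal the text verbatim.
    """
    if exact:
        return any(str(value) == text for value in obj.values())
    return text in json.dumps(obj, sort_keys=True)


def filter_objects(objects, text, exact=False):
    """Return the matching objects and a per-kind count (the number the
    navigation list shows next to each object type)."""
    hits = [obj for obj in objects if matches(obj, text, exact)]
    counts = {}
    for obj in hits:
        counts[obj["kind"]] = counts.get(obj["kind"], 0) + 1
    return hits, counts


if __name__ == "__main__":
    for text, exact in [("10", False), ("web", False), ("web", True), ("web-servers", True)]:
        hits, counts = filter_objects(OBJECTS, text, exact)
        print(f"filter={text!r} exact={exact}: {[h['name'] for h in hits]} {counts}")
```

Running it shows that "10" matches all four constructed objects (the port list and rule schedule only through their timestamps), while the exact-match option narrows "web-servers" to the one object with that name.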
When specifying a date in a filter, only these date and time formats are supported:
You can filter contents within the Policy Editor frame to show objects related to a selected object.
Address lists are collections of IPv4 or IPv6 addresses, address ranges, nested address lists, geolocations, and subnets saved on a server and available for use in firewall rules, rule lists, and firewall policies.
Firewall rules refer to address lists to allow or deny access to specific IP addresses in IP packets. A rule compares every address in the list to either the source or the destination IP address of the packet, depending on how the list is applied; it can likewise compare every geolocation in the list to the source or the destination location. If there is a match, the rule takes an action, such as accepting or dropping the packet.
You can see the content of an address list by hovering over its name in the policy editor. If an address list is nested, the tooltip displayed by the hovering will only show the first-level contents. To view address list names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.
Address lists are containers and must contain at least one entry. You cannot create an empty address list; you cannot remove an entry in an address list if it is the only one.
You can add geolocation awareness to address lists, which enables you to specify source or destination IP addresses by geographic location. Thus, you can specify firewall behavior for traffic to/from entire geographic regions by defining rules based on where the source or destination system is, rather than on its IP address (source or destination). BIG-IQ® Network Security supports specifying geolocation in rules and address lists. The geolocation is validated when the rule or address list is saved.
|Name||Unique, user-provided name for the address list. The text field accepts up to and including 255 characters, including the partition name.|
|Description||Optional description of the address list.|
|Partition||Field pre-populated with Common (the default). This field is editable when creating or cloning address lists.|
|Type||After locking the address list for editing, select one of the following:
|Addresses||IPv4 or IPv6 address, address range, or nested address list. There are many ways an IPv4 or IPv6 address or address range can be constructed. The following methods and examples are not meant to be exhaustive.
|Description||Optional text field used to describe the address, address range, or nested address list.|
Port lists are collections of ports, port ranges, or nested port lists saved on a server and available for use in firewall rules, rule lists, and firewall policies.
Firewall rules refer to port lists to allow or deny access to specific ports in IP packets. They compare a packet's source port and/or destination port with the ports in a port list. If there is a match, the rule takes an action, such as accepting or dropping the packet. Port lists are containers and must contain at least one entry. You cannot create an empty port list; you cannot remove an entry in a port list if it is the only one.
You can see the content of a port list by hovering over its name in the policy editor. If a port list is nested, the tooltip displayed will only show the first-level contents. To view port list names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.
|Name||Unique name used to identify the port list.|
|Description||Optional description for the port list.|
|Partition||Field pre-populated with Common (the default). This field is editable when creating or cloning port lists.|
|Type||Select one of the following:
|Ports||Port, port range, or port list. Valid port numbers are 1-65535.|
|Description||Optional text field used to describe the port, port range, or nested port list.|
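The following Python script is an added example, not code from BIG-IQ or this page, that shows how the address list and port list sections above fit together when a rule is evaluated: a packet's source or destination address is compared against every entry of an address list (hosts, subnets, ranges, and nested lists), its source or destination port against a port list (ports, ranges, nested lists), and a list is applied to whichever side of the packet the rule names. It also enforces the container rules stated on the page: a list must hold at least one entry, and ports are limited to 1-65535. The catalogues, the rule and packet dictionaries, and their key names (`source_addr_list`, `dest_port_list`, and so on) are assumptions for illustration; a self-referencing chain of nested lists is rejected, which is this example's choice rather than documented product behaviour.

```python
import ipaddress

# Constructed catalogues (not BIG-IQ data). An entry is a host address, a
# CIDR subnet, a range "low-high", or the name of another list (nesting).
ADDRESS_LISTS = {
    "web-servers": ["10.1.10.0/24", "2001:db8:1::10"],
    "db-servers": ["10.1.20.5-10.1.20.9"],
    "all-servers": ["web-servers", "db-servers"],   # nested address lists
}
PORT_LISTS = {
    "web-ports": ["80", "443"],
    "mgmt-ports": ["22", "8443-8445"],
    "allowed-ports": ["web-ports", "mgmt-ports"],   # nested port lists
}


def address_in_list(ip, list_name, catalogue, path=()):
    """True if `ip` (a string) matches any entry of the named address list,
    descending into nested lists. Empty lists and cycles raise ValueError."""
    ip = ipaddress.ip_address(ip)
    if list_name in path:
        raise ValueError(f"address list cycle: {' -> '.join(path + (list_name,))}")
    if not catalogue[list_name]:
        raise ValueError(f"address list {list_name!r} is empty")
    path = path + (list_name,)
    for entry in catalogue[list_name]:
        if entry in catalogue:                       # nested address list
            if address_in_list(ip, entry, catalogue, path):
                return True
        elif "-" in entry:                           # address range
            low, high = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if low.version == high.version == ip.version and low <= ip <= high:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            # ip_network() treats a bare host as a /32 or /128, so hosts and
            # subnets share this branch; a version mismatch is simply False.
            return True
    return False


def port_in_list(port, list_name, catalogue, path=()):
    """True if `port` (int, 1-65535) matches any entry of the named port list,
    descending into nested lists. Empty lists and cycles raise ValueError."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    if list_name in path:
        raise ValueError(f"port list cycle: {' -> '.join(path + (list_name,))}")
    if not catalogue[list_name]:
        raise ValueError(f"port list {list_name!r} is empty")
    path = path + (list_name,)
    for entry in catalogue[list_name]:
        if entry in catalogue:                       # nested port list
            if port_in_list(port, entry, catalogue, path):
                return True
        elif "-" in entry:                           # port range
            low, high = (int(p) for p in entry.split("-", 1))
            if low <= port <= high:
                return True
        elif int(entry) == port:                     # single port
            return True
    return False


def rule_matches(packet, rule):
    """Apply a rule's list references to a packet. Each list is compared to
    the source or destination field the rule names it for; a field the rule
    does not constrain matches anything."""
    checks = (
        ("src_ip", "source_addr_list", address_in_list, ADDRESS_LISTS),
        ("dst_ip", "dest_addr_list", address_in_list, ADDRESS_LISTS),
        ("src_port", "source_port_list", port_in_list, PORT_LISTS),
        ("dst_port", "dest_port_list", port_in_list, PORT_LISTS),
    )
    for field, key, in_list, catalogue in checks:
        list_name = rule.get(key)
        if list_name is not None and not in_list(packet[field], list_name, catalogue):
            return False
    return True


# Constructed rule: accept traffic to any server on an allowed port.
RULE = {"name": "allow-to-servers", "action": "accept",
        "dest_addr_list": "all-servers", "dest_port_list": "allowed-ports"}

if __name__ == "__main__":
    pkt = {"src_ip": "192.0.2.7", "src_port": 51000, "dst_ip": "10.1.20.7", "dst_port": 8444}
    print(RULE["action"] if rule_matches(pkt, RULE) else "no match", pkt)
```

Because the rule names `all-servers` only as a destination list, a packet from 10.1.20.7 to an outside host would not match it; the same list applied as a source list would.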
The Rule Schedules screen displays the defined rule schedules. By default, all rules, rule lists, and policies run continuously. Rule schedules are continuously active if created without any scheduling specifics (such as the hour that the rule schedule starts).
You apply a rule schedule to a rule to make that rule active only when needed.
|Name||Specifies a unique, user-provided name for the rule schedule.|
|Description||Specifies an optional description for the rule schedule.|
|Partition||Displays the read-only name of the partition associated with the rule schedule.|
|Date Range||Specifies the date and time when the rule can be active. Select one of the following:
Note: Using the system interface and popup screens to specify the start and end dates and times is the preferred method. However, if you do specify dates manually, use the format: MMM DD,YYYY HH:MM:SS.
|Time Span||Specifies the time, within the time defined by the Date Range, that the rule schedule can be active.
|Day||Specifies the days the rule schedule is active. Select check boxes for all days that apply. You must select at least one day per week.|
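The following Python script is an added example, not code from BIG-IQ or this page, that evaluates a rule schedule built from the three fields above: a date range (or none, for a schedule that is continuously active), a daily time span within that range, and the set of days on which the schedule applies, of which at least one must be selected. Manually entered dates are parsed with the page's MMM DD,YYYY HH:MM:SS format. The dictionary layout and key names (`date_range`, `time_span`, `days`), the "HH:MM" form of the time span, and the handling of a time span that wraps past midnight are assumptions made for this example; `%b` parsing assumes an English (C) locale.

```python
from datetime import datetime, time

# The manual-entry format the page gives: MMM DD,YYYY HH:MM:SS
DATE_FORMAT = "%b %d,%Y %H:%M:%S"          # %b assumes an English (C) locale

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # index = weekday()


def parse_schedule_datetime(text):
    """Parse a manually entered date/time such as 'Mar 01,2024 08:00:00'."""
    return datetime.strptime(text, DATE_FORMAT)


def schedule_active(schedule, at):
    """Return True if the rule schedule is active at datetime `at`.

    Schedule keys (hypothetical field names chosen for this example):
      date_range: (start, end) strings in DATE_FORMAT, or None for indefinite
      time_span:  ("HH:MM", "HH:MM") daily window, or None for the whole day;
                  an end earlier than the start wraps past midnight
      days:       set of DAY_NAMES on which the schedule applies (at least one)
    """
    days = set(schedule["days"])
    if not days:
        raise ValueError("a rule schedule must select at least one day")
    unknown = days - set(DAY_NAMES)
    if unknown:
        raise ValueError(f"unknown day names: {sorted(unknown)}")

    date_range = schedule.get("date_range")
    if date_range is not None:
        start, end = (parse_schedule_datetime(s) for s in date_range)
        if end < start:
            raise ValueError("date range ends before it starts")
        if not start <= at <= end:
            return False

    time_span = schedule.get("time_span")
    if time_span is not None:
        open_t, close_t = (time.fromisoformat(s) for s in time_span)
        now_t = at.time()
        if open_t <= close_t:
            in_window = open_t <= now_t <= close_t
        else:                                   # window wraps past midnight
            in_window = now_t >= open_t or now_t <= close_t
        if not in_window:
            return False

    return DAY_NAMES[at.weekday()] in days


# Constructed schedules (not product data).
BUSINESS_HOURS = {
    "name": "business-hours",
    "date_range": ("Jan 01,2024 00:00:00", "Dec 31,2024 23:59:59"),
    "time_span": ("08:00", "18:00"),
    "days": {"Mon", "Tue", "Wed", "Thu", "Fri"},
}
ALWAYS = {"name": "always", "date_range": None, "time_span": None, "days": set(DAY_NAMES)}
NIGHT_SHIFT = {"name": "night-shift", "date_range": None,
               "time_span": ("22:00", "06:00"), "days": set(DAY_NAMES)}

if __name__ == "__main__":
    for sched in (BUSINESS_HOURS, ALWAYS, NIGHT_SHIFT):
        for stamp in ("Mar 13,2024 09:30:00", "Mar 16,2024 09:30:00", "Mar 13,2024 23:00:00"):
            print(sched["name"], stamp, schedule_active(sched, parse_schedule_datetime(stamp)))
```

A schedule with no date range, no time span, and all seven days selected is active at every instant, which matches the page's statement that a schedule created without scheduling specifics is continuously active.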