Manual Chapter : Managing Service Timer and Port Misuse Policies

Applies To:

BIG-IQ Centralized Management

  • 5.2.0

About service, timer, and port misuse policies

A service policy allows you to associate network idle timers (timer policies) or port misuse policies with firewall contexts and rules.

You can discover a service policy on a BIG-IP® device version 12.0, or later. Or you can create one on a BIG-IQ® Centralized Management system, and then deploy it to a BIG-IP device version 12.0, or later.

A service policy can contain timer policies, or port misuse policies, or both. You create service policies, timer policies, and port misuse policies separately, and then you add the timer policies or port misuse policies to the service policies.

  • You use a timer policy, also known as a firewall idle timer, to configure timer rules that can be associated with firewall contexts and rules. You can discover a timer policy on a BIG-IP device version 12.0, or later, or create one on a BIG-IQ Centralized Management system, and then deploy it to a BIG-IP device version 12.0, or later.
  • A port misuse policy allows you to configure a firewall context or rule to detect and drop network connections that are not using a required application or service for a given port. With a port misuse policy, you can configure ports to allow services, and drop all traffic that does not match the specified service type. You can configure port and service associations without regard for customary port and service pairings. You can discover a port misuse policy on a BIG-IP device version 12.1, or later, or create one on a BIG-IQ Centralized Management system, and then deploy it to a BIG-IP device version 12.1, or later.

Create a timer policy

You create a timer policy containing timer rules to add to a service policy.
  1. Navigate to the Timer Policies screen: Click Configuration > SECURITY > Network Security > Timer Policies .
  2. Click Create.
    The New Timer Policy screen opens.
  3. In the Name field, type a name for the timer policy.
  4. In the Description field, type an optional description for the timer policy.
  5. If needed, change the default Common partition in the Partition field.
  6. To add timer rules, click Rules on the left, and then click Create Rule.
    A new rule is displayed with default name and values.
  7. Click the edit icon to the left of the new rule to enable editing for the rule fields.
  8. In the Name field, you may specify a more meaningful name than the default.
  9. From the Protocol list, select the protocol to be used.
    If you select all-other, the rule will apply to all protocols not specified in another timer rule in the policy.
  10. From the Destination Ports list, specify one or more ports to use, if necessary. The default is to use any port.
    • Select Port to specify an individual port: type the port in the field provided, and then click Add. You can enter multiple individual ports, one at a time.

      Enter 0 as the port value to specify all other ports that have not been specified using Port or Port Range.

    • Select Port Range to specify a range of ports: type the beginning port in the first field, and the ending port of the range in the second field provided, and then click Add. You can enter multiple port ranges, one at a time.
    • Select All Other to specify all other ports that have not been specified using Port or Port Range.
  11. From the Idle Timeout list, select the timeout option for the selected protocol.
    • Select Specify to specify the timeout for this protocol, in seconds. Type the number of seconds in the field provided.
    • Select Immediate to immediately apply this timeout to the protocol.
    • Select Indefinite to specify that this protocol never times out.
    • Select Unspecified to specify no timeout for the protocol. When this is selected, the system uses the default timeout for the protocol.
  12. Save your changes.
The timer policy is now configured.
You now need to add the timer policy to a service policy.
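The following is an added example (not F5 code, and not part of this chapter) showing how the Protocol, Destination Ports and Idle Timeout settings of the timer rules described above combine to select the idle timeout for a single flow. It models the options the procedure names (a single Port, a Port Range, port 0 or All Other, and the Specify, Immediate, Indefinite and Unspecified timeouts, plus the all-other protocol). The ordering assumptions are marked in the code: rules are checked in policy order and the first match wins, an All Other port entry covers only ports that no other rule for the same protocol lists explicitly, and the per-protocol system defaults are constructed sample values.

```python
# Added example (not F5 code): a small model of how the timer-policy fields
# described in the chapter combine to pick an idle timeout for a flow.
# Assumptions, marked below: rules are checked in policy order and the first
# match wins; a port-0 / All Other entry covers ports that no other rule for
# the same protocol lists explicitly; protocol default timeouts are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

ALL_OTHER = "all-other"   # the all-other Protocol value


@dataclass
class TimerRule:
    name: str
    protocol: str                                   # "tcp", "udp", ... or ALL_OTHER
    # empty list = any port; int = single Port; (lo, hi) = Port Range; 0 = All Other
    ports: List[Union[int, Tuple[int, int]]] = field(default_factory=list)
    idle_timeout: Union[int, str] = "unspecified"   # seconds | "immediate" | "indefinite" | "unspecified"


@dataclass
class Timeout:
    kind: str                  # "specify" | "immediate" | "indefinite" | "unspecified"
    seconds: Optional[int]     # None = never times out, or no known default
    rule: str                  # name of the rule that decided


# Constructed sample of per-protocol system defaults used for "unspecified" (assumption).
PROTOCOL_DEFAULT_TIMEOUT = {"tcp": 300, "udp": 60}


def _listed_explicitly(rule: TimerRule, port: int) -> bool:
    """True if the rule names this port through a single Port or a Port Range entry."""
    for entry in rule.ports:
        if isinstance(entry, tuple):
            lo, hi = entry
            if lo <= port <= hi:
                return True
        elif entry == port and entry != 0:
            return True
    return False


def _port_matches(rule: TimerRule, port: int, peers: List[TimerRule]) -> bool:
    if not rule.ports:                   # default: any destination port
        return True
    if _listed_explicitly(rule, port):
        return True
    # Port 0 / All Other: only ports that no rule for this protocol lists (assumption)
    return 0 in rule.ports and not any(_listed_explicitly(r, port) for r in peers)


def _interpret(rule: TimerRule, protocol: str) -> Timeout:
    t = rule.idle_timeout
    if isinstance(t, int):
        return Timeout("specify", t, rule.name)
    if t == "immediate":
        return Timeout("immediate", 0, rule.name)
    if t == "indefinite":
        return Timeout("indefinite", None, rule.name)
    return Timeout("unspecified", PROTOCOL_DEFAULT_TIMEOUT.get(protocol), rule.name)


def resolve_idle_timeout(policy: List[TimerRule], protocol: str, port: int) -> Optional[Timeout]:
    """Return the timeout the policy assigns to a flow, or None if no rule applies."""
    candidates = [r for r in policy if r.protocol == protocol]
    if not candidates:   # all-other rules apply only to protocols no other rule names
        candidates = [r for r in policy if r.protocol == ALL_OTHER]
    for rule in candidates:              # first match wins (assumption)
        if _port_matches(rule, port, candidates):
            return _interpret(rule, protocol)
    return None


# Constructed sample policy: long-lived web sessions, short DNS, everything else immediate.
SAMPLE_POLICY = [
    TimerRule("web-long-lived", "tcp", [80, 443, (8000, 8080)], 600),
    TimerRule("tcp-everything-else", "tcp", [0], "unspecified"),
    TimerRule("dns-short", "udp", [53], 30),
    TimerRule("other-protocols", ALL_OTHER, [], "immediate"),
]

if __name__ == "__main__":
    for proto, port in [("tcp", 80), ("tcp", 8040), ("tcp", 22), ("udp", 53), ("udp", 123), ("icmp", 0)]:
        print(proto, port, resolve_idle_timeout(SAMPLE_POLICY, proto, port))
```

The sample shows the two cases worth checking before a policy is deployed: a UDP flow to a port the policy's UDP rules do not cover (port 123 here) gets no timeout from the policy at all, because the all-other protocol rule does not apply to a protocol that other rules already name, while an unlisted TCP port falls through to the port-0 rule and takes the protocol default.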

Clone a timer policy

Using the clone function, you can make a copy of a timer policy, and then modify it.
  1. Navigate to the Timer Policies screen: click Configuration > SECURITY > Network Security > Timer Policies .
  2. Select the check box to the left of any timer policy you want to clone.
  3. Click Clone.
The system displays the New Timer Policy screen with the cloned policy displayed.

Delete a timer policy

You can delete obsolete timer policies that are no longer used by a service policy to avoid clutter in the user interface.
  1. Navigate to the Timer Policies screen: click Configuration > SECURITY > Network Security > Timer Policies .
  2. Select the check box to the left of any timer policy that you want to remove.
  3. Click Delete.
  4. Confirm that you want to remove the timer policy by clicking Delete in the confirmation dialog box.
The system removes the selected timer policies.

Create a port misuse policy

You create a port misuse policy containing port misuse rules to add to a service policy.
  1. Go to the Port Misuse Policies screen: Click Configuration > SECURITY > Network Security > Port Misuse Policies .
  2. Click Create.
    The New Port Misuse Policy screen opens.
  3. Type a name and an optional description for the port misuse policy.
  4. If needed, change the default Common partition in the Partition field.
  5. In the Default Actions row, select the default actions to occur when port misuse is detected. You can select none, one, or both options.
    • Select Drop on Service Mismatch to set a policy default that drops packets when the service does not match the port, as defined in the policy rules.
    • Select Log on Service Mismatch to set a policy default that logs service and port mismatches.
  6. To add port misuse rules, on the left, click Rules, and then click Create Rule.
    The screen displays a new port misuse rule with default name and values.
  7. Click the edit icon to the left of the name of the new rule to enable editing for the rule fields.
  8. In the Name field, you may specify a more meaningful name than the default.
  9. In the Port field, select a port for the port matching rule.
    You can select from a list of commonly used ports, or select Other and specify a port number. The default port number is automatically supplied for the common ports.
  10. In the IP Protocol field, select the IP protocol for the port matching rule.
  11. In the Service field, select the service to use.
    This setting configures the association between the service and port number. Packets on this port that do not match the specified service type are dropped, if Drop on Service Mismatch is applied to this rule.
    You can specify a service on any port; you are not limited to customary port and service pairings. You can configure any service on any port as a rule in a port misuse policy.
  12. In the Drop on Service Mismatch list, select the drop behavior.
    • Select Yes to drop packets when the service does not match the port.
    • Select No to allow packets when the service does not match the port.
    • Select Use Policy Default to use the default action for packet drops, when the service does not match the port.
  13. In the Log on Service Mismatch list, select the behavior for logging packet drops.
    • Select Yes to log dropped packets when the service does not match the port.
    • Select No to not log packet drops when the service does not match the port.
    • Select Use Policy Default to use the default action for logging packet drops, when the service does not match the port.
  14. Save your changes.
You have configured the port misuse policy.
You now can add the port misuse policy to a service policy.
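The following is an added example (not F5 code, and not part of this chapter) that models the decision a port misuse policy makes once a packet's application service has been identified: the rule whose Port and IP Protocol match is found, and its Drop on Service Mismatch and Log on Service Mismatch settings of Yes, No or Use Policy Default are resolved against the policy's Default Actions. Two assumptions are marked in the code: the first rule whose port and protocol match is the one used, and a mismatch is logged whenever the effective Log setting is Yes, whether or not the packet is dropped. The sample policy and services are constructed.

```python
# Added example (not F5 code): a model of the port misuse policy decision
# described in the chapter. Per-rule Drop/Log settings of Yes, No or
# Use Policy Default fall back to the policy's Default Actions.
# Assumptions, marked below: the first rule whose port and IP protocol match
# is used; a mismatch is logged whenever the effective Log setting is Yes,
# whether or not the packet is dropped.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortMisuseRule:
    name: str
    port: int
    ip_protocol: str                           # "tcp" or "udp"
    service: str                               # service expected on this port, e.g. "http"
    drop_on_mismatch: Optional[bool] = None    # True = Yes, False = No, None = Use Policy Default
    log_on_mismatch: Optional[bool] = None     # same encoding


@dataclass
class PortMisusePolicy:
    name: str
    drop_default: bool                         # Default Actions: Drop on Service Mismatch
    log_default: bool                          # Default Actions: Log on Service Mismatch
    rules: List[PortMisuseRule] = field(default_factory=list)


@dataclass
class Verdict:
    action: str                # "allow" or "drop"
    logged: bool
    rule: Optional[str]        # matching rule name, None if no rule covers the port


def evaluate(policy: PortMisusePolicy, ip_protocol: str, port: int, detected_service: str) -> Verdict:
    """Decide what the policy does with a packet whose service has been identified."""
    # First rule matching port and protocol wins (assumption)
    rule = next((r for r in policy.rules
                 if r.port == port and r.ip_protocol == ip_protocol), None)
    if rule is None:                           # port not covered: the policy has no opinion
        return Verdict("allow", False, None)
    if detected_service == rule.service:       # expected service on the expected port
        return Verdict("allow", False, rule.name)
    # Service mismatch: Yes/No on the rule override the policy default, None uses it
    drop = policy.drop_default if rule.drop_on_mismatch is None else rule.drop_on_mismatch
    log = policy.log_default if rule.log_on_mismatch is None else rule.log_on_mismatch
    return Verdict("drop" if drop else "allow", log, rule.name)


# Constructed sample: drop and log by default, with two rules overriding the defaults.
SAMPLE_POLICY = PortMisusePolicy(
    name="strict-web",
    drop_default=True,
    log_default=True,
    rules=[
        # both settings left at Use Policy Default
        PortMisuseRule("http-80", 80, "tcp", "http"),
        # monitor only: log the mismatch but let the packet through
        PortMisuseRule("https-8443-monitor", 8443, "tcp", "https",
                       drop_on_mismatch=False, log_on_mismatch=True),
        # drop silently
        PortMisuseRule("dns-53-quiet", 53, "udp", "dns",
                       drop_on_mismatch=True, log_on_mismatch=False),
    ],
)

if __name__ == "__main__":
    for proto, port, svc in [("tcp", 80, "http"), ("tcp", 80, "ssh"), ("tcp", 8443, "ssh"),
                             ("udp", 53, "http"), ("tcp", 22, "ssh")]:
        print(proto, port, svc, evaluate(SAMPLE_POLICY, proto, port, svc))
```

The monitor-only rule (drop No, log Yes) is the shape to use when a new port and service association is rolled out: mismatches appear in the logs without traffic being dropped, so the rule can be verified before Drop on Service Mismatch is switched to Yes or to the policy default.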

Clone a port misuse policy

Using the clone option, you can make a copy of a port misuse policy that you can modify.
  1. Navigate to the Port Misuse Policies screen: click Configuration > SECURITY > Network Security > Port Misuse Policies .
  2. Select the check box to the left of any port misuse policy you want to clone.
  3. Click Clone.
The system displays the New Port Misuse Policy screen with the cloned policy displayed.

Delete a port misuse policy

You can delete obsolete port misuse policies that are no longer used by a service policy to avoid clutter in the user interface.
  1. Navigate to the Port Misuse Policies screen: click Configuration > SECURITY > Network Security > Port Misuse Policies .
  2. Select the check box to the left of any port misuse policy that you want to remove.
  3. Click Delete.
  4. Confirm that you want to remove the port misuse policy by clicking Delete in the confirmation dialog box.
The system removes the selected port misuse policy.

Create a service policy

You create a service policy to contain timer policies and port misuse policies that can be applied to firewall contexts. Service policies can also be added to a rule in a rule list or a rule on a security policy.
  1. Go to the Service Policies screen: Click Configuration > SECURITY > Network Security > Service Policies .
  2. Click Create.
    The New Service Policy screen opens.
  3. In the Name field type a name for the service policy.
  4. If needed, change the default Common partition in the Partition field.
  5. In the Description field, type an optional description for the service policy.
  6. If needed, select a timer policy from those listed in the Timer Policy list.
    If no timer policy is listed, create one and then assign it to the service policy.
  7. If needed, select a port misuse policy from those listed in the Port Misuse Policy list.
    If no port misuse policy is listed, create one and then assign it to the service policy.
  8. In the Pin Policy to Device(s) setting, select the BIG-IP devices to be pinned to this policy, if needed.
    Pinning a BIG-IP device to a policy enables the policy to be deployed even if it is not associated with a firewall context for that device. You select the BIG-IP device to use by moving it from the Available list to the Selected list using the arrow buttons. You can filter the list of available BIG-IP devices using the filter field at the top of the Available list. Moving a BIG-IP device that is part of a cluster to the Selected list will cause the other member of the cluster to move to that list as well.
    If you have a self IP context with a static (non-floating) IP address, you may be required to assign the device, depending on your cluster deployment settings. For example, this property must be set for a peer BIG-IP device that is part of a DSC cluster managed by the BIG-IQ Centralized Management system. You may be directed to set this property as a result of an evaluation critical error.
  9. Save your changes.
You have defined the service policy. You can now assign it to a firewall context. You can also add it to a rule in a rule list, or a rule on a security policy.

Clone a service policy

Using the clone option, you can make a copy of a service policy to modify.
  1. Go to the Service Policies screen: Click Configuration > SECURITY > Network Security > Service Policies .
  2. Select the check box to the left of any service policy you want to clone.
  3. Click Clone.
The system displays the New Service Policy screen with the cloned policy displayed.

Deploy a service policy

You can do a partial deployment of only a service policy instead of an entire configuration.
  1. Go to the Service Policies screen: Click Configuration > SECURITY > Network Security > Service Policies .
  2. Select the check box to the left of any service policy you want to deploy.
  3. Click Deploy.
The system displays the New Deployment - Network Security screen with the selected service policy on it. You can now continue the deployment process.

Delete a service policy

You should delete service policies that are no longer used, to simplify your view.
  1. Go to the Service Policies screen: Click Configuration > SECURITY > Network Security > Service Policies .
  2. Select the check box to the left of any service policy you want to remove.
  3. Click Delete.
  4. Confirm that you want to remove the service policy by clicking Delete in the confirmation dialog box.
The system removes the selected service policies.

Apply a service policy to a firewall context

You apply a service policy to a firewall context to use a timer or port misuse policy with that context.
  1. Navigate to the Contexts screen: Click Configuration > SECURITY > Network Security > Contexts .
  2. Click the name of the context to open it for editing.
  3. Add the service policy to the Service Policy row:
    1. Click Add Service Policy.
    2. From the popup screen select the service policy to add.
    3. Click Select.
    You can also add a service policy by selecting Service Policies in the Shared Objects list, and then dragging one of the displayed service policies and dropping it onto the Service Policy row. To remove a service policy, click the X to the right of the service policy name in the Service Policy row.
  4. Save your changes.
The service policy is now associated with the context.

Apply a service policy to a firewall rule

You apply a service policy to a firewall rule to apply timer policies or port misuse policies to traffic that is matched by the firewall rule. The rule can be associated with a rule list or with a firewall security policy.
  1. Display the list of rules from a rule list or from a firewall security policy.
    • If the rule is in a rule list: Navigate to the Rule Lists screen: click Configuration > SECURITY > Network Security > Rule Lists. Click the name of the rule list containing the rule. The screen lists the rules.
    • If the rule is associated with a policy: Navigate to the Firewall Policies screen: click Configuration > SECURITY > Network Security > Firewall Policies. Click the name of the policy containing the rule. The screen lists the rules.
  2. To make it editable, click the edit icon to the left of the name of the rule to which you want to add the service policy.
  3. Add the service policy to the rule.
    • Add the service policy by typing: Type the name of the service policy in the Service Policy column for the rule. The system completes the name of the service policy once you begin typing it.
    • Add the service policy by drag and drop: In the Shared Objects area, select Service Policies, and then drag the service policy from that list and drop it into the Service Policy column for the rule.
  4. Save your changes.
The service policy is added to the rule.