Manual Chapter : Managing Shared Objects

Applies To: BIG-IQ Security 4.3.0

About shared objects

In BIG-IQ Security, the shared objects that you can view and manage include:

Address lists
Collections of IPv4 or IPv6 addresses, address ranges, and subnets. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses or address ranges in a given address list to either the source or the destination IP address, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
Port lists
Collections of ports and port ranges. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific IP addresses in IP packets. As with address lists, firewall rules compare all ports and port ranges in a given port list to either the source or the destination port, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
Schedules
Schedules are assigned to firewall rules, rule lists, and policies to control when rules, rule lists, and policies are active on the firewall. In the Shared Objects panel, you can hover over schedule names to see the name displayed in a tooltip. This feature is useful if the schedule name is longer than the panel.

Renaming shared objects

BIG-IQ Security does not support renaming a shared object.

As an alternative to renaming, you can create a new shared object and replace the original shared object where it is in use.

  1. Create the new shared object. Consider cloning the object as the fastest and most reliable way to create a new object with the same content as the original but a new name.
  2. Locate every instance of the original shared object by hovering over the gear icon associated with the object and selecting Show Related Items. As a result, all objects are grayed out except instances where the object is used. In addition, a count is added to the panel header, indicating the number of times the object is used within that panel.
  3. Navigate to each instance where the original shared object is in use and replace it with a reference to the newly-created shared object.
  4. Remove the original shared object. Note that you cannot remove a shared object that is still in use.

Duplicating shared objects

  1. Navigate to the shared object you want to duplicate and hover over the name.
  2. When the gear icon appears, click it.
  3. From the expanded panel, click Clone. The system displays a copy of the shared object with blank Name and Description property fields.
  4. Enter a unique name, (optional) description, and any other edits.
  5. When finished, click Save. The cloned shared object is added to the existing list in the Shared Objects panel.

Removing shared objects

  1. Navigate to the shared object you want to remove and hover over the name.
  2. When the gear icon appears, click it.
  3. From the expanded panel, click Remove. If the shared object is being used by another shared object, policy, rule, or rule list, a popup appears informing you that you cannot remove shared objects that are in use. Click OK to acknowledge this message. If the shared object can be removed, a popup appears confirming the removal. Click OK to confirm.

About address lists

Address lists are collections of IPv4 or IPv6 addresses, address ranges, nested address lists, or subnets saved on a server and available for use in firewall rules, rule lists, and policies.

Firewall rules refer to address lists to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses from the list to either the source or the destination IP address (in IP packets), depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.

Address lists are containers and must contain at least one address entry. You cannot create an empty address list; you cannot remove an entry in an address list if it is the only one.

Where address lists are visible in the expanded panels for Firewall Contexts, Policies, and Rule Lists, you can hover over nested address lists to see the first-level content displayed in a tooltip. The content (addresses, ranges, and nested address lists) is displayed whether or not the address list is locked for editing.

If a policy, rule list, or rule is locked for editing, you can right-click an address, address range, or address list in the locked object and remove that address, address range, or address list.

To view address list names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.

Note: Before nesting an address list inside an address list, check to be sure this option is supported on your BIG-IP device.

Managing address lists

From the BIG-IQ Security Shared Objects panel, you can add address lists or select address lists for deeper inspection or edit. From the expanded panel, you can clone, edit, or remove addresses, address ranges, or nested address lists.

You can define one or more reusable lists of addresses, and you can select one or more address lists to be included in a firewall rule.

Note: Address lists are containers and must contain at least one entry. You cannot create an empty address list; you cannot remove an entry in an address list if it is the only one.
  1. To add an address list, hover over the Address Lists banner and click the + icon. In the expanded panel, populate the property fields as required. All boxes outlined in gold are required. The Partition field is outlined in gold and although it is pre-populated with Common, it is an editable field. Click Tab to advance from field to field. When you are finished, click Add.
  2. To edit an address list, hover over the address list name and click the gear icon. In the expanded panel, click Edit to lock the object. Edit the Address List Properties and the Addresses areas as required. Click Tab to advance from field to field. When finished, click Save or Save and Close.
  3. To duplicate an address list, hover over the address list that you want to duplicate. Click the gear icon. In the expanded Address Lists panel, click Clone. The system displays a copy of the address list with blank Name and Description property fields. The Partition property field is pre-populated with Common. Enter a unique name, (optional) description, partition and any other edits to the address list entries. When finished, click Add. The cloned address list is added to the existing list of address lists.
  4. To remove an address list, hover over the address list name that you want to remove and then click the gear icon. In the expanded Address Lists panel, click Remove. If the address list is being used by another address list, a policy, rule, or rule list, a popup screen appears informing you that you cannot remove shared objects that are in use. Click OK to acknowledge this message. If the shared object can be removed, a popup screen appears confirming the removal. Click OK to confirm.
  5. To add addresses, address ranges, or nested address lists to an existing address list, hover over the address list name that you want to add to and then click the gear icon. Click Edit to lock the object. Then, click the + icon to the right of an address. A new row is added to the Addresses table under that row. Next, select Address, Address Range, or Address List from the drop-down list under the Type column. If you select Address List, in the Addresses column, type the first letter of an existing address list. A list of existing address lists appears. Select an address list from the list. When finished, click Save or Save and Close.
  6. To add address lists to firewalls and rules (used in rule lists and policies), navigate to the firewall or rule and lock it for editing. If you are editing a firewall, be sure to select the Enforced tab so that Enforced Firewall Rules are visible. Then, expand the Address Lists panel, select the address list you want to add, and drag-and-drop it onto the firewall or rule.
  7. To remove entries from an existing address list, click the address list name that you want to remove an entry from and then click the gear icon. Click Edit to lock the object. Next, click the X icon to the right of the address, address range, or address list that you want to remove. Then, click Save and Close.

Address list properties and addresses

Name
Text field naming the address list.

Description
Optional description of the address list.

Partition
Field pre-populated with Common (the default). This field is editable when creating or cloning address lists.

Type
After locking the address list for editing, select one of the following:
  • Address. Then, enter the address in the Addresses field. You can also enter an address range in this field by entering a range in the format: n.n.n.n-n.n.n.n.
  • Address range. The Addresses field becomes 2 fields separated by "to." Enter the beginning and ending addresses in these fields as appropriate.
  • Address list. When you type the first letter of a saved list, the Addresses field is populated with a picker list that displays saved address lists. You then select from the list.

Addresses
IPv4 or IPv6 address, address range, or nested address list. There are many ways an IPv4 or IPv6 address or address range can be constructed. The following methods and examples are not meant to be exhaustive.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported. You can shorten IPv6 addresses as defined in RFC 4291.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. Example IPv6 subnet: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example: 12.2.0.0%44/16.

Description
Optional text field used to describe the address, address range, or nested address list.
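The following is an added example, not BIG-IQ's own validation code: a Python parser that applies the address formats documented above (plain address, /prefix subnet, n.n.n.n-n.n.n.n range, %RouteDomainID/Mask) together with the container rules that an address list cannot be empty and that a nested list must already exist. The function names and the (type, value) entry layout are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed parser for the Addresses-column formats this chapter documents.
# It is an added illustration, not the BIG-IQ product's own code.
# Route domain (%ID) sits between the address and the optional /prefix.
ENTRY_RE = re.compile(r"^(?P<addr>[^%/]+)(?:%(?P<rd>\d+))?(?:/(?P<prefix>\d+))?$")


def parse_address_entry(entry: str) -> dict:
    """Classify one address entry and normalise it.

    Returns keys: kind ('address', 'subnet' or 'range'), version (4 or 6),
    value (normalised text) and route_domain (int or None).
    Raises ValueError for anything outside the documented formats.
    """
    text = entry.strip()
    if "-" in text:  # n.n.n.n-n.n.n.n range; both ends must share an IP version
        start_s, end_s = (p.strip() for p in text.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version:
            raise ValueError(f"mixed IP versions in range: {entry}")
        if start > end:
            raise ValueError(f"range start is after range end: {entry}")
        return {"kind": "range", "version": start.version,
                "value": f"{start}-{end}", "route_domain": None}
    m = ENTRY_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised address entry: {entry}")
    rd = int(m.group("rd")) if m.group("rd") else None
    if m.group("prefix") is None:
        addr = ipaddress.ip_address(m.group("addr"))  # accepts RFC 4291 short form
        return {"kind": "address", "version": addr.version,
                "value": str(addr), "route_domain": rd}
    # strict=True rejects host bits set inside the mask (e.g. 10.0.0.1/24), which
    # would otherwise match a different block than the administrator intended
    net = ipaddress.ip_network(f"{m.group('addr')}/{m.group('prefix')}", strict=True)
    return {"kind": "subnet", "version": net.version,
            "value": str(net), "route_domain": rd}


def entry_is_valid(entry: str) -> bool:
    """Convenience wrapper: True if the entry parses under the documented formats."""
    try:
        parse_address_entry(entry)
        return True
    except ValueError:
        return False


def validate_address_list(name: str, entries: list, known_lists: dict) -> list:
    """Apply the chapter's container rules to one address list.

    entries: (type, value) pairs with type 'Address', 'Address Range' or
    'Address List'. known_lists maps existing list names to their entries.
    Returns the problems found; an empty list means the object is acceptable.
    """
    problems = []
    if not entries:
        problems.append(f"{name}: an address list must contain at least one entry")
    for kind, value in entries:
        if kind == "Address List":
            if value not in known_lists:
                problems.append(f"{name}: nested list '{value}' does not exist")
        elif not entry_is_valid(value):
            problems.append(f"{name}: invalid {kind.lower()} '{value}'")
    return problems
```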

About port lists

Port lists are collections of ports, port ranges, or port lists saved on a server and available for use in firewall rules, rule lists, and policies.

Firewall rules refer to port lists to allow or deny access to specific ports in IP packets. They compare a packet's source port and/or destination port with the ports in a port list. If there is a match, the rule takes an action, such as accepting or dropping the packet.

Port lists are containers and must contain at least one entry. You cannot create an empty port list; you cannot remove an entry in a port list if it is the only one.

Where port lists are visible in the expanded panels for Firewall Contexts, Policies, and Rule Lists, you can hover over port lists to see the first-level content displayed in a tooltip. The content is displayed whether or not the port list is locked for editing.

If a policy, rule list, or rule is locked for editing, you can right-click a port, port range, or port list in the locked object and remove that port, port range, or port list.

To view port list names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.

Note: Before nesting a port list inside a port list, check to be sure this option is supported on your BIG-IP device.

Managing port lists

From the BIG-IQ Security Shared Objects panel, you can add port lists or select port lists for deeper inspection or edit. From the expanded panel, you can clone, edit, or remove ports, port ranges, or nested port lists.

You can define one or more reusable lists of ports, and you can select one or more port lists to be included in a firewall rule.

Note: Port lists are containers and must contain at least one entry. You cannot create an empty port list; you cannot remove an entry in a port list if it is the only one.
  1. To add a port list, hover over the Port Lists banner and click the + icon. In the expanded panel, populate the property fields as required. All boxes outlined in gold are required. The Partition field is outlined in gold and although it is pre-populated with Common, it is an editable field. Click Tab to advance from field to field. When finished, click Add.
  2. To edit a port list, hover over the port list name and click the gear icon. In the expanded panel, click Edit to lock the object. Edit Port List Properties and the Ports areas as required. Click Tab to advance from field to field. When finished, click Save or Save and Close.
  3. To duplicate port lists, hover over the port list that you want to duplicate. Click the gear icon. In the expanded Port Lists panel, click Clone. The system displays a copy of the port list with blank Name and Description property fields. The Partition property field is pre-populated with Common. Enter a unique name, (optional) description, partition and any other edits to the port list entries. When finished, click Add. The cloned port list is added to the existing list of port lists.
  4. To remove a port list, hover over the port list name that you want to remove and then click the gear icon. In the expanded panel, click Remove. If the port list is being used by another port list, a policy, rule, or rule list, a popup screen appears informing you that the shared object is in use. Click OK to acknowledge this message. If the shared object can be removed, a popup screen appears confirming the removal. Click OK to confirm.
  5. To add ports, port ranges, or port lists to an existing port list, click the port list name that you want to add to and then click the gear icon. Click Edit to lock the object. Then, click the + icon to the right of a port. A new row is added to the Ports table under that row. In this new row, you can select Port, Port Range, or Port List from the drop-down list under the Type column. If you select Port List, in the Ports column, type the first letter of an existing port list. A list of existing port lists appears. Select a port list from the list. When finished, click Save or Save and Close.
  6. To add port lists to firewalls and rules (used in rule lists and policies), navigate to the firewall or rule and lock it for editing. If you are editing a firewall, be sure to select the Enforced tab so that Enforced Firewall Rules are visible. Then, expand the Port Lists panel, select the port list you want to add, and drag-and-drop it onto the firewall or rule.
  7. To remove entries from an existing port list, click the port list name that you want to remove an entry from and then click the gear icon. Click Edit to lock the object. Next, click the X icon to the right of the port, port range, or port list that you want to remove. Then, click Save and Close. You can also remove ports, port ranges, or port lists from rule lists by expanding and locking the rule list, hovering over the item, right-clicking, and selecting Remove item.

Port list properties and ports

Name
Unique name used to identify the port list.

Description
Optional description for the port list.

Partition
Field pre-populated with Common (the default). This field is editable when creating or cloning port lists.

Type
After locking the port list for editing, select one of the following:
  • Port. Then, enter the port in the Ports field. You can also enter a port range in this field by entering a range in the format: n-n. Valid port numbers are 1-65535.
  • Port range. The Ports field becomes 2 fields separated by "to." Enter the beginning port and ending port in these fields as appropriate.
  • Port list. When you type the first letter of a saved list, the Ports field is populated with a picker list that displays saved port lists. You then select from the list.

Ports
Port, port range, or port list. Valid port numbers are 1-65535.

Description
Optional text field used to describe the port, port range, or nested port list.

About schedules

Schedules are assigned to rules, rule lists, and policies to control when these shared objects are actively evaluated.

By default, all rules, rule lists, and policies are on a continuously active schedule. Schedules are continuously active if created without any scheduling specifics (such as the hour that the schedule starts). If you apply a schedule to a rule, rule list, or policy, you can reduce the time that the rule, rule list, or policy is active.

Managing schedules

From the BIG-IQ Security GUI Shared Objects panel, you can add, edit, duplicate, or remove schedules.

You can also add a schedule to a firewall, policy, or rule by opening the firewall (or policy or rule), locking it for edit, and dragging-and-dropping the schedule onto the rule's State column.

Note: You can define one or more reusable schedules, and you can select one or more schedules to be included in a firewall rule.
  1. To add schedules, hover over the Schedules banner and click the + icon. In the expanded panel, populate the property fields as required. Click Tab to advance from field to field. When you are finished, click Add.
  2. To edit schedules, hover over a schedule name and click the gear icon. From the expanded panel, click Edit to lock the object. Edit the Schedule Properties as required. Click Tab to advance from field to field. When finished, click Save.
  3. To remove schedules, hover over the schedule name that you want to remove and when the gear icon appears, click it. From the expanded panel, click Remove. If the schedule is being used by a policy, rule, or rule list, a popup screen appears informing you that you cannot remove shared objects that are in use. Click OK to acknowledge this message. If the shared object can be removed, a popup screen appears confirming the removal. Click OK to confirm.
  4. To add schedules by drag-and-drop to firewalls, policies, and rules, navigate to the firewall (policy or rule) and lock it for editing. Be sure the Enforced Firewall Rules are visible. Then, expand the Schedules panel, select the schedule you want to add, and drag-and-drop it onto the State column in the rule. When finished, click Save.

Cloning schedules

Use the expanded Shared Object panel to clone schedules and add them to the BIG-IQ Security database.

Then, assign schedules to firewall rules to control when the rules apply.

  1. Under the Shared Objects header, click Schedules to expand the Schedules section and display the list of schedules.
  2. Hover over the name of the schedule that you want to clone and when the gear icon appears, click it to expand the panel.
  3. Click Clone.
  4. Edit the fields as required. Your changes are saved automatically.
     Name
     Unique, user-provided name.
     Description
     Optional description for the schedule.
     Partition
     Accept the default (Common) or enter a partition name. Although pre-populated with Common, you can set the partition when cloning a schedule. No whitespace is allowed in the partition name.
     Date Range
     Click the field to display a calendar, and select a date in the calendar. When finished, click Done.
     Time Span
     Format: HH:MM. Time span start and end means you can set the schedule to run only during certain hours of the day. If you leave these fields blank, the schedule will run all day.
     Day
     Select all check boxes that apply. You must select at least one.
The cloned schedule appears in the Schedules section of the Shared Objects panel.

Schedule properties

Name
Unique name used to identify the schedule.

Description
Optional description for the schedule.

Partition
Informational, read-only field displaying the name of the partition associated with the schedule.

Date Range
Note: Using the GUI to specify the start and end dates and times is the preferred method. However, if you do specify dates manually, use the format: YYYY-MM-DD HH:MM:SS.
Click the first field to display a calendar popup screen and select a start date. Click the second field to display a calendar and select an end date. You can specify:
  • Start date and no end date. The equivalent on the BIG-IP system is After, which specifies that the schedule starts after the specified date and runs indefinitely. The schedule is activated starting on the selected date and runs until you change the start date or delete the schedule. Click in the field to choose a start date from a popup calendar. You can specify a start time in the same popup screen.
  • End date and no start date. The equivalent on the BIG-IP system is Until, which specifies that the schedule starts immediately and runs until a specified end date. The schedule is immediately activated and not disabled until the end date is reached. Click in the field to choose an end date from a popup calendar. You can specify an end time in the same popup screen.
  • Both a start date and an end date. The equivalent on the BIG-IP system is Between, which specifies that the schedule starts on the specified date and runs until the specified end date. Click in the fields to choose the start and end dates from a popup calendar. You can specify start and end times in the same popup screen.
  • Neither a start date nor an end date. The equivalent on the BIG-IP system is Indefinite, which specifies that the schedule starts immediately and runs indefinitely. The schedule remains active until you change the date range or delete the schedule.

Time Span
Time is specified in military time format: HH:MM. You can specify time manually or click in the fields and use the Choose Time popup screen. Click the first time span field and use the sliders to specify a start time in the popup screen. Click the second time span field and use the sliders to specify an end time in the popup screen.

If you leave these fields blank, the schedule runs all day, which is the default on the BIG-IQ Security system and on BIG-IP devices. (This option is explicitly called All Day on BIG-IP devices.)

Day
Select check boxes for all days that apply. You must select at least one day per week.
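As an added example (not BIG-IQ's own scheduler code), the following Python models how the Date Range modes described above (After, Until, Between, Indefinite), the Time Span, and the Day selection combine to decide whether a rule carrying a schedule is active at a given moment. The dict layout, the function names, and the treatment of a single blank time bound as open-ended are assumptions made for the illustration.

```python
from datetime import datetime

# Added illustration of schedule evaluation; not the BIG-IQ product's own code.
# A schedule is modelled as a dict (an assumption for this example):
#   "start"/"end":           None, a datetime, or "YYYY-MM-DD HH:MM:SS" text
#   "time_start"/"time_end": "HH:MM" (military time) or None when left blank
#   "days":                  set of weekday names; at least one is required

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def _parse_ts(value):
    # None or a datetime pass through; strings use the chapter's manual format
    if value is None or isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def _parse_hhmm(value):
    # A blank field means that time bound is not set
    return datetime.strptime(value, "%H:%M").time() if value else None


def date_range_mode(schedule: dict) -> str:
    """Map start/end presence to the BIG-IP name the chapter gives for it."""
    has_start = schedule.get("start") is not None
    has_end = schedule.get("end") is not None
    if has_start and has_end:
        return "Between"
    if has_start:
        return "After"
    if has_end:
        return "Until"
    return "Indefinite"


def schedule_is_active(schedule: dict, at) -> bool:
    """Return True if a rule carrying this schedule is evaluated at `at`."""
    days = {d.lower() for d in schedule.get("days", ())}
    if not days or not days <= set(DAYS):
        raise ValueError("schedule must select at least one valid day")
    at = _parse_ts(at)
    start, end = _parse_ts(schedule.get("start")), _parse_ts(schedule.get("end"))
    if start is not None and at < start:   # After / Between: not started yet
        return False
    if end is not None and at > end:       # Until / Between: already expired
        return False
    if DAYS[at.weekday()] not in days:     # Day check boxes
        return False
    t_start = _parse_hhmm(schedule.get("time_start"))
    t_end = _parse_hhmm(schedule.get("time_end"))
    if t_start is None and t_end is None:  # both blank: All Day (the default)
        return True
    now = at.time()
    # Assumption: a single blank bound leaves that side open; bounds are inclusive
    if t_start is not None and now < t_start:
        return False
    if t_end is not None and now > t_end:
        return False
    return True
```

A schedule that narrows a rule to business hours reduces the window in which that rule's accept action is reachable, so checking the evaluation result against a few representative timestamps is a cheap way to confirm the intended coverage before deployment.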