Manual Chapter: Managing Rules and Rule Lists

About rules and rule lists

With the BIG-IQ Security system, you manage rules and rule lists from the Rule Lists panel. You can import rules and rule lists from BIG-IP devices and manage them centrally, or define rules and rule lists within BIG-IQ Security and deploy them back to the BIG-IP device.

Network firewalls use rules (and rule lists) to specify traffic-handling actions.

Rules are not independent objects and can exist only within rule lists or policies. You can define a list of rules for a specific firewall, refer by name to one or more shared rule lists (including those used by other firewalls), or do both.

The network software compares IP packets to the criteria specified in rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match any rule from the list, the software accepts the packet or passes it to the next rule or rule list. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.

A packet must pass all tests to match successfully. For example, to match against a source subnet and several destination ports, a packet must originate from the given subnet and must also have one of the specified destination ports.

Rule lists are containers for rules. A rule list can contain thousands of rules but cannot be nested inside another rule list. The list is ordered: rules are evaluated in the order they appear, and you can reorder them at any time.

Rules and rule lists can be applied to all firewall types:

  • Global
  • Route domain
  • Virtual server
  • Self IP
  • Management (rules only)

You can reuse a rule list across multiple firewalls, such as the firewalls for self IPs, route domains, and the global firewall. To reuse rule lists, drag-and-drop them to firewalls and policies as you choose.

Adding rules

You can create specific rules in support of a specific firewall or policy, gather those rules in a rule list, and assign the rule list to the firewall or policy.
  1. Hover in the Rule Lists banner and click the + icon to display the Properties tab and the Rules tab.
  2. In the Properties tab, edit the Rule List Properties as required.
    Option        Description
    Name          Enter a name for the rule list.
    Description   Enter an optional description.
  3. In the Rules tab, click Create Rule. A new row appears in the table. The row contains a rule template, including defaults, for the new rule.
  4. Edit as appropriate. Press Tab to advance from field to field. You can also add rules by right-clicking under the bottom row in the Rules table; the rule template is added to the bottom of the table. Once entered, you can reorder rules by dragging and dropping them until they are in the correct order.
  5. When finished, click Save.
  6. To remove a rule, hover over the rule name and right-click. From the drop-down menu, select Delete Rule. This drop-down menu also provides options to Add rule before and Add rule after (the rule you are hovering over).
The new rule list appears at the bottom of the Rule Lists panel.

Adding rule lists

To add rule lists, expand the Rule Lists panel to display the Properties tab and the Rules tab.
  1. Hover in the Rule Lists banner and click the + icon to display the Properties tab and the Rules tab.
  2. In the Properties tab, edit the fields as required.
    Option        Description
    Name          Enter a name for the rule list.
    Description   Enter an optional description.
    Partition     Although pre-populated with Common (default), you can set the partition when creating or cloning rule lists by entering a unique name for the partition. Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  3. In the Rules tab, click Create Rule. A new row appears in the table. This row contains a template, including defaults.
  4. Edit as appropriate. Press Tab to advance from field to field. You can also add rules by right-clicking under the bottom row in the Rules table; the rule is added to the bottom of the table. You can then reorder rules by dragging and dropping them until they are in the correct order.
  5. When finished, click Save.
The new rule list appears at the bottom of the Rule Lists panel.

Managing rule lists

You can manage the content of rule lists from the Rule Lists panel, including the order of rules in rule lists. You must lock a rule list before editing it.
  1. Hover in the header for the rule list that you want to edit, and click the gear icon to display the Properties tab and the Rules tab.
  2. In the Properties tab, edit the content you want to change.
    Option        Description
    Name          Change the name of the rule list.
    Description   Enter or change an optional description.
    Partition     Informational, read-only field. You can change the partition name only when creating or cloning a rule list.
  3. In the Rules tab, if the rule list is not already locked, click Edit to lock it.
  4. Click the row of the rule you want to edit.
  5. Edit as appropriate. Press Tab to advance from field to field. To reorder rules, drag and drop them until they are in the correct order.
  6. When finished, click Save.
Changes made to the rule list are reflected the next time the Firewall Contexts or Policies panels are refreshed.

Cloning rule lists

Cloning lets you quickly create rule lists tailored to the unique aspects of your network firewall environment. When you clone a rule list, you create an exact copy of it, which you can then edit to address any special considerations.

Users with the roles of Firewall_View or Firewall_Deploy cannot clone policies.

  1. Navigate to the Rule Lists panel.
  2. Hover over the name of the rule list that you want to clone and, when the gear icon appears, click it to display the expanded panel.
  3. Click Clone.
  4. In the Properties tab, edit the fields as required. Press Tab to advance from field to field.
    Option        Description
    Name          Enter a name for the cloned rule list. The clone cannot have the same name as the source rule list unless the partition name is changed.
    Description   Enter an optional description.
    Partition     Although pre-populated with Common (default), you can set the partition when creating or cloning rule lists by entering a unique name for the partition. Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  5. In the Rules tab, edit the rules as required to configure the clone. You can also click Create Rule to add a new rule.
  6. When finished, click Add. Any changes made are preserved. If you click Cancel, the rule list is not cloned.
The cloned rule list appears at the bottom of the Rule Lists panel.

Removing rule lists

To remove rule lists, expand the Rule Lists panel to display the Properties tab and the Rules tab.
  1. Hover in the header of the rule list you want to remove and, when the gear icon appears, click it to display the Properties tab and the Rules tab.
  2. At the top of the expanded area, click Remove.
  3. If the rule list is safe to remove, a confirmation dialog box appears; click Remove to confirm. If the rule list is in use, you cannot complete the removal: a popup informs you that the rule list cannot be removed because it is in use. Click Close to acknowledge this message, then click Cancel in the Remove popup screen. To see where a rule list is used, click the rule list so that its name appears in the search field, then click Apply; the GUI displays only those objects related to the search. To clear the search, click the x icon to the right of the search string.
The rule list disappears from the Rule Lists panel.

Rule and rule list properties

After import into the BIG-IQ Security system, you can configure network firewalls through the Firewall Contexts panel, or edit imported rules, rule lists, or policies through the Rule Lists panel or the Policies panel. However, you must edit shared objects through the Shared Objects panel; shared objects cannot be edited inside rules. The following table lists and describes the properties required when configuring network firewall rules and rule lists.

Name
    Unique, user-provided name for the rule or rule list. If the name is a rule list name, it is preceded by referenceTo_ when dragged and dropped to a firewall or policy. For example: referenceTo_sys_sef_allow_all.

Address (Source)
    There are many ways to construct an IPv4 or IPv6 address, address range, or address list. The following methods and examples are not meant to be exhaustive.

    IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

    IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

    You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is 2001:db8:a::/64.

    You can append a route domain to an address using the format %RouteDomainID/Mask. For example: 12.2.0.0%44/16.

    From the drop-down list, select:

    Address
        Enter the address in the Addresses field. You can also enter an address range in the Addresses field using the format n.n.n.n-n.n.n.n. For example: 1.1.1.1-2.2.2.2.
    Address range
        Enter the beginning address in the first Addresses field and the ending address in the second Addresses field.
    Address list
        In the Addresses field, enter text to display the stored address lists. You can select any of the address lists displayed.

    To the right, options are provided to add more addresses, address ranges, or address lists (+) and to delete addresses, address ranges, or address lists (X).

    When finished, click Save or Add.

Port
    Ports, port ranges, or port lists.

    From the drop-down list, select:

    Port
        Enter the port in the Ports field. You can also enter a port range in the Ports field using the format n-n. For example: 43-44.
    Port range
        Enter the beginning port in the first Ports field and the ending port in the second Ports field.
    Port list
        In the Ports field, enter text to display the stored port lists. You can select any of the port lists displayed.

    To the right, options are provided to add more ports, port ranges, or port lists (+) and to delete ports, port ranges, or port lists (X).

    When finished, click Save or Add.

VLAN
    Name of the VLAN physically present on the device (Internal, External, or Any). The VLAN must be configured on the device or the deploy fails. When finished, click Save or Add.

Address (Destination)
    There are many ways to construct an IPv4 or IPv6 address, address range, or address list. The following methods and examples are not meant to be exhaustive.

    IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

    IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

    You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is 2001:db8:a::/64.

    You can append a route domain to an address using the format %RouteDomainID/Mask. For example: 12.2.0.0%44/16.

    From the drop-down list, select:

    Address
        Enter the address in the Addresses field. You can also enter an address range in the Addresses field using the format n.n.n.n-n.n.n.n. For example: 1.1.1.1-2.2.2.2.
    Address range
        Enter the beginning address in the first Addresses field and the ending address in the second Addresses field.
    Address list
        In the Addresses field, enter text to display the stored address lists. You can select any of the address lists displayed.

    To the right, options are provided to add more addresses, address ranges, or address lists (+) and to delete addresses, address ranges, or address lists (X).

    When finished, click Save or Add.

Port
    Ports, port ranges, or port lists.

    From the drop-down list, select:

    Port
        Enter the port in the Ports field. You can also enter a port range in the Ports field using the format n-n. For example: 43-44.
    Port range
        Enter the beginning port in the first Ports field and the ending port in the second Ports field.
    Port list
        In the Ports field, enter text to display the stored port lists. You can select any of the port lists displayed.

    To the right, options are provided to add more ports, port ranges, or port lists (+) and to delete ports, port ranges, or port lists (X).

    When finished, click Save or Add.

Action
    Click in the column and select one of the following:

    accept
        Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    accept decisively
        Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the subsequent firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. If the rule list is applied to a virtual server, management IP, or self IP firewall rule, then Accept Decisively is equivalent to Accept.
    drop
        Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    reject
        Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender.

    When finished, click Save or Add.

Description
    Optional description for the current rule. To add a description, click in the column, enter text, and click Save or Add.

Protocol
    IP protocol to compare against the packet. Select the appropriate protocol from the drop-down list and click Save or Add.

    If you select ICMP or IPv6-ICMP, a gear icon appears. Click the gear icon to display the screen where you can change the Type and Code combinations for the ICMP and ICMPv6 protocols. The gear icon also appears if you select Other, so that you can enter the numeric value of the protocol.

    The default Type is Any. The default Code is Any.

    Type
        For ICMP
            Choose from a list of control messages, such as Echo Reply (0) and Destination Unreachable (3), or select Any to indicate that the system applies the rule to all ICMP messages. You can also select Other to specify an ICMP message not listed. The ICMP protocol contains definitions for the existing message type and number pairs.
        For ICMPv6
            Choose from a list of control messages, such as Packet Too Big (2) and Time Exceeded (3), or select Any to indicate that the system applies the rule to all ICMPv6 messages. You can also select Other to specify an ICMPv6 message not listed. The ICMPv6 protocol contains definitions for the existing message type and number pairs.

        If the value selected for Type is Any, the selected Code must be Any.

        If the value selected for Type is Other, the number entered must be in the range 0 to 255.

    Code
        For ICMP
            This field specifies the code returned in response to the specified ICMP message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or select Any to indicate that the system applies the rule to all codes in response to that specific ICMP message. You can also select Other to specify a code not listed. The ICMP protocol contains definitions for the existing message code and number pairs.
        For ICMPv6
            This field specifies the code returned in response to the specified ICMPv6 message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Packet Too Big (2)) and Fragment Reassembly Time Exceeded (1) (associated with Time Exceeded (3)), or select Any to indicate that the system applies the rule to all codes in response to that specific ICMPv6 message. You can also select Other to specify a code not listed. The ICMPv6 protocol contains definitions for the existing message code and number pairs.

        If the value selected for Type is Any, the selected Code must be Any.

        If the value selected for Code is Other, the number entered must be in the range 0 to 255.

State
    Click in the column and select an option from the drop-down list to specify whether the rule is enabled, disabled, or scheduled. The field is updated. Click Save or Add when you are ready to save your changes.

    If you select scheduled from the drop-down list, the Select Schedule drop-down list is displayed. Select a schedule and click OK.

    If you have assigned a schedule, a gear icon appears to the right of the State setting in the State column. To change the State setting, click the gear icon to open the Select Schedule popup screen.

    If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.

Log
    Click in the column and select an option from the drop-down list to specify whether the firewall software should write a log entry for any packets that match this rule. From the drop-down list, select true (log an entry) or false (do not log an entry). When finished, click Save or Add.

    To set or edit this setting, the discovered device must be at version 11.3 HF6 or later. The setting is not editable on devices earlier than version 11.3 HF6.

    When a new rule is added to a firewall through the BIG-IQ Security GUI, editing is enabled for the Log setting even for devices with versions earlier than 11.3 HF6.
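The following is an added illustration, not BIG-IQ or BIG-IP code, of the evaluation behaviour described under About rules and rule lists and in the Address and Action properties above: rules are tested in order, a packet must pass every test of a rule, the first match decides, and accept differs from accept decisively in whether later firewall contexts still inspect the packet. The rule and packet dictionaries, the "any" keyword, and the list of contexts are assumptions of this model.

```python
# Added example, not BIG-IQ or BIG-IP code: a model of the evaluation the chapter
# describes. Rules are tested in order, every test of a rule must pass, the first
# match decides, and an unmatched packet falls through. Address specs use the
# chapter's formats: a.b.c.d[/prefix], IPv6[/prefix], n.n.n.n-n.n.n.n, %RouteDomainID/Mask.
import ipaddress

def parse_address(spec):
    """Return (route_domain, ip_network or (lo, hi) range) for one address spec."""
    rd = 0                                         # route domain 0 is the default
    if "%" in spec:                                # 12.2.0.0%44/16 -> rd 44, 12.2.0.0/16
        head, tail = spec.split("%", 1)
        rd_text, _, mask = tail.partition("/")
        rd, spec = int(rd_text), head + ("/" + mask if mask else "")
    if "-" in spec:                                # explicit range, e.g. 1.1.1.1-2.2.2.2
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("malformed address range: " + spec)
        return rd, (lo, hi)
    return rd, ipaddress.ip_network(spec, strict=False)

def address_matches(spec, addr, route_domain=0):
    if spec == "any":
        return True
    rd, net = parse_address(spec)
    ip = ipaddress.ip_address(addr)
    if rd != route_domain:                         # same address, other route domain: no match
        return False
    if isinstance(net, tuple):
        return ip.version == net[0].version and net[0] <= ip <= net[1]
    return ip.version == net.version and ip in net

def port_matches(spec, port):                      # 'any', one port '443', or a range '43-44'
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rule_list, packet):                   # first enabled rule whose tests all pass
    rd = packet.get("rd", 0)
    for rule in rule_list:
        if (rule.get("state", "enabled") == "enabled"
                and rule.get("protocol", "any") in ("any", packet["protocol"])
                and address_matches(rule["src"], packet["src"], rd)
                and address_matches(rule["dst"], packet["dst"], rd)
                and port_matches(rule.get("dport", "any"), packet["dport"])):
            return rule["action"]
    return None                                    # no match: pass to the next rule list

def evaluate_contexts(contexts, packet):           # contexts in order: global, route domain, ...
    """'accept' lets later contexts still inspect the packet; 'accept decisively' ends it."""
    for rule_list in contexts:
        action = evaluate(rule_list, packet)
        if action in ("drop", "reject", "accept decisively"):
            return action
    return "accept"
```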
