Manual Chapter : Managing Firewalls

Applies To:

BIG-IQ Security

  • 4.2.0
About managing firewalls in BIG-IQ Security

Firewalls provide policy-based access control to and from address and port pairs, inside and outside the network. Using a combination of contexts, a firewall can apply rules in a number of different ways, including at a global level, per virtual server, per route domain, and even for the management port or a self IP address.

In BIG-IQ Security, the Firewalls panel displays network firewalls imported from discovered BIG-IP devices.

Each row in the panel contains the firewall name, its type, its parent device, and the partition it resides in. Note that an administrative partition is a part of the BIG-IP configuration that is accessible only to a particular group of administrators. The default partition for all BIG-IP configurations, /Common, is accessible to all administrators. A sufficiently privileged administrator can create additional partitions. Each partition corresponds to a folder (with the same name) that holds its configuration objects.

You can edit inline rules from the Firewalls panel. You can edit all other firewall shared objects only from within the object's panel. For example, you can edit rule lists, including the reordering of rules, only from the Rule Lists panel.

To get help about an individual firewall, click that firewall's row and then click the help icon. For details on a specific firewall, hover in the row for that firewall and when the gear icon appears, click it.

Firewall types

Consult the following table for information about the firewall types.

Global (labeled in panel as global)
  On a BIG-IP device, packets are processed by the global firewall before they reach the route domain, virtual server, or self IP firewalls. The global firewall collects rules that apply to all traffic that traverses the firewall; global rules are checked first.

Route domain (labeled in panel as rd)
  There can be more than one configured route domain firewall on a device; each is listed by its ID. The default route domain firewall on the BIG-IP device is Route Domain 0. Even if you have not configured a route domain, you can apply route domain rules to Route Domain 0. Packets are processed by the route domain firewall after the global firewall and before they are processed by the associated virtual server or self IP firewalls. The route domain firewall collects rules that apply to a specific route domain defined on the server.

Virtual server (labeled in panel as vip)
  The virtual server firewall collects rules that apply to the selected existing virtual server only. Packets that pass through the virtual server are assessed by this firewall. Virtual server rules are checked after route domain rules.

Self IP (labeled in panel as self-ip)
  The self IP firewall consists of an IP packet filter configured on the self IP address (internal or external). Any IP packet that passes through the self IP is processed by this firewall. The self IP firewall collects firewall rules that apply to the self IP address on the BIG-IP device. Self IP rules are checked after route domain rules.

Management (labeled in panel as mgmt)
  Labeled Management Port on a BIG-IP device. The management firewall (a single firewall per management interface) consists of an IP packet filter configured on the management port and collects firewall rules that apply to the management port. BIG-IQ Security does not support configuring rule lists or policies on the management firewall.

Firewall properties

The Properties tab displays the properties for the selected firewall. All fields are informational and read-only, with the exception of the (optional) description.

Name
  Displays the name as shown in the GUI: global for the global firewall; management-ip for the management IP firewall; 0 for route domain; the IP address for self-ip; the virtual server name for vip.

Description
  Displays an (optional) description for the firewall.

Partition
  Usually displays /Common. An administrative partition is a part of the BIG-IP configuration that is accessible only to a particular group of administrators. The default partition for all BIG-IP configurations, /Common, is accessible to all administrators. A sufficiently privileged administrator can create additional partitions. Each partition corresponds to a folder (with the same name) that holds its configuration objects.

Type
  Displays one of the following: global (global); route-domain (rd); virtual server (vip); self-ip (self-ip); management-ip (mgmt).

Route Domain ID (route domain firewalls only)
  Displays a number that identifies the route domain.

Device
  Displays the name of the BIG-IP device where the firewall resides.

About the Firewalls panel tabs

The Firewalls panel expands to display the following tabs:

  • Properties. Displays firewall properties, which are informational and read-only, except the (optional) description.
  • Enforced. Displays policies or rules/rule lists whose actions are executed.
  • Staged. Displays policies whose actions are not live and are not executed.

You can assign to a firewall an enforced policy or a set of explicitly-defined rules and rule lists. The firewall cannot have both in force at the same time. However, you can configure simultaneously on the same firewall both staged policies and enforced inline rules and rule lists.

Adding an enforced policy

The Enforced tab (Firewalls panel) displays policies or rules/rule lists whose actions (accept, accept decisively, drop, reject) are executed. You are restricted to a single, enforced policy on any specific firewall. If you have an enforced policy on a firewall, you cannot also have inline rules and rule lists on that same firewall.

The Enforced tab displays policies if policies are supported for the selected firewall.

Note: Policies can be enforced in one context and staged in another.
  1. Select the Enforced tab.
  2. If the firewall is not already locked, click Edit to establish a lock.
  3. In the Enforced tab, add a policy by dragging-and-dropping a policy from the Policies panel or click Add Policy to display a list of policies.
  4. In the popup screen, select the policy you want to enforce and click Add. If the firewall already has inline rules configured, you are notified that adding a policy will result in the removal of all existing rules and rule lists.
  5. In the Enforced tab, create a rule by clicking Create Rule and populating the fields as appropriate or add a rule list by clicking Add Rule List. If you click Add Rule List, select a rule list from the Rule Lists popup screen and then click Add. A new row appears in the table. This row contains a template, including defaults, for the new rule.
  6. Edit the fields as appropriate. Press Tab to advance from field to field. You can also add rules by right-clicking the last rule in the table and selecting Add rule before or Add rule after. If you right-click below the bottom row in the Rules table, you can select the option Add rule. You can then reorder rules by dragging-and-dropping them until they are in the correct execution order.
  7. To add a rule list, click Add Rule List.
  8. In the popup screen that appears, select the name of the rule list that you want to add and click Add.
  9. When finished, click Save.
  10. To clear a lock, click the Unlock link.
  11. To remove policies, click the x icon following the policy name.

Adding a staged policy

The Staged tab (Firewalls panel) displays policies whose actions are not live; actions (accept, accept decisively, drop, reject) are not executed. Rather, actions are logged. Thus, you can stage a policy first and examine the logs to determine how the policy has affected traffic. Then, you can determine the timing for turning the policy from staged to enforced.

Rules and rule lists are not allowed on staged policies.

Note: A policy can be staged in one context and enforced in another.
  1. Select the Staged tab.
  2. In the Staged tab, add a policy by dragging-and-dropping a policy from the Policies panel or click Add Policy to display a list of policies.
  3. In the popup, select the policy you want to stage and click Add.
  4. When finished, click Save.
  5. To remove policies, click the x icon following the policy name.

About BIG-IP system firewall contexts

A firewall context is the category of object to which a rule applies. In this case, category refers to Global, Route Domain, Virtual Server, Self IP, or Management.

It is possible to have multiple layers of firewalls on a single BIG-IP device. These layers constitute the firewall hierarchy. Within the firewall hierarchy, rules progress from Global, to Route Domain, and then to either Virtual Server or Self IP. Management port rules are processed separately and are not processed as part of the hierarchy. Rules can be viewed and reorganized separately within each context.

If a packet matches a firewall rule within a given context, that action is applied to the packet, and the packet then moves to the next context for further processing. If the packet is accepted, it travels on to the next context. If the packet is accepted decisively, it goes directly to its destination. If the packet is dropped or rejected, all processing stops for that packet; it travels no further.

On each firewall, you can have rules, rule lists, or policies that are enforced or staged. Rules, rule lists, or policies are processed in order within their context and within the context hierarchy. Rules for the Management Port are processed separately and not as part of the context hierarchy.

About global firewalls

A global firewall is an IP packet filter that applies at the global level of a BIG-IP device. Except for packets traveling to the management firewall, it is the first firewall that an IP packet encounters: any packet reaching a BIG-IP device must pass through the global firewall first.

When you create firewall rules, rule lists, or policies, you can select one of several contexts. Global is one of the contexts you can select. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

About route domain firewalls

A route domain firewall is an IP packet filter that applies at the route domain level of a BIG-IP device.

A route domain is a BIG-IP system object that represents a particular network configuration. After creating a route domain, you can associate various BIG-IP system objects with the domain: unique VLANs, routing table entries such as a default gateway and static routes, self IP addresses, virtual servers, pool members, and firewalls.

When a route domain firewall is configured to apply to one route domain, any IP packet that passes through that route domain is assessed and possibly filtered out by the configured firewall.

When you create firewall rules, rule lists, or policies, you can select one of several contexts. Route domain is one of the contexts you can select. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

Route domain rules are collected in the Route Domain context and apply to a specific route domain configured on the server. Route domain rules are checked after global rules. Even if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context.

About virtual server firewalls

A virtual server firewall is an IP packet filter configured on the virtual server and, therefore, designated for client-side traffic. Any IP packet that passes through the virtual server IP address is assessed and possibly filtered out by this firewall.

When you create firewall rules, rule lists, or policies, you can select one of several contexts, including virtual server. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

Virtual server rules apply to the selected virtual server only. Virtual server rules are checked after route domain rules.

About self IP firewalls

A self IP firewall is an IP packet filter configured on the self IP address and, therefore, designated for server-side traffic. Any IP packet that passes through the self IP is assessed and possibly filtered out by this firewall.

A self IP address is an IP address on a BIG-IP system that is associated with a VLAN and used to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space; that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address.

A static self IP address is an IP address that is assigned to the system and does not migrate between BIG-IP systems. By default, the self IP addresses created with the Configuration utility are static self IP addresses. One self IP address must be defined for each VLAN.

When you create firewall rules, rule lists, or policies, you can select one of several contexts, including self IP. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

The self IP context collects firewall rules that apply to the self IP address on the BIG-IP device. Self IP rules are checked after route domain rules.

About management firewalls

A management firewall is an IP packet filter configured on the management IP address and, therefore, designated to examine management traffic. Any IP packet that passes through the management IP address is assessed and possibly filtered out by this firewall.

The network software compares IP packets to the criteria specified in management firewall rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match a rule, then the software compares the packet against the next rule. If a packet does not match any rule, the packet is accepted.

Management firewalls collect firewall rules that apply to the management port on the BIG-IP device. Management port firewalls are outside the firewall context hierarchy and management port rules are checked independently of other rules.

Note: Policies and rule lists are not permitted on management firewalls. For management firewalls, only inline rules are allowed. To add inline rules, drag-and-drop them onto the management firewall.

You can also drag-and-drop address lists and port lists onto management firewalls.
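The context hierarchy described under "About BIG-IP system firewall contexts" (global, then route domain, then virtual server or self IP, with accept continuing, accept decisively ending processing, and drop/reject stopping the packet) and the separate first-match, default-accept evaluation described for the management firewall can be modelled in a few lines. The following is an added illustration written for this chapter, not BIG-IQ or BIG-IP code; the rule fields, the sample rules and addresses are constructed, and two points the chapter leaves implicit are treated as assumptions: a context with no matching rule passes the packet on to the next context, and a packet that no context drops or rejects is accepted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, ACCEPT_DECISIVELY, DROP, REJECT = "accept", "accept-decisively", "drop", "reject"

@dataclass
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"       # source prefix; the default matches any address
    dst: str = "0.0.0.0/0"       # destination prefix
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

def first_match(rules, pkt):
    """Rules inside one context are checked in order; the first match decides."""
    return next((r for r in rules if r.matches(pkt)), None)

def evaluate(contexts, pkt, leaf="virtual-server"):
    """Walk global -> route domain -> virtual server (or self IP for server-side
    traffic). Returns (final action, trail of (context, matched rule name))."""
    trail = []
    for ctx in ("global", "route-domain", leaf):
        rule = first_match(contexts.get(ctx, []), pkt)
        trail.append((ctx, rule.name if rule else None))
        if rule is not None and rule.action != ACCEPT:
            return rule.action, trail  # accept decisively, drop, reject: stop here
        # a plain accept moves on; assumption: no match also moves on
    return ACCEPT, trail  # assumption: nothing dropped or rejected it, so it is accepted

def evaluate_management(rules, pkt):
    """Management port: outside the hierarchy; an unmatched packet is accepted."""
    rule = first_match(rules, pkt)
    return rule.action if rule else ACCEPT

# Constructed sample configuration (documentation address ranges, not a real device)
CONTEXTS = {
    "global": [Rule("drop-rfc1918-src", DROP, src="10.0.0.0/8")],
    "route-domain": [Rule("rd0-web", ACCEPT, dst="192.0.2.10/32", dport=443),
                     Rule("rd0-dns-decisive", ACCEPT_DECISIVELY, dport=53)],
    "virtual-server": [Rule("vip-reject-8443", REJECT, dport=8443)],
}
MGMT_RULES = [Rule("mgmt-ssh-admins", ACCEPT, src="198.51.100.0/24", dport=22),
              Rule("mgmt-ssh-others", DROP, dport=22)]
```

Running evaluate on a 203.0.113.5 -> 192.0.2.10:443 packet shows a plain accept in the route domain context still being checked against the virtual server rules, whereas a port 53 packet accepted decisively there never reaches them.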