Applies To:

Show Versions Show Versions

Manual Chapter: Managing Firewall Contexts
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About managing firewall contexts in BIG-IQ Network Security

In BIG-IQ Network Security, a firewall context is a BIG-IP network object to which a firewall policy can be attached. In BIG-IQ Network Security, these network objects are called Global (global), Route Domain (rd), Virtual Server (vip), Self IP (sip), or Management (mgmt).

Firewall contexts provide policy-based access control to and from address and port pairs, inside and outside the network. Using a combination of contexts, a firewall can apply rules in a number of different ways, including at a global level, per virtual server, per route domain, and even for the management port or a self IP address.

Firewall properties include the firewall name, an (optional) description), its partition, its type, and its parent device on the partition in which it resides. Note that an administrative partition is a part of the BIG-IP configuration that is accessible only to a particular group of administrators. The default partition for all BIG-IP configurations, /Common, is accessible to all administrators. A sufficiently-privileged administrator can make additional partitions. Each partition corresponds to a folder (with the same name) to hold its configuration objects.

From the Enforced tab, you can view and configure policies or rules/rule lists whose actions (accept, accept decisively, drop, reject) are in force. You are restricted to a single, enforced policy on any specific firewall. If you have an enforced policy on a firewall, you cannot also have inline rules and rule lists on that same firewall.

You can edit inline rules from the Enforced tab. You can edit all other firewall shared objects only from within the object's panel. For example, you can edit rule lists, including the reordering of rules inside rule lists, only from the Rule Lists panel.

Note: Policies can be enforced in one firewall context and staged in another.

About BIG-IP system firewall contexts

A firewall context is the category of object to which a rule applies. In this case, category refers to Global, Route Domain, Virtual Server, Self IP, or Management. Rules can be viewed and reorganized separately within each context.

It is possible to have multiple layers of firewalls on a single BIG-IP device. These layers constitute the firewall hierarchy. Within the firewall hierarchy, rules progress from Global, to Route Domain, and then to either Virtual Server or Self IP.

If a packet matches a firewall rule within a given context, that action is applied to the packet, and the packet then moves to the next context for further processing. If the packet is accepted, it travels on to the next context. If the packet is accepted decisively, it goes directly to its destination. If the packet is dropped or rejected, all processing stops for that packet; it travels no further.

On each firewall, you can have rules, rule lists, or policies that are enforced or staged. Rules, rule lists, or policies are processed in order within their context and within the context hierarchy.

Rules for the Management interface are processed separately and not as part of the context hierarchy.

About global firewalls

A global firewall is an IP packet filter that resides on a global firewall on a BIG-IP device. Except for packets traveling to the management firewall, it is the first firewall that an IP packet encounters. Any packet reaching a BIG-IP device must pass through the global firewall first.

When you create firewall rules, rule lists, or policies, you can select one of several contexts. Global is one of the contexts you can select. Rules for each context form their own list, and are processed both in the context hierarchy and in the order within each context list.

About route domain firewalls

A route domain firewall is an IP packet filter that resides on a route domain firewall on a BIG-IP device.

A route domain is a BIG-IP system object that represents a particular network configuration. After creating a route domain, you can associate various BIG-IP system objects with the domain: unique VLANs, routing table entries such as a default gateway and static routes, self IP addresses, virtual servers, pool members, and firewalls.

When a route domain firewall is configured to apply to one route domain, it means that any IP packet that passes through the route domain is assessed and possibly filtered out by the configured firewall.

When you create firewall rules, rule lists, or policies, you can select one of several contexts. Route domain is one of the contexts you can select. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

Route domain rules apply to a specific route domain configured on the server. Route domain rules are checked after global rules. Even if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context.

Route domain rules are collected in the Route Domain context. Route domain rules apply to a specific route domain defined on the server. Route domain rules are checked after global rules.

About virtual server firewalls

A virtual server firewall is an IP packet filter configured on the virtual server and, therefore, designated for client-side traffic. Any IP packet that passes through the virtual server IP address is assessed and possibly filtered out by this firewall.

When you create firewall rules, rule lists, or policies, you can select one of several contexts, including virtual server. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

Virtual server rules apply to the selected virtual server only. Virtual server rules are checked after route domain rules.

About self IP firewalls

A self IP firewall is an IP packet filter configured on the self IP address, a firewall designated for server-side traffic. Any IP packet that passes through the self IP is assessed and possibly filtered out by this firewall.

A self IP address is an IP address on a BIG-IP system that is associated with a VLAN and used to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space; that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address.

A static self IP address is an IP address that is assigned to the system and does not migrate between BIG-IP systems. By default, the self IP addresses created with the Configuration utility are static self IP addresses. One self IP address must be defined for each VLAN.

When you create firewall rules, rule lists, or policies, you can select one of several contexts, including self IP. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

The self IP context collects firewall rules that apply to the self IP address on the BIG-IP device. Self IP rules are checked after route domain rules.

About management IP firewalls

A management IP firewall is an IP packet filter configured on the management IP address and, therefore, designated to examine management traffic. Any IP packet that passes through the management IP address is assessed and possibly filtered out by this firewall.

The network software compares IP packets to the criteria specified in management firewall rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match a rule, then the software compares the packet against the next rule. If a packet does not match any rule, the packet is accepted.

Management IP firewalls collect firewall rules that apply to the management port on the BIG-IP device. Management port firewalls are outside the firewall context hierarchy and management port rules are checked independently of other rules.

Note: Policies and rule lists are not permitted on management IP firewalls. In addition, the management IP firewall context does not support the use of iRules or geolocation in rules. For management IP firewalls, only inline rules are allowed. To add inline rules, drag-and-drop them onto the management firewall.

You can also drag-and-drop address lists, and port lists onto management IP firewalls.

About firewall policy types

In BIG-IQ Network Security, you can add the following firewall policy types:

Enforced
An enforced firewall policy modifies network traffic based on a set of firewall rules.
Staged
A staged firewall policy allows you to evaluate the effect a policy has on traffic without actually modifying the traffic based on the firewall rules.

You can assign to a firewall either an enforced firewall policy or a set of explicitly-defined rules and rule lists. The firewall cannot have both in force at the same time. However, you can configure simultaneously on the same firewall both staged firewall policies and enforced inline rules and rule lists.

Firewall properties

The Properties tab displays the properties for the selected firewall. All fields are for information purposes only and cannot be edited, with the exception of the (optional) description.

Property Description
Name Name as shown in the system interface: global for the global firewall; management-ip for the management IP firewall; 0 for route domain; the IP address for self-ip; and the firewall name for a virtual server.
Description (Optional) description for the firewall.
Partition Usually, Common. An administrative partition is a part of the BIG-IP configuration that is accessible only to a particular group of administrators. The default partition for all BIG-IP configurations, Common, is accessible to all administrators. A sufficiently-privileged administrator can make additional partitions. Each partition corresponds to a folder (with the same name, for instance, /Common) to hold its configuration objects.
Type One of the following: global (global); route-domain (rd); virtual server (vip); self-ip (self-ip); or management-ip (mgmt).
Route Domain ID Used for Route Domain firewall types only; displays a number that identifies the route domain.
IP Address For Virtual server (VIP), self IP, and Management firewall types only; this is an informational, read-only field displaying the IP address retrieved (if available) during DMA.
Device Name of the BIG-IP device where the firewall resides.

Adding an enforced firewall policy

You can view and configure firewall policies or rules/rule lists to force or refine actions (accept, accept decisively, drop, reject) using the Enforced settings. You are restricted to a single, enforced firewall policy on any specific firewall context. If you have an enforced policy on a firewall, you cannot also have inline rules and rule lists on that same firewall.
Note: Policies can be enforced in one firewall context and staged in another.
  1. Log in to BIG-IQ Network Security.
  2. Click Object Editor.
  3. Click Contexts to expand the contents.
  4. Click the context you want to edit. The contents appear in the editing pane.
  5. In the editing pane, click Enforced.
  6. On the Enforced screen, click Edit to establish a lock. If necessary, review Locking configuration objects for editing.
  7. Add a firewall policy by dragging and dropping a policy from Policies, or click Add Policy, select a policy from among those listed in the popup, and then click Add. If the firewall has inline rules already configured, you are notified that adding a policy will result in the removal of all existing rules and rule lists.
  8. ClickCreate Rule to open a rule template in the Enforced Firewall Rules table where you can add a rule by editing the fields in the template. Before attempting to add an inline rule on any firewall context except the management IP context, be sure inline rules are supported on the version running on your BIG-IP device. You can also add rules by right-clicking in the last rule in the table and selecting Add rule before or Add rule after. If you right-click after the bottom row in the Rules table, you can select the option Add rule. You can then reorder rules by dragging and dropping them until they are in the correct order for execution. You can also reorder rules by right-clicking in the row and selecting among the ordering options.
  9. Add a rule list by clicking Add Rule List.
  10. In the popup screen that opens, select the name of the rule list that you want to add and then click Add.
  11. Click Save to save changes. To clear a lock without saving changes, click the Unlock link.
  12. When finished, click Save and Close to save your edits, clear the lock, and exit.

Adding a staged firewall policy

You can stage firewall policies using the Staged settings. Actions (accept, accept decisively, drop, reject) have no effect on network traffic. Rather, they are logged. This gives you the ability to stage a firewall policy first and examine the logs to determine how the firewall policy has affected traffic. Then, you can determine the timing for turning the firewall policy from staged to enforced.

Rule and rule lists are not allowed on staged firewall policies.

Note: A firewall policy can be staged in one context and enforced in another.
  1. Log in to BIG-IQ Network Security.
  2. Click Object Editor.
  3. Click Contexts to expand the contents.
  4. Click the context you want to edit. The contents appear in the editing pane.
  5. In the editing pane, click Staged.
  6. On the Staged screen, click Edit to establish a lock. If necessary, review Locking configuration objects for editing.
  7. Add a policy by dragging and dropping a policy from Policies, or click the Add Policy link, select a policy from among those listed in the popup screen, and then click Add.
  8. Click Save to save changes. To clear a lock without saving changes, click the Unlock link.
  9. When finished, click Save and Close to save your edits, clear the lock, and exit.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)