Manual Chapter: Firewalls

Firewalls panel

The Firewalls panel displays discovered and imported network firewalls residing on discovered BIG-IP devices.

Firewalls provide policy-based access control to and from address and port pairs, inside and outside the network. Using a combination of contexts, a firewall can apply rules in a number of different ways, including at a global level, per virtual server, per route domain, and even for the management port or a self IP address.

Note: A firewall may have an enforced policy or a set of explicitly-defined rules and rule lists. It cannot have both in force at the same time. However, you may have staged policies and enforced inline rules and rule lists configured simultaneously on the same firewall.

Each row in the panel shows the firewall name, its type, its parent device, and the partition it is in. To get help about an individual firewall, click a row and then click the ? help icon. For individual property details, click the gear icon in the firewall row. This displays the Firewalls flyout with these tabs:

  • Properties
  • Enforced
  • Staged

To view help details about each of these tabs, click the tab in the flyout and then click the ? help icon.

Firewall types include:

Global (labeled in panel as global)
On a BIG-IP device, packets are processed by the global firewall before they get to the route domain, virtual server, or self IP firewalls. The global firewall collects rules that apply to all traffic that traverses the firewall; global rules are checked first.
Route domain (labeled in panel as rd)
There can be more than one configured route domain firewall on a device; each listed by its ID. The default route domain firewall on the BIG-IP device is Route Domain 0. Even if you have not configured a route domain, you can apply route domain rules to Route Domain 0. Packets are processed by the route domain firewall after the global firewall and before they are processed by the associated virtual server or self IP firewalls. The route domain firewall collects rules that apply to a specific route domain defined on the server.
Virtual servers (labeled in panel as vip)
The virtual server firewall collects rules that apply to the selected existing virtual server only. Packets that pass through the virtual server are assessed by this firewall. Virtual server rules are checked after route domain rules.
Self IP (labeled in panel as self-ip)
The self IP firewall consists of an IP packet filter configured on the self IP address (internal or external). Any IP packet that passes through the self IP is processed by this firewall. The self IP firewall collects firewall rules that apply to the self IP address on the BIG-IP device. Self IP rules are checked after route domain rules.
Management (labeled in panel as mgmt)
Labeled Management Port on a BIG-IP device. The Management firewall (single firewall per management interface) consists of an IP packet filter configured on the management port and collects firewall rules that apply to the management port. BIG-IQ Security does not support configuring rule lists on policies on the management firewall.
Note: You can edit firewall objects only from within the object's panel. For example, editing rule lists, including the reordering of rules, must be done in the Rule Lists panel.

Firewalls panel: Properties tab

The Properties tab displays the firewall properties:

Firewall Properties

Name: Global for the global firewall; management-ip for the management IP firewall; 0 for route domain; IP address for self-ip; name for vip.
Description: (Optional) Description for the firewall.
Partition: Informational, read-only field.
Type: One of the following: global (global); route domain (rd); virtual server (vip); self IP (self-ip); management (mgmt).
Device: Name of the BIG-IP device where the firewall resides.

After making changes, click Save to save your edits or click Cancel to abort the operation and close the flyout.

Firewalls panel: Enforced tab

The Enforced tab displays policies or rules/rule lists whose actions (ACCEPT, ACCEPT DECISIVELY, DROP, REJECT) are executed. You are restricted to a single, enforced policy on any specific firewall. If you have an enforced policy on a firewall, you cannot also have inline rules and rule lists on that same firewall.

Note: The Enforced tab displays policies if policies are supported for the selected firewall.

To configure a policy, drag and drop a policy from the Policies panel onto the firewall. Then, edit the policy. If the firewall has inline rules configured, you are prompted to allow the BIG-IQ Security system to remove the inline rules and apply the policy.

To remove the policy, click the X icon following the policy name.

Note: Policies can be enforced in one context and staged in another.

Enforced Firewall Rules

To add rule lists, drag and drop rule lists into the middle of the flyout. Right-click in the middle area to add a rule to the firewall.

Populate or edit rules and click Save. Or click Cancel to abandon changes and close the flyout.

Firewalls panel: Staged tab

The Staged tab displays policies or rules/rule lists whose actions are not live; actions (ACCEPT, ACCEPT DECISIVELY, DROP, REJECT) are not executed. Rather, actions are logged. This enables you to stage a policy first and examine the logs to determine how the policy has affected traffic. Then, you can determine the timing for turning the policy from staged to enforced.

Note: A policy can be staged in one context and enforced in another.

To delete a policy, click the X icon following the policy name.

BIG-IP system firewall contexts

A firewall context is the category of object to which the rule applies. In this case, category refers to Global, Route Domain, Virtual Server, Self IP, or Management.

It is possible to have multiple layers of firewall contexts on a single BIG-IP system. These layers constitute the firewall hierarchy. Within the firewall hierarchy, rules progress from the Global context, to the Route Domain context, and then to either the Virtual Server or Self IP context. Management port rules are processed separately and are not processed as part of the hierarchy. Rules can be viewed and reorganized separately within each context.

If a packet matches a firewall rule within a given context, that action is applied to the packet, and the packet then moves to the next context for further processing. If the packet is accepted, it travels on to the next context. If the packet is accepted decisively, it goes directly to its destination. If the packet is dropped or rejected, all processing stops for that packet; it travels no further.

On each firewall, you can have rules, rule lists, or policies that are enforced or staged. Rules, rule lists, or policies are processed in order within their context and within the context hierarchy. Rules for the Management Port are processed separately and not as part of the context hierarchy.

Possible firewall contexts:

Global (labeled in panel as global)
Global rules are collected in the global firewall context. Global rules are checked first and apply to all traffic that traverses the firewall.
Route Domain (labeled in panel as rd)
Route domain rules are collected in the Route Domain context. Route domain rules apply to a specific route domain defined on the server. Route domain rules are checked after global rules.
Virtual Server (labeled in panel as vip)
Virtual server rules are collected in the Virtual Server context. Virtual server rules apply to the selected virtual server only. Virtual server rules are checked after route domain rules.
Self IP (labeled in panel as self-ip)
The self IP context collects firewall rules that apply to the self IP address on the BIG-IP device. Self IP rules are checked after route domain rules.
Management (labeled in panel as mgmt)
The Management context collects firewall rules that apply to the management port on the BIG-IP device. Management port firewalls are outside the firewall context hierarchy and management port rules are checked independently of other rules. Policies cannot be assigned to the Management context.
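The context walk described above, as an added example that is not F5's code: a small Python model of enforced and staged rules across the global, route domain and virtual server contexts, with the management context evaluated on its own. The rule fields, the sample rules and the behaviour when no enforced rule matches are assumptions.

```python
"""Toy evaluator for the BIG-IP firewall context hierarchy described above.

Added example, not F5's code. It models only source address and destination
port matching, and assumes that a packet matching no enforced rule in any
context continues on (the text does not state a default)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCEPT, ACCEPT_DECISIVELY, DROP, REJECT = "ACCEPT", "ACCEPT DECISIVELY", "DROP", "REJECT"


@dataclass
class Rule:
    name: str
    source: str                 # CIDR the packet source must fall in
    dst_port: Optional[int]     # None means any destination port
    action: str


@dataclass
class Firewall:
    enforced: List[Rule] = field(default_factory=list)  # actions are executed
    staged: List[Rule] = field(default_factory=list)    # actions are only logged


@dataclass
class Packet:
    src: str
    dst_port: int


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are checked in list order; the first match wins within a context."""
    src = ipaddress.ip_address(pkt.src)
    for rule in rules:
        if src in ipaddress.ip_network(rule.source) and rule.dst_port in (None, pkt.dst_port):
            return rule
    return None


def evaluate(firewalls: Dict[str, Firewall], pkt: Packet, leaf: str = "vip"
             ) -> Tuple[str, List[Tuple[str, str, str]], List[str]]:
    """Walk the hierarchy global -> rd -> leaf (vip or self-ip).

    The management context is outside the hierarchy: leaf="mgmt" evaluates the
    mgmt firewall alone. Returns (verdict, enforced trail, staged log)."""
    order = ("mgmt",) if leaf == "mgmt" else ("global", "rd", leaf)
    trail, staged_log = [], []
    for ctx in order:
        fw = firewalls.get(ctx)
        if fw is None:
            continue
        # Staged rules never change the verdict; they only record what would happen.
        staged = first_match(fw.staged, pkt)
        if staged is not None:
            staged_log.append(f"{ctx}: staged rule {staged.name} would {staged.action}")
        hit = first_match(fw.enforced, pkt)
        if hit is None:
            continue
        trail.append((ctx, hit.name, hit.action))
        if hit.action == ACCEPT_DECISIVELY:
            return ACCEPT, trail, staged_log      # skip every remaining context
        if hit.action in (DROP, REJECT):
            return hit.action, trail, staged_log  # processing stops here
        # ACCEPT: the packet moves on to the next context
    return ACCEPT, trail, staged_log  # assumption: no match anywhere means the packet proceeds


# Constructed sample configuration; addresses are documentation ranges, not real hosts.
FIREWALLS = {
    "global": Firewall(
        enforced=[Rule("drop-private-src", "10.0.0.0/8", None, DROP)],
        staged=[Rule("stage-deny-ssh", "0.0.0.0/0", 22, DROP)]),
    "rd": Firewall(
        enforced=[Rule("trusted-admin-net", "192.0.2.0/24", None, ACCEPT_DECISIVELY)]),
    "vip": Firewall(
        enforced=[Rule("https-only", "0.0.0.0/0", 443, ACCEPT),
                  Rule("reject-rest", "0.0.0.0/0", None, REJECT)]),
}

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", 443), Packet("192.0.2.10", 22),
                Packet("198.51.100.7", 443), Packet("198.51.100.7", 8080)):
        print(pkt, "->", evaluate(FIREWALLS, pkt))
```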

Global firewalls

A global firewall is an IP packet filter that applies at the global level of a BIG-IP device. Except for packets traveling to the management firewall, it is the first firewall that an IP packet encounters. Any packet reaching a BIG-IP device must pass through the global firewall first.

On global firewalls, you can configure rules, rule lists, and policies.

Note: Policies are collections of rules and rule lists that can be assigned as a group to one or more firewalls.

Policies can be enforced or staged.

Configuring a staged policy enables you to evaluate how a set of rules would impact traffic without the firewall actually enforcing the rule actions configured in the staged policy. A staged policy can be configured alongside either enforced inline rules and rule lists or an enforced policy.

Configuring an enforced policy for a firewall can take the place of configuring individual inline rules and rule lists for that firewall.

Changing from an enforced policy to inline rules or changing from inline rules to an enforced policy is a two-step process. First, delete the contents of the current firewall and save the empty firewall. Then, edit the firewall again to make the desired changes to policies or rules.

To delete a policy, click the X following the policy name.

To add rule lists, drag and drop rule lists into the middle of the flyout (below the policy entry field). Right-click in the middle area to add a rule to the firewall.

To rearrange the evaluation order of rules and rule lists, drag-and-drop them to new locations.

When you drag a rule list onto a firewall, the BIG-IQ Security system gives it a name by default. For example, Rulelist1 might be given the name referenceToRulelist1. You can change this name before you save the changes to the firewall. To change the name, click on the rule list name in the rule list instance row. The name changes to an editable state. Edit the name and then click Save. If you click on the field after clicking Save, you can no longer edit the name.

Rule and rule list properties

Name: User-provided rule name up to 128 characters. Type the name and click Save.

If the name is a rule list name, it is preceded by referenceTo_ when dragged and dropped to a firewall or policy. For example: referenceTo_sys_sef_allow_all.

Address (Source): Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet source address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by removing the longest contiguous field of zeros. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373. For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.

To add an address or address list, click in the Address column and enter the address. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port: Collection of ports, port ranges, or lists of ports to compare against the packet source port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column, enter the item, and click Save. Or, click in the Port column, click the down arrow, and select from the displayed list.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

VLAN: Name of the VLAN physically present on the BIG-IP device (Internal, External, or Any). The VLAN must be configured on the BIG-IP device or the deploy operation fails. When finished, click Save.
Address (Destination): Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet destination address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by removing the longest contiguous field of zeros. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373. For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.

To add an address or address list, click in the Address column, enter the address, and click Save. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port: Collection of ports, port ranges, or lists of ports to compare against the packet destination port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column and enter the item. Or, click in the Port column, click the down arrow, and select from the displayed list.

When finished, click Save.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

Action: From the drop-down list, options include:
  • ACCEPT. Accept the current packet. The packet is compared to rules in the next appropriate context. The action allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule and are accepted traverse the system as if the firewall were not present.
  • ACCEPT DECISIVELY. Accept the current packet and do not compare the packet to any other firewall rules in any other context. The action allows packets with the specified source, destination, and protocol to pass through the firewall and does not require any further processing by any of the subsequent firewalls. Packets that match the rule and are accepted traverse the system as if the firewall were not present. CAUTION: This option is not available for global, route domain, and management firewall types only.
  • DROP. Silently drop the current packet. Nothing is sent back to the packet source. The packet is not compared with any other firewall rules. The action drops packets with the specified source, destination, and protocol. Dropping the packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
  • REJECT. Drop the current packet. For TCP-based protocols, a TCP reset is sent to the source. For other protocols, reject is equivalent to drop. The action rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender.

When finished, click Save.

Description: Description for the current rule. To add a description, click in the column, enter text, and click Save.
Protocol: IP protocol to compare against the packet. Select the appropriate protocol from the drop-down list and click Save.

If you select ICMP or IPv6-ICMP, a gear icon appears. Click the gear icon to display the screen that enables changing the Type and Code combinations for the ICMP and ICMPv6 protocols. The gear icon also appears if you select Other, so that you can enter the numeric value of the protocol.

The default Type is Any. The default Code is Any.

Type

  • For ICMP, you can choose from a list of control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can select Any to indicate that the system applies the rule for all ICMP messages. You can also select Other to specify an ICMP message not listed. The ICMP protocol contains definitions for the existing message type and number pairs.
  • For ICMPv6, you can choose from a list of control messages, such as Packet Too Big (2) and Time Exceeded (3), or you can select Any to indicate that the system applies the rule for all ICMPv6 messages. You can also select Other to specify an ICMPv6 message not listed. The ICMPv6 protocol contains definitions for the existing message type and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Type is Other, the number entered must be in the range 0 to 255.

Code

  • For ICMP, this field specifies the code returned in response to the specified ICMP message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can select Any to indicate that the system applies the rule for all codes in response to that specific ICMP message. You can also select Other to specify a code not listed. The ICMP protocol contains definitions for the existing message code and number pairs.
  • For ICMPv6, this field specifies the code returned in response to the specified ICMPv6 message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Packet Too Big (2)) and Fragment Reassembly Time Exceeded (1) (associated with Time Exceeded (3)), or you can select Any to indicate that the system applies the rule for all codes in response to that specific ICMPv6 message. You can also select Other to specify a code not listed. The ICMPv6 protocol contains definitions for the existing message code and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Code is Other, the number entered must be in the range 0 to 255.

State: Specifies whether the rule is enabled, disabled, or scheduled. Click in the column and select an option from the drop-down list. The field is updated. Click Save when you are ready to save your changes.

If you select scheduled from the drop-down list, the Select Schedule drop-down is displayed in the screen. Select a schedule from this drop-down and click OK.

If a schedule has been assigned, then a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to invoke the Select Schedule popup screen.

If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.

Log: Specifies whether or not the BIG-IP firewall software should write a log entry for any packets that match this rule. From the drop-down list, select true (log an entry) or false (do not log an entry). When finished, click Save.

To set or edit this setting, the discovered BIG-IP device must be at version 11.3 HF6 or later. The setting is not editable earlier than version 11.3 HF6.

When a new rule is added to a firewall through the BIG-IQ Security GUI, editing is enabled for the Log setting even for BIG-IP devices with versions earlier than 11.3 HF6.

Route domain firewalls

A route domain firewall is an IP packet filter that applies to a route domain on a BIG-IP device.

A route domain is a BIG-IP system object that represents a particular network configuration. After creating a route domain, you can associate various BIG-IP system objects with the domain: unique VLANs, routing table entries such as a default gateway and static routes, self IP addresses, virtual servers, pool members, and firewalls.

When a route domain firewall is configured for a route domain, any IP packet that passes through that route domain is assessed, and possibly filtered out, by the configured firewall.

When you create a firewall rule, you can select one of several contexts. Route domain is one of the contexts you can select. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

Route domain rules apply to a specific route domain configured on the server. Route domain rules are checked after global rules. Even if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context.

On route domain firewalls, you can configure rules, rule lists, and policies.

Note: Policies are collections of rules and rule lists that can be assigned as a group to one or more firewalls.

Policies can be enforced or staged.

Configuring a staged policy enables you to evaluate how a set of rules would impact traffic without the firewall actually enforcing the rule actions configured in the staged policy. A staged policy can be configured alongside either enforced inline rules and rule lists or an enforced policy.

Configuring an enforced policy for a firewall can take the place of configuring individual inline rules and rule lists for that firewall.

Changing from an enforced policy to inline rules or changing from inline rules to an enforced policy is a two-step process. First, delete the contents of the current firewall and save the empty firewall. Then, edit the firewall again to make changes to policies or rules.

To delete a policy, click the X icon following the policy name.

To add rule lists, drag and drop rule lists into the middle of the flyout (below the policy entry field). Right-click in the middle area to add a rule to the firewall.

To rearrange the evaluation order of rules and rule lists, drag and drop them to new locations.

When you drag a rule list onto a firewall, BIG-IQ Security gives it a name by default. For example, Rulelist1 might be given the name referenceToRulelist1. You can change this name before you save the changes to the firewall. To change the name, click on the rule list name in the rule list instance row. The name changes to an editable state. Edit the name and then click Save. After clicking Save, you can no longer edit the name.

Rule properties

Name: User-provided rule name up to 128 characters. Type the name and click Save.

If the name is a rule list name, it is preceded by referenceTo_ when dragged and dropped to a firewall or policy. For example: referenceTo_sys_sef_allow_all.

Address (Source): Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet source address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by removing the longest contiguous field of zeros. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373. For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.

To add an address or address list, click in the Address column and enter the address. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port: Collection of ports, port ranges, or lists of ports to compare against the packet source port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column, enter the item, and click Save. Or, click in the Port column, click the down arrow, and select from the displayed list.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

VLAN: Name of the VLAN physically present on the BIG-IP device (Internal, External, or Any). The VLAN must be configured on the BIG-IP device or the deploy operation fails. When finished, click Save.
Address (Destination): Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet destination address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by removing the longest contiguous field of zeros. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373. For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.

To add an address or address list, click in the Address column, enter the address, and click Save. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port: Collection of ports, port ranges, or lists of ports to compare against the packet destination port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column and enter the item. Or, click in the Port column, click the down arrow, and select from the displayed list.

When finished, click Save.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

Action: From the drop-down list, options include:
  • ACCEPT. Accept the current packet. The packet is compared to rules in the next appropriate context. The action allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule and are accepted traverse the system as if the firewall were not present.
  • ACCEPT DECISIVELY. Accept the current packet and do not compare the packet to any other firewall rules in any other context. The action allows packets with the specified source, destination, and protocol to pass through the firewall and does not require any further processing by any of the subsequent firewalls. Packets that match the rule and are accepted traverse the system as if the firewall were not present. CAUTION: This option is not available for global, route domain, and management firewall types only.
  • DROP. Silently drop the current packet. Nothing is sent back to the packet source. The packet is not compared with any other firewall rules. The action drops packets with the specified source, destination, and protocol. Dropping the packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
  • REJECT. Drop the current packet. For TCP-based protocols, a TCP reset is sent to the source. For other protocols, reject is equivalent to drop. The action rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender.

When finished, click Save.

Description: Description for the current rule. To add a description, click in the column, enter text, and click Save.
Protocol: IP protocol to compare against the packet. Select the appropriate protocol from the drop-down list and click Save.

If you select ICMP or IPv6-ICMP, a gear icon appears. Click the gear icon to display the screen that enables changing the Type and Code combinations for the ICMP and ICMPv6 protocols. The gear icon also appears if you select Other, so that you can enter the numeric value of the protocol.

The default Type is Any. The default Code is Any.

Type

  • For ICMP, you can choose from a list of control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can select Any to indicate that the system applies the rule for all ICMP messages. You can also select Other to specify an ICMP message not listed. The ICMP protocol contains definitions for the existing message type and number pairs.
  • For ICMPv6, you can choose from a list of control messages, such as Packet Too Big (2) and Time Exceeded (3), or you can select Any to indicate that the system applies the rule for all ICMPv6 messages. You can also select Other to specify an ICMPv6 message not listed. The ICMPv6 protocol contains definitions for the existing message type and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Type is Other, the number entered must be in the range 0 to 255.

Code

  • For ICMP, this field specifies the code returned in response to the specified ICMP message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can select Any to indicate that the system applies the rule for all codes in response to that specific ICMP message. You can also select Other to specify a code not listed. The ICMP protocol contains definitions for the existing message code and number pairs.
  • For ICMPv6, this field specifies the code returned in response to the specified ICMPv6 message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Packet Too Big (2)) and Fragment Reassembly Time Exceeded (1) (associated with Time Exceeded (3)), or you can select Any to indicate that the system applies the rule for all codes in response to that specific ICMPv6 message. You can also select Other to specify a code not listed. The ICMPv6 protocol contains definitions for the existing message code and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Code is Other, the number entered must be in the range 0 to 255.

State: Specifies whether the rule is enabled, disabled, or scheduled. Click in the column and select an option from the drop-down list. The field is updated. Click Save when you are ready to save your changes.

If you select scheduled from the drop-down list, the Select Schedule drop-down is displayed in the screen. Select a schedule from this drop-down and click OK.

If a schedule has been assigned, then a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to invoke the Select Schedule popup screen.

If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.

Log Specifies whether or not the BIG-IP firewall software should write a log entry for any packets that match this rule. From the drop-down list, select true (log an entry) or false (do not log an entry). When finished, click Save.

To set or edit this setting, the discovered BIG-IP device must be at version 11.3 HF6 or later. The setting is not editable on devices earlier than version 11.3 HF6.

When a new rule is added to a firewall through the BIG-IQ Security GUI, editing is enabled for the Log setting even for BIG-IP devices with versions earlier than 11.3 HF6.

Virtual server firewalls

A virtual server firewall is an IP packet filter configured on the virtual server and, therefore, designated for client-side traffic. Any IP packet that passes through the virtual server IP address is assessed and possibly filtered out by this firewall.

When you create a firewall rule, rule list, or policy, you can select one of several contexts, including virtual server. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

Virtual server rules apply to the selected virtual server only. Virtual server rules are checked after route domain rules.

On virtual server firewalls, you can configure rules, rule lists, and policies.

Note: Policies are collections of rules and rule lists that can be assigned as a group to one or more firewalls.

Policies can be enforced or staged.

Configuring a staged policy enables you to evaluate how a set of rules would affect traffic without the firewall actually enforcing the rule actions configured in the staged policy. A firewall with a staged policy can, at the same time, have either enforced inline rules and rule lists or an enforced policy, but not both.

Configuring an enforced policy for a firewall can take the place of configuring individual inline rules and rule lists for that firewall.

Changing from an enforced policy to inline rules or changing from inline rules to an enforced policy is a two-step process. First, delete the contents of the current firewall and save the empty firewall. Then, edit the firewall again to make the desired changes to policies or rules.

To delete a policy, click the X icon following the policy name.

To add rule lists, drag and drop them into the middle of the flyout (below the policy entry field). To add a rule to the firewall, right-click in the middle area.

To rearrange the evaluation order of rules and rule lists, you can drag and drop them to new locations.

When you drag a rule list onto a firewall, the BIG-IQ Security system gives the rule list instance a default name. For example, Rulelist1 might be given the name referenceToRulelist1. You can change this name before you save the changes to the firewall. To change the name, click the rule list name in the rule list instance row. The name changes to an editable state. Edit the name and then click Save. After clicking Save, you can no longer edit the name.

Rule properties

Name User-provided rule name up to 128 characters. Type the name and click Save.

If the name is a rule list name, it is prefixed with referenceTo when dragged and dropped onto a firewall or policy. For example, the system rule list _sys_self_allow_all becomes referenceTo_sys_self_allow_all.

Address (Source) Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet source address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by replacing the longest contiguous run of all-zero fields with a double colon (::), once per address. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373 (since superseded by RFC 4291, which keeps the same text representation). For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format address%RouteDomainID[/prefix]; the route domain ID goes between the address and the prefix. For example: 12.2.0.0%44/16.

To add an address or address list, click in the Address column and enter the address. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port Collection of ports, port ranges, or lists of ports to compare against the packet source port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column, enter the item, and click Save. Or, click in the Port column, click the down arrow, and select from the displayed list.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

VLAN Name of the VLAN physically present on the BIG-IP device (Internal, External, or Any). The VLAN must be configured on the BIG-IP device or the deploy operation fails. When finished, click Save.

Address (Destination) Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet destination address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by replacing the longest contiguous run of all-zero fields with a double colon (::), once per address. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373 (since superseded by RFC 4291, which keeps the same text representation). For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format address%RouteDomainID[/prefix]; the route domain ID goes between the address and the prefix. For example: 12.2.0.0%44/16.

To add an address or address list, click in the Address column, enter the address, and click Save. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port Collection of ports, port ranges, or lists of ports to compare against the packet destination port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column and enter the item. Or, click in the Port column, click the down arrow, and select from the displayed list.

When finished, click Save.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

Action From the drop-down list, options include:
  • ACCEPT. Accept the current packet in this context and go on to compare it against the rules in the next appropriate context. The action allows packets with the specified source, destination, and protocol to pass through this firewall, but a rule in a later context can still drop or reject them. Packets that are accepted in every context traverse the system as if the firewall were not present.
  • ACCEPT DECISIVELY. Accept the current packet and do not compare it against any other firewall rules in any other context. The action allows packets with the specified source, destination, and protocol to pass through the firewall without any further processing by later firewalls, so a decisive accept in an early context overrides drop and reject rules in later ones. Packets that match the rule traverse the system as if the firewall were not present. CAUTION: This option is not available for the global, route domain, and management firewall types.
  • DROP. Silently drop the current packet. Nothing is sent back to the packet source, and the packet is not compared against any other firewall rules. The action drops packets with the specified source, destination, and protocol without notifying the source or destination systems; the sender typically keeps retrying the connection until its own retry limit is reached.
  • REJECT. Drop the current packet and notify the sender: for TCP, a TCP reset is sent to the source; for other protocols, the firewall sends a destination unreachable message to the sender. The action rejects packets with the specified source, destination, and protocol and, like DROP, ends rule processing for the packet. Because the sender gets a response, REJECT reveals that a filtering device is present, where DROP does not.

When finished, click Save.
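The interaction between these four actions and the context hierarchy is easiest to see executed. The following is an added example in Python, not BIG-IP or BIG-IQ code: it walks a packet through the contexts in the order this chapter gives (global, then route domain, then the virtual server or self IP the packet is addressed to) and applies the action semantics described above. The rule fields, the sample rule sets and the assumption that a packet reaches only one of the virtual server and self IP contexts are mine; treating a packet that matches no rule anywhere as accepted follows what the management firewall section below states and is assumed here for the other contexts. The management firewall itself is evaluated on its own and is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not BIG-IP or BIG-IQ code): a model of how the four rule
# actions interact with the firewall context hierarchy. Rules are reduced to
# the fields needed to show the action semantics.


@dataclass
class Rule:
    name: str
    action: str                    # accept | accept_decisively | drop | reject
    src: Optional[str] = None      # None = any (hypothetical simplification)
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    enabled: bool = True           # a disabled rule is skipped

    def matches(self, pkt):
        return (self.enabled
                and self.src in (None, pkt["src"])
                and self.dst_port in (None, pkt["dst_port"])
                and self.protocol in (None, pkt["protocol"]))


def contexts_for(pkt):
    """Global, then route domain, then the listener the packet is addressed to.

    Assumption: a packet is destined to either a virtual server or a self IP,
    so only one of those two contexts applies to it.
    """
    return ("global", "route_domain", pkt["listener"])


def evaluate(firewalls, pkt):
    """Return ((verdict, deciding_rule), trace) for one packet.

    accept: go on to the next context; a later context may still drop it.
    accept_decisively: stop here; later contexts are not consulted.
    drop / reject: stop here. No match anywhere: accept (default).
    trace records every matching rule so you can see where a decision came from.
    """
    trace = []
    decided_by = "default"
    for ctx in contexts_for(pkt):
        for rule in firewalls.get(ctx, []):
            if not rule.matches(pkt):
                continue
            trace.append((ctx, rule.name, rule.action))
            if rule.action == "accept":
                decided_by = f"{ctx}:{rule.name}"
                break                          # done with this context, on to the next
            if rule.action == "accept_decisively":
                return ("accept", f"{ctx}:{rule.name}"), trace
            if rule.action in ("drop", "reject"):
                return (rule.action, f"{ctx}:{rule.name}"), trace
            raise ValueError(f"unknown action {rule.action!r} in {rule.name}")
    return ("accept", decided_by), trace


def response_to_sender(verdict, protocol):
    """What the sender sees, per the Action descriptions: nothing for drop,
    a TCP reset for rejected TCP, a destination unreachable message otherwise."""
    if verdict != "reject":
        return None
    return "tcp_rst" if protocol == "tcp" else "icmp_destination_unreachable"


# Constructed sample rule sets; addresses are private or documentation ranges.
SAMPLE_FIREWALLS = {
    "global": [
        Rule("allow_monitor_icmp", "accept", src="10.0.0.5", protocol="icmp"),
        Rule("block_scanner", "drop", src="203.0.113.9"),
    ],
    "route_domain": [
        Rule("rd0_trust_admin", "accept_decisively", src="10.0.0.5"),
    ],
    "virtual_server": [
        Rule("vs_https", "accept", dst_port=443, protocol="tcp"),
        Rule("vs_reject_other_tcp", "reject", protocol="tcp"),
    ],
    "self_ip": [
        Rule("selfip_drop_all", "drop"),
    ],
}

if __name__ == "__main__":
    # The decisive accept in the route domain context lets the admin host reach
    # port 22 on the virtual server even though vs_reject_other_tcp would reject it.
    pkt = {"src": "10.0.0.5", "dst_port": 22, "protocol": "tcp", "listener": "virtual_server"}
    print(evaluate(SAMPLE_FIREWALLS, pkt))
```

Run the sample packet and the trace shows only the route domain rule: the virtual server's reject rule was never consulted. That is the property to audit when ACCEPT DECISIVELY appears in a route domain or virtual server policy, because any rule in a later context, however restrictive, no longer applies to the matching traffic.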

Description Description for the current rule. To add a description, click in the column, enter text, and click Save.

Protocol IP protocol to compare against the packet. Select the appropriate protocol from the drop-down list and click Save.

If you select ICMP or IPv6-ICMP, a gear icon appears. Click the gear icon to display the screen for setting the Type and Code combinations for the ICMP and ICMPv6 protocols. The gear icon also appears if you select Other, so that you can enter the numeric value of the protocol.

The default Type is Any. The default Code is Any.

Type

  • For ICMP, you can choose from a list of control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can select Any to indicate that the system applies the rule for all ICMP messages. You can also select Other to specify an ICMP message not listed. The ICMP protocol contains definitions for the existing message type and number pairs.
  • For ICMPv6, you can choose from a list of control messages, such as Packet Too Big (2) and Time Exceeded (3), or you can select Any to indicate that the system applies the rule for all ICMPv6 messages. You can also select Other to specify an ICMPv6 message not listed. The ICMPv6 protocol contains definitions for the existing message type and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Type is Other, the number entered must be in the range 0 to 255.

Code

  • For ICMP, this field specifies the ICMP code that qualifies the selected message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can select Any to indicate that the system applies the rule to all codes of that ICMP message type. You can also select Other to specify a code not listed. The ICMP protocol defines the valid message type and code pairs.
  • For ICMPv6, this field specifies the ICMPv6 code that qualifies the selected message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Packet Too Big (2)) and Fragment Reassembly Time Exceeded (1) (associated with Time Exceeded (3)), or you can select Any to indicate that the system applies the rule to all codes of that ICMPv6 message type. You can also select Other to specify a code not listed. The ICMPv6 protocol defines the valid message type and code pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Code is Other, the number entered must be in the range 0 to 255.
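To check entries in these fields before they are deployed, here is an added example in Python (not BIG-IQ or BIG-IP code) that validates the Address, Port and ICMP Type/Code syntax described in this Rule properties list: IPv4 and IPv6 addresses with an optional prefix and route domain suffix, single ports and port ranges, and the constraints that Type Any forces Code Any and that an Other value must be 0 to 255. The function names are mine; the ICMP code tables cover only the types named above, with the code sets the ICMP and ICMPv6 registries define for them, and the route domain ID range is not checked because this page does not give it. The same fields appear in the self IP and management firewall sections below, so the example applies there too.

```python
import ipaddress
import re

# Added example, not BIG-IQ or BIG-IP code: validators for the Address, Port
# and ICMP Type/Code entries of a firewall rule, in the syntax the rule
# properties describe. Function names are hypothetical.

# address%RouteDomainID/prefix, with %rd and /prefix both optional
_ADDR_RE = re.compile(r"^(?P<addr>[^%/]+)(?:%(?P<rd>\d+))?(?:/(?P<prefix>\d+))?$")
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")   # "443" or "80-88"

# Codes defined for the types this page names (code 0 is "No Code"), taken
# from the ICMP / ICMPv6 registries. Other types are not checked here.
ICMP_CODES = {0: {0}, 3: set(range(16))}    # Echo Reply, Destination Unreachable
ICMPV6_CODES = {2: {0}, 3: {0, 1}}          # Packet Too Big, Time Exceeded


def parse_rule_address(text):
    """Parse one Address entry into (ip_network, route_domain_id).

    No %rd means route domain 0. A prefix with host bits set is rejected
    instead of silently masked, so a mistyped entry cannot widen the rule.
    """
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed address entry: {text!r}")
    addr = ipaddress.ip_address(m.group("addr"))   # rejects bad IPv4/IPv6 text
    rd = int(m.group("rd")) if m.group("rd") is not None else 0
    prefix = int(m.group("prefix")) if m.group("prefix") is not None else addr.max_prefixlen
    if prefix > addr.max_prefixlen:
        raise ValueError(f"{text!r}: prefix /{prefix} too long for {addr}")
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=True)  # ValueError on host bits
    return net, rd


def address_matches(rule_entry, packet_addr):
    """True if packet_addr (optionally with %rd) falls inside the rule entry.

    The route domain is part of the match: 12.2.5.9 in route domain 0 does
    not match 12.2.0.0%44/16.
    """
    net, rd = parse_rule_address(rule_entry)
    pkt, pkt_rd = parse_rule_address(packet_addr)
    return pkt_rd == rd and pkt.version == net.version and pkt.subnet_of(net)


def parse_rule_port(text, port_lists=()):
    """Parse one Port entry into ("list", name) or ("range", lo, hi)."""
    t = text.strip()
    if t in port_lists:
        return ("list", t)
    m = _PORT_RE.match(t)
    if not m:
        raise ValueError(f"malformed port entry: {text!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or outside 0-65535: {text!r}")
    return ("range", lo, hi)


def icmp_selection(type_sel, code_sel, v6=False):
    """Turn the Type/Code choice into a (type, code) matcher; None means any.

    type_sel and code_sel are "any", a listed number, or ("other", n).
    Enforces: Type Any forces Code Any; an Other value must be 0 to 255;
    a code must be defined for the chosen type where the table knows it.
    """
    def resolve(sel, what):
        if sel == "any":
            return None
        n = sel[1] if isinstance(sel, tuple) and len(sel) == 2 and sel[0] == "other" else sel
        if not (isinstance(n, int) and 0 <= n <= 255):
            raise ValueError(f"ICMP {what} {sel!r} is not a number in 0-255")
        return n

    t = resolve(type_sel, "type")
    c = resolve(code_sel, "code")
    if t is None and c is not None:
        raise ValueError("Code must be Any when Type is Any")
    known = (ICMPV6_CODES if v6 else ICMP_CODES).get(t)
    if c is not None and known is not None and c not in known:
        raise ValueError(f"code {c} is not defined for type {t}")
    return t, c
```

Two behaviours are worth noting. parse_rule_address returns the canonical form, so the abbreviated IPv6 spellings described above all compare equal, and address_matches treats the route domain as part of the address, which is why a rule written for 12.2.0.0%44/16 says nothing about the same prefix in route domain 0.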

State Specifies whether the rule is enabled, disabled, or scheduled. Click in the column and select an option from the drop-down list. The field is updated. Click Save when you are ready to save your changes.

If you select scheduled from the drop-down list, the Select Schedule drop-down is displayed on the screen. Select a schedule from this drop-down and click OK.

If a schedule has been assigned, then a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to invoke the Select Schedule popup screen.

If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.

Log Specifies whether or not the BIG-IP firewall software should write a log entry for any packets that match this rule. From the drop-down list, select true (log an entry) or false (do not log an entry). When finished, click Save.

To set or edit this setting, the discovered BIG-IP device must be at version 11.3 HF6 or later. The setting is not editable on devices earlier than version 11.3 HF6.

When a new rule is added to a firewall through the BIG-IQ Security GUI, editing is enabled for the Log setting even for BIG-IP devices with versions earlier than 11.3 HF6.

Self IP firewalls

A self IP firewall is an IP packet filter configured on a self IP address and, therefore, designated for server-side traffic. Any IP packet that passes through the self IP address is assessed and possibly filtered out by this firewall.

A self IP address is an IP address on a BIG-IP system that is associated with a VLAN and used to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space; that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address.

A static self IP address is an IP address that is assigned to the system and does not migrate between BIG-IP systems. By default, the self IP addresses created with the Configuration utility are static self IP addresses. One self IP address must be defined for each VLAN.

When you create a firewall rule, rule list, or policy, you can select one of several contexts, including Self IP. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

The self IP context collects firewall rules that apply to the self IP address on the BIG-IP device. Self IP rules are checked after virtual server rules.

On self IP firewalls, you can configure rules, rule lists, and policies.

Note: Policies are collections of rules and rule lists that can be assigned as a group to one or more firewalls.

Policies can be enforced or staged.

Configuring a staged policy enables you to evaluate how a set of rules would affect traffic without the firewall actually enforcing the rule actions configured in the staged policy. A firewall with a staged policy can, at the same time, have either enforced inline rules and rule lists or an enforced policy, but not both.

Configuring an enforced policy for a firewall can take the place of configuring individual inline rules and rule lists for that firewall.

Changing from an enforced policy to inline rules or changing from inline rules to an enforced policy is a two-step process. First, delete the contents of the current firewall and save the empty firewall. Then, edit the firewall again to make the desired changes to policies or rules.

To delete a policy, click the X icon following the policy name.

To add rule lists, drag and drop them into the middle of the flyout (below the policy entry field). To add a rule to the firewall, right-click in the middle area.

To rearrange the evaluation order of rules and rule lists, you can drag and drop them to new locations.

When you drag a rule list onto a firewall, the BIG-IQ Security system gives it a name by default. For example, Rulelist1 might be given the name referenceToRulelist1. You can change this name before you save the changes to the firewall. To change the name, click on the rule list name in the rule list instance row. The name changes to an editable state. Edit the name and then click Save. After clicking Save, you can no longer edit the name.

Rule properties

Name User-provided rule name up to 128 characters. Type the name and click Save.

If the name is a rule list name, it is prefixed with referenceTo when dragged and dropped onto a firewall or policy. For example, the system rule list _sys_self_allow_all becomes referenceTo_sys_self_allow_all.

Address (Source) Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet source address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by replacing the longest contiguous run of all-zero fields with a double colon (::), once per address. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373 (since superseded by RFC 4291, which keeps the same text representation). For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format address%RouteDomainID[/prefix]; the route domain ID goes between the address and the prefix. For example: 12.2.0.0%44/16.

To add an address or address list, click in the Address column and enter the address. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port Collection of ports, port ranges, or lists of ports to compare against the packet source port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column, enter the item, and click Save. Or, click in the Port column, click the down arrow, and select from the displayed list.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

VLAN Name of the VLAN physically present on the BIG-IP device (Internal, External, or Any). The VLAN must be configured on the BIG-IP device or the deploy operation fails. When finished, click Save.

Address (Destination) Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet destination address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by replacing the longest contiguous run of all-zero fields with a double colon (::), once per address. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373 (since superseded by RFC 4291, which keeps the same text representation). For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format address%RouteDomainID[/prefix]; the route domain ID goes between the address and the prefix. For example: 12.2.0.0%44/16.

To add an address or address list, click in the Address column, enter the address, and click Save. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port Collection of ports, port ranges, or lists of ports to compare against the packet destination port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column and enter the item. Or, click in the Port column, click the down arrow, and select from the displayed list.

When finished, click Save.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

Action From the drop-down list, options include:
  • ACCEPT. Accept the current packet in this context and go on to compare it against the rules in the next appropriate context. The action allows packets with the specified source, destination, and protocol to pass through this firewall, but a rule in a later context can still drop or reject them. Packets that are accepted in every context traverse the system as if the firewall were not present.
  • ACCEPT DECISIVELY. Accept the current packet and do not compare it against any other firewall rules in any other context. The action allows packets with the specified source, destination, and protocol to pass through the firewall without any further processing by later firewalls, so a decisive accept in an early context overrides drop and reject rules in later ones. Packets that match the rule traverse the system as if the firewall were not present. CAUTION: This option is not available for the global, route domain, and management firewall types.
  • DROP. Silently drop the current packet. Nothing is sent back to the packet source, and the packet is not compared against any other firewall rules. The action drops packets with the specified source, destination, and protocol without notifying the source or destination systems; the sender typically keeps retrying the connection until its own retry limit is reached.
  • REJECT. Drop the current packet and notify the sender: for TCP, a TCP reset is sent to the source; for other protocols, the firewall sends a destination unreachable message to the sender. The action rejects packets with the specified source, destination, and protocol and, like DROP, ends rule processing for the packet. Because the sender gets a response, REJECT reveals that a filtering device is present, where DROP does not.

When finished, click Save.

Description Description for the current rule. To add a description, click in the column, enter text, and click Save.

Protocol IP protocol to compare against the packet. Select the appropriate protocol from the drop-down list and click Save.

If you select ICMP or IPv6-ICMP, a gear icon appears. Click the gear icon to display the screen for setting the Type and Code combinations for the ICMP and ICMPv6 protocols. The gear icon also appears if you select Other, so that you can enter the numeric value of the protocol.

The default Type is Any. The default Code is Any.

Type

  • For ICMP, you can choose from a list of control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can select Any to indicate that the system applies the rule for all ICMP messages. You can also select Other to specify an ICMP message not listed. The ICMP protocol contains definitions for the existing message type and number pairs.
  • For ICMPv6, you can choose from a list of control messages, such as Packet Too Big (2) and Time Exceeded (3), or you can select Any to indicate that the system applies the rule for all ICMPv6 messages. You can also select Other to specify an ICMPv6 message not listed. The ICMPv6 protocol contains definitions for the existing message type and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Type is Other, the number entered must be in the range 0 to 255.

Code

  • For ICMP, this field specifies the ICMP code that qualifies the selected message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can select Any to indicate that the system applies the rule to all codes of that ICMP message type. You can also select Other to specify a code not listed. The ICMP protocol defines the valid message type and code pairs.
  • For ICMPv6, this field specifies the ICMPv6 code that qualifies the selected message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Packet Too Big (2)) and Fragment Reassembly Time Exceeded (1) (associated with Time Exceeded (3)), or you can select Any to indicate that the system applies the rule to all codes of that ICMPv6 message type. You can also select Other to specify a code not listed. The ICMPv6 protocol defines the valid message type and code pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Code is Other, the number entered must be in the range 0 to 255.

State Specifies whether the rule is enabled, disabled, or scheduled. Click in the column and select an option from the drop-down list. The field is updated. Click Save when you are ready to save your changes.

If you select scheduled from the drop-down list, the Select Schedule drop-down is displayed on the screen. Select a schedule from this drop-down and click OK.

If a schedule has been assigned, then a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to invoke the Select Schedule popup screen.

If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.

Log Specifies whether or not the BIG-IP firewall software should write a log entry for any packets that match this rule. From the drop-down list, select true (log an entry) or false (do not log an entry). When finished, click Save.

To set or edit this setting, the discovered BIG-IP device must be at version 11.3 HF6 or later. The setting is not editable on devices earlier than version 11.3 HF6.

When a new rule is added to a firewall through the BIG-IQ Security GUI, editing is enabled for the Log setting even for BIG-IP devices with versions earlier than 11.3 HF6.

Management firewalls

A management firewall is an IP packet filter configured on the management IP address and, therefore, designated for management traffic. Any IP packet that passes through the management IP address is assessed and possibly filtered out by this firewall.

The network software compares IP packets against the management firewall rules in order. If a packet matches a rule's criteria, the system takes the action specified by that rule and stops. If a packet does not match a rule, the software compares it against the next rule. If a packet matches no rule, it is accepted. Because the implicit default is accept, a management firewall that is meant to restrict access to the management port must end with an explicit rule that drops or rejects everything the rules above it do not allow.

Note: Policies and rule lists are not permitted on the management firewall context. For management firewalls, only inline rules are allowed.

You can drag and drop inline rules, address lists, and port lists onto management firewalls.

Rule properties

Name User-provided rule name up to 128 characters. Type the name and click Save.

If the name is a rule list name, it is prefixed with referenceTo when dragged and dropped onto a firewall or policy. For example, the system rule list _sys_self_allow_all becomes referenceTo_sys_self_allow_all.

Address (Source) Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet source address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by replacing the longest contiguous run of all-zero fields with a double colon (::), once per address. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373 (since superseded by RFC 4291, which keeps the same text representation). For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format address%RouteDomainID[/prefix]; the route domain ID goes between the address and the prefix. For example: 12.2.0.0%44/16.

To add an address or address list, click in the Address column and enter the address. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port Collection of ports, port ranges, or lists of ports to compare against the packet source port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column, enter the item, and click Save. Or, click in the Port column, click the down arrow, and select from the displayed list.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

VLAN Name of the VLAN physically present on the BIG-IP device (Internal, External, or Any). The VLAN must be configured on the BIG-IP device or the deploy operation fails. When finished, click Save.

Address (Destination) Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet destination address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by replacing the longest contiguous run of all-zero fields with a double colon (::), once per address. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373 (since superseded by RFC 4291, which keeps the same text representation). For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format address%RouteDomainID[/prefix]; the route domain ID goes between the address and the prefix. For example: 12.2.0.0%44/16.

To add an address or address list, click in the Address column, enter the address, and click Save. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port Collection of ports, port ranges, or lists of ports to compare against the packet destination port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column and enter the item. Or, click in the Port column, click the down arrow, and select from the displayed list.

When finished, click Save.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

Action From the drop-down list, options include:
  • ACCEPT. Accept the current packet in this context and go on to compare it against the rules in the next appropriate context. The action allows packets with the specified source, destination, and protocol to pass through this firewall, but a rule in a later context can still drop or reject them. Packets that are accepted in every context traverse the system as if the firewall were not present.
  • ACCEPT DECISIVELY. Accept the current packet and do not compare it against any other firewall rules in any other context. The action allows packets with the specified source, destination, and protocol to pass through the firewall without any further processing by later firewalls, so a decisive accept in an early context overrides drop and reject rules in later ones. Packets that match the rule traverse the system as if the firewall were not present. CAUTION: This option is not available for the global, route domain, and management firewall types.
  • DROP. Silently drop the current packet. Nothing is sent back to the packet source, and the packet is not compared against any other firewall rules. The action drops packets with the specified source, destination, and protocol without notifying the source or destination systems; the sender typically keeps retrying the connection until its own retry limit is reached.
  • REJECT. Drop the current packet and notify the sender: for TCP, a TCP reset is sent to the source; for other protocols, the firewall sends a destination unreachable message to the sender. The action rejects packets with the specified source, destination, and protocol and, like DROP, ends rule processing for the packet. Because the sender gets a response, REJECT reveals that a filtering device is present, where DROP does not.

When finished, click Save.
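The following Python model is an added example, not BIG-IQ or BIG-IP code. It shows how a Port entry (a single port, a range such as 80-88, or a comma-separated list of them) is compared against a packet's destination port, and how the four actions above behave as one packet moves through the contexts in the order this chapter describes (global, then route domain, then virtual server or self IP). The rule names, the context names and the packets are constructed for the demonstration, and the implicit accept for a packet that matches no rule is an assumption of the model rather than a statement about the product.

```python
"""Added example (not BIG-IQ or BIG-IP code): Port entries and rule actions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]


def parse_port_spec(spec: str) -> List[PortRange]:
    """Parse 'any', '80', '80-88' or '80,443,8000-8080' into inclusive ranges."""
    spec = spec.strip().lower()
    if spec in ("", "any"):
        return [(0, 65535)]
    ranges: List[PortRange] = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port item: {item!r}")
        ranges.append((lo, hi))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    """True if the destination port falls inside any range of the Port entry."""
    return any(lo <= port <= hi for lo, hi in parse_port_spec(spec))


@dataclass
class Rule:
    name: str
    action: str             # ACCEPT, ACCEPT_DECISIVELY, DROP or REJECT
    protocol: str = "any"   # "tcp", "udp", ... or "any"
    port: str = "any"       # destination Port entry as typed in the panel
    log: bool = False       # the Log setting


@dataclass
class Packet:
    protocol: str
    dst_port: int


# Contexts in the order the chapter says packets are processed.
CONTEXT_ORDER = ("global", "route_domain", "virtual_server")

Verdict = Tuple[str, Optional[str], Optional[str], Optional[str]]


def evaluate(contexts: Dict[str, List[Rule]], pkt: Packet,
             log: Optional[List[str]] = None) -> Verdict:
    """Return (verdict, response, deciding context, deciding rule).

    ACCEPT ends matching in the current context, but the next context still
    inspects the packet; ACCEPT_DECISIVELY, DROP and REJECT end all processing.
    REJECT answers TCP with a reset and behaves like DROP for other protocols.
    A packet that matches no rule is accepted here (assumption of this model).
    """
    for ctx in CONTEXT_ORDER:
        for rule in contexts.get(ctx, []):
            if rule.protocol != "any" and rule.protocol != pkt.protocol:
                continue
            if not port_matches(rule.port, pkt.dst_port):
                continue
            if rule.log and log is not None:
                log.append(f"{ctx}:{rule.name}:{rule.action} {pkt.protocol}/{pkt.dst_port}")
            if rule.action == "ACCEPT":
                break  # done in this context; move on to the next one
            if rule.action == "ACCEPT_DECISIVELY":
                return ("ACCEPT", None, ctx, rule.name)
            if rule.action == "DROP":
                return ("DROP", None, ctx, rule.name)
            if rule.action == "REJECT":
                response = "tcp-reset" if pkt.protocol == "tcp" else None
                return ("REJECT", response, ctx, rule.name)
            raise ValueError(f"unknown action {rule.action!r} in rule {rule.name}")
    return ("ACCEPT", None, None, None)


# Constructed sample rule sets (hypothetical names, not from any real device).
CONTEXTS: Dict[str, List[Rule]] = {
    "global": [
        Rule("allow-web", "ACCEPT", "tcp", "80-88", log=True),
        Rule("trust-ssh", "ACCEPT_DECISIVELY", "tcp", "22"),
    ],
    "route_domain": [
        Rule("rd0-block-http", "DROP", "tcp", "80"),
        Rule("rd0-reject-telnet", "REJECT", "tcp", "23"),
        Rule("rd0-reject-ssh", "REJECT", "tcp", "22"),
    ],
    "virtual_server": [
        Rule("vs-reject-udp", "REJECT", "udp", "any"),
    ],
}


def demo() -> Tuple[Dict[str, Verdict], List[str]]:
    """Run a few constructed packets through the sample contexts."""
    log: List[str] = []
    results = {
        "http":   evaluate(CONTEXTS, Packet("tcp", 80), log),
        "ssh":    evaluate(CONTEXTS, Packet("tcp", 22), log),
        "telnet": evaluate(CONTEXTS, Packet("tcp", 23), log),
        "dns":    evaluate(CONTEXTS, Packet("udp", 53), log),
        "https":  evaluate(CONTEXTS, Packet("tcp", 443), log),
    }
    return results, log


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:7} -> {verdict}")
```

The "http" packet is the instructive case: the global ACCEPT rule logs and accepts it, yet the route domain DROP still wins because ACCEPT hands the packet to the next context. The "ssh" packet is accepted decisively in the global context, so the route domain REJECT rule is never consulted.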

Description
Description for the current rule. To add a description, click in the column, enter text, and click Save.

Protocol
IP protocol to compare against the packet. Select the appropriate protocol from the drop-down list and click Save.

If you select ICMP or IPv6-ICMP, a gear icon appears. Click the gear icon to display the screen where you can change the Type and Code combination for the ICMP or ICMPv6 protocol. The gear icon also appears if you select Other, so that you can enter the numeric value of the protocol.

The default Type is Any. The default Code is Any.

Type

  • For ICMP, you can choose from a list of control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can select Any to indicate that the system applies the rule for all ICMP messages. You can also select Other to specify an ICMP message not listed. The ICMP protocol contains definitions for the existing message type and number pairs.
  • For ICMPv6, you can choose from a list of control messages, such as Packet Too Big (2) and Time Exceeded (3), or you can select Any to indicate that the system applies the rule for all ICMPv6 messages. You can also select Other to specify an ICMPv6 message not listed. The ICMPv6 protocol contains definitions for the existing message type and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Type is Other, the number entered must be in the range 0 to 255.

Code

  • For ICMP, this field specifies the code returned in response to the specified ICMP message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can select Any to indicate that the system applies the rule for all codes in response to that specific ICMP message. You can also select Other to specify a code not listed. The ICMP protocol contains definitions for the existing message code and number pairs.
  • For ICMPv6, this field specifies the code returned in response to the specified ICMPv6 message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Packet Too Big (2)) and fragment reassembly time exceeded (1) (associated with Time Exceeded (3)), or you can select Any to indicate that the system applies the rule for all codes in response to that specific ICMPv6 message. You can also select Other to specify a code not listed. The ICMPv6 protocol contains definitions for the existing message code and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Code is Other, the number entered must be in the range 0 to 255.
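The Type and Code constraints above (Type Any forces Code Any, an Other value must be in the range 0 to 255, and a listed Code must belong to the listed Type) are easy to get wrong when rules are generated or imported rather than clicked together. The following Python validator is an added example, not BIG-IQ or BIG-IP code; it includes only the ICMP and ICMPv6 message names quoted in this section, and the real registries define many more. The function names and the selection encoding ("any", a listed number, or a ("other", n) tuple) are assumptions of the example.

```python
"""Added example (not BIG-IQ or BIG-IP code): checking an ICMP/ICMPv6 Type and Code pair."""
from typing import Dict, Optional, Tuple, Union

# "any", a number chosen from the list, or ("other", n) for a value typed by hand
Selection = Union[str, int, Tuple[str, int]]
# the pair a rule matches; None stands for Any
RuleIcmp = Tuple[Optional[int], Optional[int]]

# type number -> (name, {code number: name}); only the names quoted in this section
LISTED: Dict[str, Dict[int, Tuple[str, Dict[int, str]]]] = {
    "icmp": {
        0: ("Echo Reply", {0: "No Code"}),
        3: ("Destination Unreachable", {1: "Host Unreachable"}),
    },
    "icmpv6": {
        2: ("Packet Too Big", {0: "No Code"}),
        3: ("Time Exceeded", {1: "fragment reassembly time exceeded"}),
    },
}


def _to_number(sel: Selection, field: str) -> Optional[int]:
    """Normalize a selection: Any -> None, listed -> its number, Other -> range-checked number."""
    if sel == "any":
        return None
    if isinstance(sel, tuple) and len(sel) == 2 and sel[0] == "other":
        value = sel[1]
        if not isinstance(value, int) or not 0 <= value <= 255:
            raise ValueError(f"{field} Other must be in the range 0 to 255, got {value!r}")
        return value
    if isinstance(sel, int):
        return sel
    raise ValueError(f"unrecognized {field} selection: {sel!r}")


def validate_icmp_selection(family: str, type_sel: Selection, code_sel: Selection) -> RuleIcmp:
    """Return the (type, code) pair the rule will match, or raise ValueError."""
    if family not in LISTED:
        raise ValueError(f"family must be one of {sorted(LISTED)}")
    table = LISTED[family]
    icmp_type = _to_number(type_sel, "Type")
    icmp_code = _to_number(code_sel, "Code")
    # Rule from the section: Type Any means every message, so Code cannot narrow it.
    if icmp_type is None and icmp_code is not None:
        raise ValueError("If Type is Any, Code must be Any")
    # A number chosen from the list must actually be in the list; otherwise use Other.
    if isinstance(type_sel, int) and type_sel not in table:
        raise ValueError(f"Type {type_sel} is not in the {family} list; select Other")
    if isinstance(code_sel, int):
        if not isinstance(type_sel, int):
            raise ValueError("a listed Code requires a listed Type")
        name, codes = table[type_sel]
        if code_sel not in codes:
            raise ValueError(f"Code {code_sel} is not listed for {name} ({type_sel})")
    return icmp_type, icmp_code


def is_valid_icmp_selection(family: str, type_sel: Selection, code_sel: Selection) -> bool:
    """Boolean form of validate_icmp_selection, convenient for form validation."""
    try:
        validate_icmp_selection(family, type_sel, code_sel)
    except ValueError:
        return False
    return True


def icmp_rule_matches(rule: RuleIcmp, pkt_type: int, pkt_code: int) -> bool:
    """Match a packet's type/code against a validated rule pair (None = Any)."""
    rule_type, rule_code = rule
    return (rule_type is None or rule_type == pkt_type) and \
           (rule_code is None or rule_code == pkt_code)


if __name__ == "__main__":
    print(validate_icmp_selection("icmp", 3, 1))              # (3, 1)
    print(validate_icmp_selection("icmpv6", 3, "any"))        # (3, None)
    print(is_valid_icmp_selection("icmp", "any", 1))          # False
```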

State
Specifies whether the rule is enabled, disabled, or scheduled. Click in the column and select an option from the drop-down list. The field is updated. Click Save when you are ready to save your changes.

If you select scheduled from the drop-down list, the Select Schedule drop-down is displayed on the screen. Select a schedule from this drop-down and click OK.

If a schedule has been assigned, then a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to invoke the Select Schedule popup screen.

If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.

Log
Specifies whether or not the BIG-IP firewall software should write a log entry for any packets that match this rule. From the drop-down list, select true (log an entry) or false (do not log an entry). When finished, click Save.

To set or edit this setting, the discovered BIG-IP device must be at version 11.3 HF6 or later. The setting is not editable on devices earlier than version 11.3 HF6.

When a new rule is added to a firewall through the BIG-IQ Security GUI, editing is enabled for the Log setting even for BIG-IP devices with versions earlier than 11.3 HF6.
