Manual Chapter: Policies

Policies panel

A policy is a set of rules and/or rule lists. BIG-IP network firewalls use policies to specify traffic-handling actions and to define the parameters for filtering network traffic. A context (firewall) has inline rules and/or rule lists, or a policy. Because a policy can be staged (evaluated and logged, but not enforced) before it is enforced, it is easier to ensure that policy deployments do not cause service outages or regressions.

The Policies panel displays the policies available for assignment to firewalls. Use policies to facilitate assigning a common collection of rules consistently across multiple firewalls.

Policies within a firewall can be configured as enforced or staged:

  • An enforced policy is a policy whose actions are executed (ACCEPT, ACCEPT DECISIVELY, DROP, REJECT).

    You are restricted to a single, enforced policy on any specific firewall. If you have an enforced policy on a firewall, you cannot also have inline rules and rule lists on that same firewall.

  • A staged policy is a policy that is evaluated, but whose actions are not enforced. All activity is logged.

    You are restricted to a single, staged policy on any specific firewall. You can have inline rules and rule lists assigned to a firewall (in the enforced area) and have a configured staged policy on that firewall. You cannot have inline rules/rule lists in the staged area.

This means that you can stage a policy first and examine logs to determine how the policy has affected traffic. Then, you can determine the timing for turning the policy from staged to enforced.

The network software compares IP packets to the criteria specified in policies. If a packet matches the criteria, then the system takes the action specified by the policy. If a packet does not match any rule in the policy, the software accepts the packet or passes it to the next policy, rule, or rule list.
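The evaluation order described above (staged policy logs only, enforced policy decides, ACCEPT hands the packet to the next context, ACCEPT DECISIVELY, DROP and REJECT end evaluation, and an unmatched packet is accepted) is modelled in the following added example. It is not F5 code; the Packet, Rule, Policy, Context and evaluate names, the sample contexts and the log-line format are this example's own assumptions.

```python
"""Added example, not F5 code: a minimal model of how firewall contexts
evaluate a staged policy beside an enforced one, first match wins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ACTIONS = ("ACCEPT", "ACCEPT DECISIVELY", "DROP", "REJECT")


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                   # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str
    src: Optional[str] = None                   # CIDR; None matches any source
    dst: Optional[str] = None                   # CIDR; None matches any destination
    protocol: Optional[str] = None              # None matches any protocol
    dst_port: Optional[Tuple[int, int]] = None  # inclusive range, e.g. (80, 88)
    enabled: bool = True                        # the State column: disabled rules are skipped
    log: bool = False                           # the Log column

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.protocol and self.protocol != pkt.protocol:
            return False
        if self.dst_port:
            lo, hi = self.dst_port
            if pkt.dst_port is None or not lo <= pkt.dst_port <= hi:
                return False
        return True


@dataclass
class Policy:
    name: str
    rules: List[Rule]   # rules and rule-list members, already flattened, in order


@dataclass
class Context:
    """One firewall context: at most one enforced and one staged policy."""
    name: str
    enforced: Optional[Policy] = None
    staged: Optional[Policy] = None


def first_match(policy: Policy, pkt: Packet) -> Optional[Rule]:
    """Rules are compared top to bottom; the first matching rule decides."""
    for rule in policy.rules:
        if rule.matches(pkt):
            return rule
    return None


def evaluate(contexts: List[Context], pkt: Packet):
    """Return (verdict, log).  A staged policy only adds a log line saying what
    it would have done; the enforced policy decides.  No match anywhere means
    the packet is accepted."""
    log = []
    for ctx in contexts:
        if ctx.staged:
            hit = first_match(ctx.staged, pkt)
            outcome = f"{hit.action} ({hit.name})" if hit else "not match"
            log.append(f"{ctx.name}: staged {ctx.staged.name} would {outcome}")
        if not ctx.enforced:
            continue
        hit = first_match(ctx.enforced, pkt)
        if hit is None:
            continue                    # pass the packet on to the next context
        if hit.log:
            log.append(f"{ctx.name}: enforced {hit.name} -> {hit.action}")
        if hit.action == "ACCEPT":
            continue                    # accepted here, still compared in later contexts
        return hit.action, log          # ACCEPT DECISIVELY, DROP or REJECT end evaluation
    return "ACCEPT", log


# Constructed sample: a global context that only stages a telnet block, and a
# virtual-server context whose enforced policy allows web ports and rejects the rest.
SAMPLE_CONTEXTS = [
    Context("global", staged=Policy("block_telnet", [
        Rule("deny_telnet", "DROP", protocol="tcp", dst_port=(23, 23))])),
    Context("vs_web", enforced=Policy("web_policy", [
        Rule("allow_http", "ACCEPT DECISIVELY", dst="10.0.0.0/24",
             protocol="tcp", dst_port=(80, 88), log=True),
        Rule("deny_rest", "REJECT", log=True)])),
]

if __name__ == "__main__":
    for port in (23, 80):
        print(evaluate(SAMPLE_CONTEXTS, Packet("192.0.2.10", "10.0.0.5", "tcp", port)))
```

Running the sample shows why staging is useful: the telnet packet is logged as a would-be DROP by the staged policy, yet its fate is still decided by the enforced policy in the later context, so the log can be reviewed before the staged policy is promoted.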

Policies can contain any combination of rules and rule lists. Policies cannot contain other policies. You can re-order rules within a policy as you wish.

Drag and drop a policy to add it to a firewall. Drag and drop it to multiple firewalls to configure the same policy consistently across many firewalls.

Note: The BIG-IQ Security system is aware that functionality present in one BIG-IP version may not exist in another. This means that it prohibits you from dropping a policy onto a firewall on a BIG-IP device that does not have the software version required to support it.

To add a policy, hover in the Policies header and when the (+) appears, click it.

To edit a policy, hover in the header of the policy you want to edit and click the gear icon. On the Properties tab, you can edit the description only.

Note: You can edit policies only through the Policies flyout. You can add policies and remove policies through the Firewalls flyout, but you cannot edit policies through the Firewalls flyout. You can edit shared objects only from within the shared object's panel. For example, editing rule lists, including the reordering of rules, cannot be done through the Policies flyout but must be done in the Rule Lists panel.

To remove a policy, click Remove in the flyout while the policy is selected. A popup screen displays informing you that this will permanently remove the policy from the BIG-IQ Security system. Confirm by clicking Remove.

If the policy is in use, a popup screen appears informing you. You cannot remove shared objects that are in use. Click Close to acknowledge this message and then click Cancel in the Remove popup screen.

To see where a policy is being used, click on the policy and the name appears in the search field. Then, click Apply. The GUI filters on that policy name and displays only the instances where the policy is used.

Policies: Managing policies

The Policy flyout contains the Properties tab and the Rules & Rule Lists tab.

To add or edit a policy, populate the fields as described here. When you are finished, click Add or Save as appropriate.

The Properties tab contains the Policy Properties table. Edit the fields in this table as described next.

Note: You can edit policies only through the Policies panel. You cannot add, edit, or remove policies through the Firewalls flyout.

Policy Properties

Name User-provided name for the policy. The text field accepts up to 128 characters. This field is read-only when editing a policy.
Description Optional. Description for the policy. The text field accepts up to 128 characters.
Partition Read-only field displaying the name of the partition associated with the policy.

A new policy is added to the Policies panel in alphabetical order.

The Rules & Rule Lists tab contains the Rules & Rule Lists table. It also contains buttons to create rules and to add rule lists.

To create a rule, click the Create Rule button and populate the fields as appropriate.

To add a rule list, click Add Rule List and select a rule list from the Rule Lists popup screen. Or, click Cancel to cancel the operation.

You can also add rules by right-clicking in the gray area under a row in the Rules & Rule Lists table and selecting Add rule. The rule is added to the bottom of the table. You can then re-order rules by dragging and dropping them.

You can also add rule lists by dragging and dropping from the Rule Lists panel.

To remove a rule, hover over the rule name, right-click, and from the drop-down menu select Delete rule. This menu also provides the options Add rule before and Add rule after (relative to the rule you are hovering over).

To remove a rule list, hover over the rule list name, right-click, and from the drop-down menu select Remove group.

Rules & Rule Lists

Name User-provided rule name up to 128 characters. Type the name and click Save.

If the name is a rule list name, it is preceded by referenceTo_ when dragged and dropped to a firewall or policy. For example: referenceTo_sys_sef_allow_all.

Address (Source) Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet source address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by removing the longest contiguous field of zeros. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373. For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.

To add an address or address list, click in the Address column and enter the address. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port Collection of ports, port ranges, or lists of ports to compare against the packet source port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column, enter the item, and click Save. Or, click in the Port column, click the down arrow, and select from the displayed list.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.
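The address and port syntax described above (IPv4 or IPv6 with an optional /prefix, abbreviated IPv6 forms, a %RouteDomainID suffix, and single ports or dash-separated ranges) is parsed and matched in the following added example; the same syntax applies to the Destination columns below. It is not F5 code: FirewallAddress, parse_address, parse_port, address_matches and port_matches are this example's own names, and treating route domain 0 as the default is an assumption of the example.

```python
"""Added example, not F5 code: parse the Address and Port column syntax and
match packet values against the resulting collections."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Tuple, Union


@dataclass(frozen=True)
class FirewallAddress:
    network: Union[IPv4Network, IPv6Network]
    route_domain: int = 0   # assumption: 0 is the default route domain


# host part, optional %<route domain id>, optional /<prefix length>
_ADDR_RE = re.compile(r"([^%/\s]+)(?:%(\d+))?(?:/(\d+))?")


def parse_address(text: str) -> FirewallAddress:
    """Accept a.b.c.d[%rd][/prefix] or any RFC 2373 IPv6 text[%rd][/prefix]."""
    m = _ADDR_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"malformed address {text!r}")
    host, rd, prefix = m.groups()
    addr = ip_address(host)                 # validates IPv4 and abbreviated IPv6 text
    if prefix is None:
        prefix = addr.max_prefixlen         # a bare address is a single host
    # strict=False keeps a subnet whose host bits are set, e.g. 12.2.0.1/16;
    # an impossible prefix such as /33 on IPv4 still raises ValueError
    net = ip_network(f"{addr}/{prefix}", strict=False)
    return FirewallAddress(net, int(rd) if rd else 0)


def parse_port(text: str) -> Tuple[int, int]:
    """'443' -> (443, 443); '80-88' -> (80, 88).  Rejects reversed or out-of-range."""
    parts = text.strip().split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed port specification {text!r}")
    lo, hi = int(parts[0]), int(parts[-1])
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range reversed or out of range: {text!r}")
    return lo, hi


def address_matches(specs: List[FirewallAddress], packet_ip: str,
                    packet_rd: int = 0) -> bool:
    """True if the packet address falls in any listed network of the same
    IP version and the same route domain."""
    ip = ip_address(packet_ip)
    return any(spec.route_domain == packet_rd
               and spec.network.version == ip.version
               and ip in spec.network
               for spec in specs)


def port_matches(specs: List[Tuple[int, int]], port: int) -> bool:
    """True if the port falls in any listed port or range."""
    return any(lo <= port <= hi for lo, hi in specs)


if __name__ == "__main__":
    # constructed inputs taken from the formats shown in this table
    for text in ("60.63.10.10", "2001:0:0:0:c34a:0:23ff:678", "2001:db8:a::/64", "12.2.0.0%44/16"):
        print(text, "->", parse_address(text))
    print(address_matches([parse_address("12.2.0.0%44/16")], "12.2.5.5", packet_rd=44))
```

The route-domain check matters: 12.2.0.0%44/16 describes addresses in route domain 44 only, so a packet carrying the same IP in another route domain does not match, and a rule written without the suffix does not match traffic in route domain 44.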

VLAN Name of the VLAN physically present on the BIG-IP device (Internal, External, or Any). The VLAN must be configured on the BIG-IP device or the deploy operation fails. When finished, click Save.

Address (Destination) Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet destination address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by removing the longest contiguous field of zeros. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373. For information about RFC 2373, see http://www.ietf.org/rfc/rfc2373.txt.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.

To add an address or address list, click in the Address column, enter the address, and click Save. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port Collection of ports, port ranges, or lists of ports to compare against the packet destination port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column and enter the item. Or, click in the Port column, click the down arrow, and select from the displayed list.

When finished, click Save.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

Action From the drop-down list, options include:
  • ACCEPT. Accept the current packet. The packet is then compared to the rules in the next appropriate context. This action allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule and are accepted traverse the system as if the firewall were not present.
  • ACCEPT DECISIVELY. Accept the current packet and do not compare the packet to any other firewall rules in any other context. This action allows packets with the specified source, destination, and protocol to pass through the firewall without any further processing by subsequent firewall contexts. Packets that match the rule and are accepted traverse the system as if the firewall were not present. CAUTION: This option is not available for global, route domain, and management firewall types only.
  • DROP. Silently drop the current packet. Nothing is sent back to the packet source, and the packet is not compared with any other firewall rules. This action drops packets with the specified source, destination, and protocol. Dropping the packet is a silent action with no notification to the source or destination systems; the source typically retries the connection until its retry threshold is reached.
  • REJECT. Drop the current packet. For TCP-based protocols a TCP reset is sent to the source; for other protocols, reject is equivalent to drop. This action rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender.

When finished, click Save.

Description Description for the current rule. To add a description, click in the column, enter text, and click Save.

Protocol IP protocol to compare against the packet. Select the appropriate protocol from the drop-down list and click Save.

If you select ICMP or IPv6-ICMP, a gear icon appears. Click the gear icon to display the screen on which you set the Type and Code combination for the ICMP or ICMPv6 protocol. The gear icon also appears if you select Other, so that you can enter the numeric value of the protocol.

The default Type is Any. The default Code is Any.

Type

  • For ICMP, you can choose from a list of control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can select Any to indicate that the system applies the rule for all ICMP messages. You can also select Other to specify an ICMP message not listed. The ICMP protocol contains definitions for the existing message type and number pairs.
  • For ICMPv6, you can choose from a list of control messages, such as Packet Too Big (2) and Time Exceeded (3), or you can select Any to indicate that the system applies the rule for all ICMPv6 messages. You can also select Other to specify an ICMPv6 message not listed. The ICMPv6 protocol contains definitions for the existing message type and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Type is Other, the number entered must be in the range 0 to 255.

Code

  • For ICMP, this field specifies the code returned in response to the specified ICMP message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can select Any to indicate that the system applies the rule for all codes in response to that specific ICMP message. You can also select Other to specify a code not listed. The ICMP protocol contains definitions for the existing message code and number pairs.
  • For ICMPv6, this field specifies the code returned in response to the specified ICMPv6 message type. You can choose from a list of codes, each set appropriate to the associated type, such as No Code (0) (associated with Packet Too Big (2)) and fragment reassembly time exceeded (1) (associated with Time Exceeded (3)), or you can select Any to indicate that the system applies the rule for all codes in response to that specific ICMPv6 message. You can also select Other to specify a code not listed. The ICMPv6 protocol contains definitions for the existing message code and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Code is Other, the number entered must be in the range 0 to 255.
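The Type and Code constraints above (Type Any forces Code Any, an Other value must be between 0 and 255, and a code is only meaningful for its associated type) are checked in the following added example, which also renders the selection in the same words the screen uses. It is not F5 code: KNOWN, validate_icmp_selection and describe are this example's own names, the table of type and code names is a small constructed subset built from the pairs mentioned in this table, and selecting Other is modelled simply as passing the number.

```python
"""Added example, not F5 code: validate an ICMP / IPv6-ICMP Type and Code
selection and describe it.  None stands for the Any selection."""
from typing import Dict, Optional, Tuple, Union

ANY = "Any"
Selection = Union[str, int]   # "Any" or a type/code number

# Constructed subset of type -> (name, {code: name}); the selection screen lists
# more.  Numbers are the IANA assignments for the names this table mentions.
KNOWN: Dict[str, Dict[int, Tuple[str, Dict[int, str]]]] = {
    "ICMP": {
        0: ("Echo Reply", {0: "No Code"}),
        3: ("Destination Unreachable", {0: "Net Unreachable", 1: "Host Unreachable"}),
    },
    "IPv6-ICMP": {
        2: ("Packet Too Big", {0: "No Code"}),
        3: ("Time Exceeded", {0: "hop limit exceeded in transit",
                              1: "fragment reassembly time exceeded"}),
    },
}


def _number(value: Selection, what: str) -> int:
    # an Other value (any number not in the list) must lie in 0..255
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 255:
        raise ValueError(f"{what} must be Any or a number in the range 0 to 255")
    return value


def validate_icmp_selection(protocol: str, type_sel: Selection,
                            code_sel: Selection) -> Tuple[Optional[int], Optional[int]]:
    """Return (type, code) with None meaning Any, or raise ValueError."""
    if protocol not in KNOWN:
        raise ValueError("Type and Code apply only to ICMP and IPv6-ICMP")
    if type_sel == ANY:
        if code_sel != ANY:
            raise ValueError("when Type is Any, Code must be Any")
        return None, None
    icmp_type = _number(type_sel, "Type")
    if code_sel == ANY:
        return icmp_type, None
    return icmp_type, _number(code_sel, "Code")


def describe(protocol: str, type_sel: Selection, code_sel: Selection) -> str:
    """Render a validated selection, labelling unlisted numbers as Other."""
    t, c = validate_icmp_selection(protocol, type_sel, code_sel)
    if t is None:
        return f"{protocol} type Any code Any"
    type_name, codes = KNOWN[protocol].get(t, ("Other", {}))
    if c is None:
        return f"{protocol} type {t} ({type_name}) code Any"
    return f"{protocol} type {t} ({type_name}) code {c} ({codes.get(c, 'Other')})"


if __name__ == "__main__":
    print(describe("ICMP", 3, 1))
    print(describe("IPv6-ICMP", 3, ANY))
```

A useful consequence of validating before saving is that a rule meant to match a single message, such as Destination Unreachable / Host Unreachable, cannot silently turn into a rule for all ICMP traffic through a Type of Any paired with a specific code.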

State Specifies whether the rule is enabled, disabled, or scheduled. Click in the column and select an option from the drop-down list. The field is updated. Click Save when you are ready to save your changes.

If you select scheduled from the drop-down list, the Select Schedule drop-down is displayed in the screen. Select a schedule from this drop-down and click OK.

If a schedule has been assigned, then a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to invoke the Select Schedule popup screen.

If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.

Log Specifies whether or not the BIG-IP firewall software should write a log entry for any packets that match this rule. From the drop-down list, select true (log an entry) or false (do not log an entry). When finished, click Save.

To set or edit this setting, the discovered BIG-IP device must be at version 11.3 HF6 or later. The setting is not editable on devices running a version earlier than 11.3 HF6.

When a new rule is added to a firewall through the BIG-IQ Security GUI, editing is enabled for the Log setting even for BIG-IP devices with versions earlier than 11.3 HF6.

To remove a policy, click Remove in the flyout while the policy is selected. A popup screen displays informing you that this will permanently remove the policy from the BIG-IQ Security system. Confirm by clicking Remove.

If the policy is in use, a popup screen appears informing you. You cannot remove shared objects that are in use. Click Close to acknowledge this message and then click Cancel in the Remove popup screen.

To see where a policy is being used, click on the policy and the name appears in the search field. Then click Apply. The GUI displays only those objects related to the search. Click the X icon to the right of the search string to clear the search.
