Manual Chapter: Rule Lists

Rule Lists panel

BIG-IP network firewalls use rules, and the rule lists that group them, to specify traffic-handling actions. BIG-IQ Security imports and manages these rules and rule lists. Rules define the criteria for filtering network traffic.

Rules are not independent objects and can exist only within rule lists or policies. For a specific firewall you can define its own list of rules, refer by name to one or more shared rule lists, or both.

Rule lists are containers for rules. Rule lists are one level deep only, which means that there is no nesting of rule lists within rule lists. A rule list is an ordered list of rules, which means that rules are executed in the order they appear in the list.

Rules and rule lists can be applied to all firewall types:

  • Global
  • Route domain
  • Virtual server
  • Self IP
  • Management

The network software compares IP packets to the criteria specified in rules. If a packet matches the criteria, the system takes the action specified by the rule and, unless that action ends evaluation (DROP, REJECT, or ACCEPT DECISIVELY), goes on to the next applicable firewall context. If a packet matches no rule in a list, it is passed on to the next rule list or firewall context; a packet that matches no rule anywhere is accepted. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.

A packet must pass all tests to match successfully. For example, to match against a source subnet and several destination ports, a packet must originate from the given subnet and must also have one of the specified destination ports.

A rule list can contain thousands of ordered rules.
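The evaluation order described above (within an ordered list the first matching rule decides; every populated criterion must match; an unmatched packet falls through to the next rule list or context; DROP, REJECT and ACCEPT DECISIVELY end evaluation while ACCEPT continues in the next context) as an added Python model. This is illustrative code written for this page, not F5 software. The context order, the packet fields, the rule names and the addresses (taken from the RFC 5737 and RFC 3849 documentation ranges) are constructed, and the default of accepting a packet that matches nothing anywhere is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# The four rule actions named in this chapter.
ACCEPT, ACCEPT_DECISIVELY, DROP, REJECT = "accept", "accept-decisively", "drop", "reject"

# Order in which the firewall consults its contexts: an assumption of this model.
CONTEXT_ORDER = ("global", "route-domain", "virtual-server", "self-ip")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: Tuple[str, ...] = ()                 # CIDR strings; empty tuple = any source
    dst: Tuple[str, ...] = ()                 # CIDR strings; empty tuple = any destination
    dports: Tuple[Tuple[int, int], ...] = ()  # inclusive (low, high) ranges; empty = any port
    proto: Optional[str] = None               # None = any protocol
    enabled: bool = True                      # the rule's State; a disabled rule never matches

    def matches(self, p: Packet) -> bool:
        # All populated criteria must match (AND); within one criterion any listed
        # value suffices (OR), e.g. "one of the specified destination ports".
        if not self.enabled:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src and not _in_any(p.src, self.src):
            return False
        if self.dst and not _in_any(p.dst, self.dst):
            return False
        if self.dports and not any(lo <= p.dport <= hi for lo, hi in self.dports):
            return False
        return True


def _in_any(addr: str, networks: Tuple[str, ...]) -> bool:
    ip = ip_address(addr)
    # ipaddress answers False (no exception) when the address family differs from the network's.
    return any(ip in ip_network(n, strict=False) for n in networks)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are ordered: the first rule whose criteria all match decides."""
    for r in rules:
        if r.matches(pkt):
            return r
    return None


def evaluate(contexts: Dict[str, List[List[Rule]]], pkt: Packet):
    """Walk the contexts; each maps to the ordered rule lists applied to that firewall.
    Returns (final_action, trace) where trace lists (context, rule name, action) hits."""
    trace = []
    for ctx in CONTEXT_ORDER:
        for rule_list in contexts.get(ctx, []):
            hit = first_match(rule_list, pkt)
            if hit is None:
                continue          # no match in this list: next list, then next context
            trace.append((ctx, hit.name, hit.action))
            if hit.action in (DROP, REJECT, ACCEPT_DECISIVELY):
                return hit.action, trace   # terminal: no further rules in any context
            break                 # plain ACCEPT: done with this context, continue with the next
    return ACCEPT, trace          # assumption: nothing matched anywhere -> accepted


# Constructed sample configuration (addresses from the documentation ranges).
GLOBAL_RULES = [
    Rule("drop-rfc1918-from-outside", DROP, src=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")),
    Rule("mgmt-ssh", ACCEPT_DECISIVELY, dst=("192.0.2.1/32",), proto="tcp", dports=((22, 22),)),
]
VS_RULES = [
    Rule("web", ACCEPT, dst=("198.51.100.10/32", "2001:db8:a::/64"), proto="tcp",
         dports=((80, 80), (443, 443))),
    Rule("deny-rest", REJECT),   # catch-all: matches every packet that reaches it
]
CONTEXTS = {"global": [GLOBAL_RULES], "virtual-server": [VS_RULES]}


def demo() -> Dict[str, str]:
    cases = {
        "web":    Packet("203.0.113.5", "198.51.100.10", "tcp", 443),
        "web-v6": Packet("2001:db8:ffff::9", "2001:db8:a::10", "tcp", 80),
        "bogon":  Packet("10.1.2.3", "198.51.100.10", "tcp", 443),
        "ssh":    Packet("203.0.113.5", "192.0.2.1", "tcp", 22),     # decisive: deny-rest is never reached
        "telnet": Packet("203.0.113.5", "198.51.100.10", "tcp", 23),
    }
    return {name: evaluate(CONTEXTS, p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:8s} -> {action}")
```

The "ssh" case is the one to study: the global rule accepts decisively, so the virtual server's catch-all REJECT is never consulted, whereas a plain ACCEPT in the global context would have let the packet continue and be rejected there.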

You cannot remove a rule list that is being used by any firewall or a rule that is being used by any rule list.

You can reuse a rule list across multiple firewalls, such as the firewalls for self IPs, route domains, and the global firewall. Drag and drop a rule list onto each firewall that should reference it.

You can edit rule lists only through the Rule Lists panel. You cannot add, edit, or remove rules contained in a rule list through the Firewalls or Policies panels or flyouts.

To add a rule list, hover in the Rule Lists header and click the (+) icon. The New Rule list flyout appears.

To add a rule in a rule list, click the Create Rule button.

To edit a rule list, hover in the header of the rule list that you want to edit, and click the gear icon.

Rule Lists: Managing rules and rule lists

Manage the contents of rules and rule lists from the Rule List flyout, which contains the Properties tab and the Rules tab.

Note: You can create and edit rules and rule lists only through this flyout. You cannot edit rule lists through the Policies panel or the Firewalls panel. You cannot use the Firewalls or Policies flyout to add, edit, reorder, or remove rules contained in a rule list.

The Properties tab contains the Rule List Properties table. Populate the fields in this table as described here. When you are finished, click Add or Save as appropriate. Or, click Cancel to close the flyout without saving.

Remember to save any changes you make to the rule list before exiting the panel. Changes made to the rule list are reflected the next time the Firewalls or Policies panels are refreshed.

Rule List Properties

Name: User-provided name for the rule list. The text field accepts up to 128 characters.

If the name is in use, it is grayed out. Click the name in the Rule Lists panel and the system brushes (highlights) the GUI to show where the rule list is being used.

After saving, the name can be changed only if the rule list is not in use.
Description: Optional. Description for the rule list. The text field accepts up to 128 characters.
Partition: Read-only field displaying the name of the partition associated with the rule list.

New rule lists are added to the bottom of the Rule Lists panel.

The Rules tab contains the Rules table. It also contains a button to create rules.

To create a rule, click the Create Rule button and populate the fields as appropriate.

Note: While editing, press Tab to advance from field to field.

In addition to using the Create Rule button, you can add rules by right-clicking in the gray area under a row in the Rules table and selecting Add rule. The rule is added to the bottom of the table. You can then re-order rules within the table by dragging and dropping them in the order you want them executed.

To remove a rule, hover over the rule name, right-click and from the drop-down menu, select Delete rule. This menu also provides options to Add rule before and Add rule after (the rule you are hovering over).

To remove a rule list, hover over the rule list name and click the gear icon to open the flyout. Then, click Remove.

If the rule list is in use, a popup screen appears informing you of that. You cannot remove shared objects that are in use. Click Close to acknowledge this message and then click Cancel in the Remove popup screen.

To see where a rule list is being used, click on the rule list and the name appears in the search field. Then click Apply. The GUI displays only those objects related to the search. Click the X icon to the right of the search string to clear the search.

Rules

Name: User-provided rule name up to 128 characters. Type the name and click Save.

If the name is a rule list name, it is prefixed with referenceTo_ when dragged and dropped to a firewall or policy. For example: referenceTo_sys_self_allow_all.

Address (Source): Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet source address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by replacing the longest contiguous run of all-zero fields with :: (once per address). For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373 (http://www.ietf.org/rfc/rfc2373.txt; RFC 2373 has since been superseded by RFC 4291, and RFC 5952 defines the canonical text form).

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.

To add an address or address list, click in the Address column and enter the address. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port (Source): Collection of ports, port ranges, or lists of ports to compare against the packet source port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column, enter the item, and click Save. Or, click in the Port column, click the down arrow, and select from the displayed list.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.

VLAN: Name of the VLAN physically present on the BIG-IP device (Internal, External, or Any). The VLAN must be configured on the BIG-IP device or the deploy operation fails. When finished, click Save.
Address (Destination): Collection of IPv4 or IPv6 addresses or lists of addresses to compare against the packet destination address.

IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10

IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by replacing the longest contiguous run of all-zero fields with :: (once per address). For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses, as defined in RFC 2373 (http://www.ietf.org/rfc/rfc2373.txt; RFC 2373 has since been superseded by RFC 4291, and RFC 5952 defines the canonical text form).

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.

You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.

To add an address or address list, click in the Address column and enter the address. Or, click in the Address column, click the down arrow, and select from the displayed list.

When finished, click Save.

Port (Destination): Collection of ports, port ranges, or lists of ports to compare against the packet destination port. Specify port ranges with a dash between the two ends of the range (for example: 80-88).

To add a port, port range, or port list, click in the Port column and enter the item. Or, click in the Port column, click the down arrow, and select from the displayed list.

When finished, click Save.

To remove a port, port range, or port list, right-click on the item, select Remove item, and click Save.
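A parser for the address and port syntax described for the Source and Destination columns above (dotted-quad or IPv6 text, optional /prefix, optional %RouteDomainID placed before the prefix, single ports and dash-separated ranges), as an added Python example written for this page rather than taken from BIG-IQ. Assumptions of the example: items in a column are comma-separated, a bare address means a single host (/32 or /128), route domain 0 applies when no %ID is given, and a prefix that leaves host bits set (60.63.10.10/24) is rejected as a likely typo. Python's ipaddress module accepts every valid IPv6 abbreviation and canonicalises it, which also serves as a check on the leading-zero and :: rules quoted above.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Callable, List, Tuple, TypeVar, Union

T = TypeVar("T")


@dataclass(frozen=True)
class AddressSpec:
    network: Union[IPv4Network, IPv6Network]
    route_domain: int          # 0 when the spec carries no %ID (assumption of this example)


# a.b.c.d or IPv6 text, then optional %RouteDomainID, then optional /prefix, in that order.
_ADDR_RE = re.compile(r"^(?P<addr>[0-9A-Fa-f:.]+)(?:%(?P<rd>\d+))?(?:/(?P<prefix>\d{1,3}))?$")
# A single port or a low-high range.
_PORT_RE = re.compile(r"^(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?$")


def parse_address(spec: str) -> AddressSpec:
    m = _ADDR_RE.match(spec.strip())
    if not m:
        raise ValueError(f"malformed address: {spec!r}")
    addr, rd, prefix = m.group("addr"), m.group("rd"), m.group("prefix")
    # ip_network validates the address, canonicalises IPv6 abbreviations, and with
    # strict=True rejects a prefix that leaves host bits set.
    network = ip_network(f"{addr}/{prefix}" if prefix else addr, strict=True)
    return AddressSpec(network, int(rd) if rd else 0)


def parse_port(spec: str) -> Tuple[int, int]:
    m = _PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"malformed port or range: {spec!r}")
    lo = int(m.group("lo"))
    hi = int(m.group("hi")) if m.group("hi") else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or beyond 65535: {spec!r}")
    return lo, hi


def parse_collection(value: str, item_parser: Callable[[str], T]) -> List[T]:
    """A column holds a collection; this example takes the items comma-separated."""
    return [item_parser(item) for item in value.split(",") if item.strip()]


def address_matches(specs: List[AddressSpec], addr: str, route_domain: int = 0) -> bool:
    """True when the address falls in any listed network of the same route domain."""
    ip = ip_address(addr)
    return any(s.route_domain == route_domain and ip in s.network for s in specs)


def port_matches(ranges: List[Tuple[int, int]], port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    for text in ("60.63.10.10", "60.63.10.0/24", "2001:0db7:3f4a:09dd:ca90:ff00:0042:8329",
                 "2001:0:0:0:c34a:0:23ff:678", "2001:db8:a::/64", "12.2.0.0%44/16"):
        s = parse_address(text)
        print(f"{text:42s} -> {s.network} (route domain {s.route_domain})")
    print(parse_port("80-88"), parse_port("443"))
```

Note that the route domain is part of the match: 12.2.5.5 in route domain 0 does not match a rule written for 12.2.0.0%44/16, which is the behaviour you want when the same RFC 1918 space is reused in several route domains.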

Action: From the drop-down list, options include:
  • ACCEPT. Accept the current packet. No further rules in this context are compared, but the packet is compared to rules in the next applicable context. The action allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule and are accepted traverse the system as if the firewall were not present.
  • ACCEPT DECISIVELY. Accept the current packet and do not compare it to any other firewall rules in any other context; no further processing by any later firewall is required. Packets that match the rule and are accepted traverse the system as if the firewall were not present. CAUTION: This option is not available for the global, route domain, and management firewall types.
  • DROP. Silently drop the current packet. Nothing is sent back to the packet source, and the packet is not compared with any other firewall rules. Because the sender gets no notification, a TCP client typically keeps retransmitting until its own retry limit is reached, so a dropped connection attempt appears to hang rather than fail.
  • REJECT. Drop the current packet and notify the sender: for TCP the firewall sends a TCP reset to the source; for other protocols it sends an ICMP destination unreachable message. The packet is not compared with any other firewall rules. Rejected connection attempts fail immediately instead of timing out, which is convenient for internal clients but also tells an external scanner that a filter is present; prefer DROP on untrusted interfaces.

When finished, click Save.

Description: Description for the current rule. To add a description, click in the column, enter text, and click Save.
Protocol: IP protocol to compare against the packet. Select the appropriate protocol from the drop-down list and click Save.

If you select ICMP or IPv6-ICMP, a gear icon appears. Click the gear icon to display the screen that lets you change the Type/Code combinations for the ICMP and ICMPv6 protocols. The gear icon also appears if you select Other, so that you can enter the numeric value of the protocol.

The default Type is Any. The default Code is Any.

Type

  • For ICMP, you can choose from a list of control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can select Any to indicate that the system applies the rule for all ICMP messages. You can also select Other to specify an ICMP message not listed. The ICMP protocol contains definitions for the existing message type and number pairs.
  • For ICMPv6, you can choose from a list of control messages, such as Packet Too Big (2) and Time Exceeded (3), or you can select Any to indicate that the system applies the rule for all ICMPv6 messages. You can also select Other to specify an ICMPv6 message not listed. The ICMPv6 protocol contains definitions for the existing message type and number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Type is Other, the number entered must be in the range 0 through 255.

Code

  • For ICMP, this field specifies the code that qualifies the selected ICMP message type (the Code field of the ICMP header). You can choose from a list of codes appropriate to the selected type, such as No Code (0) (for Echo Reply (0)) and Host Unreachable (1) (for Destination Unreachable (3)), or select Any to apply the rule to all codes of that message type. You can also select Other to specify a code not listed. The ICMP protocol defines the valid type and code number pairs.
  • For ICMPv6, this field specifies the code that qualifies the selected ICMPv6 message type. You can choose from a list of codes appropriate to the selected type, such as No Code (0) (for Packet Too Big (2)) and fragment reassembly time exceeded (1) (for Time Exceeded (3)), or select Any to apply the rule to all codes of that message type. You can also select Other to specify a code not listed. The ICMPv6 protocol defines the valid type and code number pairs.

If the value selected for Type is Any, the selected Code must be Any.

If the value selected for Code is Other, the number entered must be in the range 0 through 255.
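The Type and Code constraints above (Code must be Any when Type is Any; an Other value must be 0 through 255; a listed code belongs to a specific type), as an added Python example that turns a GUI selection into a match predicate and applies it to the type and code fields of an ICMP header. This is illustrative code written for this page, not BIG-IQ code. The tables hold only the type and code names quoted on this page plus the code-0 entries from RFC 792 and RFC 4443; the GUI's lists are longer.

```python
from typing import Dict, Optional, Tuple, Union

ANY = "Any"
Selection = Union[str, int]   # "Any", a listed name, or an int entered through "Other"

# Type names for the two ICMP flavours (only a few entries tabulated here).
ICMP_TYPES: Dict[str, Dict[int, str]] = {
    "ICMP":      {0: "Echo Reply", 3: "Destination Unreachable"},
    "IPv6-ICMP": {2: "Packet Too Big", 3: "Time Exceeded"},
}
# Code names, keyed by (protocol, type): each set belongs to one type.
ICMP_CODES: Dict[Tuple[str, int], Dict[int, str]] = {
    ("ICMP", 0):      {0: "No Code"},
    ("ICMP", 3):      {0: "Net Unreachable", 1: "Host Unreachable"},           # RFC 792
    ("IPv6-ICMP", 2): {0: "No Code"},
    ("IPv6-ICMP", 3): {0: "hop limit exceeded in transit",
                       1: "fragment reassembly time exceeded"},               # RFC 4443
}


def _is_any(selection: Selection) -> bool:
    return isinstance(selection, str) and selection.lower() == ANY.lower()


def _resolve(selection: Selection, names: Dict[int, str]) -> Optional[int]:
    """None means Any; an int is the 'Other' path and must be 0..255; a string is looked up."""
    if _is_any(selection):
        return None
    if isinstance(selection, int):
        if not 0 <= selection <= 255:
            raise ValueError(f"'Other' value {selection} is outside 0..255")
        return selection
    for number, name in names.items():
        if name.lower() == selection.lower():
            return number
    raise ValueError(f"{selection!r} is not a listed choice; select Other and enter the number")


def icmp_matcher(protocol: str, type_sel: Selection, code_sel: Selection) -> Tuple[Optional[int], Optional[int]]:
    """Validate a Type/Code selection and return (type, code), with None standing for Any."""
    if protocol not in ICMP_TYPES:
        raise ValueError(f"Type/Code apply only to ICMP and IPv6-ICMP, not {protocol!r}")
    icmp_type = _resolve(type_sel, ICMP_TYPES[protocol])
    if icmp_type is None and not _is_any(code_sel):
        raise ValueError("Code must be Any when Type is Any")
    # A code list exists only for tabulated types; an 'Other' type takes Any or a number.
    icmp_code = _resolve(code_sel, ICMP_CODES.get((protocol, icmp_type), {}))
    return icmp_type, icmp_code


def icmp_rule_matches(matcher: Tuple[Optional[int], Optional[int]], packet_type: int, packet_code: int) -> bool:
    """Apply a matcher to the Type and Code fields of an ICMP/ICMPv6 header."""
    want_type, want_code = matcher
    return (want_type is None or want_type == packet_type) and (want_code is None or want_code == packet_code)


if __name__ == "__main__":
    unreachable_host = icmp_matcher("ICMP", "Destination Unreachable", "Host Unreachable")
    print(unreachable_host, icmp_rule_matches(unreachable_host, 3, 1), icmp_rule_matches(unreachable_host, 3, 0))
```

A rule built from ("Destination Unreachable", "Any") resolves to (3, None) and matches every unreachable code, which is usually what you want when permitting path-MTU feedback; pinning the code to Host Unreachable (1) would silently block Fragmentation Needed (4).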

State: Specifies whether the rule is enabled, disabled, or scheduled. Click in the column and select an option from the drop-down list. The field is updated. Click Save when you are ready to save your changes.

If you select scheduled from the drop-down list, the Select Schedule drop-down is displayed in the screen. Select a schedule from this drop-down and click OK.

If a schedule has been assigned, then a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to invoke the Select Schedule popup screen.

If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.

Log: Specifies whether or not the BIG-IP firewall software should write a log entry for any packets that match this rule. From the drop-down list, select true (log an entry) or false (do not log an entry). When finished, click Save.

To set or edit this setting, the discovered BIG-IP device must be at version 11.3 HF6 or later. The setting is not editable earlier than version 11.3 HF6.

When a new rule is added to a firewall through the BIG-IQ Security GUI, editing is enabled for the Log setting even for BIG-IP devices with versions earlier than 11.3 HF6.
