AFM Network Firewall uses industry standard firewall policies containing ordered lists of firewall rules or rule lists. Network Firewall policies control network access to your data center using the criteria specified in the associated rules or rule lists. Once created, BIG-IP AFM network firewall policies are applied to BIG-IP system access points, or contexts, such as a virtual server, Self IP address or the entire device at the global context.
You can also stage a firewall policies in any contexts. This allows you to view hit rate statistics and verify the potential impact a new policy may have on traffic processing.
Management port rules are configured directly on the management port context itself, as a result, policies can not be associated with the management port.
Because AFM Network Firewall policies can be applied to a variety of different contexts and policies may at times overlap, it is important to understand the order of processing for each context.
|Order processed||Firewall context||Description|
|1st||Global||Applies to all traffic being processed.|
|2nd||Route Domain||Applies to a specific route domain.|
|3rd||Virtual Server/Self IP||Applies to a virtual server or Self IP address.|
|Independent||Management Port||Applied to the BIG-IP system management port.|
AFM Network Firewall processes policies in order, progressing from the global, to the route domain, and then to the virtual server/Self IP context. Management port rules are processed separately. You can enforce a firewall policy on any context except the management port.
These listed actions are available in a firewall rule.
AFM Network Firewall actions are processed within a context. If traffic matches a firewall rule within a given context, that action is applied to the traffic, and the traffic is processed again at the next context.
|Accept||Packets that match the rule are accepted and traverse the system as if the firewall is not present.|
|Drop||Packets that match the rule are dropped. Dropping a packet is a silent action with no notification to the source system. This causes the connection to be retried until the retry threshold is reached.|
|Reject||Packets that match the rule are rejected. Rejecting a more graceful way to deny packets as it sends a destination unreachable message to the source system.|
|Accept Decisively||Packets that match the rule are accepted decisively and traverse the system as if the firewall is not present. Packets are not processed by rules in any further context after the accept decisively action applies. For example, if you want to allow all packets from Network A to reach every server behind your firewall, you can specify a rule that accepts decisively at the global context, from Network A to any port and address. Then, you can specify that all traffic is blocked at a specific virtual server, using the virtual server context. Because traffic from Network A is accepted decisively at the global context, that traffic still traverses the virtual server.|
To improve troubleshooting and auditing, firewall rules can be identified using a 32 character Universally Unique Identification Number (UUID). For example:
The following table lists some of the UUID behaviors as they relate to the BIG-IP system.
|High-availability (HA)||UUIDs are shared between devices in an HA configuration|
|Configuration||UUIDs remain in the configuration. They can be restored with a UCS installation for example.|
|Logging||UUID logging can be enabled, allowing you to match events to specific rules.|
|Editing||UUIDs can not be edited.|
|Resource utilization||UUID generation and logging slightly increase CPU utilization and disk space utilization.|
You can enable UUIDs per rule, or enable UUID generation to automatically occur when a new rule is created. To enable automatic UUID creation for all rules, navigate to.
These listed options are available in a firewall rule.
AFM Network Firewall rule options are used to designate very specific packet matching criteria and the action to take once a packet match is made.
|Firewall rule option||Description|
|Name||Specify the name of the rule.|
|Auto Generate UUID||Identify each firewall rule with a 36 character Universally Unique Identification Number (UUID).|
|Description||Specify descriptive text for the rule.|
|Order||Specify the order of the rule in the list.|
|State||Specify the state of the rule. Options include:
|Protocol||Specify the protocol to which the rule applies. Options include over 250 protocols.|
|Source||Specify the packet source to which the rule applies. Options include:
|Destination||Specify the packet destination to which the rule applies. This includes IPv4 / IPv6 addresses or geographical regions.|
|iRule||Specify an iRule to execute when the rule is matched.|
|Action||Specify a standard firewall rule action: Accept, Drop, Reject or Accept Decisively.|
|Send to Virtual||Specify a virtual server to which matching traffic is sent. This option is only available for rules used in global or route domain contexts.|
|Logging||Specify whether logging is enabled or disabled for the firewall rule.|
|Service Policy||Specify a service policy that applies when the rule is matched.|
|Protocol Inspection Profile||Specify a protocol inspection profile that applies when the rule is matched.|
|Classification Policy||Specify a classification policy that applies when the rule is matched.|
AFM Network Firewall uses rule lists to collect multiple firewall rules. While you can create firewall policies containing multiple firewall rule entries, F5 recommends creating and associating rule lists with your firewall policies to simplify administration.