You must be logging Network Firewall traffic to create a rule from the Network Firewall logs.
You can create a rule from the local log, from an enforced or staged rule or policy. You
might use this to change the action taken on specific traffic that is matched by a more general
rule. You can also use this to replicate a rule and change some parameter, such as the source or
destination ports. Note that the rule you create from a log entry already has some information
specified, such as source and destination address and ports, protocol, and VLAN. You can change
any of this information as required.
- On the Main tab, click .
  The Network Firewall event log displays.
- Select the search parameters to show the preferred log results, then click Search.
- Select a log entry, and click Create Rule.
- From the Context list, select the context for the firewall rule.
  For a firewall rule in a rule list, the context is predefined and cannot be changed.
- In the Name and Description fields, type the name and an optional description.
- From the Type list, select whether you are creating a standalone network firewall rule or creating the rule from a predefined rule list.
  Note: If you create a firewall rule from a predefined rule list, only the Name, Description, Order, Rule List, and State options apply, and you must select or create a rule list to include.
- From the State list, select the rule state.
  - Select Enabled to apply the firewall rule to the given context and addresses.
  - Select Disabled to set the firewall rule to not apply at all.
  - Select Scheduled to apply the firewall rule according to the selected schedule.
- From the Schedule list, select the schedule for the firewall rule.
  This schedule is applied when you set the firewall rule state as Scheduled.
- From the Protocol list, select the protocol to which the firewall rule applies.
  - Select Any to apply the firewall rule to any protocol.
  - Select the protocol name to apply the rule to a single protocol.
  Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list that includes a rule for ICMP or ICMPv6 to a self IP or virtual server; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
- In the Source list, specify users and groups to which this rule applies.
  - From the User list, select Any to have the rule apply to any user.
  - From the User list, select Specify and click User, Group, or User List to specify a user, group, or user list packet source to which the rule applies. When selected, you can type a user or group name in the format domain\user_name or domain\group_name. You can specify a user list by selecting it from the list. Click Add to add a selected user, group, or user list to the packet source list.
- In the Source list, specify addresses and geolocated sources to which this rule applies.
  - From the Address/Region list, select Any to have the rule apply to any packet source IP address or geographic location.
  - From the Address/Region list, select Specify and click Address to specify one or more packet source IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the Address field, then click Add to add them to the address list.
  - From the Address/Region list, select Specify and click Address List to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  - From the Address/Region list, select Specify and click Address Range to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
  - From the Address/Region list, select Specify and click Country/Region to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Source address list.
- From the Source Port list, select the type of packet source ports to which this rule applies.
  - Select Any to have the rule apply to any packet source port.
  - Select Specify and click Port to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
  - Select Specify and click Port Range to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
  - Select Specify and click Port List to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
- From the Source VLAN/Tunnel list, select the VLAN on which this rule applies.
  - Select Any to have the rule apply to traffic on any VLAN through which traffic enters the firewall.
  - Select Specify to specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list. Similarly, you can remove the VLAN from this rule by moving the VLAN from the Selected list to the Available list.
- In the Destination area and from the Address/Region list, select the type of packet destination address to which this rule applies.
  - Select Any to have the rule apply to any IP packet destination address.
  - Select Specify and click Address to specify one or more packet destination IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the Address field, then click Add to add them to the address list.
  - Select Specify and click Address List to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  - Select Specify and click Address Range to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
  - Select Specify and click Country/Region to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Destination address list.
- From the Destination Port list, select the type of packet destination ports to which this rule applies.
  - Select Any to have the rule apply to any port inside the firewall.
  - Select Specify and click Port to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
  - Select Specify and click Port Range to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
  - Select Specify and click Port List to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
- Optionally, to apply an iRule to traffic matched by this rule, from the iRule list, select an iRule.
- When you select an iRule to start in a firewall rule, you can enable iRule sampling, and select how frequently the iRule is started, for sampling purposes. The value you configure is one out of n times the iRule is triggered. For example, to trigger the iRule one out of every five times the rule matches a flow, select Enabled, then set this field to 5.
- From the Action list, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose from one of these actions:

  | Option | Description |
  |---|---|
  | Accept | Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. |
  | Drop | Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached. |
  | Reject | Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender. |
  | Accept Decisively | Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. |
- From the Logging list, enable or disable logging for the firewall rule.
  A logging profile must be enabled to capture logging info for the firewall rule.
- Click Finished.
  The list screen and the new item are displayed.

The new firewall policy rule is created from the log entry.
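The procedure above pre-fills a rule with the source, destination, ports, protocol, and VLAN taken from a log entry and leaves the context and action to the operator. The Python script below is an added example, not F5 code and not part of this page, that does the same thing offline: it parses a constructed log line, builds a narrowing rule for one source (for instance a Drop rule that overrides a broader Accept), and emits the iControl REST request that would add it to the policy's rules collection. The log field names, the REST path, and the rule body field names (action, ipProtocol, status, log, source, destination) are assumptions to check against your BIG-IP version. It also enforces the ICMP caveat from the Protocol step, refusing to build an ICMP rule for a self IP or virtual server context, and drops the source port by default because the logged source port is normally ephemeral and pinning it would leave the rule matching almost nothing.

```python
"""Build a network firewall rule from a Network Firewall log entry (added example).

Mirrors the GUI procedure: the rule is pre-filled from the log entry's
source, destination, port, protocol and VLAN, and the operator chooses the
action. The log line format, the REST path and the rule field names used
here are ASSUMPTIONS for this example, not a documented F5 format.
"""
import ipaddress
import json

# Constructed sample log entry in key="value" form (not a real capture).
SAMPLE_LOG = (
    'acl_policy_name="/Common/web_policy",acl_rule_name="allow_any_web",'
    'action="Accept",context_type="Virtual Server",'
    'context_name="/Common/vs_https",src_ip="203.0.113.25",src_port="51144",'
    'dest_ip="198.51.100.10",dest_port="443",protocol="TCP",'
    'vlan="/Common/external"'
)

VALID_ACTIONS = {"accept", "drop", "reject", "accept-decisively"}
ICMP_PROTOCOLS = {"icmp", "icmpv6"}
GLOBAL_CONTEXTS = {"global", "route domain"}


def parse_log_entry(line):
    """Split a key="value",key="value" line into a dict (assumed format)."""
    fields = {}
    for part in line.split(","):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    missing = [k for k in ("src_ip", "dest_ip", "protocol", "context_type")
               if k not in fields]
    if missing:
        raise ValueError("log entry missing fields: " + ", ".join(missing))
    return fields


def rule_from_log(entry, name, action, context=None, keep_source_port=False,
                  log=True):
    """Return a rule body pre-filled from a parsed log entry.

    The context defaults to the one the entry was logged in. The source
    port is dropped unless keep_source_port is set: it is normally an
    ephemeral port, so pinning it would make the rule match almost nothing.
    """
    action = action.lower().replace(" ", "-")
    if action not in VALID_ACTIONS:
        raise ValueError("unknown action %r" % action)
    proto = entry["protocol"].lower()
    context = (context or entry["context_type"]).lower()
    # Caveat from the procedure: ICMP is handled at the global or route
    # domain level, so an ICMP rule in a self IP or virtual server context
    # would be ignored. Refuse to build one rather than create a dead rule.
    if proto in ICMP_PROTOCOLS and context not in GLOBAL_CONTEXTS:
        raise ValueError("ICMP/ICMPv6 rules need the global or route domain "
                         "context, not %r" % context)
    # Validate addresses so a malformed log field cannot become a rule that
    # silently matches the wrong thing.
    src = ipaddress.ip_address(entry["src_ip"])
    dst = ipaddress.ip_address(entry["dest_ip"])
    rule = {
        "name": name,
        "action": action,
        "ipProtocol": proto,
        "status": "enabled",
        "log": "yes" if log else "no",
        "source": {"addresses": [{"name": "%s/%d" % (src, src.max_prefixlen)}]},
        "destination": {"addresses": [{"name": "%s/%d" % (dst, dst.max_prefixlen)}]},
    }
    # Ports apply only to TCP/UDP; for other protocols the GUI keeps them Any.
    if proto in ("tcp", "udp"):
        if entry.get("dest_port"):
            rule["destination"]["ports"] = [{"name": entry["dest_port"]}]
        if keep_source_port and entry.get("src_port"):
            rule["source"]["ports"] = [{"name": entry["src_port"]}]
    if entry.get("vlan"):
        rule["source"]["vlans"] = [{"name": entry["vlan"]}]
    return rule


def rest_request(policy, rule):
    """Describe the iControl REST call that would add the rule (assumed path)."""
    path = "/mgmt/tm/security/firewall/policy/%s/rules" % policy.replace("/", "~")
    return {"method": "POST", "path": path, "body": rule}


if __name__ == "__main__":
    entry = parse_log_entry(SAMPLE_LOG)
    # Tighten the broad "allow_any_web" match: drop this one source instead.
    rule = rule_from_log(entry, "drop_scanner_203_0_113_25", "Drop")
    print(json.dumps(rest_request(entry["acl_policy_name"], rule), indent=2))
```

The generated rule still needs an Order position ahead of the broader rule it overrides, exactly as in the GUI, and the "log": "yes" setting only produces entries when a logging profile is attached, as the Logging step notes.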