Manual Chapter : Firewall Rules and Rule Lists

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 13.0.1, 13.0.0
Manual Chapter

About firewall rules

The BIG-IP® Network Firewall uses rules to specify traffic handling actions. Rules are collected in policies, which are applied at the global context, to a route domain, to a virtual server, or to a self IP address. Rules for the management port do not require a policy, but are defined directly in the management port context.

A rule includes:

Context
The category of object to which the rule applies. Rules can be global and apply to all addresses on the BIG-IP system that match the rule, or they can be specific, applying only to a specific virtual server, self IP address, route domain, or the management port.
Rule or Rule List
Specifies whether the configuration applies to this specific rule, or to a group of rules.
Source Address
One or more addresses, geographic locations, or address lists to which the rule applies. The source address refers to the packet's source.
Source Port
The ports or lists of ports on the system to which the rule applies. The source port refers to the packet's source.
VLAN
Specifies VLANs to which the rule applies. The VLAN source refers to the packet's source.
Destination Address
One or more addresses, geographic locations, or address lists to which the rule applies. The destination address refers to the packet's destination.
Destination Port
The ports or lists of ports to which the rule applies. The destination port refers to the packet's destination.
iRule
Specifies an iRule that is applied to the rule. An iRule can be started when the firewall rule matches traffic.
iRule sampling
When you select an iRule to trigger in a firewall rule, you can select the how frequently the iRule is triggered, for sampling purposes. The value you configure is one out of n times the iRule is triggered. For example, set this field to 5 to trigger the iRule one out of every five times the rule matches a flow.
Protocol
The protocol to which the rule applies. The firewall configuration allows you to select one specific protocol from a list of more than 250 protocols. The list is separated into a set of common protocols, and a longer set of other protocols. To apply a rule to more than one protocol, select Any.
Schedule
Specifies a schedule for the firewall rule. You configure schedules to define days and times when the firewall rule is made active.
Action
Specifies the action (accept, accept decisively, drop, or reject) for the firewall rule.
Logging
Specifies whether logging is enabled or disabled for the firewall rule.

Task list

Firewall actions

These listed actions are available in a firewall rule.

Firewall actions are processed within a context. If traffic matches a firewall rule within a given context, that action is applied to the traffic, and the traffic is processed again at the next context.

Firewall action Description
Accept Allows packets with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
Reject Rejects packets with the specified source, destination, and protocol. Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. For example, if the protocol is TCP, a TCP RST message is sent. One benefit of using Reject is that the sending application is notified, after only one attempt, that the connection cannot be established.
Accept Decisively Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted decisively, traverse the system as if the firewall is not present, and are not processed by rules in any further context after the accept decisively action applies. If you want a packet to be accepted in one context, and not to be processed in any remaining context or by the default firewall rules, specify the accept decisively action. For example, if you want to allow all packets from Network A to reach every server behind your firewall, you can specify a rule that accepts decisively at the global context, from that Network A, to any port and address. Then, you can specify that all traffic is blocked at a specific virtual server, using the virtual server context. Because traffic from Network A is accepted decisively at the global context, that traffic still traverses the virtual server.

About Network Firewall contexts

With the BIG-IP® Network Firewall, you use a context to configure the level of specificity of a firewall policy. For example, you might make a global context rule to block ICMP ping messages, and you might make a virtual server context rule to allow only a specific network to access an application.

Context is processed in this order:

  1. Global
  2. Route domain
  3. Virtual server/self IP
  4. Global drop or reject

The firewall processes policies and rules in order, progressing from the global context, to the route domain context, and then to either the virtual server or self IP context. Management port rules are processed separately, and are not processed after previous rules. Rules can be viewed in one list, and viewed and reorganized separately within each context. You can enforce a firewall policy on any context except the management port. You can also stage a firewall policy in any context except management. Management port rules are configured as inline rules specific to the management port.

Important: You can configure the global drop or reject context. The global drop or reject context is the final context for all traffic, except Management port traffic. Note that even though it is a global context, it is not processed first, like the main global context, but last. If a packet matches no rule in any previous context, the global drop or reject rule drops or rejects the traffic. The default global rule is global reject.
Note: Management port traffic is not affected by the global drop or reject rule, or by global rules in general. Management port rules must be specifically configured and applied.
Firewall context processing hierarchy example

Firewall context processing hierarchy example

Firewall context descriptions

When you create a firewall rule, you can select one of these listed contexts. Each context forms a list of rules. Contexts are processed in heirarchical order, and within each context, rules are processed in numerical order..

Firewall context Description
Global Global policy rules are collected in this firewall context. Global rules apply to all traffic that traverses the firewall, and global rules are checked first.
Route Domain Route domain policy rules are collected in this context. Route domain rules apply to a specific route domain defined on the server. Route domain policy rules are checked after global rules. If you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context; however, if you configure another route domain after this, Route Domain 0 is no longer usable as a global context.
Virtual Server Virtual server policy rules are collected in this context. Virtual server policy rules apply to the selected existing virtual server only. Virtual server rules are checked after route domain rules.
Self IP Self IP policy rules apply to a specified self IP address on the device. Self IP policy rules are checked after route domain rules.
Management Port The management port context collects firewall rules that apply to the management port on the BIG-IP® device. Management port rules are checked independently of other rules and are not processed in relation to other contexts.
Global Reject The Global Reject rule rejects all traffic that does not match any rule in a previous context, excluding Management Port traffic, which is processed independently.

Creating a network firewall management port rule

If you are going to specify address lists, user lists, or port lists with this rule, you must create these lists before creating the firewall rule, or add them after you save the rule.
Create a network firewall management port rule to manage access from an IP or web network address to the BIG-IP® management port.
Note: You cannot add rules created with this task to a rule list at a later time. You must create rules for a rule list from within the rule list.
Important: You can only add management port rules as inline rules. For all other contexts, you must add rules to policies.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. In the Rules area, click Add to add a firewall rule to the list.
  3. From the Context list, select Management Port.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  6. From the Schedule list, select the schedule for the firewall rule.
    This schedule is applied when you set the firewall rule state as Scheduled.
  7. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  8. In the Source list, specify addresses and geolocated sources to which this rule applies.
    • From the Address/Region list, select Any to have the rule apply to any packet source IP address or geographic location.
    • From the Address/Region list, select Specify and click Address to specify one or more packet source IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the Address field, then click Add to add them to the address list.
    • From the Address/Region list, select Specify and click Address List to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • From the Address/Region list, select Specify and click Address Range to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • From the Address/Region list, select Specify and click Country/Region to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Source address list.
  9. From the Source Port list, select the type of packet source ports to which this rule applies.
    • Select Any to have the rule apply to any packet source port.
    • Select Specify and click Port to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  10. From the Destination Address/Region list, select the type of packet destination address to which this rule applies.
    • Select Any to have the rule apply to any IP packet destination address.
    • Select Specify and click Address to specify one or more packet destination addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses FQDNs into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
  11. From the Destination Port list, select the type of packet destination ports to which this rule applies.
    • Select Any to have the rule apply to any port inside the firewall.
    • Select Specify and click Port to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  12. From the Action list, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose from one of the these actions:
    Option Description
    Accept Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
    Accept Decisively Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  13. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  14. Click Finished.
    The list screen and the new item are displayed.
The new firewall rule is created.

About redundant and conflicting rules

When you create rules on the network firewall, it is possible that a rule can either overlap or conflict with an existing rule.

Redundant rule
A rule which has address, user, region, or port information that completely overlaps with another rule, with the same action. In the case of a redundant rule, the rule can be removed with no net change in packet processing because of the overlap with a previous rule or rules.
Conflicting rule
A conflicting rule is a special case of a redundant rule, in which address, user, region or port information overlaps with another rule, but the rules have different actions, and thus conflict.
Tip: A rule might be called conflicting even if the result of each rule is the same. For example, a rule that applies to a specific IP address is considered in conflict with another rule that applies to the same IP address, if one has an Accept action and the other has an action of Accept Decisively, even though the two rules accept packets.

On a rule list page, redundant or conflicting rules are indicated in the State column with either (Redundant) or (Conflicting).

Viewing and removing redundant and conflicting rules

You must have staged or enforced rules configured on your system that are redundant or conflicting.
View and remove redundant or conflicting rules to simplify your configuration and ensure that your system takes the correct actions on packets.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. From the Type list, select whether you want to view Enforced or Staged policies.
    Note: If you select to view Staged policies, you can not view management port rules, as they cannot be staged.
  3. View the firewall rule states in the State column.

    Each rule is listed as Enabled, Disabled, or Scheduled. In addition, a rule can have one of the following states. View and adjust rules with these states, if necessary.

    (Redundant)
    The rule is enabled, disabled, or scheduled, and redundant. All the functionality of this rule is provided by a previous rule or rules. Hover over the State column to see why the rule is considered redundant, and possible solutions. Typically you can disable or delete a redundant rule with no net effect on the system.
    (Conflicting)
    The rule is enabled, disabled, or scheduled, and conflicting. All the match criteria of this rule is covered by another rule or rules, but this rule has a different action. Hover over the State column to see why the rule is considered conflicting, and possible solutions. Typically you should disable or delete a conflicting rule. Because the rule criteria is matched prior to the conflicting rule, there it typically no net change in processing. Note that the Accept and Accept Decisively actions are treated as conflicting by the system.
    (Conflicting & Redundant)
    The rule is enabled, disabled, or scheduled, and conflicting or redundant with the actions of more than one other rule. Typically you should disable or delete a conflicting and redundant rule.
  4. Resolve conflicting or redundant rules by editing, deleting, or disabling them. Click a rule name to edit, delete, or disable it, and complete the required action.
The firewall rule list is adjusted.

About stale rules

On the rule list page, you can determine whether a rule is stale, infrequently used, or never used. A stale rule is one that has not been hit in a long time. In addition, a rule might never be hit, or might be hit infrequently.

Note: Use discretion when tuning rules, and delete rules only when you are sure they are no longer needed.

On the active rules page, or the page of rules for a policy, the Count column displays the number of times a rule has been hit. A count of 0 might indicate a rule that will never be hit, and can be removed without changing packet processing. A rule with a low count, when other rules have a high count, might indicate a rule that is stale, and no longer needed.

Use the Latest Match column to confirm rule status. A status of Never indicates the rule has never been matched, and might be irrelevant. A very long time since the last match indicates a rule that is likely no longer needed.

You can view stale rules from the stale rules reporting page. Go to Security > Reporting > Network > Stale Rules .

Viewing and removing unused or infrequently used rules

You must have staged or enforced rules configured on your system, and the system must be processing traffic, to determine whether rules are hit.
View and remove infrequently used or unused rules to reduce firewall processing and simplify your rules, rule lists, and policies.
CAUTION:
Before you remove a rule that is infrequently hit, or never hit, make sure that doing so will not create a security issue. A rule might be hit infrequently, but might still be a required part of your security stance for a specific or rare attack.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. From the Type list, select whether you want to view Enforced or Staged policies.
    Note: If you select to view Staged policies, you can not view management port rules, as they cannot be staged.
  3. View the rule hit count in the Count column.
    The rule hit count shows how many total times a rule hit has occurred. A very low number indicates that the rule is infrequently hit. A count of 0 indicates the rule has never been hit.
  4. View the latest match date in the Latest Match column.
    The latest match column lists the last time the rule was hit. An old date indicates that the rule has not been hit in a long time. Never indicates that the rule has never been hit.
  5. Resolve infrequently hit rules by editing, deleting, or disabling them. Click a rule name to edit, delete, or disable it, and complete the required action.
The firewall rule list is adjusted.

About firewall rule lists

The BIG-IP® Network Firewall uses rule lists to collect multiple rules. Rule lists function differently depending on how you create them with Advanced Firewall Manager™ (AFM™).

If you create a rule list with Security > Network Firewall > Rule Lists > Create :
This type of rule list is defined with a name and optional description. Once you create a rule list of this type, you can create and add one or more individual firewall rules to it. You can only add firewall rules by creating them from within the rule list. This type of rule list cannot be used on its own, but must be selected in an Active Rules list, or in a Policy Rules list.
If you create a rule list with Security > Network Firewall > Active Rules > Add and select the Type as Rule List:
This type of rule list is defined with a name and optional description. You can specify a context (Global, Route Domain, Virtual Server, or Self IP). However, you cannot add individual rules to this rule list. Instead, you select a single rule list you have already created, or one of the predefined rule lists. This type of rule list is used to activate a rule list in the configuration.
If you create a rule list with Security > Network Firewall > Policies > policy_name > Add and select the Type as Rule List:
This type of rule list is defined with a name and optional description. You cannot specify a context as the context is determined by the policy. You cannot add individual rules to this rule list. Instead, you select a single rule list you have already created, or one of the predefined rule lists. This type of rule list is used to activate a rule list in a policy.

Creating a network firewall rule list

Create a network firewall rule list, to which you can add firewall rules.
  1. On the Main tab, click Security > Network Firewall > Rule Lists .
    The Rule Lists screen opens.
  2. Click the Create button to create a new rule list.
  3. In the Name and Description fields, type the name and an optional description.
  4. Click Finished.
    The empty firewall rule list is displayed.
Add firewall rules to the rule list to define source, destination, and firewall actions.
Adding a Network Firewall rule to a rule list
Before you add a firewall rule to a rule list, you must create a rule list.
Add a network firewall rule to a rule list so you can collect rules and apply them at once in a policy.
  1. On the Main tab, click Security > Network Firewall > Rule Lists .
    The Rule Lists screen opens.
  2. From the list, click the name of a rule list you previously created.
    The Rule List properties screen opens.
  3. In the Rules area, click Add to add a firewall rule to the list.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the Order list, set the order for the firewall rule.
    You can specify that the rule be first or last in the rule list, or before or after a specific rule.
  6. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  7. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  8. If you select ICMP or ICMPv6 as the rule protocol, add ICMP message types and codes in the fields that appear.

    If you do not specify specific ICMP/ICMPv6 message types and codes, the rule applies to any ICMP or ICMPv6 message type.

    • In the ICMP/ICMPv6 Message area, select an ICMP message type from the Type list, and select an ICMP message code from the Code list.
    • Click Add to add the message type and code to the firewall rule.
  9. From the Schedule list, select the schedule for the firewall rule.
    This schedule is applied when you set the firewall rule state as Scheduled.
  10. In the Source list, specify addresses and geolocated sources to which this rule applies.
    • From the Address/Region list, select Any to have the rule apply to any packet source IP address or geographic location.
    • From the Address/Region list, select Specify and click Address to specify one or more packet source IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the Address field, then click Add to add them to the address list.
    • From the Address/Region list, select Specify and click Address List to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • From the Address/Region list, select Specify and click Address Range to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • From the Address/Region list, select Specify and click Country/Region to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Source address list.
  11. From the Source Port list, select the type of packet source ports to which this rule applies.
    • Select Any to have the rule apply to any packet source port.
    • Select Specify and click Port to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  12. From the Source VLAN/Tunnel list, select the VLAN on which this rule applies.
    • Select Any to have the rule apply to traffic on any VLAN through which traffic enters the firewall.
    • Select Specify to specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list. Similarly, you can remove the VLAN from this rule, by moving the VLAN from the Selected list to the Available list.
  13. In the Destination area and from the Address/Region list, select the type of packet destination address to which this rule applies.
    • Select Any to have the rule apply to any IP packet destination address.
    • Select Specify and click Address to specify one or more packet destination IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Destination address list.
  14. From the Destination Port list, select the type of packet destination ports to which this rule applies.
    • Select Any to have the rule apply to any port inside the firewall.
    • Select Specify and click Port to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  15. Optionally, to apply an iRule to traffic matched by this rule, from the iRule list, select an iRule.
  16. When you select an iRule to start in a firewall rule, you can enable iRule sampling, and select how frequently the iRule is started, for sampling purposes. The value you configure is one out of n times the iRule is triggered. For example, to trigger the iRule one out of every five times the rule matches a flow, select Enabled, then set this field to 5.
  17. From the Action list, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose from one of the these actions:
    Option Description
    Accept Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
    Accept Decisively Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  18. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  19. Click Finished.
    The list screen and the new item are displayed.
A new firewall rule is created, and appears in the Rules list.
Activating a rule list in a policy
The rule list is a container in which you can select and activate one of the rule lists that you created previously, or one of the predefined system rule lists, to apply a collection of rules at one time, to a policy.
  1. On the Main tab, click Security > Network Firewall > Policies .
    The Policies screen opens.
  2. Click the name of a firewall policy to edit that policy.
    The Firewall Policy screen opens.
  3. In the Rules area, click Add to add a firewall rule list to the policy.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the Order list, set the order for the firewall rule.
    You can specify that the rule be first or last in the rule list, or before or after a specific rule.
  6. From the Type list, select whether you are creating a standalone network firewall rule or creating the rule from a predefined rule list.
    Note: If you create a firewall rule from a predefined rule list, only the Name, Description, Order, Rule List, and State options apply, and you must select or create a rule list to include.
  7. From the Rule List setting, select a rule list to activate in the policy or configuration.
  8. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  9. Click Finished.
    The list screen and the new item are displayed.
The firewall rule list you selected is activated.