Manual Chapter : Network Firewall Inline Rule Editor

Applies To:


BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Using the inline firewall rule editor

The BIG-IP® Network Firewall uses rules to specify traffic handling actions. The inline rule editor provides an alternative way to create and edit rules within a policy, on a single page. The advantage to this type of rule editing is that it provides a simpler and more direct overview of both a rule and the entire policy. You can edit an inline rule for any context. The inline rule editor is available only from the Active Rules page.

When using the inline rule editor, the information presented in a firewall rule is simplified to the following categories:

Name
You must specify a name for the rule. You can also specify an optional description.
State
You can enable, disable, or schedule a firewall rule. These states govern whether the rule takes an action, does not take an action, or takes an action only during specific days and times.
Protocol
Specify a protocol to which the firewall rule applies. By default, the rule is TCP.
For ICMP or ICMPv6 protocols, you can specify one or more ICMP types and codes.
Source
A rule can include any number of sources, including IPv4 or IPv6 addresses, IPv4 or IPv6 address ranges, fully qualified domain names, geographic locations, VLANs, address lists, ports, port ranges, port lists, subscribers, and subscriber groups.
Destination
A rule can include any number of destinations, including IPv4 or IPv6 addresses, IPv4 or IPv6 address ranges, FQDNs, geographic locations, VLANs, address lists, ports, port ranges, and port lists.
Actions
Specifies an action that applies when traffic matches the rule. The standard rule actions apply (Accept, Drop, Reject, and Accept Decisively). In addition, you can set the rule to start an iRule when the firewall rule matches traffic, and apply timeouts from a service policy to traffic that matches the rule.
Send to Virtual
Specifies a virtual server to which to send traffic that matches the rule. This option is not available for rules that are already at the virtual server context. Traffic that is sent to a virtual server is then evaluated by DDoS rules and firewall rules on that virtual server instead of according to the original rule. Staged rules are also evaluated based on the destination virtual server instead of the originating rule.
Protocol Inspection Profile
Specifies a protocol inspection profile to associate with the firewall rule. Protocol inspection profiles can be configured to run multiple inspections across different protocols.
Classification Policy
Specifies a classification policy to associate with the firewall rule.
Logging
Specifies whether logging is enabled or disabled for the firewall rule.

Task list

Enabling the Network Firewall inline rule editor

Enable the inline rule editor to edit rules in place within policies.
Note: You can either edit rules with the inline editor or with the standard editor, but not both. You can switch back to the standard rule editor at any time.
  1. On the Main tab, click Security > Options > Network Firewall.
    The Network Firewall screen opens to Firewall Options.
  2. Next to Inline Rule Editor, select Enabled.
  3. Click Update.
    The inline firewall rule editor is enabled.

Creating a rule with the inline editor

The Network Firewall Inline Rule Editor option must be enabled to create a rule with the inline rule editor. If you are going to specify address lists, port lists, custom iRules®, virtual servers, or service policies to use with this rule, you must create these before you edit the firewall rule, or add them to the rule at a later time.
You edit a Network Firewall policy rule to change the source, destination, actions, order, or other items in a firewall rule.
Note: You cannot add rules (created with these steps) to a rule list at a later time. You must create rules for a rule list from within the rule list. Similarly, you cannot use the rules created in a policy to apply as inline rules in another context, although you can use rule lists in a policy rule.
  1. On the Main tab, click Security > Network Firewall > Policies.
    The Policies screen opens.
  2. Click the name of the network firewall policy to which you want to add rules. If you want to create a policy, click Create, name the policy, and click Finished.
  3. Click Add Rule to add a firewall rule to the policy.
    A blank rule appears in the policy.
  4. In the Name column, type the name and an optional description in the fields.
  5. In the State column, select the rule state.
    • Select Enabled to apply the firewall rule or rule list to the addresses and ports specified.
    • Select Disabled to set the firewall rule or rule list to not apply at all.
    • Select Scheduled to apply the firewall rule or rule list according to the selected schedule.
  6. If you select Scheduled, from the Schedule list, select the schedule for the firewall policy rule.
    This schedule is applied when the firewall policy rule state is set to Scheduled.
    Note: You cannot save a scheduled rule when the firewall compilation or deployment mode is manual.
  7. In the Protocol column, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    • Select Other and type the port number if the protocol is not listed.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 in a self IP or virtual server context. You can apply a rule list that includes a rule for ICMP or ICMPv6 to a self IP or virtual server; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule in the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  8. In the Source field, begin typing to specify a source address.
    As you type, options will appear that match your input. Select the source option you want to use when it appears, or press Return. You can add more addresses by typing in the field labeled add new source. A source address can be any of the following:
    • Any address
    • IPv4 or IPv6 address
    • IPv4 or IPv6 address range
    • FQDN
    • Geographic location
    • VLAN
    • Address list
    • Port
    • Port range
    • Port list
    • Subscriber
    • Subscriber group
  9. In the Destination field, begin typing to specify a destination address.
    As you type, options will appear that match your input. Select the destination option you want to use when it appears, or press Return. You can add more addresses by typing in the field labeled add new destination.
    A destination address can be any of the following:
    • Any address
    • IPv4 or IPv6 address
    • IPv4 or IPv6 address range
    • FQDN
    • Geographic location
    • VLAN
    • Address list
    • Port
    • Port range
    • Port list
  10. Optionally, to apply an iRule to traffic matched by this rule, from the iRule list, select an iRule.
  11. When you select an iRule to start in a firewall rule, you also select how frequently the iRule is started, for sampling purposes. The value you configure is n, meaning the iRule is triggered one out of every n times the rule matches a flow. For example, to trigger the iRule one out of every five times the rule matches a flow, set this field to 5. To trigger the iRule every time the rule matches a flow, set this field to 1.
  12. Optionally, to send traffic matched by this rule to a specific virtual server, from the Send to Virtual list, select the virtual server.
    Important: Traffic that is sent to a virtual server is processed according to the DDoS rules and firewall rules on that virtual server, not according to the originating context.
  13. To apply custom timeouts or port misuse profiles to flows that match this rule, from the Service Policy field, specify a service policy.
  14. To apply a protocol inspection profile to check protocol inspection signatures against traffic that matches the rule, select a Protocol Inspection Profile.
  15. To apply a classification policy to traffic that matches the rule, select a Classification Policy.
  16. In the Logging column, check Logging to enable logging for the firewall rule.
    A logging profile must be enabled to capture logging information for the firewall rule.
  17. Click Commit Changes to System.
    The policy with the updated rule is displayed.
The new firewall rule is created and displayed on the firewall policy screen.
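The constraints this procedure states (ICMP rules are ignored outside the global or route domain context, scheduled rules need a schedule and cannot be saved in manual deployment mode, Send to Virtual is unavailable at the virtual server context, iRule sampling is one out of n matches, logging needs a logging profile) can be checked before a rule is committed. The lint below is an added example, not F5 code; the dict keys mirror the inline editor's columns and are a hypothetical schema, not tmsh or iControl REST field names.

```python
from typing import Dict, List

ACTIONS = {"accept", "drop", "reject", "accept-decisively"}
ICMP = {"icmp", "icmpv6"}

# Hypothetical rule schema: keys follow the inline editor's columns, not the REST API.
def lint_rule(rule: Dict, context: str, manual_deploy: bool = False,
              logging_profile: bool = True) -> List[str]:
    """Return the chapter's constraints that `rule` violates in `context`.

    context: "global", "route-domain", "self-ip" or "virtual-server".
    manual_deploy: firewall compilation/deployment mode is manual.
    logging_profile: a logging profile is enabled for the context.
    """
    problems = []
    if not rule.get("name"):
        problems.append("rule must have a name")
    if rule.get("state", "enabled") == "scheduled":
        if not rule.get("schedule"):
            problems.append("scheduled rule needs a schedule")
        if manual_deploy:
            problems.append("scheduled rule cannot be saved in manual mode")
    if rule.get("action") not in ACTIONS:
        problems.append("unknown action %r" % rule.get("action"))
    # ICMP is handled at the global/route-domain level; elsewhere the rule is ignored.
    if rule.get("protocol", "tcp") in ICMP and context in ("self-ip", "virtual-server"):
        problems.append("ICMP rule is ignored in the %s context" % context)
    # Send to Virtual is not offered for rules already at the virtual-server context.
    if rule.get("send_to_virtual") and context == "virtual-server":
        problems.append("send-to-virtual not available at virtual-server context")
    # iRule sampling: the iRule fires one out of every n matches; n is an integer >= 1.
    if rule.get("irule"):
        n = rule.get("irule_sampling", 1)
        if not isinstance(n, int) or n < 1:
            problems.append("irule sampling rate must be an integer >= 1")
    if rule.get("logging") and not logging_profile:
        problems.append("logging enabled but no logging profile captures it")
    return problems


# Constructed sample: an ICMP accept rule someone tried to place on a virtual server.
SAMPLE_RULE = {"name": "allow-ping", "protocol": "icmp", "action": "accept",
               "logging": True}

if __name__ == "__main__":
    for problem in lint_rule(SAMPLE_RULE, "virtual-server", logging_profile=False):
        print("WARN:", problem)
```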

Editing a rule with the inline editor

The Network Firewall Inline Rule Editor option must be enabled to edit a rule with the inline rule editor. If you are going to specify address lists, port lists, custom iRules®, or service policies to use with this rule, you must create these before you edit the firewall rule, or add them at a later time.
Edit a network firewall rule to change source or destination components, the rule action, iRules, rule order, and other settings.
  1. On the Main tab, click Security > Network Firewall > Policies.
    The Policies screen opens.
  2. Click the name of the network firewall policy that contains the rule you want to edit.
  3. To reorder a rule in a policy, click and hold anywhere in the rule row, and drag the rule to a new position within the list.
  4. To quickly enable or disable a rule in a policy, click the check box next to the rule ID and click the Enable or Disable button, then click Commit Changes to System.
  5. In the Description field, type or change the optional description.
  6. In the State column, select the rule state.
    • Select Enabled to apply the firewall rule or rule list to the addresses and ports specified.
    • Select Disabled to set the firewall rule or rule list to not apply at all.
    • Select Scheduled to apply the firewall rule or rule list according to the selected schedule.
  7. If you select Scheduled, from the Schedule list, select the schedule for the firewall policy rule.
    This schedule is applied when the firewall policy rule state is set to Scheduled.
    Note: You cannot save a scheduled rule when the firewall compilation or deployment mode is manual.
  8. In the Protocol column, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    • Select Other and type the port number if the protocol is not listed.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 in a self IP or virtual server context. You can apply a rule list that includes a rule for ICMP or ICMPv6 to a self IP or virtual server; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule in the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  9. In the Source field, begin typing to specify a source address.
    As you type, options will appear that match your input. Select the source option you want to use when it appears, or press Return. You can add more addresses by typing in the field labeled add new source. A source address can be any of the following:
    • Any address
    • IPv4 or IPv6 address
    • IPv4 or IPv6 address range
    • FQDN
    • Geographic location
    • VLAN
    • Address list
    • Port
    • Port range
    • Port list
    • Subscriber
    • Subscriber group
  10. In the Destination field, begin typing to specify a destination address.
    As you type, options will appear that match your input. Select the destination option you want to use when it appears, or press Return. You can add more addresses by typing in the field labeled add new destination.
    A destination address can be any of the following:
    • Any address
    • IPv4 or IPv6 address
    • IPv4 or IPv6 address range
    • FQDN
    • Geographic location
    • VLAN
    • Address list
    • Port
    • Port range
    • Port list
  11. Optionally, to apply an iRule to traffic matched by this rule, from the iRule list, select an iRule.
  12. When you select an iRule to start in a firewall rule, you also select how frequently the iRule is started, for sampling purposes. The value you configure is n, meaning the iRule is triggered one out of every n times the rule matches a flow. For example, to trigger the iRule one out of every five times the rule matches a flow, set this field to 5. To trigger the iRule every time the rule matches a flow, set this field to 1.
  13. Optionally, to send traffic matched by this rule to a specific virtual server, from the Send to Virtual list, select the virtual server.
    Important: Traffic that is sent to a virtual server is processed according to the DDoS rules and firewall rules on that virtual server, not according to the originating context.
  14. To apply custom timeouts or port misuse profiles to flows that match this rule, from the Service Policy field, specify a service policy.
  15. To apply a protocol inspection profile to check protocol inspection signatures against traffic that matches the rule, select a Protocol Inspection Profile.
  16. To apply a classification policy to traffic that matches the rule, select a Classification Policy.
  17. In the Logging column, check Logging to enable logging for the firewall rule.
    A logging profile must be enabled to capture logging information for the firewall rule.
  18. Click Commit Changes to System.
    The policy with the updated rule is displayed.
The firewall rule is modified.