Manual Chapter: Managing Rules and Rule Lists
Managing Rules and Rule Lists

About rules and rule lists

Network firewalls use rules and rule lists to specify traffic-handling actions. The network software compares IP packets to the criteria specified in rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match any rule from the list, the software accepts the packet or passes it to the next rule or rule list. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.

Rule lists are containers for rules, which are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list. You can reorder rules in a given rule list at any time.

Enabling, disabling and scheduling rules and rule lists

Once a rule or a rule list is created, you can set the state of that rule or rule list to enable it, disable it, or schedule when it is enabled. By default, a rule or rule list is enabled. Settings on a rule list take precedence over those on a rule. For example, if a rule has a state of enabled, but is contained within a rule list that has a state of disabled, the rule used in that rule list will be disabled. The process differs for setting the state of a rule and setting the state of a rule list.

  • To set the state for a rule, edit the rule and choose enabled, disabled or scheduled in the State column.
  • To set the state for a rule list, edit the rule list, then right-click the rule list name and select Edit Rule List Reference. The state can now be set by choosing enabled, disabled or scheduled in the State column.
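The following Python script is an added example, not code from this F5 chapter or from BIG-IQ itself. It models a policy made of rules and one rule list, numbers them the way the Rule properties section of this chapter describes (1, 2, 3, 4, 4.1, 4.2, 5), evaluates a packet top to bottom until the first active matching rule, and shows a disabled rule list switching off the rules it contains, as well as a scheduled rule that is only active during its schedule. The Rule, RuleList and Packet classes, the policy contents and the NOON and NIGHT timestamps are constructed for the example; it also assumes that a rule disabled on its own stays disabled inside an enabled rule list, and that a packet matching nothing yields no decision from this policy (it moves on to the next rule list or context).

```python
"""Added example (not F5 code): first-match evaluation of an ordered firewall policy
built from rules and rule lists, following the state and ordering rules in this chapter."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple, Union
import ipaddress

Schedule = Callable[[datetime], bool]

# Constructed timestamps used by the sample runs below.
NOON = datetime(2024, 1, 1, 12, 0)
NIGHT = datetime(2024, 1, 1, 3, 0)


@dataclass
class Rule:
    name: str
    action: str                          # accept, accept-decisively, drop, reject
    protocol: str = "any"                # tcp, udp, icmp or any
    dst_net: Optional[str] = None        # CIDR; None means any destination
    dst_port: Optional[int] = None       # None means any port
    state: str = "enabled"               # enabled, disabled or scheduled
    schedule: Optional[Schedule] = None  # consulted only when state == "scheduled"


@dataclass
class RuleList:
    name: str
    rules: List[Rule]
    state: str = "enabled"
    schedule: Optional[Schedule] = None


@dataclass
class Packet:
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def is_active(state: str, schedule: Optional[Schedule], now: datetime) -> bool:
    if state == "enabled":
        return True
    if state == "disabled":
        return False
    if state == "scheduled":
        return bool(schedule and schedule(now))
    raise ValueError(f"unknown state {state!r}")


def number_policy(items: List[Union[Rule, RuleList]], now: datetime) -> List[Tuple[str, Union[Rule, RuleList], bool]]:
    """Flatten a policy into (id, object, active) triples in evaluation order.
    Numbering follows the Rule properties table: a rule list takes a whole number and
    its rules are numbered after the decimal point (1, 2, 3, 4, 4.1, 4.2, 5)."""
    flat = []
    for n, item in enumerate(items, start=1):
        if isinstance(item, Rule):
            flat.append((str(n), item, is_active(item.state, item.schedule, now)))
            continue
        list_active = is_active(item.state, item.schedule, now)
        flat.append((str(n), item, list_active))
        for m, rule in enumerate(item.rules, start=1):
            # The rule list's state takes precedence: a disabled (or scheduled-off) list
            # switches off every rule it contains, whatever the rule's own state says.
            # Assumption: inside an enabled list, a rule's own state still applies.
            active = list_active and is_active(rule.state, rule.schedule, now)
            flat.append((f"{n}.{m}", rule, active))
    return flat


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_net is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(items: List[Union[Rule, RuleList]], pkt: Packet, now: Optional[datetime] = None) -> Optional[Tuple[str, str]]:
    """Top to bottom, the first active matching rule decides. Returns (rule id, action),
    or None when nothing matched and the packet moves on to the next rule list or context."""
    now = now or datetime.now()
    for rule_id, obj, active in number_policy(items, now):
        if isinstance(obj, Rule) and active and matches(obj, pkt):
            return rule_id, obj.action
    return None


def office_hours(t: datetime) -> bool:
    return 9 <= t.hour < 17


def sample_policy() -> List[Union[Rule, RuleList]]:
    # Constructed policy: three rules, a rule list with two rules, then a final rule.
    return [
        Rule("allow-dns", "accept", "udp", dst_port=53),
        Rule("allow-https", "accept", "tcp", "192.0.2.0/24", 443, state="scheduled", schedule=office_hours),
        Rule("reject-telnet", "reject", "tcp", dst_port=23),
        RuleList("maintenance", [
            Rule("allow-ssh-mgmt", "accept-decisively", "tcp", "192.0.2.10/32", 22),
            Rule("drop-ssh", "drop", "tcp", dst_port=22),
        ], state="disabled"),
        Rule("drop-all", "drop"),
    ]


if __name__ == "__main__":
    policy = sample_policy()
    print([i for i, _, _ in number_policy(policy, NOON)])       # ['1', '2', '3', '4', '4.1', '4.2', '5']
    print(evaluate(policy, Packet("192.0.2.10", "tcp", 22), NOON))  # ('5', 'drop'): the list is disabled
    policy[3].state = "enabled"
    print(evaluate(policy, Packet("192.0.2.10", "tcp", 22), NOON))  # ('4.1', 'accept-decisively')
```

Reordering the policy changes the outcome: putting the final drop-all rule first means every packet is dropped before the allow rules are reached, which is why the chapter treats rule order as part of the policy.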

Creating rules

To support a context or policy, you can create specific rules, gather those rules in a rule list, and assign the rule list to the context or policy.
  1. Click Configuration > SECURITY > Network Security.
  2. Select the object to which you want to add the rule:
    Option Description
    Rule list: In the left pane, click Rule Lists to display the rule lists, then select the rule list to which you want to add the rule.
    Context: In the left pane, click Contexts to display the contexts, then select the context to which you want to add the rule.
    Policy: In the left pane, click Firewall Policies to display the firewall policies, then select the policy to which you want to add the rule.
  3. Add the rule to the object:
    Option Description
    Rule list: In the right pane, click Create Rule.
    Context: In the right pane, click the name of the context's staged or enforced policy to which you want to add the rule, then click Create Rule.
    Policy: In the right pane, click Create Rule.
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  4. Complete the fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  5. Click Save to save your changes.
  6. When you are finished, click Save & Close to save your edits.

Reorder rules in rule lists

You can optimize your network security firewall policy by reordering rules in rule lists to change the order in which they are evaluated. Rules are evaluated from top to bottom in the list (lowest ID number first, highest ID number last).
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
  2. Click the specific rule list you want to edit in the right pane.
  3. On the left, click Rules to ensure that it is selected.
  4. Drag and drop the rules until they are in the correct order.
    If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selecting Copy Rule. Then, go to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the paste, delete the rule that you copied. You delete rules by right-clicking a rule and selecting Delete Rule.
    Alternatively, you can reorder rules using the Cut Rule option. Right-click the rule and select Cut Rule to select the rule for reordering, then move your cursor to the new position in the rule list, and select Paste Before or Paste After as appropriate. The rule is removed from the original position when it is pasted in the new position in the rule list, but not before.
    Note: You can use Copy Rule and then paste rules between rule lists. However, if you use Cut Rule and then paste between rule lists, the cut rule will not be removed from the rule list.
  5. When you are finished, click Save & Close to save your edits.

Removing rules

You can remove specific rules from rule lists, firewalls, or policies to fine-tune security policies.
Note: You can remove a rule even if it is the only rule in the rule list.
  1. You remove a rule based on the object that you remove it from:
    Option Description
    From a rule list: In the left pane, expand Rule Lists and click the name of the rule list containing the rule that you want to delete. This opens the Rule List frame, which provides access to the Properties and Rules options.
    From a firewall context: In the left pane, expand Contexts and click the name of the context containing the rule that you want to delete. This opens the Properties frame, which contains the Enforced Policy row and the Staged Policy row, either of which may contain a policy. Click the name of the policy containing the rule to delete, and then click Rules & Rule Lists.
    From a policy: In the left pane, expand Policies and click the name of the policy containing the rule that you want to delete. The Policy frame opens and provides access to the Properties and Rules & Rule Lists options. Select Rules & Rule Lists.
  2. Hover over the row containing the rule, and right-click.
  3. Select Delete rule and, if prompted, confirm the deletion.
  4. Click Save to save your changes.

Creating and adding rule lists

To support a specific firewall or policy, you can create a rule list and then assign it to the firewall context or policy.
  1. Click Configuration > SECURITY > Network Security.
  2. Click Rule Lists in the navigation pane on the left.
  3. In the Rule Lists pane on the right, click Create.
  4. Click Properties and complete the properties fields as required.
    Option Description
    Name: Unique name. This field is read-only unless you are creating or cloning the rule list.
    Description: Optional description.
    Partition: Although pre-populated with Common (the default), you can set the partition by typing a unique partition name.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  5. Click Rules and create or add rules to the rule list.
  6. Click Save to save your changes, or Save & Close to save your changes and exit the screen.
  7. Select the object in the Policy Editor to which you want to add the rule list:
    Option Description
    Context: Select Contexts in the navigation frame on the left, and then click the specific firewall context to which you want to add a rule list.
    Policy: Select Policies in the navigation frame on the left, and then click the specific firewall policy to which you want to add a rule list.
  8. Add the rule list to the selected object:
    Option Description
    Context: Click the enforced or staged policy to which the rule list should be added, then click Add Rule List, select from the rule lists in the popup dialog, and click Select.
    Policy: Click Rules & Rule Lists, then click Add Rule List, select from the rule lists in the popup dialog, and click Select.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  9. When you are finished, click Save or Save & Close, as appropriate.

Editing rule lists

You can edit the content of rule lists, including the order of rules in rule lists.
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
  2. Click the specific rule list you want to edit in the right pane.
  3. Click Properties.
    Option Description
    Name: Informational, read-only field set when creating or cloning the rule list.
    Description: Optional description.
    Partition: Informational, read-only field set when creating or cloning the rule list.
  4. Click Rules, and click the name of the rule you want to edit.
  5. Complete the fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  6. Complete fields as appropriate.
    To reorder rules, drag and drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selecting Copy Rule. Then, navigate to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the paste, delete the rule that you copied.
  7. Click Save to save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies screen is refreshed.

Clearing fields in rules

You can clear the text from fields in rules to fine-tune them and, in turn, rule lists and security policies.
  1. Click Configuration > SECURITY > Network Security.
  2. Expand Rule Lists and click the name of a rule list that you want to edit.
  3. On the left, click Rules to ensure that it is selected.
  4. Click the name of the rule containing the fields whose contents you want to remove.
  5. Not all fields can be cleared, but you can remove the contents of these fields as follows:
    Option Description
    Address (source or destination): Click the X to the right of the field.
    Port (source or destination): Click the X to the right of the field.
    VLAN: Click the X to the right of the field.
    iRule: Select a new iRule, or no iRule.
    Description: Delete the contents of the field.
    Subscriber (ID or group): Click the X to the right of the field.
  6. Click Save to save your changes.
  7. When you are finished, click Save & Close to save your edits.

Deploy rule lists

For a quicker deployment, you can deploy only the rule list portion of a configuration (a partial deployment) instead of deploying the entire configuration.
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
    The Rule Lists screen opens.
  2. Click the check box next to the rule list you want included in the partial deployment.
  3. Click Deploy.
The system displays the selected rule list, with options for partial deployment selected.
Continue the partial deployment process.

Rename rule lists

You rename a rule list when you want to make that name more accurate or distinct. Renaming a rule list causes a new rule list to be created and the old rule list to be deleted in a single transaction. All references to the old rule list are updated to refer to the renamed rule list.
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
  2. Select the check box next to the rule list to rename.
  3. Click Rename.
    A dialog box displays.
  4. Enter the new name in the dialog box and click Save.
    The BIG-IQ system shows the status of the renaming operation in the dialog box.
  5. Click Close to exit the dialog box.
The rule list has been renamed.

Cloning rule lists

Cloning enables you to create and customize rule lists to address unique aspects of your network firewall environment. When you clone a rule list, you create an exact copy of the rule list, which you can then edit to address any special considerations.
Note: Users with the roles of Network Security Viewer or Network Security Deployer cannot clone policies.
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
    The Rule Lists screen opens.
  2. Click the checkbox to the left of the rule list to clone, and click Clone.
  3. Click Properties and complete the properties fields as required.
    Option Description
    Name: Unique name. This field is read-only unless you are creating or cloning the rule list.
    Description: Optional description.
    Partition: Although pre-populated with Common (the default), you can set the partition by typing a unique partition name.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  4. Click Rules and edit the rules as required to configure the clone.
    You can also click Create Rule to add a new rule.
  5. When you are finished, click Save.
    If you click Cancel, the rule list is not cloned.
The cloned rule list is added alphabetically under Rule Lists. In a high-availability configuration, the cloned rule list is replicated on the standby system as soon as it is cloned.

Removing rule lists

You can remove rule lists from firewalls or policies to fine-tune security policies.
  1. Click Configuration > SECURITY > Network Security.
  2. Click Rule Lists to display the rule list you want to remove, and then click the check box to the left of that rule list.
  3. At the top of the screen, click Delete.
  4. If it is safe to remove the rule list, a confirmation dialog box opens; click Delete to confirm.
    If the rule list is in use, you cannot complete the removal. A popup screen opens informing you that you cannot remove the rule list because it is in use. Click Close to acknowledge this message, and then click Cancel in the Delete Rule Lists popup screen. To see where a rule list is used, right-click the rule list name and select Filter 'related to'. A search is performed, and any object using the rule list has a non-zero number next to it in the navigation pane on the left. To clear the search, click the x icon to the right of the search string.

Rule properties

This table describes the properties required when you are configuring network firewall rules.

Property Description
ID: The evaluation order identifier of the rule within the policy. Rules are evaluated from the lowest number to the highest. If a rule is contained within a rule list, it is numbered with the number of the rule list, with the contained rule numbered after the decimal point. For example, a policy with 3 rules, followed by a rule list containing 2 rules, followed by another rule outside of the rule list, would be numbered as: 1, 2, 3, 4, 4.1, 4.2, 5. In the example, 4 represents the rule list, and 4.1 and 4.2 are the rules within that rule list.
Name: In a rule list, the unique, user-provided name for the rule. Alternatively, in a firewall context or firewall policy, a rule list name preceded by Reference_To_, such as Reference_To_sys_self_allow_all.
Address (Source or Destination): An IPv4 or IPv6 source or destination IP address, address range, or address list to which the firewall rule applies.
  • Address specifies an IP address. You type a single address in the Addresses field.
  • Address Range specifies a range of IP addresses. You specify the beginning and ending addresses of the range in the areas provided.
  • Address List specifies a list that contains IP addresses. You can select the address list from those listed.
  • Domain Name specifies a valid domain name.
  • Country/Region specifies a country and optionally a region. Once you select a country, the second list automatically updates with all available regions for that country. You can specify Unknown as the country if needed. Note that geolocation information, such as the country and region, is not supported on the management IP firewall context.
Note: You can specify subnets in forward-slash (/) notation for either IPv4 or IPv6, such as 60.63.10.0/24 or 2001:db8:a::/64. You can also append a route domain to an address using the format %RouteDomainID/Mask, for example 12.2.0.0%44/16.

You can add additional addresses, address ranges, address lists, or countries/regions (Add) and delete addresses, address ranges, address lists, or countries/regions (X). To recover an address that was marked for deletion using X, re-enter the address and click Add.

Port (Source or Destination): Specifies source or destination port entries (ports, port ranges, or port lists) to which the firewall rule applies.
  • Port specifies a port number.
  • Port Range specifies a range of port numbers. You specify the beginning and ending port numbers in the range in the areas provided.
  • Port List specifies a list of port entries, such as ports or port ranges. You can select the port list from those listed.

You can add additional ports, port ranges, or port lists (Add) and delete ports, port ranges, or port lists (X). To recover a port that was marked for deletion using X, re-enter the port and click Add.

VLAN (Source): Specifies a VLAN or tunnel from which the packet source originates, to which the rule applies. This VLAN is physically present on the device (Internal, External, or Any). If you specify a VLAN in a rule without also specifying the VLAN's partition, the deployment task will fail when you attempt to deploy that rule to a firewall. Use the format partition/VLAN or /partition/VLAN. For example: Common/external or /Common/external.
Subscriber (Source): Select a subscriber or subscriber group to which the rule applies. Leaving all address fields blank applies the rule to all addresses and all ports.
  • ID. Type the subscriber ID in the Name field.
  • Group. Type the subscriber Group in the Name field.
You can specify a wildcard for either subscribers or subscriber groups by selecting Unknown or Uncertain. The difference between Unknown and Uncertain is subtle. Unknown means that the session has been provisioned (via PCRF) but the subscriber and/or subscriber group is not known. Uncertain means that the session has not been provisioned and thus there is no subscriber and/or subscriber group information.

Options are provided to add subscribers or subscriber groups (Add) and to delete subscribers or subscriber groups (X). To recover a subscriber that was marked for deletion using X, re-enter the subscriber and click Add. When you are finished, save your work.

Action: Specifies the action taken when the firewall rule is matched, such as whether the packet is accepted or rejected.
  • Accept allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  • Accept decisively allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. If the Rule List is applied to a virtual server, management IP, or self IP firewall rule, then Accept Decisively is equivalent to Accept.
  • Drop drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
  • Reject rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
iRule: Specifies an iRule that is applied to the rule. Optionally, you can enter a number in the Sampling Rate field to indicate how often to take a sample.

iRules® use syntax based on the industry-standard Tools Command Language (Tcl). For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com. Note that iRules must conform to standard Tcl grammar rules. For more information on Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html. Note that iRules are not supported on the management IP context.

Protocol: Specifies the IP protocol to compare against the packet.

If you select ICMP, or IPv6-ICMP, additional fields open where you can specify Type and Code combinations. If you select Other, only a Type field is displayed. The default type is Any and the default code is Any.

Note: The type and code combinations are too numerous to document here. For details, consult the F5 Networks DevCentral site, http://devcentral.f5.com, or the documentation for the specific BIG-IP® platform.
State: Specifies the activity state of the rule, such as whether it is enabled or disabled.
  • disabled specifies that the rule does not apply at all.
  • enabled specifies that the system applies the firewall rule to the given context and addresses.
  • scheduled specifies that the system applies the rule according to the specified schedule.
Send to Virtual: Specifies a virtual server to which packets matched by the firewall rule classifiers are routed. When a firewall rule is routed to a virtual server, the firewall rule action is not applied. This option is available only for rules on the global, route domain, or self IP context.
Service Policy: Specifies a service policy to associate with a rule. A service policy allows you to associate network idle timers or timer policies with firewall contexts and rules. You can add a service policy to a rule by dragging the service policy from the Shared Objects area onto the Service Policy column for the rule. This field is available with BIG-IP devices version 12.0 or higher.
Log: Specifies whether the firewall software should write a log entry for any packets that match this rule. From the list, select true (log an entry) or false (do not log an entry).