Manual Chapter : Managing Service and Timer Policies

Applies To:

BIG-IQ Centralized Management

  • 5.0.0

About service and timer policies

A service policy allows you to associate network idle timers on firewall contexts and rules.

You can discover a service policy on a BIG-IP® device version 12.0 or later, or create one on a BIG-IQ® system using the Network Security Policy Editor and then deploy it to a BIG-IP device version 12.0 or later.

A service policy contains a timer policy, also known as a firewall idle timer, which contains timer rules that can be associated with firewall contexts and rules. A service policy can be applied to the global, self IP address, or route domain context. It can also be added to a rule in a rule list, or a rule on a security policy. Service policies and timer policies are created separately, and then the timer policies are added to service policies.

Creating a timer policy

You create a timer policy containing timer rules to add to a service policy that can be applied to the global, self IP address, or route domain contexts.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left, click Timer Policies.
  4. Click Create.
    The Timer Policies - New Item screen opens.
  5. In the Name field, type a name for the timer policy.
  6. In the Description field, type an optional description for the timer policy.
  7. If needed, change the default Common partition in the Partition field.
  8. To add timer rules, click the Timer Rules tab and click Create Timer Rule.
    A new rule is displayed with default name and values.
  9. Click the name of the new rule to enable editing for the rule fields.
  10. In the Name field, you may specify a more meaningful name than the default.
  11. From the Protocol list, select the protocol to be used. Select all-other as the protocol to have the rule apply to all other protocols not specified in another timer rule in the policy.
  12. From the Destination Ports list, specify one or more ports to use, if necessary. The default is to use any port.
    • Select Port to specify an individual port: type the port in the field provided, and then click +. You can enter multiple individual ports, one at a time.

      Enter 0 as the port value to specify all other ports that have not been specified using Port or Port Range.

    • Select Port Range to specify a range of ports: type the beginning port in the first field, and the ending port of the range in the second field provided, and then click +. You can enter multiple port ranges, one at a time.
    • Select All Other to specify all other ports that have not been specified using Port or Port Range.
  13. From the Idle Timeout list, select the timeout option for the selected protocol.
    • Select Specify to specify the timeout for this protocol, in seconds. Type the number of seconds in the field provided.
    • Select Immediate to immediately apply this timeout to the protocol.
    • Select Indefinite to specify that this protocol never times out.
    • Select Unspecified to specify no timeout for the protocol. When this is selected, the system uses the default timeout for the protocol.
  14. Save your changes in one of two ways:
    • Click Save to save the timer policy rule.
    • Click Save & Close to save the timer policy rule and return to the Timer Policies screen.
The timer policy is now configured and can be added to a service policy.
You now need to add the timer policy to a service policy, and apply the service policy to a global, self IP address, or route domain context. You can also add it to a firewall rule on a policy, or in a rule list.
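
The matching behaviour described in steps 11 to 13, as an added example that is not part of this manual or of BIG-IQ itself: a small Python model that resolves which timer rule and idle timeout apply to a flow, and lists rules set to Indefinite for review. The TimerRule class, the function names, the precedence of explicit ports over catch-all ports across rules, and the sample policy and default timeouts are assumptions made for illustration.

```python
from dataclasses import dataclass

ALL_OTHER = "all-other"   # catch-all value for protocol or ports, as named in the steps above
@dataclass
class TimerRule:            # hypothetical model of one timer rule, not a BIG-IQ object
    name: str
    protocol: str           # "tcp", "udp", ... or ALL_OTHER
    ports: tuple = ()       # int = Port, (lo, hi) = Port Range, 0 or ALL_OTHER = all other ports, () = any
    timeout: object = "unspecified"   # int seconds, "immediate", "indefinite" or "unspecified"

def port_score(rule, port):
    """2 = explicit Port/Port Range hit, 1 = catch-all (any, 0, All Other), 0 = no match."""
    if not rule.ports:
        return 1
    for p in rule.ports:
        hit = p[0] <= port <= p[1] if isinstance(p, tuple) else (p == port and p != 0)
        if hit:
            return 2
    return 1 if (0 in rule.ports or ALL_OTHER in rule.ports) else 0

def resolve(policy, protocol, port, defaults):
    """Return (rule name or None, effective idle timeout) for one flow."""
    named = [r for r in policy if r.protocol == protocol]
    # all-other only covers protocols that no other rule in the policy names
    candidates = named or [r for r in policy if r.protocol == ALL_OTHER]
    best = max(candidates, key=lambda r: port_score(r, port), default=None)
    if best is None or port_score(best, port) == 0:
        return None, defaults.get(protocol)      # no rule applies: protocol default
    timeout = defaults.get(protocol) if best.timeout == "unspecified" else best.timeout
    return best.name, timeout

def indefinite_rules(policy):
    """Rules whose flows never idle out; list them for review before deployment."""
    return [r.name for r in policy if r.timeout == "indefinite"]

# Constructed sample policy and protocol defaults (values are illustrative only)
DEFAULTS = {"tcp": 300, "udp": 60, "icmp": 30}
POLICY = [
    TimerRule("ssh-mgmt", "tcp", (22,), 1800),
    TimerRule("tcp-app-range", "tcp", ((8000, 8100),), "indefinite"),
    TimerRule("tcp-rest", "tcp", (0,), 120),
    TimerRule("dns", "udp", (53,), "immediate"),
    TimerRule("everything-else", ALL_OTHER, (), "unspecified"),
]

if __name__ == "__main__":
    for proto, port in [("tcp", 22), ("tcp", 443), ("udp", 123), ("icmp", 0)]:
        print(proto, port, resolve(POLICY, proto, port, DEFAULTS))
    print("indefinite:", indefinite_rules(POLICY))
```

In this model, UDP port 123 falls back to the protocol default: the only UDP rule names port 53, and the all-other protocol rule does not cover a protocol that another rule already names.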

Creating a service policy

You create a service policy to contain timer policies that can be applied to the global, self IP address, or route domain contexts. Service policies can also be added to a rule in a rule list or a rule on a security policy.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left click Service Policies.
  4. Click Create.
    The Service Policies - New Item screen opens.
  5. In the Name field type a name for the service policy.
  6. If needed, change the default Common partition in the Partition field.
  7. In the Description field, type an optional description for the service policy.
  8. Select a timer policy from those listed in the Timer Policy list.
    If no timer policy is listed, you need to create one and then assign it to the service policy.
  9. In the Pin Policy to Device(s) area, select the BIG-IP devices to be pinned to this policy, if needed. Pinning a BIG-IP device to a policy enables the policy to be deployed even if it is not associated with a firewall context for that device. You select the BIG-IP device to use by moving it from the Available list to the Selected list using the arrow buttons. You can filter the list of available BIG-IP devices using the filter field at the top of the Available list. Moving a BIG-IP device that is part of a cluster to the Selected list will cause the other member of the cluster to move to that list as well.
    If you have a self IP context with a static (non-floating) IP address, you may be required to assign the device depending on your cluster deployment settings. For example, this property must be set for a peer BIG-IP device that is part of a DSC cluster managed by the BIG-IQ system. You may be directed to set this property as a result of an evaluation critical error.
  10. Save your changes in one of two ways:
    • Click Save to save the service policy.
    • Click Save & Close to save the service policy and return to the Service Policies screen.
The service policy is now defined and can be assigned to a global, self IP address, or route domain context. You can also add it to a rule in a rule list, or a rule on a security policy.

Applying a service policy to a firewall rule

You apply a service policy to a firewall rule to apply timers to traffic that is matched by the firewall rule. The rule can be associated with a rule list or with a firewall security policy.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor.
  4. Display the list of rules from a rule list or from a firewall security policy in the policy editor.
    • If the rule is in a rule list: On the left, click Rule Lists, and then click the name of the rule list containing the rule. The rules are listed on the Rules tab.
    • If the rule is associated with a policy: On the left, click Firewall Policies, and then click the name of the policy containing the rule. The rules are listed on the Rules & Rule Lists tab.
  5. To make it editable, click the name of the rule to which you want to add the service policy.
  6. Add the service policy to the rule.
    • Add the service policy by typing: Type the name of the service policy in the Service Policy column for the rule. The system completes the name of the service policy once you begin typing the name.
    • Add the service policy by drag and drop: In the Shared Resources area, select Service Policies, and then drag the service policy from that list and drop it into the Service Policy column for the rule.
  7. Save your changes in one of two ways:
    • Click Save to save your changes and still be able to edit.
    • Click Close to save your changes and stop editing.
The service policy and the contained timer policy are added to the rule.

Applying a service policy to a global context

You apply a service policy to a global firewall context to use a timer policy with that context.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click Global.
  4. Click the name of the global context to open it for editing.
  5. Add the service policy to the Service Policy row:
    1. Click Add Service Policy.
    2. From the popup screen select the service policy to add.
    3. Click Select.
    You can also add a service policy by selecting Service Policies in the Shared Resources list, and then dragging one of the displayed service policies and dropping it onto the Service Policy row. To remove a service policy, click the X to the right of the service policy name in the Service Policy row.
  6. Save your changes in one of two ways:
    • Click Save to save the global context.
    • Click Save & Close to save the global context and return to the Global page.
The service policy and timer policy are now associated with the global context.

Applying a service policy to a route domain context

You apply a service policy to a route domain firewall context in order to use a timer policy.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left, click Route Domain.
    If the Route Domain context is not displayed, click Contexts in the list to expand the list of contexts and display it.
  4. Click the name of the route domain to open it for editing.
  5. Add the service policy to the Service Policy row:
    1. Click Add Service Policy.
    2. From the popup screen select the service policy to add.
    3. Click Select.
    You can also add a service policy by selecting Service Policies in the Shared Resources list, and then dragging one of the displayed service policies onto the Service Policy row. To remove a service policy, click the X to the right of the service policy name in the Service Policy row.
  6. Save your changes in one of two ways:
    • Click Save to save the route domain context.
    • Click Save & Close to save the route domain context and return to the Route Domain page.
The service policy and timer policy are now associated with the route domain context.

Applying a service policy to a self IP address context

You apply a service policy to a self IP address firewall context so you can use a timer policy.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left click Self IP.
  4. Click the name of the self IP address to open it for editing.
  5. Add the service policy to the Service Policy row:
    1. Click Add Service Policy.
    2. From the popup screen select the service policy to add.
    3. Click Select.
    You can also add a service policy by selecting Service Policies in the Shared Resources list, and then dragging one of the displayed service policies and dropping it onto the Service Policy row. To remove a service policy, click the X to the right of the service policy name in the Service Policy row.
  6. Save your changes in one of two ways:
    • Click Save to save the self IP address context.
    • Click Save & Close to save the self IP address context and return to the Self IP screen.
The service policy and timer policy are now associated with the self IP address context.

Deleting a timer policy

You can delete obsolete timer policies that are no longer used by a service policy to avoid clutter in the user interface.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left, click Timer Policies.
  4. Select the check box to the left of any timer policy that you want to remove.
  5. Click Delete.
  6. Confirm that you want to remove the timer policy by clicking Delete in the confirmation dialog box.
The system removes the selected timer policies.

Deleting a service policy

You should delete service policies that are no longer used to simplify your view.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left click Service Policies.
  4. Select the check box to the left of any service policy you want to remove.
  5. Click Delete.
  6. Confirm that you want to remove the service policy by clicking Delete in the confirmation dialog box.
The system removes the selected service policies.