Manual Chapter : Managing Firewall Policies in BIG-IQ Network Security

Applies To:


BIG-IQ Centralized Management

  • 5.1.0

About firewall policies in BIG-IQ Network Security

A firewall policy is an ordered set of rules and/or rule lists. BIG-IP® network firewalls use policies to specify traffic-handling actions and to define the parameters for filtering network traffic. You can assign either rule lists or a policy to a firewall. Policies let you apply a common collection of rules consistently across multiple firewalls.

The network software compares each IP packet to the criteria specified in the policy's rules, in order. The first rule that matches determines the outcome, and the system takes the action specified by that rule. If a packet does not match any rule in the policy, the software accepts the packet or passes it to the next policy, rule, or rule list.

In BIG-IQ® Network Security, the Policies list displays the policies available for assignment to firewalls.

You can configure firewall policies as enforced or staged:

  • An enforced policy is a policy whose actions are executed. Actions include: accept, accept decisively, drop, and reject.

    You can assign only one enforced policy to a given firewall.

  • A staged policy is a policy that is evaluated against traffic, but whose actions are not enforced. Every match is logged, so you can see what the policy would have done without affecting traffic.

    You can assign only one staged policy to a given firewall. A firewall can have rule lists assigned in the enforced area and, at the same time, a staged policy. Rule lists cannot be placed in the staged area.

You can stage a firewall policy first and then examine logs to determine how the policy has affected traffic. Then you can determine the timing for turning the policy from staged to enforced.

Firewall policies can contain any combination of rules and rule lists. Policies cannot contain other policies. You can re-order rules within a policy.

Note: The BIG-IQ® Network Security system is aware of functionality implemented in one BIG-IP version but not in another. In terms of firewall policies, this means that you are prohibited from dropping a policy onto a firewall on a BIG-IP device that does not have the software version required to support it.
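The following is an added example, not part of the F5 documentation and not F5 code: a small Python model of the policy semantics described above (ordered rules and rule lists inside a policy, no nested policies, first match wins, one enforced and one staged policy per firewall, staged matches logged but not acted on). The rule, packet and flow data are constructed for illustration, and the default "accept when nothing matches" is a simplification of the fall-through behaviour described above. It is useful for reasoning about what staging a candidate policy will show you, and why rule order matters, before you touch a real firewall.

```python
"""Toy model of BIG-IP/BIG-IQ firewall policy evaluation (added example, not F5 code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

ACTIONS = {"accept", "accept-decisively", "drop", "reject"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"       # source CIDR
    dst: str = "0.0.0.0/0"       # destination CIDR
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class RuleList:
    name: str
    rules: List[Rule]


@dataclass
class Policy:
    name: str
    entries: List[Union[Rule, RuleList]] = field(default_factory=list)

    def __post_init__(self):
        # A policy may mix rules and rule lists, but never contain another policy.
        if any(isinstance(e, Policy) for e in self.entries):
            raise TypeError("policies cannot contain other policies")

    def first_match(self, p: Packet) -> Optional[Rule]:
        # Entries are evaluated in order; a rule list's members keep their own order.
        for entry in self.entries:
            for rule in (entry.rules if isinstance(entry, RuleList) else [entry]):
                if rule.matches(p):
                    return rule
        return None  # no match: fall through to the next policy / default


@dataclass
class Firewall:
    name: str
    enforced: Optional[Policy] = None   # at most one enforced policy per firewall
    staged: Optional[Policy] = None     # at most one staged policy per firewall
    log: List[str] = field(default_factory=list)

    def handle(self, p: Packet) -> str:
        """Return the action actually applied to p; only log what the staged policy would do."""
        if self.staged is not None:
            r = self.staged.first_match(p)
            would = r.action if r else "no match"
            self.log.append(f"staged {self.staged.name}: {p.src}->{p.dst}:{p.dport} would {would}")
        if self.enforced is not None:
            r = self.enforced.first_match(p)
            if r is not None:
                self.log.append(f"enforced {self.enforced.name}: rule {r.name} {r.action}")
                return r.action
        return "accept"  # simplified default when nothing matches


def staging_report(policy: Policy, flows: List[Packet]) -> Dict[str, int]:
    """Summarise what each flow would get under `policy` without enforcing anything."""
    report = {a: 0 for a in sorted(ACTIONS)}
    report["no match"] = 0
    for p in flows:
        r = policy.first_match(p)
        report[r.action if r else "no match"] += 1
    return report


def delete_policy(policy: Policy, firewalls: List[Firewall]) -> None:
    """Refuse to delete a policy that any firewall still references (enforced or staged)."""
    users = [fw.name for fw in firewalls if policy in (fw.enforced, fw.staged)]
    if users:
        raise RuntimeError(f"{policy.name} is in use by {users}")


# Constructed sample data (hypothetical addresses and rules, not from a real deployment).
MGMT = RuleList("mgmt_allow", [Rule("ssh_from_jump", "accept", src="10.0.0.0/24", proto="tcp", dport=22)])
CANDIDATE = Policy("candidate", [MGMT,
                                 Rule("block_ssh", "drop", proto="tcp", dport=22),
                                 Rule("web", "accept", proto="tcp", dport=443)])
FLOWS = [Packet("10.0.0.5", "192.0.2.10", "tcp", 22),        # ssh from the jump host
         Packet("198.51.100.7", "192.0.2.10", "tcp", 22),    # ssh from the Internet
         Packet("198.51.100.7", "192.0.2.10", "tcp", 443),   # https
         Packet("198.51.100.7", "192.0.2.10", "udp", 53)]    # dns, matches nothing

if __name__ == "__main__":
    print(staging_report(CANDIDATE, FLOWS))
```

Running the script prints the staging summary for the constructed flows: two accepts, one drop and one unmatched flow. Swapping `block_ssh` ahead of the `mgmt_allow` rule list would make the jump-host SSH flow match the drop rule first, which is exactly the kind of mistake a staged run exposes in the log before the policy is enforced.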

Filtering policies

To filter the system interface to display only those objects related to a selected policy, hover over the policy name, right-click and then click Filter 'related to'. The interface is filtered and a count appears to the right of each object type. The frame to the right provides its own filter field where you can enter text and click on the filter icon to constrain the display to those items that match the filter.

Creating firewall policies

To fine-tune your network firewalls, you can create policies on the Firewall Policies screen, add rules and rule lists to them under Rules & Rule Lists, and then assign them to firewalls.
  1. Click Policy Editor.
  2. On the left, click Firewall Policies and click Create to open the Firewall Policies - New Item screen.
  3. Click Properties and complete the properties fields as required.
    All boxes outlined in gold are required fields.
    Name
      User-provided name for the policy. This field is editable when creating or cloning a policy, and read-only when editing a policy.
    Description
      Optional description for the policy.
    Partition
      Although it is pre-populated with Common (default), you can set the partition when creating or cloning policies by typing a unique partition name.
      Note: The partition with that name must already exist on the BIG-IP device.
      No whitespace is allowed in the partition name. No editing of the partition is allowed.
    Available Devices
      Select the BIG-IP device to use, if your firewall policy is referenced by a self-IP context with a static (non-floating) IP address. If your firewall policy is not referenced by a static self-IP context, this property should not be set.

      You may be directed to set this property as a result of an evaluation critical error issued after performing a configuration evaluation prior to deployment. This property must be set for the peer BIG-IP device that is part of a DSC cluster managed by the BIG-IQ system.

      You select the BIG-IP device to use by moving it from the Available list to the Selected list using the arrow buttons. You can filter the list of available BIG-IP devices using the filter field at the top of the Available list. Moving a BIG-IP device that is part of a cluster to the Selected list causes the other member of the cluster to move to that list as well.

  4. Click Rules & Rule Lists, and then click either:
    • Create Rule to create rules.
    • Add Rule List to add rule lists.
  5. Click Save to save the firewall policy, or click Save & Close to save the firewall policy and return to the Firewall Policies screen.
A new firewall policy is added.

Managing firewall policies

To fine-tune your network firewalls, you can edit policies, create or edit rules, and add rule lists. You can also reorder rules and rule lists within a firewall policy. You cannot edit rule lists or reorder the rules inside a rule list from the policy.

  1. Click Policy Editor.
  2. On the left, click Firewall Policies to see the list of firewall policies.
  3. Click the name of the firewall policy to edit.
  4. Click Properties and review or change the properties fields as needed.
    All boxes outlined in gold are required fields.
    Name
      User-provided name for the policy. This field is editable when creating or cloning a policy, and read-only when editing a policy.
    Description
      Optional description for the policy.
    Partition
      Although it is pre-populated with Common (default), you can set the partition when creating or cloning policies by typing a unique partition name.
      Note: The partition with that name must already exist on the BIG-IP device.
      No whitespace is allowed in the partition name. No editing of the partition is allowed.
    Pin Policy to Device(s)
      Select the BIG-IP devices to be pinned to this policy, if needed. Pinning a BIG-IP device to a policy enables the policy to be deployed to that device even if it is not associated with a firewall context there. If you have a self IP context with a static (non-floating) IP address, you may be required to assign the device, depending on your cluster deployment settings. For example, this property must be set for a peer BIG-IP device that is part of a DSC cluster managed by the BIG-IQ system. You may be directed to set this property as a result of an evaluation critical error.

      You select the BIG-IP device to use by moving it from the Available list to the Selected list using the arrow buttons. You can filter the list of available BIG-IP devices using the filter field at the top of the Available list. Moving a BIG-IP device that is part of a cluster to the Selected list causes the other member of the cluster to move to that list as well.

  5. Click Rules & Rule Lists, and edit the existing rule list or click either:
    • Create Rule to add rules.
    • Add Rule List to add rule lists.
  6. Click Save to save your changes.
  7. When you are finished, click Save & Close to save your edits, and return to the Firewall Policies screen.
The edited firewall policy appears on the Firewall Policies screen.

Cloning firewall policies

Cloning creates an exact copy of a firewall policy under a different name. You can then edit the copy to address any special considerations of your network firewall environment, which is a quick way to create a set of closely related policies.

Users with the roles of Network_Security_View or Network_Security_Deploy cannot clone policies.

  1. Click Policy Editor.
  2. On the left, click Firewall Policies to see the list of firewall policies.
  3. Select a firewall policy in the list using the check box on the left and click Clone to copy and modify an existing firewall policy.
  4. Click Properties and complete the properties fields as required.
    All boxes outlined in gold are required fields.
    Name
      User-provided name for the policy. This field is editable when creating or cloning a policy, and read-only when editing a policy.
    Description
      Optional description for the policy.
    Partition
      Although it is pre-populated with Common (default), you can set the partition when creating or cloning policies by typing a unique partition name.
      Note: The partition with that name must already exist on the BIG-IP device.
      No whitespace is allowed in the partition name. No editing of the partition is allowed.
    Available Devices
      Select the BIG-IP device to use, if your firewall policy is referenced by a self-IP context with a static (non-floating) IP address. If your firewall policy is not referenced by a static self-IP context, this property should not be set.

      You may be directed to set this property as a result of an evaluation critical error issued after performing a configuration evaluation prior to deployment. This property must be set for the peer BIG-IP device that is part of a DSC cluster managed by the BIG-IQ system.

      You select the BIG-IP device to use by moving it from the Available list to the Selected list using the arrow buttons. You can filter the list of available BIG-IP devices using the filter field at the top of the Available list. Moving a BIG-IP device that is part of a cluster to the Selected list causes the other member of the cluster to move to that list as well.

  5. Click Rules & Rule Lists, and then click either:
    • Create Rule to create rules.
    • Add Rule List to add rule lists.
  6. Click Save to save the firewall policy, or click Save & Close to save the firewall policy and return to the Firewall Policies page.
The cloned policy appears in the Firewall Policies screen. In an HA configuration, the cloned policy appears on the standby BIG-IQ® system as soon as it is saved.

Reordering rules in firewall policies

Using the Firewall Policies screen, you can reorder the rules and rule lists in a firewall policy. Because the first matching rule determines the action, the order controls the policy's behavior. You cannot edit rule lists or reorder the rules inside a rule list from the policy.
  1. Click Policy Editor.
  2. On the left, click Firewall Policies to see the list of firewall policies.
  3. Click the name of the firewall policy to edit.
  4. Click Rules & Rule Lists.
  5. To reorder rule lists or rules, drag and drop them until they are in the correct order.
    You can also right-click a rule name and select among the ordering options.
  6. Click Save to save your changes.
  7. When you are finished, click Save & Close to save your edits, and return to the Firewall Policies screen.

Deleting firewall policies

You can remove obsolete firewall policies to keep network firewalls up-to-date.

If a firewall policy is in use, you cannot remove it.

To see where a firewall policy is used, right-click the firewall policy name and click Filter 'related to'. The BIG-IQ system displays a count of where the policy is used in the list to the left.

  1. Click Policy Editor.
  2. On the left, click Firewall Policies to see the list of firewall policies.
  3. Select the firewall policy to be deleted using the check box to the left of the firewall policy.
  4. Click Delete and then confirm the permanent removal in the popup dialog box.
The policy is deleted and no longer appears in the list of firewall policies.

About managing firewall policies using snapshots

It is possible to introduce errors during the editing of the working-configuration set. In some cases, you might not detect these errors immediately. When you discover these errors, you might want to roll back to a previous state as quickly as possible to restore service. Then, you can triage to discover the root causes of any errors.

In one scenario, you might perform multiple emergency deployments in an attempt to fix a problem. If such attempts did not fix the issue, you might want to roll back to the most stable state prior to where you first saw the problem.

In another scenario, you might want to roll back after importing a device. For example, an administrator might import a device and as part of the import process, decide to overwrite the objects stored in the BIG-IQ® database. Subsequently, the administrator decides that the import was a mistake and wants to roll back to the state of the objects before the import.

You can address all of these scenarios by restoring from a snapshot.

The BIG-IQ system provides the ability to create snapshots in these ways:

  • During discovery, the BIG-IQ system takes a snapshot of the working-configuration set on the device.
  • During deployment, BIG-IQ Network Security takes a snapshot when you create an evaluation.
  • At any time, you can create a user-defined snapshot using the Snapshot and Restore - Network Security screen in Change Management.