Manual Chapter : Managing Rules and Rule Lists

Applies To:

BIG-IQ Centralized Management 5.2.0

About rules and rule lists

Rule lists are containers for rules, which are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list. You can reorder rules in a given rule list at any time.

With BIG-IQ® Network Security, you can manage rules and rule lists from the Rule Lists option (Policy Editor > Rule Lists). You can also create rules and add rule lists from the Contexts and the Policies options. You can import and manage rules (and/or rule lists) from BIG-IP® devices. Furthermore, you can define rules and rule lists within BIG-IQ Network Security, and then deploy back to the BIG-IP device.

You can define a list of rules for a specific firewall and/or refer to one or more shared rule lists by name from other firewalls.

Network firewalls use rules and rule lists to specify traffic-handling actions. The network software compares IP packets to the criteria specified in rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match any rule from the list, the software accepts the packet or passes it to the next rule or rule list. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.

A packet must pass all tests to match successfully. For example, to match against a source subnet and several destination ports, a packet must originate from the given subnet and also have one of the specified destination ports.

Rules and rule lists can be applied to all firewall types, such as:

  • Global
  • Route domain
  • Virtual server
  • Self IP
  • Management IP (rules only, no iRule or geolocation support)

Enabling, disabling and scheduling rules and rule lists

Once a rule or a rule list is created, you can set the state of that rule or rule list to enable it, disable it, or schedule when it is enabled. By default, a rule or rule list is enabled. Settings on a rule list take precedence over those on a rule. For example, if a rule has a state of enabled, but is contained within a rule list that has a state of disabled, the rule used in that rule list will be disabled. The process differs for setting the state of a rule and setting the state of a rule list.

  • To set the state for a rule, edit the rule and choose enabled, disabled or scheduled in the State column.
  • To set the state for a rule list, edit the rule list, right-click the rule list name and select Edit Rule List Reference. The state can now be set by choosing enabled, disabled or scheduled in the State column.
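The evaluation model described above (rules run in list order, a packet must pass every test of a rule to match, and a disabled rule list switches off every rule it contains) can be checked offline against a candidate ordering before it is deployed. The following is an added example written for this chapter, not BIG-IQ code: it accepts the address and port forms the Rule properties section lists (CIDR, explicit ranges, a %RouteDomainID suffix, n-n port ranges), applies first-match semantics with the rule list's state taking precedence over the rule's, and ends with a constructed sample rule list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

def parse_address(spec: str):
    """Forms from the manual: a.b.c.d[/prefix], IPv6[/prefix], n.n.n.n-n.n.n.n, addr%RouteDomainID/prefix."""
    spec = spec.strip()
    if spec == ANY:
        return ANY
    if "%" in spec:  # route domain selects a routing table, not an address: 12.2.0.0%44/16 -> 12.2.0.0/16
        host, _, rest = spec.partition("%")
        spec = host + ("/" + rest.split("/", 1)[1] if "/" in rest else "")
    if "-" in spec:  # explicit range
        lo, hi = spec.split("-", 1)
        return (ip_address(lo), ip_address(hi))
    return ip_network(spec, strict=False)

def parse_port(spec: str):
    """Single port or n-n range, e.g. 22 or 43-44."""
    lo, _, hi = spec.strip().partition("-")
    return ANY if lo == ANY else (int(lo), int(hi or lo))

def addr_matches(parsed, ip: str) -> bool:
    if parsed == ANY:
        return True
    addr = ip_address(ip)
    if isinstance(parsed, tuple):  # a range is only comparable within one IP version
        return parsed[0].version == addr.version and parsed[0] <= addr <= parsed[1]
    return addr in parsed

def port_matches(parsed, port: int) -> bool:
    return parsed == ANY or parsed[0] <= port <= parsed[1]

@dataclass
class Rule:
    name: str
    action: str  # accept, accept-decisively, drop, reject
    src: str = ANY
    dst: str = ANY
    dport: str = ANY
    protocol: str = ANY
    state: str = "enabled"  # enabled, disabled, scheduled

@dataclass
class RuleList:
    rules: list
    state: str = "enabled"  # a disabled rule list disables every rule it contains

def rule_active(rl: RuleList, rule: Rule, schedule_on: bool) -> bool:
    """The rule list's state is checked together with the rule's own; either can switch it off."""
    return all(s == "enabled" or (s == "scheduled" and schedule_on) for s in (rl.state, rule.state))

def evaluate(rl: RuleList, src: str, dst: str, dport: int, proto: str, schedule_on: bool = True):
    """Rules run in list order; a packet must pass every test of a rule to match.
    Returns the first matching rule's action, or None when no rule matched."""
    for rule in rl.rules:
        if rule_active(rl, rule, schedule_on) and all((
                addr_matches(parse_address(rule.src), src),
                addr_matches(parse_address(rule.dst), dst),
                port_matches(parse_port(rule.dport), dport),
                rule.protocol in (ANY, proto))):
            return rule.action
    return None

SAMPLE = RuleList([  # constructed sample rule list, not taken from the manual
    Rule("drop-legacy-rd44", "drop", src="12.2.0.0%44/16", state="disabled"),
    Rule("reject-range", "reject", src="1.1.1.1-2.2.2.2"),
    Rule("allow-web", "accept", dst="192.0.2.0/24", dport="80-443", protocol="tcp"),
])
```

Reversing SAMPLE.rules changes the verdict for a packet from 1.5.0.1 to 192.0.2.10:80 from reject to accept, which is exactly the effect reordering has on a deployed rule list.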

Filtering rule lists

To filter the system interface to display only those objects related to a selected rule list, hover over the rule list name, right-click and then click Filter 'related to'. The interface is filtered and a count appears to the right of each object type. The frame to the right provides its own filter field where you can enter text and click on the filter icon to constrain the display to those items that match the filter.

Creating rules

To support a context or policy, you can create specific rules, gather those rules in a rule list, and assign the rule list to the context or policy.
  1. Log in to BIG-IQ® Network Security.
  2. Click Policy Editor.
  3. Select the object to which you want to add the rule:
    Rule list: In the left pane, click Rule Lists to display the rule lists, then select the rule list to which the rule is to be added.
    Context: In the left pane, click Contexts to display the contexts, then select the context to which the rule is to be added.
    Policy: In the left pane, click Policies to display the firewall policies, then select the policy to which the rule is to be added.
  4. Add the rule to the object:
    Rule list: In the right pane, click Create Rule.
    Context: In the right pane, click the name of the context's staged or enforced policy to which you want to add the rule, then click Create Rule.
    Policy: In the right pane, click Create Rule.
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  5. Complete the fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  6. Click Save to save your changes.
  7. When you are finished, click Save & Close to save your edits, clear the lock, and exit the panel.

Reordering rules in rule lists

You can optimize your network security firewall policy by reordering rules in rule lists.
  1. Log in to BIG-IQ® Network Security.
  2. Click Policy Editor.
  3. Click Rule Lists in the left pane and click the specific rule list you want to edit in the right pane.
  4. Click the Rules tab to ensure it is selected.
  5. Drag-and-drop the rules until they are in the correct order.
    If the list of rules expands beyond the editing frame, drag-and-drop will not work. Instead, copy the rule by right-clicking and selecting Copy Rule. Then, navigate to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the copy, delete the rule that you copied. You delete rules by right-clicking on a rule and selecting Delete Rule.
    Alternatively, you can reorder rules using the Cut Rule option. Right-click on the rule and select Cut Rule to select the rule for reordering, then move your cursor to the new position in the rule list, and select Paste Before or Paste After as appropriate. The rule is removed from the original position when it is pasted in the new position in the rule list, but not before.
  6. When you are finished, click Save & Close to save your edits, clear the lock, and exit the panel.

Removing rules

You can remove specific rules from rule lists, firewalls, or policies, to fine tune security policies.
Note: You can remove a rule even if it is the only rule in the rule list.
  1. You remove a rule based on the object that you remove it from:
    From a rule list: In the left pane, expand Rule Lists and click the name of the rule list containing the rule that you want to delete. This opens the Rule List frame, which provides access to the Properties and Rules options.
    From a firewall context: In the left pane, expand Contexts and click the name of the context containing the rule that you want to delete. This opens the Properties frame, which contains the Enforced Policy row and the Staged Policy row, either of which may contain a policy. Click the name of the policy containing the rule to delete, and then click Rules & Rule Lists.
    From a policy: In the left pane, expand Policies and click the name of the policy containing the rule that you want to delete. The Policy frame opens and provides access to the Properties and Rules & Rule Lists options. Select Rules & Rule Lists.
  2. Hover over the row containing the rule, and right-click.
  3. Select Delete rule and, if prompted, confirm the deletion.
  4. Click Save to save your changes.

Creating and adding rule lists

To support a specific firewall or policy, you can create a rule list and then assign it to the firewall context or policy.
  1. Click Policy Editor.
  2. Click Rule Lists in the navigation pane on the left.
  3. In the Rule Lists pane on the right, click Create.
  4. Click Properties and complete the properties fields as required.
    Name: Unique name. This field is read-only unless you are creating or cloning the rule list.
    Description: Optional description.
    Partition: Although pre-populated with Common (the default), you can set the partition name by typing a unique name for the partition.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  5. Click Rules and create or add rules to the rule list.
  6. Click Save to save your changes, or Save & Close to save your changes and exit the screen.
  7. Select the object in the Policy Editor to which you want to add the rule list:
    Context: Select Contexts in the navigation frame on the left, and then click the specific firewall context to which the rule list is to be added.
    Policy: Select Policies in the navigation frame on the left, and then click the specific firewall policy to which the rule list is to be added.
  8. Add the rule list to the selected object:
    Context: Click the enforced or staged policy to which the rule list should be added, then click Add Rule List, select from the rule lists in the popup dialog, and click Select.
    Policy: Click Rules & Rule Lists, then click Add Rule List, select from the rule lists in the popup dialog, and click Select.
    You can add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  9. When you are finished, click Save or Save & Close, as appropriate.

Editing rule lists

You can edit the content of rule lists from Policy Editor Rule Lists, including the order of rules in rule lists.
  1. Log in to BIG-IQ® Network Security.
  2. Click Policy Editor.
  3. Click Rule Lists in the left pane and click the specific rule list you want to edit in the right pane.
  4. Click Properties.
    Name: Informational, read-only field set when creating or cloning the rule list.
    Description: Optional description.
    Partition: Informational, read-only field set when creating or cloning the rule list.
  5. Click Rules, and click the name of the rule you want to edit.
  6. Complete the fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  7. Complete fields as appropriate.
    To reorder rules, simply drag-and-drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, drag-and-drop will not work. Instead, copy the rule by right-clicking and selecting Copy Rule. Then, navigate to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the copy, delete the rule that you copied.
  8. Click Save to save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies screen is refreshed.

Clearing fields in rules

You can clear the text from fields in rules to fine tune them and, in turn, rule lists and security policies.
  1. Log in to BIG-IQ® Network Security.
  2. Click Policy Editor.
  3. Expand Rule Lists and click the name of a rule list that you want to edit.
  4. Click the Rules tab to ensure it is selected.
  5. Click the name of the rule containing the fields whose contents you want to remove.
  6. Not all fields can be cleared, but you can remove the contents of these fields as follows:
    Address (source or destination): Click the X to the right of the field.
    Port (source or destination): Click the X to the right of the field.
    VLAN: Click the X to the right of the field.
    iRule: Click the X to the right of the field.
    Description: Click the X to the right of the field.
  7. Click Save to save your changes.
  8. When you are finished, click Save & Close to save your edits, clear the lock, and exit the panel.

Cloning rule lists

Cloning enables you to create and customize rule lists to address unique aspects of your network firewall environment. When you clone a rule list, you create an exact copy of the rule list, which you can then edit to address any special considerations.
Note: Users with the roles of Network_Security_View or Network_Security_Deploy cannot clone policies.
  1. Log in to BIG-IQ® Network Security.
  2. Click Policy Editor.
  3. Click Rule Lists to display the rule list you want to clone, and then click the checkbox to the left of that rule list.
  4. Click Clone.
  5. Click Properties and complete the properties fields as required.
    Name: Unique name. This field is read-only unless you are creating or cloning the rule list.
    Description: Optional description.
    Partition: Although pre-populated with Common (the default), you can set the partition name by typing a unique name for the partition.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  6. Click Rules, edit the rules as required to configure the clone.
    You can also click Create Rule to add a new rule.
  7. When you are finished, click Save.
    If you click Cancel, the rule list is not cloned.
The cloned rule list is added alphabetically under Rule Lists. In a high-availability configuration, the cloned rule list is replicated on the standby system as soon as it is cloned.

Removing rule lists

You can remove rule lists from firewalls or policies to fine tune security policies.
  1. Log in to BIG-IQ® Network Security.
  2. Click Policy Editor.
  3. Click Rule Lists to display the rule list you want to remove, and then click the checkbox to the left of that rule list.
  4. At the top of the screen, click Delete.
  5. If it is safe to remove the rule list, a confirmation dialog box opens; click Delete to confirm.
    If the rule list is in use, you cannot complete the removal. A popup screen opens informing you that you cannot remove the rule list because it is in use. Click Close to acknowledge this message, and then click Cancel in the Delete Rule Lists popup screen. To see where a rule list is used, right-click the rule list name and select Filter 'related to'. A search is performed and any object using the rule list has a non-zero number next to it in the navigation pane on the left. To clear the search, click the x icon to the right of the search string.

Rule properties

This table lists and describes the properties required when you are configuring network firewall rules.

Name: Unique, user-provided name for the rule. If the name is a rule list name, it is preceded by referenceTo_ when moved to a firewall or policy. For example: referenceTo_sys_self_allow_all.
Address (Source): There are many ways to construct an IPv4 or IPv6 address, address range, or address list. The following methods and examples are not meant to be exhaustive.
  • IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10
  • IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329
  • You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.
  • You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.
From the list, select:
  • Address. Enter the address in the Addresses field. You can also type an address range in the Addresses field using the format: n.n.n.n-n.n.n.n. For example: 1.1.1.1-2.2.2.2.
  • Address range. Type the beginning address in the first Addresses field and the ending address in the second Addresses field.
  • Address list. In the Addresses field, type text to display stored address lists. You can select any of the address lists displayed.
  • Country/Region. From the first Addresses list, select a country. Once you select a country, the second list automatically updates with all available regions for that country. Optionally, select a region from the second list. The wildcard, Unknown, is supported. Note that geolocation is not supported on the management IP context.
Options are provided to add additional addresses, address ranges, address lists, or countries/regions (+) and to delete addresses, address ranges, address lists, or countries/regions (X). When you are finished, click Save or Add.
Port: Ports, port ranges, or port lists. From the list, select:
  • Port. Type the port in the Ports field. You can also enter a port range in the port field by typing a range in the format: n-n. For example: 43-44.
  • Port range. Type the beginning port in the first Ports field and the ending port in the second Ports field.
  • Port list. In the Ports field, type text to display stored port lists. You can select any of the port lists displayed.
Options are provided to add additional ports, port ranges, or port lists (+) and to delete ports, port ranges, or port lists (X). When you are finished, click Save or Add.
VLAN: Name of the VLAN physically present on the device (Internal, External, or Any). If you specify a VLAN in a rule without also specifying the VLAN's partition, the deployment task will fail when you attempt to deploy that rule to a firewall. Use the format partition/VLAN or /partition/VLAN. For example: Common/external or /Common/external. When you are finished, click Save or Add.
Address (Destination): There are many ways to construct an IPv4 or IPv6 address, address range, or address list. The following methods and examples are not meant to be exhaustive.
  • IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10
  • IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329
  • You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.
  • You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.
From the list, select:
  • Address. Type the address in the Addresses field. You can also enter an address range in the Addresses field using the format: n.n.n.n-n.n.n.n. For example: 1.1.1.1-2.2.2.2.
  • Address range. Type the beginning address in the first Addresses field, and the ending address in the second Addresses field.
  • Address list. In the Addresses field, type text to display stored address lists. You can select any of the address lists displayed.
  • Country/Region. From the first Addresses list, select a country. Once you select a country, the second list automatically updates with all available regions for that country. Optionally, select a region from the second list. The wildcard, Unknown, is supported. Note that geolocation is not supported on the management IP context.
Options are provided to add additional addresses, address ranges, address lists, or countries/regions (+) and to delete addresses, address ranges, address lists, or countries/regions (X). When you are finished, click Save or Add.
Port: Ports, port ranges, or port lists. From the list, select:
  • Port. Type the port in the Ports field. You can also enter a port range in the port field by typing a range in the format: n-n. For example: 43-44.
  • Port range. Type the beginning port in the first Ports field and the ending port in the second Ports field.
  • Port list. In the Ports field, type text to display stored port lists. You can select any of the port lists displayed.
Options are provided to add additional ports, port ranges, or port lists (+) and to delete ports, port ranges, or port lists (X). When you are finished, click Save or Add.
Action: Click in the column and select one of the following:
  • Accept. Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  • Accept decisively. Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. If the Rule List is applied to a virtual server, management IP, or self IP firewall rule, then Accept Decisively is equivalent to Accept.
  • Drop. Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
  • Reject. Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
When you are finished, click Save or Add.
iRule: Click in the column and enter the iRule name, including partition. For example: /Common/_sys_AXX_Support_OA_BasicAuth. You can also set sampling rates on iRules® by supplying a number in the Sampling Rate field. iRules® use syntax based on the industry-standard Tools Command Language (Tcl). For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com. Note that iRules must conform to standard Tcl grammar rules. For more information on Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html. Note that iRules are not supported on the management IP context.
Description: Optional description for the current rule. To add a description, click in the column, type text, and click Save or Add.
Protocol: IP protocol to compare against the packet. Select the appropriate protocol from the list and click Save or Add. If you select ICMP, IPv6-ICMP, or Other, a popup dialog box opens where you can specify Type and Code combinations. The default type is Any and the default code is Any.
Note: The type and code combinations are too numerous to document here. For details, consult the F5 Networks DevCentral site, http://devcentral.f5.com or the documentation for the specific BIG-IP® platform.
State: Click in the column and select an option from the list to specify whether the rule is enabled, disabled, or scheduled. The field is updated. Click Save or Add when you are ready to save your changes. If you select scheduled from the list, the Select Schedule list is displayed in the screen. Select a schedule and click OK. If you have assigned a schedule, a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to open the Select Schedule popup screen. If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.
Log: Click in the column and select an option from the list to specify whether or not the firewall software should write a log entry for any packets that match this rule. From the list, select true (log an entry) or false (do not log an entry). When you are finished, click Save or Add. For you to set or edit this setting, the discovered device must be at version 11.3 HF6 or later. The setting is not editable earlier than version 11.3 HF6. When a new rule is added to a firewall through the BIG-IQ® Network Security system interface, editing is enabled for the Log setting even for devices with versions earlier than 11.3 HF6.
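Several of the property notes above describe conditions that only surface at deployment time (a VLAN without its partition fails the deployment task, iRules and geolocation are unavailable on the management IP context, the Log setting needs a device at 11.3 HF6 or later unless the rule is new, scheduled state needs a predefined schedule, and Accept decisively degrades to Accept on virtual server, self IP and management IP contexts). The following pre-deployment lint is an added example written for this chapter, not part of BIG-IQ; the rule dictionary keys (vlan, irule, src_country, dst_country, state, log, action) and the context names are assumptions of the example.

```python
import re

MANAGEMENT_IP = "management-ip"
CONTEXTS = {"global", "route-domain", "virtual-server", "self-ip", MANAGEMENT_IP}
VLAN_RE = re.compile(r"^/?[^/\s]+/[^/\s]+$")  # partition/VLAN or /partition/VLAN, no whitespace

def parse_version(text: str):
    """'11.3 HF6' -> (11, 3, 6); a missing hotfix counts as HF0, a patch digit is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)?(?:\s*HF(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised device version: {text!r}")
    major, minor, hf = m.groups()
    return (int(major), int(minor), int(hf or 0))

LOG_MIN_VERSION = (11, 3, 6)  # Log setting editable from 11.3 HF6 onwards

def lint_rule(rule: dict, context: str, device_version: str,
              schedules=(), new_rule: bool = False) -> list:
    """Return findings (strings) for one rule that is about to be deployed into `context`."""
    findings = []
    if context not in CONTEXTS:
        findings.append(f"unknown firewall context {context!r}")
    vlan = rule.get("vlan")
    if vlan and vlan.lower() != "any" and not VLAN_RE.match(vlan):
        findings.append(f"VLAN {vlan!r} lacks its partition; use partition/VLAN, e.g. /Common/external")
    irule = rule.get("irule")
    if irule:
        if not irule.startswith("/"):  # iRule names are given with their partition, e.g. /Common/name
            findings.append(f"iRule {irule!r} should include its partition, e.g. /Common/name")
        if context == MANAGEMENT_IP:
            findings.append("iRules are not supported on the management IP context")
    if context == MANAGEMENT_IP and (rule.get("src_country") or rule.get("dst_country")):
        findings.append("geolocation (country/region) is not supported on the management IP context")
    if rule.get("state") == "scheduled" and not schedules:
        findings.append("scheduled state requires a predefined schedule")
    # Existing (discovered) rules on old devices cannot have Log edited; new rules are exempt.
    if rule.get("log") is not None and not new_rule and parse_version(device_version) < LOG_MIN_VERSION:
        findings.append(f"Log setting is not editable on device version {device_version} (needs 11.3 HF6+)")
    if rule.get("action") == "accept-decisively" and context in {"virtual-server", "self-ip", MANAGEMENT_IP}:
        findings.append("accept-decisively behaves as accept on this context")
    return findings
```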