Manual Chapter : Managing Firewall Policies

Applies To:


BIG-IQ Security

  • 4.3.0

About managing policies in BIG-IQ Security

A policy is a set of rules and/or rule lists. BIG-IP network firewalls use policies to specify traffic-handling actions and to define the parameters for filtering network traffic. You can assign inline rules, rule lists, or a policy to a firewall. Use policies to facilitate assigning a common collection of rules consistently across multiple firewalls.

The network software compares IP packets to the criteria specified in policies. If a packet matches the criteria, then the system takes the action specified by the policy. If a packet does not match any rule in the policy, the software accepts the packet or passes it to the next policy, rule, or rule list.

In BIG-IQ Security, the Policies panel displays the policies available for assignment to firewalls.

You can configure policies as enforced or staged:

  • An enforced policy refers to a policy whose actions are executed. Actions include: accept, accept decisively, drop, and reject.

    You are restricted to assigning a single, enforced policy on any specific firewall. If you have an enforced policy on a firewall, you cannot also have inline rules and rule lists on that firewall.

  • A staged policy refers to a policy that is evaluated but policy actions are not enforced. All activity is logged.

    You are restricted to assigning a single, staged policy on any specific firewall. You can have inline rules and rule lists assigned to a firewall (in the enforced area) and have a configured staged policy on that firewall. You cannot have inline rules/rule lists in the staged area.

Thus, you can stage a policy first and then examine logs to determine how the policy has affected traffic. Then, you can determine the timing for turning the policy from staged to enforced.

Policies can contain any combination of rules and rule lists. Policies cannot contain other policies. You can re-order rules within a policy.

Note: The BIG-IQ Security system is aware of functionality implemented in one BIG-IP version but not in another. In terms of policies, this means that you are prohibited from dropping a policy onto a firewall on a BIG-IP device that does not have the software version required to support it.
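The enforced and staged semantics described above, as an added illustrative model written for this page (not BIG-IQ or BIG-IP code): a policy is an ordered mix of rules and rule lists evaluated first-match, a staged policy is evaluated and logged but never acts, an enforced policy's action is applied, an unmatched packet is accepted, and inline rules cannot coexist with an enforced policy. Rule matching on destination network and port, the packet dictionaries and the sample rules are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Illustrative model of the page's policy semantics, not BIG-IQ code; rules match on
# destination network and port only (a simplification of real firewall rules).
@dataclass
class Rule:
    name: str
    dst_net: str
    dst_port: Optional[int]  # None matches any port
    action: str              # accept, accept decisively, drop, reject
    def matches(self, pkt: dict) -> bool:
        return ip_address(pkt["dst"]) in ip_network(self.dst_net) and (
            self.dst_port is None or pkt["port"] == self.dst_port)

@dataclass
class Policy:
    entries: list  # ordered mix of Rule and rule list (a Python list of Rule)
    def first_match(self, pkt: dict) -> Optional[Rule]:
        for entry in self.entries:  # policies never nest other policies
            for rule in (entry if isinstance(entry, list) else [entry]):
                if rule.matches(pkt):
                    return rule
        return None

@dataclass
class Firewall:
    enforced: Optional[Policy] = None
    staged: Optional[Policy] = None
    inline_rules: List[Rule] = field(default_factory=list)
    staged_log: list = field(default_factory=list)
    def handle(self, pkt: dict) -> str:
        if self.enforced and self.inline_rules:
            raise ValueError("an enforced policy cannot coexist with inline rules")
        if self.staged:  # evaluated and logged, but its action is never applied
            hit = self.staged.first_match(pkt)
            self.staged_log.append((pkt["dst"], pkt["port"], hit.action if hit else "no match"))
        hit = (self.enforced.first_match(pkt) if self.enforced
               else next((r for r in self.inline_rules if r.matches(pkt)), None))
        return hit.action if hit else "accept"  # no match: the packet is accepted

def stage_then_enforce() -> tuple:
    """Constructed sample: stage a candidate policy, review its log, then enforce it."""
    candidate = Policy([[Rule("deny-telnet", "10.0.0.0/8", 23, "drop")],  # a rule list
                        Rule("allow-web", "10.0.0.0/8", 443, "accept")])  # an inline rule
    pkts = [{"dst": "10.1.2.3", "port": 23}, {"dst": "10.1.2.3", "port": 443}, {"dst": "192.0.2.9", "port": 23}]
    fw = Firewall(staged=candidate)
    staged_results = [fw.handle(p) for p in pkts]  # all accepted: nothing is enforced yet
    fw.enforced, fw.staged = candidate, None       # promote the policy after reviewing the log
    return staged_results, fw.staged_log, [fw.handle(p) for p in pkts]
```

The staged log shows what the policy would have done to each packet (drop, accept, no match) while every packet was still accepted; the same packets are then handled by the enforced policy.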

Adding policies

From the Policies panel, you can add policies.

  1. Navigate to the Policies panel.
  2. Hover in the Policies banner and click the + icon to display the New Policy panel. The Properties tab and the Rules & Rule Lists tab are both visible.
  3. On the Properties tab, edit the fields as required. All boxes outlined in gold are required fields.
     Name: User-provided name for the policy. This field is read-only when editing a policy.
     Description: Optional description for the policy.
     Partition: Although pre-populated with Common (default), you can set the partition when creating or cloning policies by entering a unique name for the partition. No whitespace is allowed in the partition name.
     Note: The partition with that name must already exist on the BIG-IP device.
  4. On the Rules & Rule Lists tab, click Create Rule or Add Rule List.
  5. When finished, click Add.
The new policy is added to the Policies panel in alphabetical order.

You can drag-and-drop a policy to add it to a firewall. To configure the same policy consistently across many firewalls, drag-and-drop the policy to multiple firewalls.

Managing policy properties

From the Policies panel, you can manage policies (edit policies, create/edit rules, and add rule lists). You can also reorder rules in policies. You cannot edit rule lists or reorder rules within rule lists from this panel.

  1. Navigate to the Policies panel.
  2. Hover in the policy banner and click the gear icon to display the Properties tab. (The Rules & Rule Lists tab is also visible.)
  3. On the Properties tab, view or edit the properties as required.
     Name: User-provided name for the policy. The text field accepts up to 128 characters. This field is read-only when editing a policy.
     Description: Optional description for the policy. The text field accepts up to 128 characters.
     Partition: Read-only field displaying the name of the partition associated with the policy.
  4. When finished, click Add or Save as appropriate.
The new or saved policy appears in the Policies panel in alphabetical order.

You can then drag-and-drop a policy to add it to a firewall. To configure the same policy consistently across many firewalls, drag-and-drop the policy to multiple firewalls.

Cloning policies

Cloning enables you to quickly and easily create policies tailored to address any unique aspects of your network firewall environment. When you clone a policy, you create an exact copy of the policy which you can then edit to address any special considerations.

Users with the roles of Firewall_View or Firewall_Deploy cannot clone policies.

  1. Navigate to the Policies panel.
  2. Hover over the name of the policy that you want to clone and when the gear icon appears, click it to display the expanded panel.
  3. Click Clone.
  4. In the Properties tab, edit the fields as required. Press Tab to advance from field to field.
     Name: Enter a unique name for the cloned policy. The clone cannot have the same name as the source policy unless the partition name is changed.
     Description: Enter an optional description.
     Partition: Although pre-populated with Common (default), you can set the partition when creating or cloning policies by entering a unique name for the partition. No whitespace is allowed in the partition name.
     Note: The partition with that name must already exist on the BIG-IP device.
  5. In the Rules & Rule Lists tab, edit the fields as required to configure the clone. You can also click Create Rule to add a new rule, or click Add Rule List and, in the popup that is displayed, select a rule list and click Add.
  6. When finished, click Add. Any changes made are preserved. If you click Cancel, the policy is not cloned.
The cloned policy appears in the Policies panel.

Managing policy rules and rule lists

From the Policies panel, you can create rules and add rule lists. You can also reorder rules in policies. You cannot edit rule lists or reorder rules inside rule lists.

Note: From the Firewalls panel, you can add and remove but not edit policies.

  1. Navigate to the Policies panel.
  2. Hover in the banner for the specific policy you want to edit and click the gear icon.
  3. If necessary, click the Rules & Rule Lists tab.
  4. On the Rules & Rule Lists tab, click Create Rule or Add Rule List.
  5. When finished, click Save.
The saved policy is added to the Policies panel in alphabetical order.

You can then drag-and-drop a policy to add it to a firewall. To configure the same policy consistently across many firewalls, drag-and-drop the policy to multiple firewalls.

Removing policies

From the Policies panel, you can remove policies.

If a policy is in use or if any shared objects inside that policy are in use, you cannot remove it.

To see where a policy is used, click the policy; its name appears in the filter field. Then, click Apply. The GUI filters on that policy name and displays only the instances where the policy is used.

  1. Navigate to the Policies panel.
  2. Hover in the header of the policy you want to remove and click the gear icon.
  3. In the banner, click Remove.
  4. To permanently remove this policy from the BIG-IQ system, click Remove in the confirmation popup screen.
The policy is permanently removed.

About policy management using snapshots

It is possible to introduce errors during the editing of the firewall working-configuration set. In some cases, you might not detect these errors immediately. When you discover these errors, you will probably want to roll back to a previous state as quickly as possible to restore service. Then, you can triage to discover the root causes of any errors.

In one scenario, you might perform multiple emergency deployments in an attempt to fix a problem. If such attempts did not fix the issue, you might want to roll back to the most stable state prior to where you first saw the problem.

In another scenario, you might want to roll back after importing a device. For example, an administrator might import a device and as part of the import process, decide to overwrite the firewall-shared objects stored in the BIG-IQ database. Subsequently, the administrator decides that the import was a mistake and wants to roll back to the state of the shared objects before the import.

You can address all of these scenarios by restoring from a snapshot.

The BIG-IQ system provides the ability to create snapshots in these ways:

  • During discovery, BIG-IQ Security takes a snapshot of the working-configuration set on the device. This is the default behavior (retain the check box selection).
  • During a reimport, you can take a snapshot of the working-configuration set on the device before the reimport. This is the default behavior (retain the check box selection).
  • During deployment, BIG-IQ Security takes a snapshot when you click Evaluate.
  • At any time, you can create a user-defined snapshot from the Add Snapshot panel.