A firewall policy is a set of rules and/or rule lists. BIG-IP network firewalls use policies to specify traffic-handling actions and to define the parameters for filtering network traffic. You can assign inline rules, rule lists, or a policy to a firewall. Policies facilitate the assigning of a common collection of rules consistently across multiple firewalls.
The network software compares IP packets to the criteria specified in policies. If a packet matches the criteria, then the system takes the action specified by the policy. If a packet does not match any rule in the policy, the software accepts the packet or passes it to the next policy, rule, or rule list.
In BIG-IQ Network Security, the Policies list displays the policies available for assignment to firewalls.
You can configure firewall policies as enforced or staged:
You are restricted to assigning a single, enforced policy on any specific firewall. If you have an enforced policy on a firewall, you cannot also have inline rules and rule lists on that firewall.
You are restricted to assigning a single, staged policy on any specific firewall. You can have inline rules and rule lists assigned to a firewall (in the enforced area) and have a configured staged policy on that firewall. You cannot have inline rules/rule lists in the staged area.
Thus, you can stage a firewall policy first and then examine logs to determine how the policy has affected traffic. Then you can determine the timing for turning the policy from staged to enforced.
Firewall policies can contain any combination of rules and rule lists. Policies cannot contain other policies. You can re-order rules within a policy.
To filter the system interface to display only those objects related to a selected policy, hover over the policy name, right-click and then click Filter 'related to'. The interface is filtered and a count appears to the right of each object type. The frame to the right provides its own filter field where you can enter text and click on the filter icon to constrain the display to those items that match the filter.
You can drag-and-drop a policy to add it to a firewall. To configure the same policy consistently across many firewalls, drag-and-drop the policy to multiple firewalls.
To fine tune your network firewalls, you can edit policies, create/edit rules, and add rule lists. You can also reorder rules in firewall policies. You cannot edit rule lists or reorder rules within rule lists.
You can then drag-and-drop a policy to add it to a firewall. To configure the same policy consistently across many firewalls, drag-and-drop the policy to multiple firewalls.
Users with the roles of Network_Security_View or Network_Security_Deploy cannot clone policies.
You can remove firewall policies to keep network firewalls up-to-date.
If a firewall policy is in use or if any objects inside that policy are in use, you cannot remove it.
To see where a policy is used, click the policy and the name appears in the Filter field. Then, click Apply. The system interface filters on that policy name and displays only the instances where the policy is used.
It is possible to introduce errors during the editing of the working-configuration set. In some cases, you might not detect these errors immediately. When you discover these errors, you might want to roll back to a previous state as quickly as possible to restore service. Then, you can triage to discover the root causes of any errors.
In one scenario, you might perform multiple emergency deployments in an attempt to fix a problem. If such attempts did not fix the issue, you might want to roll back to the most stable state prior to where you first saw the problem.
In another scenario, you might want to roll back after importing a device. For example, an administrator might import a device and as part of the import process, decide to overwrite the objects stored in the BIG-IQ database. Subsequently, the administrator decides that the import was a mistake and wants to roll back to the state of the objects before the import.
You can address all of these scenarios by restoring from a snapshot.
BIG-IQ Network Security provides the ability to create snapshots in these ways: