Manual Chapter : Managing Objects

Applies To:


BIG-IQ Security

  • 4.5.0

About objects in BIG-IQ Network Security

In BIG-IQ Network Security, the objects that you can view and manage include:

Contexts (firewall)
Category of object to which a rule applies. In this case, category refers to Global, Route Domain, Virtual Server, Self IP, or Management. Within each context, rules can be viewed and reorganized separately. It is possible to have multiple layers of firewalls on a single BIG-IP device. These layers constitute the firewall hierarchy. Within the firewall hierarchy, rules progress from Global, to Route Domain, and then to either Virtual Server or Self IP.
Policies (firewall)
Set of rules and/or rule lists that specify traffic-handling actions and define the parameters for filtering network traffic. You can assign inline rules, rule lists, or a policy to a firewall. Policies facilitate the assigning of a common collection of rules consistently across multiple firewalls.
Rule lists
Containers for rules; rules are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list.
Address lists
Collections of IPv4 or IPv6 addresses, address ranges, and subnets. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses or address ranges in a given address list to either the source or the destination IP address, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
Port lists
Collections of ports and port ranges. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific IP addresses in IP packets. As with address lists, firewall rules compare all ports and port ranges in a given port list to either the source or the destination port, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
Schedules
Schedules are assigned to firewall rules, rule lists, and policies to control when rules, rule lists, and policies are active on the firewall. In the Shared Objects panel, you can hover over schedule names to see the name displayed in a tooltip. This feature is useful if the schedule name is longer than the panel.

About the policy editor in BIG-IQ Network Security

BIG-IQ Network Security provides an editor that lets you respond rapidly to firewall configuration change requests. The Policy Editor makes efficient use of screen space for rule-editing workflows, presenting information so that the objects relevant to the rule being edited are readily at hand.

Adding new objects

Hover over the header of the object you want to add (Policies, Rule Lists, Address Lists, Port Lists, or Schedules) and when the + icon appears, click it to open a frame for adding the object.

Viewing and editing objects

To view and/or edit objects:

  1. Click the object type to expand it and display the list of individual objects.
  2. Click the name of the object you want to view or edit. The object details are then displayed in the frame to the right. Help for that object type is then available by clicking the ? in the upper right corner. The help includes instructions for cloning, editing, and removing the object.

Filtering in the Objects panel

You can filter the contents of panels within the Policy Editor frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.

  1. In the filter text field (under Objects), type the text you want to filter on and press Enter.

    Filtering works by performing a wildcard search of the underlying JSON, not just the name of the object. For example, if you type a 1 (the number one) in the filter, the system will display any object with a 1 in its JSON.

    You can clear the filter field by clicking the X to the right of the text under the filter field.

Objects are filtered on the text entered and a count for each appears to the right of each object type.

Adding objects

BIG-IQ Network Security enables you to add objects. Policy Editor > Contexts/Policies/Rule Lists/Address Lists/Port Lists/Schedules
Note: Address lists and port lists are containers and must contain at least one entry. You cannot create an empty list; you cannot remove an entry in a list if it is the only entry.
  1. Hover over the object type that you want to add and click the + icon.
  2. In the opened screen, populate the property fields as required.
    • All fields that are outlined in gold are required.
    • The Partition field is outlined in gold, and although it is pre-populated with Common, it is an editable field.
    • You can press Tab to advance from field to field.
  3. When you are finished, click Add.

Editing objects

BIG-IQ Network Security enables you to select objects for deeper inspection or edit.
Note: Address lists and port lists are containers, and must contain at least one entry. You cannot create an empty list; you cannot remove an entry in a list if it is the only entry.
  1. Navigate to the object you want to edit. Object Editor > Contexts/Policies/Rule Lists/Address Lists/Port Lists/Schedules
  2. Click the object that you want to edit.
  3. In the resulting screen, click Edit to lock the object.
  4. Edit the properties and other areas as required. You can use the keyboard Tab to advance from field to field.
  5. When you are finished, click Save to save your edits, or click Save and Close to save and release the lock.

Filtering the Policy Editor frame

You can filter the contents of panels within the Policy Editor frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.

  1. To filter the contents of the Policy Editor frame, log in to BIG-IQ Security.
  2. Navigate to Network Security > Policy Editor.
  3. In the filter text field, type the text you want to filter on and press Return. Filtering works by performing a wildcard search of the underlying JSON, not just the name of the object. For example, if you type a 1 (the number one) in the filter, the system will display any object with a 1 in its JSON. You can clear the filter field by clicking the X to the right of the filter field.
Objects are filtered on the text entered and a count for each appears to the right of each object type.

Adding objects to firewall contexts and rules

BIG-IQ Network Security enables you to add objects to firewall contexts and rules (used in rule lists and policies).
  1. Navigate to the context or rule to which you want to add an object. Object Editor > Contexts/Rule Lists
  2. Click Edit to lock the object for editing.
    • If you are editing a firewall, be sure to select Enforced so that Enforced Firewall Rules are visible.
    • If you are editing a rule or rule list, be sure to select Rules.
  3. Click the section name to expand the section so the name of the object is visible.
  4. Select the object you want to add, and drag it onto the firewall or rule in the appropriate column. If you are adding a schedule, drag it onto the State column.
  5. When you are finished, click Save to save your edits, or click Save and Close to save and release the lock.

About the toolbox in BIG-IQ Network Security

BIG-IQ Network Security provides users with a toolbox that can be used to quickly add objects. The toolbox is located in the bottom half of the Policy Editor frame.

Adding new objects

To add an object quickly, select the object type from the dropdown list and click Add. Fill in the properties that appear in the popup box and click Add.

Filtering in the toolbox

You can filter the contents of panels within the Policy Editor frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.

  1. In the filter text field, type the text you want to filter on and click the filter icon.

    Filtering works by performing a wildcard search of the underlying JSON, not just the name of the object. For example, if you type a 1 (the number one) in the filter, the system will display any object with a 1 in its JSON.

    You can clear the filter field by clicking the red X to the left of the filter field.

Filtering the Policy Editor toolbox frame

You can filter the contents of the toolbox (the bottom frame within the Policy Editor frame) to reduce the set of objects visible in the system interface. Filtering techniques can be important for troubleshooting.

  1. To filter the contents of the toolbox, log in to BIG-IQ Security.
  2. Navigate to Network Security > Policy Editor > Toolbox at the bottom of the right frame. The filter appears to the right of the Show dropdown list.
  3. In the filter text field, type the text you want to filter on and click the filter icon. Filtering works by performing a wildcard search of the underlying JSON, not just the name of the object. For example, if you type a 1 (the number one) in the filter, the system will display any object with a 1 in its JSON. You can clear the filter by clicking the X to the left of the filter field.

Renaming objects

BIG-IQ Network Security does not support renaming an object.

As an alternative to renaming it, you can create a new object and replace the original object where it is in use.

  1. Create the new object. Consider cloning the object as the fastest and most reliable way to create a new object with the same content as the original but a new name.
  2. Locate every instance of the original object by hovering over the object, right-clicking, and selecting Filter Related To. A count is added, indicating the number of times the object is used.
  3. Navigate to each instance where the original object is in use, and replace it with a reference to the newly-created object.
  4. Remove the original object. Clear the filter by clicking the X at the top of the panel under the filter entry box.
    Note: You cannot remove an object that is still in use.

Cloning objects

BIG-IQ Network Security enables you to clone objects to create an object that is slightly different from the original. You may have an object that serves as a template. You can clone that object, edit it, and then use it in different contexts.
  1. Navigate to the type of object you want to clone. Object Editor > Contexts/Policies/Rule Lists/Address Lists/Port Lists/Schedules
  2. Click the object that you want to clone.
  3. In the expanded screen, click Clone. The system displays a copy of the object with blank Name and Description fields.
  4. In the opened screen, populate the property fields as required.
    • All fields that are outlined in gold are required.
    • The Partition field is outlined in gold, and although it is pre-populated with Common, it is an editable field.
    • You can press Tab to advance from field to field.
  5. When you are finished, click Add.
The cloned object is added to the existing list in the appropriate section.

Removing objects

From the BIG-IQ Network Security Shared Objects expanded panels, you can remove shared objects.
  1. Navigate to the object you want to remove, hover over it, and then click the gear icon.
  2. In the object property screen, click Remove. A popup information screen opens.
  3. Respond to the popup screen prompt:
    • If the object is in use by another object, policy, rule, or rule list, it cannot be removed; click OK to acknowledge the message.
    • If the object can be removed, click OK to confirm the removal.

About address lists

Address lists are collections of IPv4 or IPv6 addresses, address ranges, nested address lists, or subnets saved on a server and available for use in firewall rules, rule lists, and policies.

Firewall rules refer to address lists to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses from the list to either the source or the destination IP address (in IP packets), depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.

Where address lists are visible in the screens for Firewall Contexts, Policies, and Rule Lists, you can hover over nested address lists to see the first-level content displayed in a tooltip. The content (addresses, ranges, and nested address lists) is displayed whether or not the address list is locked for editing.

If a policy, rule list, or rule is locked for editing, you can right-click an address, address range, or address list in the locked object and remove that address, address range, or address list.

To view address list names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.

Note: Before nesting an address list inside an address list, check to be sure this option is supported on the BIG-IP device.

You can add geolocation awareness to address lists, which enables you to specify source or destination IP addresses by geographic location. Thus, you can specify firewall behavior for traffic to/from entire geographic regions by defining rules based on where the source or destination system is, rather than on its IP address (source or destination). BIG-IQ Network Security supports specifying geolocation in rules and address lists. The geolocation is validated when the rule or address list is saved.

Note: If you use a geolocation spec that is valid on the BIG-IQ Network Security system, but not supported on a particular BIG-IP device because the device has a different geolocation database, it causes a deployment failure for that device. Importing a BIG-IP device with an invalid geolocation spec causes a discovery failure for that device.

Adding address types to address lists

BIG-IQ Network Security enables you to add addresses, address ranges, nested address lists, or geolocation to an existing address list.
  1. Navigate to the Address Lists area. Object Editor > Address Lists
  2. Click Address Lists to expand the section, and then click the address list that you want to edit.
  3. In the resulting screen, click Edit to lock the object.
  4. Click the + icon to the right of an address. A new row is added to the Addresses table under that row.
  5. From the list under the Type column, select Address, Address Range, Address List, or Country/Region.
    • If you select Address List, in the Addresses field, type the first letter of an existing address list. A list of existing address lists appears, from which you can select one.
    • If you select Country/Region and then select a country from the second list, the next list automatically updates with all available regions for that country.
  6. When you are finished, click Save to save your edits, or click Save and Close to save and release the lock.

Removing entries from address lists

BIG-IQ Network Security enables you to remove entries from address lists.
  1. Navigate to the Address Lists area. Object Editor > Address Lists
  2. Click Address Lists to expand the section, and then click the address list that you want to edit.
  3. In the resulting screen, click Edit to lock the object.
  4. Click the X icon to the right of the address, address range, address list, or geolocation spec that you want to remove.
  5. When you are finished, click Save to save your edits, or click Save and Close to save and release the lock.

Address list properties and addresses

Name
Unique, user-provided name for the address list. The text field accepts up to and including 255 characters, including the partition name.
Description
Optional description of the address list.
Partition
Field pre-populated with Common (the default). This field is editable when creating or cloning address lists.
Type
After locking the address list for editing, select one of the following:
  • Address. Then, type the address in the Addresses field. You can also enter an address range in this field by typing a range in the format: n.n.n.n-n.n.n.n.
  • Address range. The Addresses field becomes two fields separated by "to." Type the beginning address and ending addresses in these fields as appropriate.
  • Address list. When you type the first letter of a saved list, the Addresses field populates with a picker list that displays saved address lists. You then select from the list.
  • Country/Region. From the first Addresses list, select a country. Once you select a country, the second list automatically updates with all available regions for that country. Optionally, select a region from the second list. The wildcard, Unknown, is supported. Note that geolocation is not supported on the management IP context.
Addresses
IPv4 or IPv6 address, address range, or nested address list. There are many ways an IPv4 or IPv6 address or address range can be constructed. The following methods and examples are not meant to be exhaustive.
  • IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10.
  • IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329.
  • IPv6 abbreviated form is supported. You can shorten IPv6 addresses as defined in RFC 4291.
  • You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. Example IPv6 subnet: 2001:db8:a::/64.
  • You can append a route domain to an address using the format %RouteDomainID/Mask. For example: 12.2.0.0%44/16.
Description
Optional text field used to describe the address, address range, or nested address list.

About port lists

Port lists are collections of ports, port ranges, or port lists saved on a server and available for use in firewall rules, rule lists, and policies.

Firewall rules refer to port lists to allow or deny access to specific ports in IP packets. They compare a packet's source port and/or destination port with the ports in a port list. If there is a match, the rule takes an action, such as accepting or dropping the packet.

Port lists are containers and must contain at least one entry. You cannot create an empty port list; you cannot remove an entry in a port list if it is the only one.

Where port lists are visible in the screens for Firewall Contexts, Policies, and Rule Lists, you can hover over port lists to see the first-level content displayed in a tooltip. The content is displayed whether or not the port list is locked for editing.

If a policy, rule list, or rule is locked for editing, you can right-click a port, port range, or port list in the locked object and remove that port, port range, or port list.

To view port list names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.

Note: Before nesting a port list inside a port list, check to be sure this option is supported on your BIG-IP device.

Adding port types to port lists

BIG-IQ Network Security enables you to add ports, port ranges, or nested port lists to an existing port list.
  1. Navigate to the Port Lists area. Object Editor > Port Lists
  2. Click Port Lists to expand the section, and then click the port list that you want to edit.
  3. In the resulting screen, click Edit to lock the object.
  4. Click the + icon to the right of a port. A new row is added to the Ports table under that row.
  5. From the Type list, select Port, Port Range, or Port List. If you select Port List and type the first letter of an existing port list in the Ports field, a list of existing port lists appears from which you can select one.
  6. When you are finished, click Save to save your edits, or click Save and Close to save and release the lock.

Removing entries from port lists

BIG-IQ Network Security enables you to remove entries from port lists.
  1. Navigate to the port list that you want to remove an entry from. Object Editor > Port Lists
  2. Click Port Lists to expand the section, and then click the port list that you want to edit.
  3. In the resulting screen, click Edit to lock the object.
  4. Click the X icon to the right of the port, port range, or port list that you want to remove.
  5. When you are finished, click Save to save your edits, or click Save and Close to save and release the lock.

Port list properties and ports

Name
Unique name used to identify the port list.
Description
Optional description for the port list.
Partition
Field pre-populated with Common (the default). This field is editable when creating or cloning port lists.
Type
After locking the port list for editing, select one of the following:
  • Port. Then, enter the port in the Ports field. You can also enter a port range in this field by entering a range in the format: n-n. Valid port numbers are 1-65535.
  • Port range. The Ports field becomes two fields separated by "to." Type the beginning port and ending port in these fields as appropriate.
  • Port list. When you type the first letter of a saved list, the Ports field is populated with a picker list that displays saved port lists. You then select from the list.
Ports
Port, port range, or port list. Valid port numbers are 1-65535.
Description
Optional text field used to describe the port, port range, or nested port list.
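Checking entries offline before they are typed into the editor catches the mistakes the address-list and port-list property tables above warn about: an empty list, a port outside 1-65535, a range whose start is after its end, or a subnet whose prefix does not match the address. The following Python is an added example, not F5 code: it parses the entry forms those tables describe (plain address, CIDR subnet, n.n.n.n-n.n.n.n range, the %RouteDomainID/Mask suffix, and n or n-n ports) and also accepts IPv6 ranges, which the table does not show. Rejecting a subnet with host bits set is this example's own policy choice, and the sample list combines the chapter's example values with constructed ones.

```python
"""Offline validation of BIG-IQ address-list and port-list entries (added example,
not F5 code). Entry forms follow the Addresses and Ports rows of the property tables."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Route-domain suffix form from the table: address%RouteDomainID[/Mask], e.g. 12.2.0.0%44/16
_RD_RE = re.compile(r"^(?P<addr>[^%]+)%(?P<rd>\d+)(?:/(?P<prefix>\d+))?$")
PORT_MIN, PORT_MAX = 1, 65535           # valid port numbers per the Ports row

@dataclass(frozen=True)
class AddressEntry:
    kind: str                 # "address", "subnet" or "range"
    version: int              # 4 or 6
    first: str                # first address covered
    last: str                 # last address covered
    route_domain: Optional[int] = None

def parse_address_entry(text: str) -> AddressEntry:
    """Parse one Addresses value: a.b.c.d[/prefix], IPv6 (RFC 4291 abbreviations
    allowed) [/prefix], a start-end range, or any of these with a %RD suffix."""
    text = text.strip()
    route_domain = None
    m = _RD_RE.match(text)
    if m:
        route_domain = int(m.group("rd"))
        text = m.group("addr") + (f"/{m.group('prefix')}" if m.group("prefix") else "")
    if "-" in text:                                 # explicit range (IPv4 or IPv6)
        lo_s, hi_s = (p.strip() for p in text.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version:
            raise ValueError("range endpoints must be the same IP version")
        if lo > hi:
            raise ValueError(f"range start {lo} is after range end {hi}")
        return AddressEntry("range", lo.version, str(lo), str(hi), route_domain)
    if "/" in text:
        # strict=True rejects a prefix with host bits set (e.g. 60.63.10.10/24), a
        # typo that would otherwise silently match a different network than intended.
        net = ipaddress.ip_network(text, strict=True)
        return AddressEntry("subnet", net.version, str(net.network_address),
                            str(net.broadcast_address), route_domain)
    addr = ipaddress.ip_address(text)
    return AddressEntry("address", addr.version, str(addr), str(addr), route_domain)

def parse_port_entry(text: str) -> tuple:
    """Parse one Ports value: n or n-n, every number within 1-65535."""
    nums = []
    for part in text.strip().split("-", 1):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"not a port number: {part!r}")
        n = int(part)
        if not PORT_MIN <= n <= PORT_MAX:
            raise ValueError(f"port {n} outside {PORT_MIN}-{PORT_MAX}")
        nums.append(n)
    lo, hi = nums[0], nums[-1]
    if lo > hi:
        raise ValueError(f"port range start {lo} is after end {hi}")
    return lo, hi

def validate_list(entries, parser):
    """Both list types must hold at least one entry (the editor refuses an empty
    list); return the parsed entries or raise on the first bad one."""
    if not entries:
        raise ValueError("list must contain at least one entry")
    return [parser(e) for e in entries]

if __name__ == "__main__":
    # Constructed address list built from the chapter's own example values.
    sample = ["60.63.10.10", "2001:db8:a::/64", "12.2.0.0%44/16", "10.0.0.1-10.0.0.9"]
    print(validate_list(sample, parse_address_entry), validate_list(["443", "8000-8080"], parse_port_entry))
```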

About schedules

Schedules are assigned to rules, rule lists, and policies to control when these shared objects are actively evaluated.

By default, all rules, rule lists, and policies are on a continuously active schedule. Schedules are continuously active if they are created without any scheduling specifics (such as the hour that the schedule starts). If you apply a schedule to a rule, rule list, or policy, you can reduce the time that the rule, rule list, or policy is active.

Schedule properties

Name
Unique name used to identify the schedule.
Description
Optional description for the schedule.
Partition
Informational, read-only field displaying the name of the partition associated with the schedule.
Date Range
Click the first field to display a calendar popup screen and select a start date. Click the second field to display a calendar and select an end date. You can specify:
  • Start date and no end date. The equivalent on the BIG-IP system is After, which specifies that the schedule starts after the specified date and runs indefinitely. The schedule is activated starting on the selected date, and runs until you change the start date or delete the schedule. Click in the field to choose a start date from a popup calendar. You can specify a start time in the same popup screen.
  • End date and no start date. The equivalent on the BIG-IP system is Until, which specifies that the schedule starts immediately and runs until a specified end date. The schedule is immediately activated and not disabled until the end date is reached. Click in the field to choose an end date from a popup calendar. You can specify an end time in the same popup screen.
  • Both a start date and an end date. The equivalent on the BIG-IP system is Between, which specifies that the schedule starts on the specified date and runs until the specified end date. Click in the fields to choose the start and end dates from a popup calendar. You can specify start and end times in the same popup screen.
  • Neither a start date nor an end date. The equivalent on the BIG-IP system is Indefinite, which specifies that the schedule starts immediately and runs indefinitely. The schedule remains active until you change the date range or delete the schedule.
  Note: Using the system interface and popup screens to specify the start and end dates and times is the preferred method. However, if you do specify dates manually, use the format: YYYY-MM-DD HH:MM:SS.
Time Span
Time is specified in military time format: HH:MM. You can specify time manually or click in the fields and use the Choose Time popup screen.
  • Click the first time span field and use the sliders to specify a start time in the popup screen.
  • Click the second time span field and use the sliders to specify an end time in the popup screen.
  If you leave these fields blank, the schedule runs all day, which is the default on the BIG-IQ Security system and on BIG-IP devices. (This option is explicitly called All Day on BIG-IP devices.)
Day
Select check boxes for all days that apply. You must select at least one day per week.
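The interaction of the three schedule properties (Date Range, Time Span, Day) decides when a rule is actually evaluated, and the BIG-IP mode names (After, Until, Between, Indefinite) follow from which date fields are filled. The following Python is an added example, not F5 code, that models those semantics so a schedule can be checked against a given instant before it is attached to a rule; the Schedule class and its field names are this example's own, datetimes are naive (no time zone handling), and a time span is assumed not to wrap past midnight. The business-hours schedule at the bottom is constructed sample data.

```python
"""Evaluate a BIG-IQ Network Security schedule at a given instant (added example,
not F5 code). Field semantics follow the Schedule properties table; datetimes are
naive, so time zone handling is left out as an assumption of this example."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # index == datetime.weekday()
DATE_FMT = "%Y-%m-%d %H:%M:%S"      # manual-entry format given in the table

def parse_manual_date(text: str) -> datetime:
    """Parse a manually typed date in the format YYYY-MM-DD HH:MM:SS."""
    return datetime.strptime(text, DATE_FMT)

@dataclass(frozen=True)
class Schedule:
    name: str
    start: Optional[datetime] = None        # Date Range start; None = open
    end: Optional[datetime] = None          # Date Range end; None = open
    span_start: Optional[time] = None       # Time Span HH:MM; both None = All Day
    span_end: Optional[time] = None
    days: FrozenSet[str] = frozenset(DAYS)  # Day check boxes; at least one required

    def __post_init__(self):
        if not self.days or not self.days <= set(DAYS):
            raise ValueError("select at least one valid day")
        if (self.span_start is None) != (self.span_end is None):
            raise ValueError("time span needs both a start and an end time")
        if self.span_start is not None and self.span_start >= self.span_end:
            # Assumption of this example: a time span does not wrap past midnight.
            raise ValueError("time span start must be before its end")
        if self.start is not None and self.end is not None and self.start > self.end:
            raise ValueError("date range start is after its end")

    def date_mode(self) -> str:
        """Name the BIG-IP equivalent of the chosen date-range combination."""
        if self.start is not None and self.end is not None:
            return "Between"
        if self.start is not None:
            return "After"
        if self.end is not None:
            return "Until"
        return "Indefinite"

    def is_active(self, at: datetime) -> bool:
        """True if a rule, rule list or policy carrying this schedule is evaluated at `at`."""
        if self.start is not None and at < self.start:
            return False
        if self.end is not None and at > self.end:
            return False
        if DAYS[at.weekday()] not in self.days:
            return False
        if self.span_start is None:                 # blank Time Span = All Day
            return True
        return self.span_start <= at.time() <= self.span_end

# Constructed sample: a weekday business-hours schedule limited to calendar year 2015.
BUSINESS_HOURS = Schedule(
    name="business_hours_2015",
    start=parse_manual_date("2015-01-01 00:00:00"),
    end=parse_manual_date("2015-12-31 23:59:59"),
    span_start=time(9, 0), span_end=time(17, 0),
    days=frozenset({"mon", "tue", "wed", "thu", "fri"}),
)

if __name__ == "__main__":
    print(BUSINESS_HOURS.name, "mode:", BUSINESS_HOURS.date_mode())
    for stamp in ("2015-03-04 10:00:00", "2015-03-04 18:00:00", "2015-03-07 10:00:00"):
        print(stamp, BUSINESS_HOURS.is_active(parse_manual_date(stamp)))
```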