Manual Chapter : Managing Rules and Rule Lists

Applies To: BIG-IQ Security 4.5.0

About rules and rule lists

Rule lists are containers for rules, which are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list. You can reorder rules in a given rule list at any time.

With BIG-IQ Network Security, you can manage rules and rule lists from the Rule Lists option (Policy Editor > Rule Lists). You can also create rules and add rule lists from the Contexts and the Policies options. You can import and manage rules (and/or rule lists) from BIG-IP devices. Furthermore, you can define rules and rule lists within BIG-IQ Network Security, and then deploy them back to the BIG-IP device.

You can define a list of rules for a specific firewall and/or refer to one or more shared rule lists by name from other firewalls.

Network firewalls use rules and rule lists to specify traffic-handling actions. The network software compares IP packets to the criteria specified in rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match any rule from the list, the software accepts the packet or passes it to the next rule or rule list. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.

A packet must pass all tests to match successfully. For example, to match against a source subnet and several destination ports, a packet must originate from the given subnet and also have one of the specified destination ports.

Rules and rule lists can be applied to all firewall types, such as:

  • Global
  • Route domain
  • Virtual server
  • Self IP
  • Management IP (rules only, no iRule or geolocation support)

Filtering rule lists

To filter the system interface to display only those objects related to a selected rule list, hover over the rule list name, right-click and then click Filter 'related to'. The interface is filtered and a count appears to the right of each object type. The frame to the right provides its own filter field where you can enter text and click on the filter icon to constrain the display to those items that match the filter.

Creating rules

To support a context or policy, you can create specific rules, gather those rules in a rule list, and assign the rule list to the context or policy.
  1. Log in to BIG-IQ Network Security.
  2. Click Object Editor.
  3. Select the object that you want to add the rule to:
    Rule list: In the left pane, hover over Rule Lists and click the + icon to display the New Rule List frame, which provides access to the Properties and Rules options.
    Context: In the left pane, expand Contexts and click the name of the specific firewall context to gain access to the Properties, Enforced, and Staged options.
    Policy: In the left pane, hover over Policies and click the + icon to display the New Policy frame, which provides access to the Properties and Rules & Rule Lists options.
  4. Click Properties and complete the properties fields as required.
    Name: Unique name. The field is read-only unless you are creating or cloning the rule list.
    Description: Optional description.
    Partition: Although pre-populated with Common (the default), you can set the partition by typing a unique partition name.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  5. Click Rules or Enforced, and then click Create Rule. A new row appears in the table. The row contains a rule template, including defaults, for the new rule.
  6. Complete the fields as appropriate. You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add rule before or Add rule after.
  7. When you are finished, click Add or Save, as appropriate.

Reordering rules in rule lists

You can optimize your network security firewall policy by reordering rules in rule lists.
  1. Log in to BIG-IQ Network Security.
  2. Click Object Editor.
  3. Expand Rule Lists and click the specific rule list you want to edit.
  4. Click the Rules tab to ensure it is selected.
  5. Click Edit to lock for editing.
  6. Drag-and-drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, drag-and-drop will not work. Instead, copy the rule by right-clicking and selecting Copy rule. Then, navigate to the new location for the rule, right-click, and select Paste rule before or Paste rule after as appropriate. After the copy, delete the rule that you copied.
  7. When you are finished, click Save and Close to save your edits, clear the lock, and exit the panel.

Removing rules

You can remove specific rules from rule lists, firewalls, or policies, to fine tune security policies.
Note: You can remove a rule even if it is the only rule in the rule list.
  1. You remove a rule based on the object that you remove it from:
    From a rule list: In the left pane, expand Rule Lists and click the name of the rule list containing the rule that you want to delete. This opens the Rule List frame, which provides access to the Properties and Rules options.
    From a firewall context: In the left pane, expand Contexts and click the name of the context containing the rule that you want to delete. This opens the Properties frame and provides access to the Properties, Enforced, and Staged options. Then select Enforced or Staged as appropriate.
    From a policy: In the left pane, expand Policies and click the name of the policy containing the rule that you want to delete. The Policy frame opens and provides access to the Properties and Rules & Rule Lists options. Select Rules & Rule Lists.
  2. Click Edit to lock for editing.
  3. Hover over the row containing the rule, and right-click.
  4. Select Delete Rule and confirm the deletion.
  5. Click Save to save your changes.

Adding rule lists

To support a specific firewall or policy, you can create a rule list and then assign it to the firewall context or policy.
  1. Click Object Editor.
  2. Select the object that you want to add the rule list to:
    Rule list: In the left pane, hover over Rule Lists and click the + icon to display the New Rule List frame, which provides access to the Properties and Rules options.
    Context: In the left pane, expand Contexts and click the name of the specific firewall context to gain access to the Properties, Enforced, and Staged options.
    Policy: In the left pane, hover over Policies and click the + icon to display the New Policy frame, which provides access to the Properties and Rules & Rule Lists options.
  3. Click Properties and complete the properties fields as required.
    Name: Unique name. The field is read-only unless you are creating or cloning the rule list.
    Description: Optional description.
    Partition: Although pre-populated with Common (the default), you can set the partition by typing a unique partition name.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  4. Continue with the configuration:
    New Rule List screen: Click Rules, and then click Create Rule.
    Firewall context: Click Enforced, and then click Edit to lock the firewall for editing. Then click Add Rule List and select from the rule lists that appear in the popup dialog.
    Policy: Click Rules & Rule Lists, and then click Add Rule List.
  5. Complete the fields as appropriate. You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add rule before or Add rule after.
  6. When you are finished, click Add or Save, as appropriate.
  7. If you are editing a firewall context to add the rule list, you must, when finished, click Save and Close to save your edits, clear the lock, and exit the panel.
The new rule list appears at the bottom of the Rule Lists panel.

Editing rule lists

You can edit the content of rule lists from Policy Editor Rule Lists, including the order of rules in rule lists.
Note: You must lock a rule list before editing it.
  1. Log in to BIG-IQ Network Security.
  2. Click Policy Editor.
  3. Expand Rule Lists and click the specific rule list you want to edit.
  4. Click Edit to lock for editing.
  5. Click Properties.
    Name: Informational, read-only field set when creating or cloning the rule list.
    Description: Optional description.
    Partition: Informational, read-only field set when creating or cloning the rule list.
  6. Select Rules, and click the row of the rule you want to edit.
  7. Complete the fields as appropriate. You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add rule before or Add rule after.
  8. Complete fields as appropriate. To reorder rules, simply drag-and-drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, drag-and-drop will not work. Instead, copy the rule by right-clicking and selecting Copy rule. Then, navigate to the new location for the rule, right-click, and select Paste rule before or Paste rule after as appropriate. After the copy, delete the rule that you copied.
  9. Click Save to save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies screen is refreshed.

Clearing fields in rules

You can clear the text from fields in rules to fine tune them and, in turn, rule lists and security policies.
  1. Log in to BIG-IQ Network Security.
  2. Click Object Editor.
  3. Expand Rule Lists and click the name of a rule list that you want to edit.
  4. Click Edit to lock for editing.
  5. Click the Rules tab to ensure it is selected.
  6. Locate the rule containing the fields whose contents you want to remove.
  7. Not all fields can be cleared, but you can remove the contents of these fields as follows:
    Address (source or destination): Hover over the text in the field. Right-click and select Remove item.
    Port (source or destination): Hover over the text in the field. Right-click and select Remove item.
    VLAN: Hover over the text in the field. Right-click and select Remove item.
    iRule: Hover over the text in the field. Right-click and select Remove item.
    Description: Hover over the text in the field. Right-click and select Remove item.
  8. Click Save to save your changes.
  9. When you are finished, click Save and Close to save your edits, clear the lock, and exit the panel.

Cloning rule lists

Cloning enables you to create and customize rule lists to address unique aspects of your network firewall environment. When you clone a rule list, you create an exact copy of the rule list, which you can then edit to address any special considerations.
Note: Users with the roles of Network_Security_View or Network_Security_Deploy cannot clone policies.
  1. Log in to BIG-IQ Network Security.
  2. Click Object Editor.
  3. Expand Rule Lists and click the specific rule list you want to clone.
  4. Click Clone.
  5. Click Properties and complete the properties fields as required.
    Name: Unique name. The field is read-only unless you are creating or cloning the rule list.
    Description: Optional description.
    Partition: Although pre-populated with Common (the default), you can set the partition by typing a unique partition name.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  6. Click Rules, edit the rules as required to configure the clone. You can also click Create Rule to add a new rule.
  7. When you are finished, click Add. If you click Cancel, the rule list is not cloned.
The cloned rule list is added alphabetically under Rule Lists. In a high-availability configuration, the cloned rule list is replicated on the standby system as soon as it is cloned.

Removing rule lists

You can remove rule lists from firewalls or policies to fine tune security policies.
  1. Log in to BIG-IQ Network Security.
  2. Click Object Editor.
  3. In the left pane, expand Rule Lists, and click the list that you want to remove.
  4. At the top of the screen, click Remove.
  5. If it is safe to remove the rule list, a confirmation dialog box opens; click Remove to confirm. If the rule list is in use, you cannot complete the removal. A popup screen opens informing you that you cannot remove the rule list because it is in use. Click Close to acknowledge this message, and then click Cancel in the Remove popup screen. To see where a rule list is used, click the rule list and the name appears in the search field. Then click Apply. The system interface displays only those objects related to the search. To clear the search, click the x icon to the right of the search string.
The system removes the rule list from the Rule Lists listing.

Rule properties

The following table lists and describes the properties required when configuring network firewall rules.

Property Description
Name Unique, user-provided name for the rule. If the name is a rule list name, it is preceded by: referenceTo_ when moved to a firewall or policy. For example: referenceTo_sys_self_allow_all.
Address (Source) There are many ways to construct an IPv4 or IPv6 address, address range, or address list. The following methods and examples are not meant to be exhaustive.
  • IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10
  • IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329
  • You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.
  • You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.
From the list, select:
  • Address. Enter the address in the Addresses field. You can also type an address range in the Addresses field using the format: n.n.n.n-n.n.n.n. For example: 1.1.1.1-2.2.2.2.
  • Address range. Type the beginning address in the first Addresses field and the ending address in the second Addresses field.
  • Address list. In the Addresses field, type text to display stored address lists. You can select any of the address lists displayed.
  • Country/Region. From the first Addresses list, select a country. Once you select a country, the second list automatically updates with all available regions for that country. Optionally, select a region from the second list. The wildcard, Unknown, is supported. Note that geolocation is not supported on the management IP context.
Options are provided to add additional addresses, address ranges, address lists, or countries/regions (+) and to delete addresses, address ranges, address lists, or countries/regions (X). When you are finished, click Save or Add.
Port Ports, port ranges, or port lists. From the list, select:
  • Port. Type the port in the Ports field. You can also enter a port range in the port field by typing a range in the format: n-n. For example: 43-44.
  • Port range. Type the beginning port in the first Ports field and the ending port in the second Ports field.
  • Port list. In the Ports field, type text to display stored port lists. You can select any of the port lists displayed.
Options are provided to add additional ports, port ranges, or port lists (+) and to delete ports, port ranges, or port lists (X). When you are finished, click Save or Add.
VLAN Name of the VLAN physically present on the device (Internal, External, or Any). If you specify a VLAN in a rule without also specifying the VLAN's partition, the deployment task will fail when you attempt to deploy that rule to a firewall. Use the format partition/VLAN or /partition/VLAN. For example: Common/external or /Common/external. When finished, click Save or Add.
Address (Destination) There are many ways to construct an IPv4 or IPv6 address, address range, or address list. The following methods and examples are not meant to be exhaustive.
  • IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10
  • IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329
  • You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet is as follows: 2001:db8:a::/64.
  • You can append a route domain to an address using the format %RouteDomainID/Mask. For example, 12.2.0.0%44/16.
From the list, select:
  • Address. Type the address in the Addresses field. You can also enter an address range in the Addresses field using the format: n.n.n.n-n.n.n.n. For example: 1.1.1.1-2.2.2.2.
  • Address range. Type the beginning address in the first Addresses field, and the ending address in the second Addresses field.
  • Address list. In the Addresses field, type text to display stored address lists. You can select any of the address lists displayed.
  • Country/Region. From the first Addresses list, select a country. Once you select a country, the second list automatically updates with all available regions for that country. Optionally, select a region from the second list. The wildcard, Unknown, is supported. Note that geolocation is not supported on the management IP context.
Options are provided to add additional addresses, address ranges, address lists, or countries/regions (+) and to delete addresses, address ranges, address lists, or countries/regions (X). When you are finished, click Save or Add.
Port Ports, port ranges, or port lists. From the list, select:
  • Port. Type the port in the Ports field. You can also enter a port range in the port field by typing a range in the format: n-n. For example: 43-44.
  • Port range. Type the beginning port in the first Ports field and the ending port in the second Ports field.
  • Port list. In the Ports field, type text to display stored port lists. You can select any of the port lists displayed.
Options are provided to add additional ports, port ranges, or port lists (+) and to delete ports, port ranges, or port lists (X). When you are finished, click Save or Add.
Action Click in the column and select one of the following:
  • Accept. Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  • Accept decisively. Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any subsequent firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. If the rule list is applied to a virtual server, management IP, or self IP firewall rule, then Accept Decisively is equivalent to Accept.
  • Drop. Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
  • Reject. Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
When you are finished, click Save or Add.
iRule Click in the column and enter the iRule name, including partition. For example: /Common/_sys_AXX_Support_OA_BasicAuth. iRules use syntax based on the industry-standard Tools Command Language (Tcl). For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com. Note that iRules must conform to standard Tcl grammar rules. For more information on Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html. Note that iRules are not supported on the management IP context.
Description Optional description for the current rule. To add a description, click in the column, type text, and click Save or Add.
Protocol IP protocol to compare against the packet. Select the appropriate protocol from the list and click Save or Add. If you select ICMP, IPv6-ICMP, or Other, a popup dialog box opens where you can specify Type and Code combinations. The default type is Any and the default code is Any.
Note: The type and code combinations are too numerous to document here. For details, consult the F5 Networks DevCentral site, http://devcentral.f5.com or the documentation for the specific BIG-IP platform.
State Click in the column and select an option from the list to specify whether the rule is enabled, disabled, or scheduled. The field is updated. Click Save or Add when you are ready to save your changes. If you select scheduled from the list, the Select Schedule list is displayed in the screen. Select a schedule and click OK. If you have assigned a schedule, then a gear icon appears to the right of the State setting in the State column. To make changes to the State setting, click the gear icon to open the Select Schedule popup screen. If you have no pre-defined schedules, you cannot assign the scheduled state to the rule.
Log Click in the column and select an option from the list to specify whether or not the firewall software should write a log entry for any packets that match this rule. From the list, select true (log an entry) or false (do not log an entry). When finished, click Save or Add. For you to set or edit this setting, the discovered device must be at version 11.3 HF6 or later. The setting is not editable earlier than version 11.3 HF6. When a new rule is added to a firewall through the BIG-IQ Network Security system interface, editing is enabled for the Log setting even for devices with versions earlier than 11.3 HF6.
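As an added example (not F5 code and not the BIG-IQ implementation) of two points in this chapter, that every populated criterion of a rule must pass and that the first matching rule in list order decides, the following Python model parses the documented Address forms (a.b.c.d[/prefix], a lo-hi range, addr%RouteDomainID/Mask) and Port forms (n or n-n) into match predicates and evaluates an ordered rule list. The Packet and Rule classes, their field names, and the sample rules and packet are constructed for illustration; the model covers a single rule list and treats the actions as labels only.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def parse_address(spec: str) -> Tuple[Optional[int], object]:
    """a.b.c.d[/prefix], IPv6[/prefix], lo-hi range, or addr%RouteDomainID/Mask."""
    rd = None
    if "%" in spec:                                   # 12.2.0.0%44/16
        addr, rest = spec.split("%", 1)
        rd_str, _, mask = rest.partition("/")
        rd = int(rd_str)
        spec = addr + ("/" + mask if mask else "")
    if "-" in spec:                                   # 1.1.1.1-2.2.2.2
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range: {spec}")
        return rd, lambda ip: ip.version == lo.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)    # single host or subnet
    return rd, lambda ip: ip in net                   # False across IP versions

def parse_port(spec: str):
    """n or n-n, for example 43-44; returns a predicate over an int port."""
    lo_s, _, hi_s = spec.partition("-")
    lo, hi = int(lo_s), int(hi_s or lo_s)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec}")
    return lambda p: lo <= p <= hi

@dataclass
class Packet:                 # constructed sample packet, not a real capture
    src: str
    dst: str
    dst_port: int
    route_domain: int = 0

@dataclass
class Rule:
    name: str
    action: str               # accept | accept-decisively | drop | reject
    src: List[str] = field(default_factory=list)      # empty list = any
    dst: List[str] = field(default_factory=list)
    dst_ports: List[str] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        """All populated criteria must pass; within one, any listed value may match."""
        def addr_ok(specs: List[str], ip_str: str) -> bool:
            ip = ipaddress.ip_address(ip_str)
            return not specs or any(
                (rd is None or rd == pkt.route_domain) and pred(ip)
                for rd, pred in map(parse_address, specs))
        return (addr_ok(self.src, pkt.src) and addr_ok(self.dst, pkt.dst)
                and (not self.dst_ports
                     or any(parse_port(s)(pkt.dst_port) for s in self.dst_ports)))

def evaluate(rule_list: List[Rule], pkt: Packet) -> Tuple[Optional[str], str]:
    """First match in list order decides; no match = accept (on to the next list)."""
    for rule in rule_list:
        if rule.matches(pkt):
            return rule.name, rule.action
    return None, "accept"

# Constructed rules: the same two rules in either order give different results
# for SSH from 60.63.10.10, which is why the order of rules in a list matters.
BLOCK_SSH = Rule("block_ssh", "drop", src=["60.63.10.0/24"], dst_ports=["22"])
ALLOW_MGMT = Rule("allow_mgmt", "accept", src=["60.63.10.0/24"], dst_ports=["22-443"])
SSH_PKT = Packet("60.63.10.10", "10.0.0.5", 22)
```

Running evaluate on SSH_PKT with [BLOCK_SSH, ALLOW_MGMT] drops the packet, while [ALLOW_MGMT, BLOCK_SSH] accepts it, so the block_ssh rule is dead code in the second order.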