Manual Chapter : About AFM Network Firewall Active Rules

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.3, 14.1.2, 14.1.0
Manual Chapter

About AFM Network Firewall Active Rules

About Active AFM Network Firewall Rules

You can use the AFM Network Firewall Active Rules page to view deployed network firewall rule or rule list statistics. Before viewing the Active Rules page, you should be familiar with the following Context Filters:
Policy Type
Select
Enforced
to view enforced rules that apply to traffic traversing the AFM system. Select
Staged
to view staged rules, allowing you to view the rule's match statics, evaluating the rule's affect on traffic.
Context
Specifies which rule context appears in the active rules list. Select a context to apply it. The default is
Global
.
Global
list the rules that apply to all traffic traversing the firewall.
Route Domain
lists the rules that apply to a selected route domain only.
Virtual Server
lists the rules that apply to the selected virtual server only.
Self IP
lists the rules that apply to the selected self IP address of the BIG-IP device.
Management Port
lists the rules that apply to the BIG-IP device management port.
Once you choose a Context Filter, you can view the following rules statistics:
ID
The order of the network firewall rule.
Name
The name of the network firewall rule.
State
The state of the network firewall rule: Enabled, Disabled, Scheduled, Enabled (Redundant) or Enabled (Conflict)
Protocol
The protocol to which the rule applies.
Source
The packet source to which the rule applies.
Destination
The packet destination to which the rule applies.
Action
Specifies the following actions: Accept, Drop or Reject,
Logging
Specifies whether logging is enabled or disabled.
Count
The total number of time the rule has matched a packet.
Latest Match
Specifies the most recent match to the rule. Used to determine how often a rule is being used.

Viewing AFM Network Firewall Active Rules

You must have staged or enforced rules configured on your AFM Network Firewall system.
Use the AFM Network Firewall Active Rules page to view both enforced and staged active firewall rule statistics.
  1. On the Main tab, click
    Security
    Network Firewall
    Active Rules
    .
  2. From the
    Policy Type
    list select either
    Enforced
    or
    Staged
    .
  3. From the
    Context
    list select one of the following contexts:
    • Management Port
    • Global
    • Route Domain
    • Virtual server
    • Self IP
    A second context list appears.
  4. From the second context list, select a specific rule or rule list object.
  5. View the statistics in the
    Active Rule List
    area.

About redundant, conflicting and stale rules

When you create rules on the network firewall, it is possible that a rule can either overlap or conflict with an existing rule.
Redundant rule
A firewall rule that completely overlaps with another rule, including the same firewall action. In the case of a redundant rule, the rule can be removed with no net change in packet processing.
Conflicting rule
A firewall rule that completely overlaps with another rule, but the rules have different firewall actions. A rule might be called conflicting even if the result of each rule is the same. For example, a rule that applies to a specific IP address is considered in conflict with another rule that applies to the same IP address, if one has an
Accept
action and the other has an action of
Accept Decisively
, even though the two rules accept packets.
Stale rule
A firewall rule that is infrequently or never used. A stale rule is one that has an extremely low or 0 hit count.
On a rule list page, redundant or conflicting rules are indicated in the
State
column with either
(Redundant)
or
(Conflicting)
.

Viewing and removing redundant and conflicting rules

You must have staged or enforced rules configured on your system that are redundant or conflicting.
View and remove redundant or conflicting rules to simplify your configuration and ensure that your system takes the correct actions on packets.
  1. On the Main tab, click
    Security
    Network Firewall
    Active Rules
    .
    The Active Rules screen opens.
  2. From the
    Policy Type
    list, select whether you want to view
    Enforced
    or
    Staged
    policies.
    If you select to view
    Staged
    policies, you can not view management port rules, as they cannot be staged.
  3. View the firewall rule states in the
    State
    column.
    Each rule is listed as Enabled, Disabled, or Scheduled. In addition, a rule can have one of the following states. View and adjust rules with these states, if necessary.
    (Redundant)
    The rule is enabled, disabled, or scheduled, and redundant. All the functionality of this rule is provided by a previous rule or rules. Hover over the
    State
    column to see why the rule is considered redundant, and possible solutions. Typically you can disable or delete a redundant rule with no net effect on the system.
    (Conflicting)
    The rule is enabled, disabled, or scheduled, and conflicting. All the match criteria of this rule is covered by another rule or rules, but this rule has a different action. Hover over the
    State
    column to see why the rule is considered conflicting, and possible solutions. Typically you should disable or delete a conflicting rule. Because the rule criteria is matched prior to the conflicting rule, there it typically no net change in processing. Note that the
    Accept
    and
    Accept Decisively
    actions are treated as conflicting by the system.
    (Conflicting & Redundant)
    The rule is enabled, disabled, or scheduled, and conflicting or redundant with the actions of more than one other rule. Typically you should disable or delete a conflicting and redundant rule.
  4. Resolve conflicting or redundant rules by editing, deleting, or disabling them. Click a rule name to edit, delete, or disable it, and complete the required action.
The firewall rule list is adjusted.

Viewing and removing stale rules

You must have staged or enforced rules configured on your system, and the system must be processing traffic, to determine whether rules are hit.
View and remove infrequently used or unused rules to reduce firewall processing and simplify your rules, rule lists, and policies.
Before you remove a rule that is infrequently hit, or never hit, make sure that doing so will not create a security issue. A rule might be hit infrequently, but might still be a required part of your security stance for a specific or rare attack.
  1. On the Main tab, click
    Security
    Network Firewall
    Active Rules
    .
    The Active Rules screen opens.
  2. From the
    Policy Type
    list, select whether you want to view
    Enforced
    or
    Staged
    policies.
    If you select to view
    Staged
    policies, you can not view management port rules, as they cannot be staged.
  3. View the rule hit count in the
    Count
    column.
    The rule hit count shows how many total times a rule hit has occurred. A very low number indicates that the rule is infrequently hit. A count of
    0
    indicates the rule has never been hit.
  4. View the latest match date in the
    Latest Match
    column.
    The latest match column lists the last time the rule was hit. An old date indicates that the rule has not been hit in a long time.
    Never
    indicates that the rule has never been hit.
  5. Resolve infrequently hit rules by editing, deleting, or disabling them. Click a rule name to edit, delete, or disable it, and complete the required action.
The firewall rule list is adjusted.