Manual Chapter : AFM Network Firewall Inline Rule Editor

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.3, 14.1.2, 14.1.0
Manual Chapter

AFM Network Firewall Inline Rule Editor

Using the inline firewall rule editor

The AFM Network Firewall inline rule editor provides an alternative way to create and edit rules within a policy, on a single page. The advantage to this type of rule editing is that it provides a simpler and more direct way to configure rules and policies, however, this method makes administration more difficult over time. F5 recommends creating and associating rule lists with your firewall policies. You can edit an inline rule for any context.
When using the inline rule editor, the information presented in a firewall rule is simplified to the following categories:
Name
You must specify a name for the rule. You can also specify an optional description.
State
You can enable, disable, or schedule a firewall rule. These states govern whether the rule takes an action, does not take an action, or takes an action only during specific days and times.
Protocol
Specify a protocol to which the firewall rule applies. By default, the rule is TCP.
For ICMP or ICMPv6 protocols, you can specify one or more ICMP types and codes.
Source
A rule can include any number of sources, including IPv4 or IPv6 addresses, IPv4 or IPv6 address ranges, fully qualified domain names, geographic locations, VLANs, address lists, ports, port ranges, port lists, subscribers, subscriber groups, and address lists.
Destination
A rule can include any number of destinations, including IPv4 or IPv6 addresses, IPv4 or IPv6 address ranges, FQDNs, geographic locations, VLANs, address lists, ports, port ranges, port lists, and address lists.
Actions
Specifies an action that applies when traffic matches the rule. The standard rule actions apply (Accept, Drop, Reject, and Accept Decisively). In addition, you can set the rule to start an iRule when the firewall rule matches traffic, and apply timeouts from a service policy to traffic that matches the rule.
Send to Virtual
Specifies a virtual server to which to send traffic that matches the rule. This option is not available for rules that are already at the virtual server context. Traffic that is sent to a virtual server is then evaluated by DDoS rules and firewall rules on that virtual server instead of according to the original rule. Staged rules are also evaluated based on the destination virtual server instead of the originating rule.
Protocol Inspection Profile
Specifies a protocol inspection profile to associate with the firewall rule. Protocol inspection profiles can be configured to run multiple inspections across different protocols.
Classification Policy
Specifies a classification policy to associate with the firewall rule.
Logging
Specifies whether logging is enabled or disabled for the firewall rule.

Enabling the inline rule editor

Enable the inline rule editor to edit rules in place within policies.
You can either edit rules with the inline editor or with the standard editor, but not both. You can switch back to the standard rule editor at any time.
  1. On the Main tab, click
    Security
    Options
    Network Firewall
    .
    The Network Firewall screen opens to Firewall Options.
  2. Next to
    Inline Rule Editor
    , select
    Enabled
    .
  3. Click
    Update
    .
    The inline firewall rule editor is enabled.

Creating a rule with the inline editor

The Network Firewall Inline Rule Editor option must be enabled to create a rule with the inline rule editor. If you are going to specify address lists, port lists, custom iRules, virtual servers, or service policies to use with this rule, you must create these before you edit the firewall rule, or add them to the rule at a later time.
You edit a Network Firewall policy rule to change course, destination, actions, order, or other items in a firewall rule.
You cannot use the rules created in a policy to apply as inline rules in another context, although you can use rule lists in a policy rule.
  1. On the Main tab, click
    Security
    Network Firewall
    Policies
    .
    The Policies screen opens.
  2. Click the name of the network firewall policy to which you want to add rules. If you want to create a policy, click
    Create
    , name the policy, and click
    Finished
    .
  3. Click
    Add Rule
    to add a firewall rule to the policy.
    A blank rule appears in the policy.
  4. In the
    Name
    and
    Description
    fields, type the name and an optional description.
  5. From the
    State
    list, select the rule state.
    • Select
      Enabled
      to apply the firewall rule to the given context and addresses.
    • Select
      Disabled
      to set the firewall rule to not apply at all.
    • Select
      Scheduled
      to apply the firewall rule according to the selected schedule.
  6. From the
    Protocol
    list, select the protocol to which the firewall rule applies.
    • Select
      Any
      to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the
    global
    or
    route domain
    context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  7. In the Source field, you can define the following packet source matching criteria by typing it into the field labeled
    add new source
    :
    For named objects such as address lists, VLANs or geographic locations, the system will auto-complete the name of the object. For individual service port or IP address entries, the system will define them once entered.
    • IPv4 or IPv6 addresses, address range or name of an address list.
    • Fully Qualified Domain Name (FQDN)
    • Service port, port range or port list.
    • Geographic location
    • VLAN
    • Subscriber or Subscriber group ID
  8. Click
    Add
    .
  9. In the Destination field, you can define any of the following packet destination matching criteria by typing it into the field labeled
    add new source
    :
    For named objects such as address lists, VLANs or geographic locations, the system will auto-complete the name of the object. For individual service port or IP address entries, the system will define them once entered.
    • IPv4 or IPv6 addresses, address range or name of an address list.
    • Fully Qualified Domain Name (FQDN)
    • Service port, port range or port list.
    • Geographic location
    • VLAN
    • Subscriber or Subscriber group ID
  10. Click
    Add
    .
  11. From the
    Action
    list, select the firewall action to perform on matching traffic.
  12. Optional. Select an iRule to trigger when the firewall rule matches.
    iRule sampling (available when an iRule is selected) allows you to specify how frequently an iRule is triggered when the rule matches. For example, if the value 5 is entered, the iRule triggers every 5th match.
  13. From the
    Logging
    list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  14. Click
    Done Editing
    to add the firewall rule to the policy.
  15. Under
    ID
    , verify the new Rule is in the proper order.
    You can drag and drop Rules and Rule Lists to reorder them.
  16. Click
    Commit Changes to System
    at the top of the page.
The new firewall rule is created and displayed on the firewall policy screen.