Manual Chapter: AFM Network Firewall Inline Rule Editor
Applies To: BIG-IP AFM
- 14.1.3, 14.1.2, 14.1.0
Using the inline firewall rule editor
The AFM Network Firewall inline rule editor provides an alternative way to create and edit rules within a policy, on a single page. The advantage of this type of rule editing is that it is a simpler and more direct way to configure rules and policies; the drawback is that it makes administration more difficult over time. F5 recommends creating rule lists and associating them with your firewall policies. You can edit an inline rule for any context.
When using the inline rule editor, the information presented in a firewall rule is simplified to the following categories:
- Name
- You must specify a name for the rule. You can also specify an optional description.
- State
- You can enable, disable, or schedule a firewall rule. These states govern whether the rule takes an action, does not take an action, or takes an action only during specific days and times.
- Protocol
- Specify a protocol to which the firewall rule applies. By default, the rule is TCP.
- For ICMP or ICMPv6 protocols, you can specify one or more ICMP types and codes.
- Source
- A rule can include any number of sources, including IPv4 or IPv6 addresses, IPv4 or IPv6 address ranges, fully qualified domain names (FQDNs), geographic locations, VLANs, address lists, ports, port ranges, port lists, subscribers, and subscriber groups.
- Destination
- A rule can include any number of destinations, including IPv4 or IPv6 addresses, IPv4 or IPv6 address ranges, FQDNs, geographic locations, VLANs, address lists, ports, port ranges, port lists, and address lists.
- Actions
- Specifies an action that applies when traffic matches the rule. The standard rule actions apply (Accept, Drop, Reject, and Accept Decisively). In addition, you can set the rule to start an iRule when the firewall rule matches traffic, and apply timeouts from a service policy to traffic that matches the rule.
- Send to Virtual
- Specifies a virtual server to which to send traffic that matches the rule. This option is not available for rules that are already at the virtual server context. Traffic that is sent to a virtual server is then evaluated by DDoS rules and firewall rules on that virtual server instead of according to the original rule. Staged rules are also evaluated based on the destination virtual server instead of the originating rule.
- Protocol Inspection Profile
- Specifies a protocol inspection profile to associate with the firewall rule. Protocol inspection profiles can be configured to run multiple inspections across different protocols.
- Classification Policy
- Specifies a classification policy to associate with the firewall rule.
- Logging
- Specifies whether logging is enabled or disabled for the firewall rule.
Enabling the inline rule editor
Enable the inline rule editor to edit rules in place within policies. You can edit rules either with the inline editor or with the standard editor, but not both. You can switch back to the standard rule editor at any time.
- On the Main tab, click. The Network Firewall screen opens to Firewall Options.
- Next to Inline Rule Editor, select Enabled.
- Click Update. The inline firewall rule editor is enabled.
Creating a rule with the inline editor
The Network Firewall Inline Rule Editor option must be enabled to create a rule with the inline rule editor. If you are going to specify address lists, port lists, custom iRules, virtual servers, or service policies to use with this rule, you must create these before you edit the firewall rule, or add them to the rule at a later time.
You edit a Network Firewall policy rule to change the source, destination, actions, order, or other items in a firewall rule. You cannot use the rules created in a policy as inline rules in another context, although you can use rule lists in a policy rule.
- On the Main tab, click. The Policies screen opens.
- Click the name of the network firewall policy to which you want to add rules. If you want to create a policy, click Create, name the policy, and click Finished.
- Click Add Rule to add a firewall rule to the policy. A blank rule appears in the policy.
- In the Name and Description fields, type the name and an optional description.
- From the State list, select the rule state.
- Select Enabled to apply the firewall rule to the given context and addresses.
- Select Disabled to set the firewall rule to not apply at all.
- Select Scheduled to apply the firewall rule according to the selected schedule.
- From the Protocol list, select the protocol to which the firewall rule applies.
- Select Any to apply the firewall rule to any protocol.
- Select the protocol name to apply the rule to a single protocol.
ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list that includes a rule for ICMP or ICMPv6 to a self IP or virtual server; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
- In the Source field, you can define the following packet source matching criteria by typing it into the field labeled add new source: For named objects such as address lists, VLANs, or geographic locations, the system auto-completes the name of the object. For individual service port or IP address entries, the system defines them once entered.
- IPv4 or IPv6 addresses, address range or name of an address list.
- Fully Qualified Domain Name (FQDN)
- Service port, port range or port list.
- Geographic location
- VLAN
- Subscriber or Subscriber group ID
- Click Add.
- In the Destination field, you can define any of the following packet destination matching criteria by typing it into the field labeled add new source: For named objects such as address lists, VLANs, or geographic locations, the system auto-completes the name of the object. For individual service port or IP address entries, the system defines them once entered.
- IPv4 or IPv6 addresses, address range or name of an address list.
- Fully Qualified Domain Name (FQDN)
- Service port, port range or port list.
- Geographic location
- VLAN
- Subscriber or Subscriber group ID
- Click Add.
- From the Action list, select the firewall action to perform on matching traffic.
- Optional. Select an iRule to trigger when the firewall rule matches. iRule sampling (available when an iRule is selected) allows you to specify how frequently an iRule is triggered when the rule matches. For example, if the value 5 is entered, the iRule triggers every 5th match.
- From the Logging list, enable or disable logging for the firewall rule. A logging profile must be enabled to capture logging info for the firewall rule.
- Click Done Editing to add the firewall rule to the policy.
- Under ID, verify the new rule is in the proper order. You can drag and drop rules and rule lists to reorder them.
- Click Commit Changes to System at the top of the page.
The new firewall rule is created and displayed on the firewall policy screen.
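The rule fields listed under "Using the inline firewall rule editor" and the two behaviours called out in the procedure above (rule order within a policy, ICMP rules being ignored at the self IP and virtual server contexts, and iRule sampling on every Nth match) can be seen together in a small evaluation model. The following Python is an added illustration written for this page; it is not F5 code and does not reflect how the BIG-IP data plane is implemented. The packets, addresses, rule names and the "route-domain" / "virtual-server" context labels are constructed sample values, and the model only matches on IP networks and destination ports (real rules also accept FQDNs, geolocations, VLANs, lists and subscribers). It also assumes that an empty source or destination means "any" and that a policy with no matching rule returns no action; neither is stated in the chapter.

```python
"""Toy model of AFM network firewall rule evaluation (added illustration, not F5 code)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Chapter: ICMP rules are ignored on a self IP or virtual server context (constructed labels).
CONTEXTS_WITHOUT_ICMP = {"self-ip", "virtual-server"}
ICMP_PROTOCOLS = {"icmp", "icmpv6"}


@dataclass
class Schedule:
    """Days of week (0 = Monday) and inclusive time window during which a scheduled rule is active."""
    days: set
    start: time
    end: time

    def active_at(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass
class Rule:
    name: str
    action: str                        # accept | drop | reject | accept-decisively
    protocol: str = "tcp"              # chapter: the default protocol is TCP; "any" matches all
    state: str = "enabled"             # enabled | disabled | scheduled
    schedule: Optional[Schedule] = None
    sources: list = field(default_factory=list)        # CIDR strings; empty = any (model assumption)
    destinations: list = field(default_factory=list)   # CIDR strings; empty = any (model assumption)
    dest_ports: list = field(default_factory=list)     # ints or inclusive (low, high) tuples
    logging: bool = False
    irule: Optional[str] = None
    irule_sample: int = 1              # chapter: value 5 means the iRule fires on every 5th match
    hit_count: int = 0

    def is_active(self, when: datetime) -> bool:
        if self.state == "enabled":
            return True
        if self.state == "scheduled" and self.schedule is not None:
            return self.schedule.active_at(when)
        return False                   # disabled, or scheduled without a schedule

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "any" and self.protocol != pkt["proto"]:
            return False
        if not _addr_in(pkt["src"], self.sources) or not _addr_in(pkt["dst"], self.destinations):
            return False
        if self.dest_ports:
            dport = pkt.get("dport")
            if dport is None or not any(_port_matches(dport, spec) for spec in self.dest_ports):
                return False
        return True


def _port_matches(port: int, spec) -> bool:
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec


def _addr_in(addr: str, cidrs: list) -> bool:
    if not cidrs:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(c, strict=False) for c in cidrs)  # v4-in-v6 net is simply False


def evaluate(policy: list, context: str, pkt: dict, when: datetime) -> dict:
    """Walk the policy in order; the first active, applicable rule that matches decides."""
    for rule in policy:
        if not rule.is_active(when):
            continue
        if context in CONTEXTS_WITHOUT_ICMP and rule.protocol in ICMP_PROTOCOLS:
            continue               # chapter: such a rule is ignored at this context
        if not rule.matches(pkt):
            continue
        rule.hit_count += 1
        fired = rule.irule is not None and rule.hit_count % rule.irule_sample == 0
        return {"rule": rule.name, "action": rule.action, "log": rule.logging, "irule_fired": fired}
    return {"rule": None, "action": None, "log": False, "irule_fired": False}


def sample_policy() -> list:
    """Constructed rules in the order an administrator would arrange them under ID."""
    return [
        Rule("block-known-bad", "drop", protocol="any", sources=["203.0.113.0/24"], logging=True),
        Rule("allow-web", "accept", destinations=["192.0.2.10/32"], dest_ports=[80, 443],
             irule="log_web_hits", irule_sample=5),
        Rule("ssh-business-hours", "accept", dest_ports=[22], state="scheduled",
             schedule=Schedule(days={0, 1, 2, 3, 4}, start=time(9), end=time(17))),
        Rule("icmp-echo", "accept", protocol="icmp"),
        Rule("catch-all", "reject", protocol="any", logging=True),
    ]


def demo() -> dict:
    """Run constructed packets through the policy; 2021-03-01 is a Monday, 2021-03-07 a Sunday."""
    policy, monday, sunday = sample_policy(), datetime(2021, 3, 1, 12, 0), datetime(2021, 3, 7, 12, 0)
    web = {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}
    ssh = {"src": "198.51.100.5", "dst": "192.0.2.20", "proto": "tcp", "dport": 22}
    ping = {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "icmp", "dport": None}
    return {
        # Order matters: the drop rule sits first, so a bad source never reaches allow-web.
        "bad_src": evaluate(policy, "route-domain", dict(web, src="203.0.113.7"), monday),
        # iRule sampling of 5: five web hits, the iRule fires only on the fifth.
        "web_hits": [evaluate(policy, "route-domain", web, monday)["irule_fired"] for _ in range(5)],
        # Scheduled state: SSH accepted Monday noon, falls through to catch-all on Sunday.
        "ssh_weekday": evaluate(policy, "route-domain", ssh, monday)["action"],
        "ssh_sunday": evaluate(policy, "route-domain", ssh, sunday)["action"],
        # ICMP: honoured at route-domain context, ignored at virtual-server context.
        "ping_rd": evaluate(policy, "route-domain", ping, monday)["rule"],
        "ping_vs": evaluate(policy, "virtual-server", ping, monday)["rule"],
    }
```

Running `demo()` makes the practical consequences of the chapter visible: a rule's position under ID decides which of two overlapping rules fires, a scheduled rule silently falls through to whatever follows it outside its window, and an ICMP rule placed in a virtual server policy never matches, so the catch-all rule decides the packet's fate instead.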