Manual Chapter : Applying AFM Network Firewall Policies

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.0
Manual Chapter

Applying AFM Network Firewall Policies

Applying a policy globally

You can apply an AFM Network Firewall policy to the global context, enforcing the policy on all traffic processed by the AFM system.
  1. On the Main tab, click
    Security
    Network Firewall
    Active Rules
    .
    The Active Rules screen opens.
  2. Under
    Filter Active Rules List
    , click the
    Global
    link.
    The
    Global Firewall Rules
    screen opens.
  3. To enforce rules from a firewall policy in the selected context, in the Network Firewall area: from the
    Enforcement
    list, select
    Enabled
    and then select the firewall policy to enforce from the
    Policy
    list.
  4. To stage rules from a firewall policy in the selected context, in the Network Firewall area: from the
    Staging
    list, select
    Enabled
    and then select the firewall policy to stage from the
    Policy
    list.
The policy rules you selected are enforced at the global level. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

Applying a policy to a virtual server

You must have created at least one virtual server.
You can apply an AFM Network Firewall policy to a specific virtual server, also known as a protected object, enforcing the policy only on traffic processed by that protected object.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
  2. Click the name of the virtual server to assign the firewall policy.
  3. On the menu bar at the top of the page, click
    Security
    Policies
  4. To enforce rules from a firewall policy on the virtual server, in the Network Firewall area, from the
    Enforcement
    list, select
    Enabled
    , then select the firewall policy to enforce from the
    Policy
    list.
  5. To stage rules from a firewall policy on the virtual server, in the Network Firewall area, from the
    Staging
    list, select
    Enabled
    , then select the firewall policy to stage from the
    Policy
    list.
  6. Click
    Update
    to save the changes.
The policy you selected is enforced on the virtual server. If you chose to stage the policy, the results of a policy match is logged, but not enforced.

Applying a policy to a Self IP

You must have created at least one self IP address.
You can apply an AFM Network Firewall policy to the self IP context, enforcing the policy on all traffic passing through that self IP.
  1. On the Main tab, click
    Network
    Self IPs
    .
  2. Click on the self IP address to which you want to add a network firewall policy.
  3. Click the
    Security
    tab.
  4. To enforce rules from a firewall policy on the self IP: In the Network Firewall area, from the
    Enforcement
    list, select
    Enabled
    , and then from the
    Policy
    list, select the firewall policy to enforce.
  5. To stage rules from a firewall policy on the self IP: In the Network Firewall area, from the
    Staging
    list, select
    Enabled
    , and then from the
    Policy
    list, select the firewall policy to stage.
  6. Click
    Update
    to save the changes to the self IP.
The policy you selected is enforced at the self IP level. If you chose to stage the policy, the results of a policy match is logged, but not enforced.

Applying a policy to a route domain

You must have created at least one route domain.
You can apply an AFM Network Firewall policy to a route domain, enforcing the policy only on all traffic in that route domain.
  1. On the Main tab, click
    Network
    Route Domains
    .
    The Route Domain List screen opens.
  2. Click the name of the route domain to show the route domain configuration.
  3. Click the Security tab.
  4. To enforce rules from a firewall policy on the route domain: in the Network Firewall area: from the
    Enforcement
    list, select
    Enabled
    and then select the firewall policy to enforce from the
    Policy
    list.
  5. To stage rules from a firewall policy on the route domain: in the Network Firewall area, from the
    Staging
    list, select
    Enabled
    and then select the firewall policy to stage from the
    Policy
    list.
  6. Click
    Update
    to save the changes to the route domain.
The policy you selected is enforced at the route domain level. If you chose to stage the policy, the results of a policy match is logged, but not enforced.

Applying a rule to the management port

You cannot apply an AFM Network Firewall policy to the management port context. Instead, you must create and apply one or more AFM Network Firewall rules directly to the management port context.
You can only add management port rules as inline rules. For all other contexts, you should add rule lists to policies.
  1. On the Main tab, click
    Security
    Network Firewall
    Active Rules
    .
    The Active Rules screen opens.
  2. From the
    Context
    list, select
    Management Port
    .
  3. In the Rules area, click
    Add
    to add a firewall rule to the list.
  4. In the
    Name
    and
    Description
    fields, type the name and an optional description.
  5. From the
    Order
    list, select the order in which the rule is processed
  6. From the
    State
    list, select the rule state.
    • Select
      Enabled
      to apply the firewall rule to the given context and addresses.
    • Select
      Disabled
      to set the firewall rule to not apply at all.
    • Select
      Scheduled
      to apply the firewall rule according to the selected schedule.
  7. From the
    Protocol
    list, select the protocol to which the firewall rule applies.
    • Select
      Any
      to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the
    global
    or
    route domain
    context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  8. From the Source
    Address/Region
    list, select
    Specify
    .
  9. Click
    Address List
    and select the appropriate address list object
  10. Click
    Add
    .
  11. From the Source
    Port
    list, select
    Specify
    .
  12. Click
    Port List
    and select the appropriate port list object.
  13. Click
    Add
    .
  14. From the Destination
    Address/Region
    list, select specify.
  15. Click
    Address List
    and select the appropriate address list object.
  16. Click
    Add
    .
  17. From the Destination
    Port
    list, select
    Specify
    .
  18. Click
    Port List
    and select the appropriate port list object.
  19. Click
    Add
    .
  20. From the
    Action
    list, select the firewall action to perform on matching traffic.
  21. From the
    Logging
    list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  22. Click
    Finished
The new firewall policy is being enforced on the BIG-IP AFM system management port.