Manual Chapter: Compiling and Deploying Network Firewall rules
Applies To: BIG-IP AFM 14.1.3, 14.1.2, 14.1.0
About compiling and deploying rules in the Network Firewall
The BIG-IP Advanced Firewall Manager (AFM) allows you to compile and deploy rules either manually or automatically. Rules are compiled and deployed automatically by default. However, in a large configuration with many rule sets, the compilation process can create a large number of micro rules even when only a small number of rules are added or edited. For such configurations, it might be advantageous to collect all rule changes and compile them at once, manually. Once rules are compiled, they can be deployed manually or automatically. Deploying manually allows greater control over the rollout of configuration changes. Note that a rule change is not enforced on traffic until it has been both compiled and deployed; until then, the previously deployed ruleset remains in effect. These options provide a more efficient approach to managing large firewall rule sets.
When manual rule compilation, manual rule deployment, or both are enabled, the AFM user interface provides feedback about the compilation and deployment status of the current ruleset.
Task list
Configuring manual or automatic policy compilation for firewall rules
Set the compilation mode to Manual if you want to collect several rule changes, and then compile them all at one time, or if you want to delay the rule compilation process to another time.
- On the Main tab, click . The Network Firewall screen opens to Firewall Options.
- From the Firewall Compilation Mode list, select the compilation mode for the firewall ruleset.
- Select Automatic to compile the firewall ruleset whenever a change is made to any firewall item that is used in the firewall ruleset.
- Select Manual to delay compilation of the firewall ruleset, collect all firewall rule changes, and apply the entire set of changes manually at another time.
- From the Log Configuration Changes list, specify the logging option for firewall ruleset compilation and deployment configuration changes.
- Select Automatic to specify that configuration changes are logged only if Firewall Compilation Mode or Firewall Deployment Mode is set to Manual.
- Select On to specify that policy configuration changes are always logged.
- Select Off to specify that policy configuration changes are not logged.
- Select the log publisher to which to log policy configuration changes. This field appears only if you specify the Log Configuration Changes setting as Automatic or On.
- Click Update. The firewall policy compilation mode is configured.
Compiling firewall rules manually
When you have configured the firewall in manual compilation mode, you must manually compile firewall rules after your configuration changes are complete.
- Look at the status area for Advanced Firewall Manager. If the status shows Firewall: Pending Rules Compilation, the rules are ready to be manually compiled.
- Click the Firewall: Pending Rules Compilation link. Alternatively, you can click . The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of recent configuration changes. If the policy requires compilation, the Firewall Policy Status is Pending Rules Compilation.
- Click Compile. The system compiles the collected changes.
After the ruleset is compiled, review the compilation statistics for Compilation Start Time, Compilation End Time, and Last Successful Compilation Time. If Last Successful Compilation Time is earlier than Compilation End Time, the most recent compilation did not succeed and your changes are not in the compiled ruleset. The status in the Configuration Change Event column also shows Compile Success after a successful compilation. If you set the Firewall Deployment Mode to deploy automatically after a configuration change, the policies are deployed. If you set the Firewall Deployment Mode to manual, you must now deploy the policies; until you do, the previously deployed ruleset remains in effect.
Configuring manual or automatic policy deployment for firewall rules
Set the deployment mode to Manual if you want to compile rule changes without putting them into effect until a certain time. You cannot configure firewall schedules if the firewall deployment mode is manual.
- On the Main tab, click . The Network Firewall screen opens to Firewall Options.
- From the Firewall Deployment Mode list, select the deployment mode for firewall ruleset changes.
- Select Automatic to deploy the firewall ruleset whenever a change is compiled, either manually or automatically.
- Select Manual to delay deployment of the firewall ruleset, collect all compiled firewall ruleset changes, and deploy the entire set of changes manually at another time.
- From the Log Configuration Changes list, specify the logging option for firewall ruleset compilation and deployment configuration changes.
- Select Automatic to specify that configuration changes are logged only if Firewall Compilation Mode or Firewall Deployment Mode is set to Manual.
- Select On to specify that policy configuration changes are always logged.
- Select Off to specify that policy configuration changes are not logged.
- Select the log publisher to which to log policy configuration changes. This field appears only if you specify the Log Configuration Changes setting as Automatic or On.
- Click Update. The firewall deployment mode is configured.
Deploying firewall rules manually
When you have configured the firewall in manual deployment mode, you must manually deploy firewall rules after the rules are compiled.
- Look at the status area for the Advanced Firewall Manager. If the status shows Firewall: Pending Rules Deployment, the rules are ready to be manually deployed.
- Click the Firewall: Pending Rules Deployment link. Alternatively, you can click . The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of the most recent configuration changes. If the policy is compiled and requires deployment, the Firewall Policy Status is Pending Rules Deployment.
- Click Deploy. The system deploys the collected changes.
- Next to the Policy Status setting, select Advanced to review additional policy compilation and deployment statistics. These statistics include the compilation and deployment mode, Deployment Start Time, Deployment End Time, Number of Micro Rules, the Active BLOB, and whether the active BLOB is MD5 verified.
After the ruleset is deployed, the status in the Configuration Change Event column also shows Deploy Success after a successful deployment.
About firewall policy compilation statistics
When firewall rules are recompiled, whether automatically with a rule change or manually with a manual compile event, the rule list or policy requires some server resources to compile. With large rule sets and deployments, even minor rule changes can cause very large recompilation events. You can view the resources used for policy compilation, either for the entire firewall or by context.
Compiler statistics are displayed on a context for several items.
- Activation Time
- Displays the time at which firewall policies or rule lists were last activated on this context.
- Compilation Duration
- Displays the amount of time required to compile the rule sets or policies at the last activation.
- Compilation Size
- Displays the file size of the compiled rule sets or policies, after the last activation.
- Maximum Transient Memory
- Displays the maximum memory used to compile the rule sets or policies during the last activation.
Compiler statistics are displayed for several items when displayed for the entire firewall.
- Firewall Compilation Mode
- Displays whether the firewall is configured to compile ruleset changes manually or automatically.
- Firewall Deployment Mode
- Displays whether the firewall is configured to deploy ruleset changes manually or automatically.
- Firewall Policy Status
- Displays whether the firewall ruleset is Consistent (all rules are currently compiled and deployed), Pending Rules Compilation (some rules have been changed, and the ruleset is not compiled), or Pending Rules Deployment (the ruleset is compiled, but not deployed).
- Compilation Start Time
- Displays the time at which the most recent firewall ruleset compilation event last started.
- Compilation End Time
- Displays the time at which the most recent firewall ruleset compilation event last completed.
- Last Successful Compilation Time
- Displays the time at which the last successful compilation occurred.
- Deployment Start Time
- Displays the most recent deployment start time.
- Deployment End Time
- Displays the most recent deployment end time.
- Number of Micro Rules
- Displays the number of micro rules compiled in the most recent ruleset compilation event.
- Active BLOB
- Displays the internal name of the compiled group of rules that is currently active.
- BLOB MD5 Verified
- Displays whether the BLOB MD5 is verified.
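The checks below are an added example, not F5 code and not anything AFM ships. They read the firewall-wide fields listed above, plus the per-context Compilation Duration and Maximum Transient Memory, from a constructed text snapshot (one "Field: Value" line per statistic, one block per context, blocks separated by a blank line) and report whether the ruleset an operator configured is actually enforced and which contexts drive recompile cost. The snapshot layout, the timestamp format, the MICRO_RULE_WARN threshold and the heuristic that a Compilation End Time later than Last Successful Compilation Time means the last compile failed are all assumptions for illustration.

```python
"""Health check over BIG-IP AFM compilation/deployment statistics (added example).

Not F5 code. Input is a constructed "Field: Value" snapshot using the field names
the Policy Status screen and the per-context statistics show; the layout, the
timestamp format and the thresholds are assumptions made for illustration.
"""
from datetime import datetime
from typing import Dict, List, Tuple

TIME_FMT = "%Y-%m-%d %H:%M:%S"   # assumed timestamp layout in the snapshot
MICRO_RULE_WARN = 100_000        # assumed size above which batching compiles pays off

# Constructed firewall-wide snapshot: compiled two hours ago, still not deployed.
STATUS_SNAPSHOT = """
Firewall Compilation Mode: Automatic
Firewall Deployment Mode: Manual
Firewall Policy Status: Pending Rules Deployment
Compilation Start Time: 2024-03-05 10:02:11
Compilation End Time: 2024-03-05 10:02:48
Last Successful Compilation Time: 2024-03-05 10:02:48
Deployment Start Time: 2024-03-04 09:00:00
Deployment End Time: 2024-03-04 09:00:05
Number of Micro Rules: 184233
Active BLOB: blob_17
BLOB MD5 Verified: yes
"""

# Constructed per-context snapshot; context names follow the page's examples.
CONTAINER_SNAPSHOT = """
Context: Global
Compilation Duration: 41.7s
Maximum Transient Memory: 912MB

Context: vs_http_134
Compilation Duration: 3.2s
Maximum Transient Memory: 96MB

Context: self_lb_11
Compilation Duration: 0.4s
Maximum Transient Memory: 12MB
"""


def parse_blocks(text: str) -> List[Dict[str, str]]:
    """Turn 'Field: Value' lines into one dict per blank-line-separated block."""
    blocks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                blocks.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first colon only; timestamps contain colons
        current[key.strip()] = value.strip()
    if current:
        blocks.append(current)
    return blocks


def assess_firewall(status_text: str, now: str) -> List[str]:
    """Findings about whether the rules an operator configured are actually enforced."""
    s = parse_blocks(status_text)[0]
    findings: List[str] = []

    def ts(key: str) -> datetime:
        return datetime.strptime(s[key], TIME_FMT)

    status = s.get("Firewall Policy Status", "")
    if status == "Pending Rules Compilation":
        findings.append("rules changed but not compiled: the configured ruleset is not enforced")
    elif status == "Pending Rules Deployment":
        lag = datetime.strptime(now, TIME_FMT) - ts("Last Successful Compilation Time")
        findings.append(f"compiled ruleset not deployed for {lag}: the configured ruleset is not enforced")
    elif status != "Consistent":
        findings.append(f"unexpected policy status {status!r}")

    # Assumed heuristic: a compile that ended after the last *successful* one failed.
    if ts("Compilation End Time") > ts("Last Successful Compilation Time"):
        findings.append("most recent compilation failed; the deployed ruleset predates the latest change")

    if s.get("BLOB MD5 Verified", "").lower() != "yes":
        findings.append("active BLOB MD5 not verified")

    micro = int(s.get("Number of Micro Rules", "0"))
    if micro > MICRO_RULE_WARN and s.get("Firewall Compilation Mode") == "Automatic":
        findings.append(f"{micro} micro rules with Automatic compilation: consider Manual mode to batch changes")
    return findings


def costliest_contexts(container_text: str, top: int = 3) -> List[Tuple[str, float, float]]:
    """Rank contexts by compilation duration (seconds), then transient memory (MB)."""
    rows = []
    for blk in parse_blocks(container_text):
        duration = float(blk["Compilation Duration"].rstrip("s"))
        memory = float(blk["Maximum Transient Memory"].rstrip("MB"))
        rows.append((blk["Context"], duration, memory))
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return rows[:top]


if __name__ == "__main__":
    for finding in assess_firewall(STATUS_SNAPSHOT, "2024-03-05 12:02:48"):
        print("FINDING:", finding)
    for name, dur, mem in costliest_contexts(CONTAINER_SNAPSHOT):
        print(f"{name:<14} {dur:6.1f}s {mem:7.0f}MB")
```

The first finding is the one that matters operationally: a ruleset in Pending Rules Compilation or Pending Rules Deployment means the rules an operator can see in the configuration are not what is enforcing traffic, and the lag tells you how long that gap has existed. The context ranking points at where a rule edit will be expensive to recompile, which is the case the page gives for switching to manual compilation.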
Viewing compilation statistics for a firewall rule or policy
You can view the most recent compilation statistics for a rule list or policy on the global context, or on a route domain, self IP, or virtual server context.
- On the Main tab, click . The Active Rules screen opens.
- From the Context list, select All.
- Click on the name of the context for which you want to view statistics. For example, the global context is always called Global. A virtual server or self IP has the name you assigned when you created it; for example, vs_http_134 or self_lb_11. A route domain is identified with a number; for example, 0.
- View statistics for rule compilation.
- In the global context, from the Policy Settings list, select Advanced.
- In a route domain, self IP, or virtual server context, click the Security tab. Then, from the Policy Settings list, select Advanced.
Statistics are displayed for the most recent rule list and policy compilation on the selected context.
Viewing compilation statistics for all network firewall rules and policies
You can view the most recent compilation statistics for the network firewall.
- Click . The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of recent configuration changes.
- Next to the Policy Status setting, select Advanced to review additional policy compilation and deployment statistics. These statistics include the compilation and deployment mode, Deployment Start Time, Deployment End Time, Number of Micro Rules, the Active BLOB, and whether the active BLOB is MD5 verified.
Compilation and deployment statistics are displayed for all network firewall policies.