Manual Chapter : Compiling and Deploying Network Firewall rules

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Compiling and Deploying Network Firewall rules

About compiling and deploying rules in the Network Firewall

The BIG-IP Advanced Firewall Manager (AFM) allows you to compile and deploy rules either manually or automatically. Rules are compiled and deployed automatically by default. However, in a large configuration with many rulesets there can a large number of micro rules created by the compilation process, even when only a small number of rules are added or edited. For such configurations, it might be advantageous to compile all collected rule changes at once, manually. Once rules are compiled, they can be deployed manually or automatically. Deploying manually allows greater control over the rollout of configuration changes. These options provide a more efficient approach to managing large firewall rule sets. When manual rule compilation, manual rule deployment, or both are enabled, the AFM user interface provides feedback about the compilation and deployment status of the current ruleset.

Task list

Configuring manual or automatic policy compilation for firewall rules

Set the compilation mode to Manual if you want to collect several rule changes, and then compile them all at one time, or if you want to delay the rule compilation process to another time.
  1. On the Main tab, click
    Security
    Options
    Network Firewall
    .
    The Network Firewall screen opens to Firewall Options.
  2. From the
    Firewall Compilation Mode
    list, select the compilation mode for the firewall ruleset.
    • Select
      Automatic
      to compile the firewall ruleset whenever a change is made to any firewall item that is used in the firewall ruleset.
    • Select
      Manual
      to delay compilation of the firewall ruleset, collect all firewall rule changes, and apply the entire set of changes manually at another time.
  3. From the
    Log Configuration Changes
    list specify the logging option for firewall ruleset compilation and deployment configuration changes.
    • Select
      Automatic
      to specify that configuration changes are logged only if
      Firewall Compilation Mode
      or
      Firewall Deployment Mode
      is set to
      Manual
      .
    • Select
      On
      to specify that policy configuration changes are always logged.
    • Select
      Off
      to specify that policy configuration changes are not logged.
  4. Select the log publisher to which to log policy configuration changes.
    This field appears only if you specify the
    Log Configuration Changes
    setting as
    Automatic
    or
    On
    .
  5. Click
    Update
    .
    The firewall policy compilation mode is configured.

Compiling firewall rules manually

When you have configured the firewall in manual compilation mode, you must manually compile firewall rules after your configuration changes are complete.
  1. Look at the status area for Advanced Firewall Manager. If the status shows
    Firewall: Pending Rules Compilation
    , the rules are ready to be manually compiled.
  2. Click the
    Firewall: Pending Rules Compilation
    link. Alternatively, you can click
    Security
    Event Logs
    Network
    Policy Status
    .
    The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of recent configuration changes. If the policy requires compilation, the
    Firewall Policy Status
    is
    Pending Rules Compilation
    .
  3. Click
    Compile
    .
    The system compiles the collected changes.
After the ruleset is compiled, review the compilation statistics for
Compilation Start Time
,
Compilation End Time
, and
Last Successful Compilation Time
. The status in the
Configuration Change Event
column also shows
Compile Success
after a successful compilation.
If you set the
Firewall Deployment Mode
to automatically deploy after a configuration change, the policies are deployed. If you set the
Firewall Deployment Mode
to manual, you must now deploy the policies.

Configuring manual or automatic policy deployment for firewall rules

Set the deployment mode to Manual if you want to compile rule changes without putting them into effect until a certain time.
You can not configure firewall schedules if the firewall deployment mode is manual.
  1. On the Main tab, click
    Security
    Options
    Network Firewall
    .
    The Network Firewall screen opens to Firewall Options.
  2. From the
    Firewall Deployment Mode
    list, select the deployment mode for firewall ruleset changes.
    • Select
      Automatic
      to deploy the firewall ruleset whenever a change is compiled, either manually or automatically.
    • Select
      Manual
      to delay deployment of the firewall ruleset, collect all compiled firewall ruleset changes, and deploy the entire set of changes manually at another time.
  3. From the
    Log Configuration Changes
    list specify the logging option for firewall ruleset compilation and deployment configuration changes.
    • Select
      Automatic
      to specify that configuration changes are logged only if
      Firewall Compilation Mode
      or
      Firewall Deployment Mode
      is set to
      Manual
      .
    • Select
      On
      to specify that policy configuration changes are always logged.
    • Select
      Off
      to specify that policy configuration changes are not logged.
  4. Select the log publisher to which to log policy configuration changes.
    This field appears only if you specify the
    Log Configuration Changes
    setting as
    Automatic
    or
    On
    .
  5. Click
    Update
    .
    The firewall deployment mode is configured.

Deploying firewall rules manually

When you have configured the firewall in manual deployment mode, you must manually deploy firewall rules after the rules are compiled.
  1. Look at the status area for the Advanced Firewall Manager. If the status shows
    Firewall: Pending Rules Deployment
    , the rules are ready to be manually deployed.
  2. Click the
    Firewall: Pending Rules Deployment
    link. Alternatively, you can click
    Security
    Event Logs
    Network
    Policy Status
    .
    The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of the most recent configuration changes. If the policy is compiled, and requires deployment, the
    Firewall Policy Status
    is
    Pending Rules Deployment
    .
  3. Click
    Deploy
    .
    The system deploys the collected changes.
  4. Next to the
    Policy Status
    setting, select
    Advanced
    to review additional policy compilation and deployment statistics.
    These statistics include the compilation and deployment mode,
    Deployment Start Time
    ,
    Deployment End Time
    ,
    Number of Micro Rules
    , the
    Active BLOB
    , and whether the active BLOB is MD5 verified.
After the ruleset is deployed, the status in the
Configuration Change Event
column also shows
Deploy Success
after a successful deployment.

About firewall policy compilation statistics

When firewall rules are recompiled, whether automatically with a rule change, or manually with a manual compile event, the rule list or policy requires some server resources to compile. With large rule sets and deployments, even minor rule changes can cause very large recompilation events. You can view the resources used for policy compilation, either for the entire firewall or by context.
Compiler statistics are displayed on a context for several items.
Activation Time
Displays the time at which firewall policies or rule lists were last activated on this context.
Compilation Duration
Displays the amount of time required to compile the rule sets or policies at the last activation.
Compilation Size
Displays the file size of the compiled rule sets or policies, after the last activation.
Maximum Transient Memory
Displays the maximum memory used to compile the rule sets or policies during the last activation.
Compiler statistics are displayed for several items when displayed for the entire firewall.
Firewall Compilation Mode
Displays whether the firewall is configured to compile ruleset changes manually or automatically.
Firewall Deployment Mode
Displays whether the firewall is configured to deploy ruleset changes manually or automatically.
Firewall Policy Status
Displays whether the firewall ruleset is
Consistent
(all rules are currently compiled and deployed),
Pending Rules Compilation
(some rules have been changed, and the ruleset is not compiled), or
Pending Rules Deployment
(the ruleset is compiled, but not deployed).
Compilation Start Time
Displays the time at which the most recent firewall ruleset compilation event last started.
Compilation End Time
Displays the time at which at which the most recent firewall ruleset compilation event last completed.
Last Successful Compilation Time
Displays the time at which the last successful compilation occurred.
Deployment Start Time
Displays the most recent deployment start time.
Deployment End Time
Displays the most recent deployment end time.
Number of Micro Rules
Displays the number of micro rules compiled in the most recent ruleset compilation event.
Active BLOB
Displays the internal name for the active group of rules to be compiled.
BLOB MD5 Verified
Displays whether the BLOB MD5 is verified.

Viewing compilation statistics for a firewall rule or policy

You can view the most recent compilation statistics for a rule list or policy on the global context, or on a route domain, self IP, or virtual server context.
  1. On the Main tab, click
    Security
    Network Firewall
    Active Rules
    .
    The Active Rules screen opens.
  2. From the
    Context
    list, select
    All
    .
  3. Click on the name of the context for which you want to view statistics.
    For example, the global context is always called
    Global
    . A virtual server or self IP has the name you assigned when you created it; for example,
    vs_http_134
    or
    self_lb_11
    . A route domain is identified with a number; for example,
    0
    .
  4. View statistics for rule compilation.
    • In the global context, from the
      Policy Settings
      list, select
      Advanced
      .
    • In a route domain, self IP, or virtual server context, click the Security tab. Then, from the
      Policy Settings
      list, select
      Advanced
      .
Statistics are displayed for the most recent rule list and policy compilation on the selected context.

Viewing compilation statistics for all network firewall rules and policies

You can view the most recent compilation statistics for the network firewall.
  1. Click
    Security
    Event Logs
    Network
    Policy Status
    .
    The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of recent configuration changes.
  2. Next to the
    Policy Status
    setting, select
    Advanced
    to review additional policy compilation and deployment statistics.
    These statistics include the compilation and deployment mode,
    Deployment Start Time
    ,
    Deployment End Time
    ,
    Number of Micro Rules
    , the
    Active BLOB
    , and whether the active BLOB is MD5 verified.
Compilation and deployment statistics are displayed for all network firewall policies.