Manual Chapter : Common Elements for Network Firewall

Applies To: BIG-IP AFM 15.0.0

Common Elements for Network Firewall

  1. Add a rule of type Rule List, which activates an existing rule list, in one of two ways:
    • Security > Network Firewall > Policies > policy_name > Add > Type > Rule List
    • Security > Network Firewall > Active Rules > Add > Type > Rule List
  2. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  3. From the Context list, select All.
  4. Click the name of a firewall policy to edit that policy.
    The Firewall Policy screen opens, or the policy expands on the screen.
  5. On the Main tab, click Security > Network Firewall > Policies.
    The Policies screen opens.
  6. On the Main tab, click Security > Network Firewall > Rule Lists.
    The Rule Lists screen opens.
  7. On the Main tab, click Security > Network Firewall > User Lists.
    The User Lists screen opens.
  8. On the Main tab, click Security > Network Firewall > Address Lists.
    The Address Lists screen opens.
  9. On the Main tab, click Security > Network Firewall > Port Lists.
    The Port Lists screen opens.
  10. On the Main tab, click Security > Network Firewall > Schedules.
    The Schedules screen opens.
  11. On the Main tab, click Security > Network Firewall > IP Intelligence > Feed Lists.
    The Feed Lists screen opens.
  12. On the Main tab, click Security > Network Firewall > IP Intelligence > Blacklist Categories.
    The Blacklist Categories screen opens.
  13. On the Main tab, click Security > Network Firewall > IP Intelligence > Policies.
    The IP Intelligence Policies screen opens.
  14. On the Main tab, click DoS Setup > IP Intelligence > Policies.
    The IP Intelligence Policies screen opens.
  15. On the Main tab, click Security > Protocol Security > Inspection Profiles.
    The Inspection Profiles screen opens.
  16. On the Main tab, click Security > Protocol Security > Inspection List.
    The Inspection List screen opens.
  17. On the Main tab, click Security > Protocol Security > Inspection Logs.
    The Inspection Logs screen opens.
  18. From the Global Policy list, select the IP Intelligence policy to apply to all traffic on the BIG-IP system.
  19. Look at the status area for Advanced Firewall Manager. If the status shows Firewall: Pending Rules Compilation, the rules are ready to be manually compiled.
  20. Look at the status area for Advanced Firewall Manager. If the status shows Firewall: Pending Rules Deployment, the rules are ready to be manually deployed.
  21. Click Security > Event Logs > Network > Policy Status.
    The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of recent configuration changes.
  22. Click the Firewall: Pending Rules Compilation link. Alternatively, click Security > Event Logs > Network > Policy Status.
    The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of recent configuration changes. If the policy requires compilation, the Firewall Policy Status is Pending Rules Compilation.
  23. Next to the Policy Status setting, select Advanced to review additional policy compilation and deployment statistics.
    These statistics include the compilation and deployment mode, Deployment Start Time, Deployment End Time, Number of Micro Rules, the Active BLOB, and whether the active BLOB is MD5 verified.
  24. Click the Firewall: Pending Rules Deployment link. Alternatively, click Security > Event Logs > Network > Policy Status.
    The Policy Status screen opens, showing the firewall status, an overview of the most recent compilation, and a list of the most recent configuration changes. If the policy is compiled and requires deployment, the Firewall Policy Status is Pending Rules Deployment.
  25. On the Main tab, click Security > Options > Network Firewall.
    The Network Firewall screen opens to Firewall Options.
  26. On the Main tab, click Security > Options > Blacklist Publisher.
    The Blacklist Publisher screen opens.
  27. On the Main tab, click Security > Network Address Translation > Active Rules.
    The Active Rules screen opens.
  28. On the Main tab, click Security > Network Address Translation > Policies.
    The Policies screen opens.
  29. On the Main tab, click Security > Network Address Translation > Destination Translation.
    The Destination Translation screen opens.
  30. On the Main tab, click Security > Network Address Translation > Source Translation.
    The Source Translation screen opens.
  31. In the FQDN Resolver area, from the Global Context list, select the DNS resolver.
  32. In the Refresh Interval field, specify how often the DNS resolver refreshes the IP addresses associated with fully qualified domain names, in minutes.
    The default refresh interval is 60 minutes.
  33. From the Firewall Compilation Mode list, select the compilation mode for the firewall ruleset.
    • Select Automatic to compile the firewall ruleset whenever a change is made to any firewall item that is used in the firewall ruleset.
    • Select Manual to delay compilation of the firewall ruleset, collect all firewall rule changes, and apply the entire set of changes manually at another time.
  34. From the Firewall Deployment Mode list, select the deployment mode for firewall ruleset changes.
    • Select Automatic to deploy the firewall ruleset whenever a change is compiled, either manually or automatically.
    • Select Manual to delay deployment of the firewall ruleset, collect all compiled firewall ruleset changes, and deploy the entire set of changes manually at another time.
  35. Next to Inline Rule Editor, select Enabled.
  36. From the Global Context list, select the default action for the global rule, which applies when traffic matches no other rule.
    • Select Drop to drop traffic silently.
    • Select Reject to drop traffic and send the appropriate reject message for the protocol.
  37. To enforce rules from a firewall policy in the selected context, in the Network Firewall area: from the
    Enforcement
    list, select
    Enabled
    and then select the firewall policy to enforce from the
    Policy
    list.
  38. To enforce any inline rules that apply to the selected context, and to not apply a firewall policy: in the Network Firewall area, from the
    Enforcement
    list, select
    Inline Rules
    .
  39. To stage rules from a firewall policy in the selected context, in the Network Firewall area: from the
    Staging
    list, select
    Enabled
    and then select the firewall policy to stage from the
    Policy
    list.
  40. In the Rules area, click
    Add
    to add a firewall rule to the list.
  41. Click
    Add Rule
    to add a firewall rule to the policy.
    A blank rule appears in the policy.
  42. From the policy list, click the name of the NAT policy to which to add the rule.
    The NAT policy screen opens.
  43. Click
    Add Rule
    to add a NAT rule to the policy.
    Click the arrow next to
    Add Rule
    if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
  44. Click
    Add Rule
    Add rule to Global
    to add a NAT rule to the global policy.
    Click the arrow next to
    Add Rule
    if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
  45. Click
    Add Rule
    Add rule to Route Domain
    to add a NAT rule to the route domain.
    Click the arrow next to
    Add Rule
    if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
  46. Click
    Add Rule
    Add rule to Virtual Server
    to add a NAT rule to the virtual server.
    Click the arrow next to
    Add Rule
    if you want to choose whether to add the rule at the beginning or end of the list. Note that a rule must be selected to add a rule before or after it.
    A blank rule appears in the policy.
  47. In the
    State
    column, select the rule state.
    • Select
      Enabled
      to apply the rule on the protocol, addresses, and ports specified.
    • Select
      Disabled
      to disable the rule.
  48. In the Rules area, click
    Add
    to add a firewall rule list to the policy.
  49. Click
    Add Rule List
    to add a firewall rule list to the policy.
  50. Click
    Create
    to create a new user list.
  51. Click
    Create
    to create a new address list.
  52. Click
    Create
    to create a new policy.
  53. Click
    Create
    to create a new port list.
  54. Click
    Create
    to create a new firewall schedule.
  55. Click
    Create
    to create a new IP Intelligence policy.
  56. Click
    Create
    to create a new IP Intelligence blacklist category.
  57. Click
    Create
    to create a new IP Intelligence feed list.
  58. Click
    Reorder
    to enable reordering in the firewall rule list.
    With reordering enabled, you can drag and drop firewall rules within the list, to change rule precedence.
  59. In the
    Name
    column, type the name and an optional description in the fields.
  60. In the
    Description
    field, type or change the optional description.
  61. In the
    Name
    and
    Description
    fields, type the name and an optional description.
  62. From the
    Order
    list, set the order for the firewall rule.
    You can specify that the rule be first or last in the rule list, or before or after a specific rule.
  63. To reorder a rule in a policy, click and hold anywhere in the rule row, and drag the rule to a new position within the list.
  64. To quickly enable or disable a rule in a policy, click the check box next to the rule ID and click the
    Enable
    or
    Disable
    button, then click
    Commit Changes to System
    .
  65. From the
    Type
    list, select whether you are creating a standalone network firewall rule or creating the rule from a predefined rule list.
    If you create a firewall rule from a predefined rule list, only the
    Name
    ,
    Description
    ,
    Order
    ,
    Rule List
    , and
    State
    options apply, and you must select or create a rule list to include.
  66. From the Policy Type list, select whether you want to view Enforced or Staged policies.
    If you select Staged policies, management port rules are not shown, because they cannot be staged.
  67. From the
    Type
    list, select whether you are creating a standalone network firewall policy rule or creating a rule list.
    If you create a firewall policy rule list, only the
    Name
    ,
    Description
    ,
    Order
    ,
    Rule List
    , and
    State
    options apply, and you must select or create a rule list to include.
  68. In the
    State
    column, select the rule state.
    • Select
      Enabled
      to apply the firewall rule or rule list to the addresses and ports specified.
    • Select
      Disabled
      to set the firewall rule or rule list to not apply at all.
    • Select
      Scheduled
      to apply the firewall rule or rule list according to the selected schedule.
  69. From the
    State
    list, select the rule state.
    • Select
      Enabled
      to apply the firewall policy rule or rule list to the addresses and ports specified.
    • Select
      Disabled
      to set the firewall policy rule or rule list to not apply at all.
    • Select
      Scheduled
      to apply the firewall policy rule or rule list according to the selected schedule.
  70. If you select
    Scheduled
    , from the
    Schedule
    list, select the schedule for the firewall policy rule.
    This schedule is applied when the firewall policy rule state is set to
    Scheduled
    .
    You cannot save a scheduled rule when the firewall compilation or deployment mode is manual.
  71. From the
    Policy Type
    list, select whether the policy is to be enforced or staged.
    This field does not appear when you configure a management port rule.
  72. From the
    Policy
    list, select a predefined policy, or select
    New
    and type a name for the policy in the
    Name
    field.
    This field does not appear when you configure a management port rule.
  73. From the
    Context
    list, select the context for the firewall rule.
    For a firewall rule in a rule list, the context is predefined and cannot be changed.
  74. From the
    Context
    list, select the context for which to view firewall rules.
    If you are viewing staged policies, you cannot select the
    Management Port
    context in this field, as management port rules cannot be staged.
  75. From the
    State
    list, select the rule state.
    • Select
      Enabled
      to apply the firewall rule to the given context and addresses.
    • Select
      Disabled
      to set the firewall rule to not apply at all.
    • Select
      Scheduled
      to apply the firewall rule according to the selected schedule.
  76. View the rule hit count in the
    Count
    column.
    The rule hit count shows how many total times a rule hit has occurred. A very low number indicates that the rule is infrequently hit. A count of
    0
    indicates the rule has never been hit.
  77. View the latest match date in the
    Latest Match
    column.
    The latest match column lists the last time the rule was hit. An old date indicates that the rule has not been hit in a long time.
    Never
    indicates that the rule has never been hit.
  78. View the firewall rule states in the State column.
    Each rule is listed as Enabled, Disabled, or Scheduled. In addition, a rule can have one of the following states. View and adjust rules with these states, if necessary.
    (Redundant)
    The rule is enabled, disabled, or scheduled, and redundant: all the functionality of this rule is provided by a previous rule or rules. Hover over the State column to see why the rule is considered redundant, and possible solutions. Typically you can disable or delete a redundant rule with no net effect on the system.
    (Conflicting)
    The rule is enabled, disabled, or scheduled, and conflicting: all the match criteria of this rule are covered by another rule or rules, but this rule has a different action. Hover over the State column to see why the rule is considered conflicting, and possible solutions. Typically you should disable or delete a conflicting rule; because the traffic is matched by the earlier rule before it reaches the conflicting rule, removing it typically makes no net change in processing. Note that the Accept and Accept Decisively actions are treated as conflicting by the system.
    (Conflicting & Redundant)
    The rule is enabled, disabled, or scheduled, and conflicting or redundant with the actions of more than one other rule. Typically you should disable or delete a conflicting and redundant rule.
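The three shadowing states above can be reproduced offline from an exported rule set, which is useful when reviewing a policy before deployment. The following is an added example written for this chapter, not F5 code: it walks an ordered rule list and labels each rule whose whole match space is already covered by an earlier rule. The rule names, protocol names and sample rules are constructed, and the simplifying assumption is that a rule counts as covered only when a single earlier rule contains its entire protocol, source, destination and destination-port space (coverage by the union of several partially overlapping earlier rules is not computed).

```python
"""Shadow analysis for an ordered firewall rule set (added example, not F5 code).

Reproduces the (Redundant) / (Conflicting) / (Conflicting & Redundant)
annotations. Assumption: a rule counts as covered only when a single earlier
rule contains its whole match space (protocol, source network, destination
network, destination port range). Rule names and sample rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # accept | accept-decisively | drop | reject
    protocol: str = "any"        # any | tcp | udp | icmp | ...
    src: str = "any"             # "any" or a CIDR
    dst: str = "any"
    dports: tuple = (0, 65535)   # inclusive destination port range


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address allowed by `inner` is also allowed by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    o, i = ip_network(outer, strict=False), ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` would already match `outer`."""
    proto_ok = outer.protocol in ("any", inner.protocol)
    ports_ok = outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]
    return (proto_ok and ports_ok
            and _net_covers(outer.src, inner.src)
            and _net_covers(outer.dst, inner.dst))


def analyze(rules):
    """Map each shadowed rule name to its state.

    Covered only by earlier rules with the same action      -> Redundant
    Covered only by earlier rules with a different action   -> Conflicting
    Covered by earlier rules with both kinds of action      -> Conflicting & Redundant
    Accept and Accept Decisively count as different actions, as on the BIG-IP.
    """
    states = {}
    for i, rule in enumerate(rules):
        coverers = [r for r in rules[:i] if covers(r, rule)]
        if not coverers:
            continue
        same = any(r.action == rule.action for r in coverers)
        diff = any(r.action != rule.action for r in coverers)
        if same and diff:
            states[rule.name] = "Conflicting & Redundant"
        elif same:
            states[rule.name] = "Redundant"
        else:
            states[rule.name] = "Conflicting"
    return states


# Constructed sample policy, in evaluation order.
SAMPLE_RULES = [
    Rule("allow-web", "accept", "tcp", "any", "10.0.0.0/24", (80, 443)),
    Rule("drop-http", "drop", "tcp", "any", "10.0.0.0/24", (80, 80)),            # Conflicting
    Rule("allow-host-http", "accept", "tcp", "any", "10.0.0.5/32", (80, 80)),    # Conflicting & Redundant
    Rule("allow-host-https", "accept", "tcp", "any", "10.0.0.5/32", (443, 443)), # Redundant
    Rule("allow-dns-v6", "accept", "udp", "2001:db8::/32", "any", (53, 53)),
    Rule("deny-all", "drop"),
]

if __name__ == "__main__":
    for name, state in analyze(SAMPLE_RULES).items():
        print(f"{name}: ({state})")
```

Run against a real export, the Conflicting entries are the ones to look at first: a drop rule shadowed by an earlier accept means the traffic you intended to block is already being accepted higher in the list, which is the situation the hover text on the State column is warning about.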
  79. From the
    Schedule
    list, select the schedule for the firewall rule.
    This schedule is applied when you set the firewall rule state as
    Scheduled
    .
  80. In the
    Source
    list, specify users and groups to which this rule applies.
    • From the
      User
      list, select
      Any
      to have the rule apply to any user.
    • From the
      User
      list, select
      Specify
      and click
      User
      ,
      Group
      , or
      User List
      to specify a user, group, or user list packet source to which the rule applies. When selected, you can type a user or group name in the format
      domain\user_name
      or
      domain\group_name
      . You can specify a user list by selecting it from the list. Click
      Add
      to add a selected user, group, or user list to the packet source list.
  81. In the
    Source
    list, specify addresses and geolocated sources to which this rule applies.
    • From the
      Address/Region
      list, select
      Any
      to have the rule apply to any packet source IP address or geographic location.
    • From the
      Address/Region
      list, select
      Specify
      and click
      Address
      to specify one or more packet source IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the
      Address
      field, then click
      Add
      to add them to the address list.
    • From the
      Address/Region
      list, select
      Specify
      and click
      Address List
      to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the
      Add
      button. Similarly, to remove the list from this rule, select the list and click the
      Delete
      button.
    • From the
      Address/Region
      list, select
      Specify
      and click
      Address Range
      to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click
      Add
      to add the IP address range to the address list.
    • From the
      Address/Region
      list, select
      Specify
      and click
      Country/Region
      to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click
      Add
      to add it to the Source address list.
  82. From the Source
    Address/Region
    list, select the type of source address to which this rule applies.
    • Select
      Any
      to have the rule apply to any packet source IP address.
    • Select
      Specify
      and click
      Address
      to specify one or more packet source addresses to which the rule applies. When selected, you can type single IP addresses or fully qualified domain names (FQDNs) into the
      Address
      field, then click
      Add
      to add them to the address list.
    • Select
      Specify
      and click
      Address List
      to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the
      Add
      button. Similarly, to remove the list from this rule, select the list and click the
      Delete
      button.
    • Select
      Specify
      and click
      Address Range
      to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click
      Add
      to add the IP address range to the address list.
  83. In the
    Source
    field, specify the addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, a geographic location, a subscriber or subscriber group, an address list, or port list. After you complete an entry, click
    Add
    .
    You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  84. In the
    Destination
    field, specify the destination addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, or an address list or port list. After you complete an entry, click
    Add
    .
    You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  85. From the
    Log Profile
    list, select a logging profile to apply to the NAT rule.
    You can configure the logging profile on the virtual server security policy, instead of on the match rule.
  86. In the
    Source
    list, specify IP address and geolocated sources to which this rule applies.
    • From the
      Address/Region
      list, select
      Any
      to have the rule apply to any packet source IP address or packet source geographic location.
    • From the
      Address/Region
      list, select
      Specify
      and click
      Address
      to specify one or more packet source IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the
      Address
      field, then click
      Add
      to add them to the address list.
    • From the
      Address/Region
      list, select
      Specify
      and click
      Address List
      to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the
      Add
      button. Similarly, to remove the list from this rule, select the list and click the
      Delete
      button.
    • From the
      Address/Region
      list, select
      Specify
      and click
      Address Range
      to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click
      Add
      to add the IP address range to the address list.
    • From the
      Address/Region
      list, select
      Specify
      and click
      Country/Region
      to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click
      Add
      to add it to the Source address list.
  87. In the
    Source
    field, begin typing to specify a source address.
    As you type, options will appear that match your input. Select the source option you want to use when it appears, or press Return. You can add more addresses by typing in the field labeled
    add new source
    . A source address can be any of the following:
    • Any address
    • IPv4 or IPv6 address
    • IPv4 or IPv6 address range
    • FQDN
    • Geographic location
    • VLAN
    • Address list
    • Port
    • Port range
    • Port list
    • Subscriber
    • Subscriber group
  88. From the Destination
    Address/Region
    list, select the type of packet destination address to which this rule applies.
    • Select
      Any
      to have the rule apply to any IP packet destination address.
    • Select
      Specify
      and click
      Address
      to specify one or more packet destination addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the
      Address
      field, then click
      Add
      to add them to the address list.
    • Select
      Specify
      and click
      Address List
      to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the
      Add
      button. Similarly, to remove the list from this rule, select the list and click the
      Delete
      button.
    • Select
      Specify
      and click
      Address Range
      to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click
      Add
      to add the IP address range to the address list.
  89. In the
    Destination
    field, begin typing to specify a destination address.
    As you type, options will appear that match your input. Select the destination option you want to use when it appears, or press Return. You can add more addresses by typing in the field labeled
    add new destination
    .
    A destination address can be any of the following:
    • Any address
    • IPv4 or IPv6 address
    • IPv4 or IPv6 address range
    • FQDN
    • Geographic location
    • VLAN
    • Address list
    • Port
    • Port range
    • Port list
  90. In the Destination area and from the
    Address/Region
    list, select the type of packet destination address to which this rule applies.
    • Select
      Any
      to have the rule apply to any IP packet destination address.
    • Select
      Specify
      and click
      Address
      to specify one or more packet destination IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the
      Address
      field, then click
      Add
      to add them to the address list.
    • Select
      Specify
      and click
      Address List
      to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the
      Add
      button. Similarly, to remove the list from this rule, select the list and click the
      Delete
      button.
    • Select
      Specify
      and click
      Address Range
      to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click
      Add
      to add the IP address range to the address list.
    • Select
      Specify
      and click
      Country/Region
      to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click
      Add
      to add it to the Destination address list.
  91. In the
    Users
    area, add users and user groups.
    • To add a user, select
      User
      , then type the user name in the form
      domain\user_name
      .
    • To add a group, select
      Group
      , then type the group in the form
      domain\group_name
      .
  92. Click
    Add
    to add the user or group to the user list.
  93. From the Destination
    Address/Region
    list, select the type of packet destination address to which this rule applies.
    • Select
      Any
      to have the rule apply to any packet destination IP address.
    • Select
      Specify
      and click
      Address
      to specify one or more packet destination IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the
      Address
      field, then click
      Add
      to add them to the address list.
    • Select
      Specify
      and click
      Address List
      to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the
      Add
      button. Similarly, to remove the list from this rule, select the list and click the
      Delete
      button.
    • Select
      Specify
      and click
      Address Range
      to specify a contiguous range of packet destination IP addresses inside the firewall to which the rule applies. When selected, you can type a start and end IP address in the fields, then click
      Add
      to add the IP address range to the address list.
    • Select
      Specify
      and click
      Country/Region
      to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you don't select a specific state or province, the entire country is selected. After you select a geographic location, click
      Add
      to add it to the Destination list.
  94. From the Source
    Port
    list, select the type of packet source ports to which this rule applies.
    • Select
      Any
      to have the rule apply to any packet source port.
    • Select
      Specify
      and click
      Port
      to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the
      Port
      field, then click
      Add
      to add them to the port list.
    • Select
      Specify
      and click
      Port Range
      to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click
      Add
      to add the ports to the port list.
    • Select
      Specify
      and click
      Port List
      to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the
      Add
      button. Similarly, to remove the list from this rule, select the list and click the
      Delete
      button.
  95. From the Destination
    Port
    list, select the type of packet destination ports to which this rule applies.
    • Select
      Any
      to have the rule apply to any port inside the firewall.
    • Select
      Specify
      and click
      Port
      to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the
      Port
      field, then click
      Add
      to add them to the port list.
    • Select
      Specify
      and click
      Port Range
      to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click
      Add
      to add the ports to the port list.
    • Select
      Specify
      and click
      Port List
      to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the
      Add
      button. Similarly, to remove the list from this rule, select the list and click the
      Delete
      button.
  96. From the Source
    VLAN/Tunnel
    list, select the VLAN on which this rule applies.
    • Select
      Any
      to have the rule apply to traffic on any VLAN through which traffic enters the firewall.
    • Select
      Specify
      to specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the
      Available
      list to the
      Selected
      list. Similarly, you can remove the VLAN from this rule, by moving the VLAN from the
      Selected
      list to the
      Available
      list.
  97. From the
    Protocol
    list, select the protocol to which the firewall rule applies.
    • Select
      Any
      to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the
    global
    or
    route domain
    context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  98. In the
    Protocol
    column, select the protocol to which the firewall rule applies.
    • Select
      Any
      to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    • Select
      Other
      and type the port number if the protocol is not listed.
    ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the
    global
    or
    route domain
    context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  99. In the
    Protocol
    column, select the protocol to which the NAT rule applies.
    • Select
      Any
      to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    • Select
      Other
      and type the port number if the protocol is not listed.
  100. If you select ICMP or ICMPv6 as the rule protocol, add ICMP message types and codes in the fields that appear.
    If you do not specify particular ICMP/ICMPv6 message types and codes, the rule applies to any ICMP or ICMPv6 message type.
    • In the ICMP/ICMPv6 Message area, select an ICMP message type from the
      Type
      list, and select an ICMP message code from the
      Code
      list.
    • Click Add to add the message type and code to the firewall rule.
  101. Optionally, to apply an iRule to traffic matched by this rule, from the
    iRule
    list, select an iRule.
  102. Optionally, to send traffic matched by this rule to a specific virtual server, from the
    Send to Virtual
    list, select the virtual server.
    Traffic that is sent to a virtual server is processed according to the DDoS rules and firewall rules on that virtual server, not according to the originating context.
  103. When you select an iRule to start in a firewall rule, you can enable iRule sampling, and select how frequently the iRule is started, for sampling purposes. The value you configure is
    one out of n
    times the iRule is triggered. For example, to trigger the iRule one out of every five times the rule matches a flow, select
    Enabled
    , then set this field to
    5
    .
  104. When you select an iRule to start in a firewall rule, you select how frequently the iRule is started, for sampling purposes. The value you configure is
    one out of n
    times the iRule is triggered. For example, to trigger the iRule one out of every five times the rule matches a flow, set this field to
    5
    . To trigger the rule every time the rule matches a flow, set this field to
    1
    .
  105. From the
    Action
    list, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose from one of these actions:
    Accept
    Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop
    Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject
    Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
    Accept Decisively
    Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any subsequent firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  106. In the
    Actions
    column, from the
    Action
    list, select the firewall action for traffic matching the source, destination, and protocol. Choose from one of these actions:
    Accept
    Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop
    Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject
    Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
    Accept Decisively
    Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any subsequent firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
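    The difference between Accept and Accept Decisively, together with the note in steps 97 and 98 that ICMP rules in a virtual server or self IP context are ignored, is easiest to see when several contexts are evaluated in turn. The following model is an added illustration written for this page; it is not F5 code and does not reproduce the BIG-IP rule engine. It assumes a fixed evaluation order (global, route domain, virtual server, self IP), first-match semantics inside each context, and an implicit accept when nothing matches; the rule names, addresses and policies in `demo()` are constructed for the example. The trace it returns plays the same role as the Packet Tester's Run Trace output described later on this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ACCEPT, DROP, REJECT, ACCEPT_DECISIVELY = "accept", "drop", "reject", "accept-decisively"
# Assumed evaluation order for this model; the page names the contexts but not the order.
CONTEXT_ORDER = ("global", "route-domain", "virtual-server", "self-ip")
ICMP_PROTOCOLS = {"icmp", "icmpv6"}


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dport: int = 0


@dataclass
class Rule:
    name: str
    action: str
    protocol: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range; None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dports is None or self.dports[0] <= pkt.dport <= self.dports[1]


def evaluate(policies: Dict[str, List[Rule]], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the contexts in CONTEXT_ORDER; return (verdict, trace of what happened)."""
    trace: List[str] = []
    for ctx in CONTEXT_ORDER:
        for rule in policies.get(ctx, []):
            if rule.protocol in ICMP_PROTOCOLS and ctx in ("virtual-server", "self-ip"):
                # The page states that ICMP/ICMPv6 rules on a self IP or virtual server are ignored.
                trace.append(f"{ctx}: rule {rule.name!r} ignored (ICMP is only honoured in global/route-domain)")
                continue
            if not rule.matches(pkt):
                continue
            trace.append(f"{ctx}: rule {rule.name!r} matched -> {rule.action}")
            if rule.action == ACCEPT:
                break  # accepted in this context, but the next context still evaluates the packet
            if rule.action == ACCEPT_DECISIVELY:
                trace.append("remaining contexts skipped")
                return ACCEPT, trace
            if rule.action == REJECT:
                trace.append("destination unreachable sent to the sender")
                return REJECT, trace
            return DROP, trace  # silent: neither side is notified
    # Assumption in this model: no match in any context means the packet is accepted.
    trace.append("no further match -> accept")
    return ACCEPT, trace


def demo() -> Dict[str, str]:
    """Constructed scenario: the same SSH packet under Accept and under Accept Decisively."""
    admin_ssh = Rule("admin-ssh", ACCEPT, "tcp", src="10.0.0.0/8", dports=(22, 22))
    vs_block_ssh = Rule("vs-block-ssh", DROP, "tcp", dports=(22, 22))
    vs_drop_icmp = Rule("vs-drop-icmp", DROP, "icmp")
    rd_reject_telnet = Rule("rd-reject-telnet", REJECT, "tcp", dports=(23, 23))
    policies = {
        "global": [admin_ssh],
        "route-domain": [rd_reject_telnet],
        "virtual-server": [vs_block_ssh, vs_drop_icmp],
    }
    ssh = Packet("tcp", "10.1.1.1", "192.0.2.10", 22)
    results = {"accept-then-vs-drop": evaluate(policies, ssh)[0]}
    policies["global"] = [Rule("admin-ssh", ACCEPT_DECISIVELY, "tcp", src="10.0.0.0/8", dports=(22, 22))]
    results["accept-decisively"] = evaluate(policies, ssh)[0]
    results["icmp-rule-ignored"] = evaluate(policies, Packet("icmp", "10.1.1.1", "192.0.2.10"))[0]
    results["telnet-rejected"] = evaluate(policies, Packet("tcp", "10.1.1.1", "192.0.2.10", 23))[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

    The first scenario is the one that matters operationally: a global Accept for administrative SSH is still overridden by a Drop in the virtual server context, whereas Accept Decisively in the global context ends evaluation there. The ICMP case shows why a Drop for ICMP placed on a virtual server gives no protection in this model, and the Reject case shows the one action that sends something back to the sender.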
  107. To apply custom timeouts or port misuse profiles to flows that match this rule, from the
    Service Policy
    field, specify a service policy.
  108. To apply a protocol inspection profile to check protocol inspection signatures against traffic that matches the rule, select a Protocol Inspection Profile.
  109. To apply a classification policy to traffic that matches the rule, select a Classification Policy.
  110. From the
    Log Configuration Changes
    list, specify the logging option for firewall ruleset compilation and deployment configuration changes.
    • Select
      Automatic
      to specify that configuration changes are logged only if
      Firewall Compilation Mode
      or
      Firewall Deployment Mode
      is set to
      Manual
      .
    • Select
      On
      to specify that policy configuration changes are always logged.
    • Select
      Off
      to specify that policy configuration changes are not logged.
  111. Select the log publisher to which to log policy configuration changes.
    This field appears only if you specify the
    Log Configuration Changes
    setting as
    Automatic
    or
    On
    .
  112. From the
    Logging
    list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  113. In the
    Logging
    column, check
    Logging
    to enable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  114. Click
    Update
    .
    The list screen and the updated item are displayed.
  115. Click
    Update
    .
    The options are updated.
  116. Click
    Commit Changes to System
    .
    The policy with the updated rule is displayed.
  117. Click
    Finished
    .
    The list screen and the new item are displayed.
  118. Click
    Finished
    .
    The list screen and the new item are displayed. You can view matched users and groups in local and remote logs, and reports for firewall rules.
  119. Click
    Create
    .
    The New Source Translation screen opens.
  120. From the
    Type
    list, select
    Static NAT
    .
  121. From the
    Type
    list, select
    Static PAT
    .
  122. From the
    Type
    list, select
    Dynamic PAT
    .
  123. From the
    PAT Mode
    list, select
    Deterministic
    .
  124. From the
    PAT Mode
    list, select
    NAPT
    .
  125. From the
    PAT Mode
    list, select
    Port Block Allocation
    .
  126. In the Port Block Allocation area, retain the first five default settings or, as necessary, change them to the appropriate values.
  127. For the last setting in the Port Block Allocation area,
    Periodic Refresh Log
    , type a number of minutes.
    The default value is
    0
    (disabled).
  128. In the
    Addresses
    field, add an address or address range on which source translation is performed. Click
    Add
    for each address or address range.
  129. In the
    Addresses
    field, add an address or address range on which destination translation is performed. Click
    Add
    for each address or address range.
  130. From the
    Translated Source
    list, select the source translation item to apply to matched traffic.
  131. From the
    Translated Destination
    list, select the destination translation item to apply to matched traffic.
  132. In the
    Ports
    field, add a port or port range on which source translation is performed. Click
    Add
    for each port or port range.
  133. In the
    Ports
    field, add a port or port range on which destination translation is performed. Click
    Add
    for each port or port range.
  134. From the
    ICMP Echo
    list, select whether to enable or disable ICMP echo on translated addresses.
  135. From the
    Egress interfaces
    area, specify the egress interfaces on which source translation is enabled or disabled. Select
    Enabled on
    or
    Disabled on
    to specify the egress interface setting.
    Egress interfaces include tunnels and VLANs.
  136. From the Inbound Mode list, select the persistence setting for NAT translation entries.
    • None
      disables persistence. With this setting, the mapping of address X and port x (X:x) to address:port X':x' is never guaranteed to persist from one session to the next.
    • Endpoint Independent Filtering
      specifies that the translation attempts to reuse both the address and port mapping (X:x to X':x') for subsequent packets sent from the same internal IP address and port. The BIG-IP system attempts to map X:x to X':x' in every session. This is called
      Endpoint Independent Mapping
      in
      RFC 4787, section 4.1
      .
  137. From the Mapping Mode list, select the mapping mode to determine how dynamic ports are assigned, and specify the timeout in seconds for the mapping mode.
    • Select
      Address Pooling Paired
      to enable all the sessions associated with an internal IP address to map to the same external IP address for the duration of the session.
    • Select
      Endpoint Independent Mapping
      to assign the same external address and port for all connections from the host if it uses the same internal port.
    • Select
      None
      to assign no mapping mode to dynamic port assignments.
  138. In the Port Block Allocation area, configure the settings for port blocks.
    Block Idle Timeout
    Specifies the amount of time in seconds that an assigned block of ports remains available when idle before it times out.
    Block Lifetime
    Specifies the lifetime in seconds of a block of ports.
    Block Size
    Specifies the number of ports per block. Each block is assigned to one client. A client can use all ports in a block multiplied by the number of available blocks (Block Limit), up to the connection limit, if one is set.
    Client Block Limit
    Specifies the number of blocks that can be assigned to a client.
    Zombie Timeout
    Specifies the timeout duration for a zombie port block, which is a timed out port block with one or more active connections. When the timeout duration expires, connections using the zombie block are killed and the zombie port block becomes an available port block. The default is
    0
    , which corresponds to an infinite timeout. The setting is ignored if the block lifetime is
    0
    .
  139. If required, in the
    Client Connection Limit
    field, specify the maximum number of simultaneous translated connections a client or subscriber is allowed to have.
    The default value of
    0
    specifies no limit.
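    Steps 136 through 139 describe settings that interact: endpoint-independent mapping reuses one public address and port for a given internal X:x, port block allocation hands each client whole blocks of ports, and the lifetime, idle, zombie and connection limits decide when a block is taken back. The simulator below is an added illustration for these steps; it is not F5 code and its integer-second clock, first-free block selection, and the assumption that a zombie block no longer counts toward the Client Block Limit are choices made for the example. Addresses and ports in the usage are constructed. One practical point it makes visible is why PBA is attractive for CGNAT logging: the log receives one line per block allocation or release instead of one line per connection.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ConnKey = Tuple[str, int, str, int]  # client ip, client port, destination ip, destination port


@dataclass
class Block:
    public_ip: str
    start: int
    size: int
    allocated_at: int
    last_active: int
    conns: Dict[ConnKey, int] = field(default_factory=dict)  # connection -> translated port
    zombie_since: Optional[int] = None  # set when the lifetime ends while connections remain


@dataclass
class PBATranslator:
    public_ips: List[str]
    block_size: int
    client_block_limit: int
    block_lifetime: int = 0            # seconds; 0 = blocks never expire
    block_idle_timeout: int = 3600     # seconds
    zombie_timeout: int = 0            # seconds; 0 = infinite (the page's default)
    client_connection_limit: int = 0   # 0 = no limit (the page's default)
    port_range: Tuple[int, int] = (1024, 65535)
    free: List[Tuple[str, int]] = field(default_factory=list)  # (public ip, first port) of unused blocks
    client_blocks: Dict[str, List[Block]] = field(default_factory=dict)
    eim: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)  # X:x -> X':x'
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        lo, hi = self.port_range
        self.free = [(ip, p) for ip in self.public_ips
                     for p in range(lo, hi - self.block_size + 2, self.block_size)]

    def _release(self, client: str, b: Block, now: int, why: str) -> None:
        self.client_blocks[client].remove(b)
        ports = range(b.start, b.start + b.size)
        self.eim = {k: v for k, v in self.eim.items() if not (v[0] == b.public_ip and v[1] in ports)}
        self.free.append((b.public_ip, b.start))
        self.log.append(f"t={now} FREE client={client} block={b.public_ip}:{b.start} ({why})")

    def tick(self, now: int) -> None:
        # Apply Block Lifetime, Block Idle Timeout and Zombie Timeout at time `now`.
        for client, blocks in list(self.client_blocks.items()):
            for b in list(blocks):
                if b.zombie_since is not None:
                    if self.zombie_timeout and now - b.zombie_since >= self.zombie_timeout:
                        self._release(client, b, now, f"zombie timeout, {len(b.conns)} connections killed")
                    continue
                expired = bool(self.block_lifetime) and now - b.allocated_at >= self.block_lifetime
                if not b.conns and now - b.last_active >= self.block_idle_timeout:
                    self._release(client, b, now, "idle timeout")
                elif expired and b.conns:
                    b.zombie_since = now  # lifetime over, but connections still use the block
                    self.log.append(f"t={now} ZOMBIE client={client} block={b.public_ip}:{b.start}")
                elif expired:
                    self._release(client, b, now, "lifetime expired")

    def _bind(self, b: Block, key: ConnKey, port: int, now: int) -> Tuple[str, int]:
        b.conns[key], b.last_active = port, now
        self.eim[(key[0], key[1])] = (b.public_ip, port)
        return (b.public_ip, port)

    def translate(self, client: str, cport: int, dst: str, dport: int, now: int) -> Optional[Tuple[str, int]]:
        # Return the (public ip, public port) for a connection, or None if the translator refuses it.
        self.tick(now)
        key: ConnKey = (client, cport, dst, dport)
        blocks = self.client_blocks.setdefault(client, [])
        for b in blocks:
            if key in b.conns:  # an existing connection keeps its translation
                b.last_active = now
                return (b.public_ip, b.conns[key])
        if self.client_connection_limit and sum(len(b.conns) for b in blocks) >= self.client_connection_limit:
            self.log.append(f"t={now} REFUSE client={client} connection limit reached")
            return None
        live = [b for b in blocks if b.zombie_since is None]
        mapped = self.eim.get((client, cport))  # Endpoint Independent Mapping: same X:x -> same X':x'
        for b in live:
            if mapped and mapped[0] == b.public_ip and mapped[1] in range(b.start, b.start + b.size):
                return self._bind(b, key, mapped[1], now)
        for b in live:
            port = next((p for p in range(b.start, b.start + b.size) if p not in b.conns.values()), None)
            if port is not None:
                return self._bind(b, key, port, now)
        # Assumption in this model: zombie blocks no longer count against Client Block Limit.
        if len(live) >= self.client_block_limit or not self.free:
            self.log.append(f"t={now} REFUSE client={client} no port block available")
            return None
        ip, start = self.free.pop(0)
        b = Block(ip, start, self.block_size, now, now)
        blocks.append(b)
        self.log.append(f"t={now} ALLOC client={client} block={ip}:{start}-{start + self.block_size - 1}")
        return self._bind(b, key, start, now)

    def close(self, client: str, cport: int, dst: str, dport: int, now: int) -> None:
        for b in self.client_blocks.get(client, []):
            if b.conns.pop((client, cport, dst, dport), None) is not None:
                b.last_active = now
```

    Run with `PBATranslator(["203.0.113.1"], block_size=4, client_block_limit=2, block_lifetime=100, zombie_timeout=30, port_range=(1024, 1039))` and a single client opening connections from successive source ports: the first four connections share block 1024-1027, the fifth triggers a second ALLOC, and the ninth is refused because the client already holds its two blocks. Two connections from the same internal port to different destinations receive the same public port, which is the endpoint-independent mapping behaviour of RFC 4787 section 4.1 that step 136 refers to. Calling `tick(100)` turns the first block into a zombie because it still carries connections, and `tick(130)` kills those connections and returns the block to the free list, which is exactly the effect of a non-zero Zombie Timeout.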
  140. From the
    Hairpin Mode
    list, enable or disable hairpin mode.
    When a client sends a packet to another client in the same private network,
    hairpin mode
    sends the packet directly to the destination client's private address; the BIG-IP system immediately translates the packet's public-side destination address. Rather than going out to the public network and coming back later for translation, the packet takes a hairpin turn at the BIG-IP device.
  141. In the Backup Address field, specify backup IP addresses.
    This setting creates a pool of IP addresses available for backup members, which are used if Deterministic mode translation fails and falls back to NAPT mode. This is a collection of IP prefixes with their prefix lengths. You can type backup members in the
    Add a Backup IP Address
    field, and click
    Add
    .
  142. Click
    Create
    .
    The New Destination Translation screen opens.
  143. From the
    Type
    list, select
    Static NAT
    .
  144. From the
    Type
    list, select
    Static PAT
    .
  145. Click
    Submit
    .
  146. On the Main tab, click
    Network
    Network Security
    Packet Tester
    .
    The Packet Tester screen opens.
  147. From the
    Protocol
    list, select
    TCP
    .
  148. From the
    Protocol
    list, select
    UDP
    .
  149. From the
    Protocol
    list, select
    SCTP
    .
  150. From the
    Protocol
    list, select
    ICMP
    .
  151. Select any TCP flags to set in the TCP packet.
    You can select
    SYN
    ,
    ACK
    ,
    RST
    ,
    URG
    ,
    PUSH
    ,
    FIN
    , or a combination.
  152. For the
    Source
    setting, specify the source
    IP Address
    from which the test packet should appear to originate.
  153. Specify the source
    Port
    from which the test packet should appear to originate.
  154. From the list select the source
    VLAN
    from which the test packet should appear to originate.
  155. In the
    TTL
    field, specify the time to live for the test packet in seconds.
    The default setting is
    255
    seconds.
  156. For the
    Destination
    setting, specify the destination
    IP Address
    to which the test packet should appear to be sent.
  157. In the
    Destination
    setting, specify the destination
    Port
    to which the test packet should appear to be sent.
  158. In the
    Trace Options
    setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  159. In the
    Trace Options
    setting, specify whether to trigger logging for the packet, based on the packet test results.
  160. Click
    Run Trace
    to run the packet test.
  161. On the Main tab, click
    Security
    Options
    Network Firewall
    .
The new source translation item appears on the Source Translation screen.
Associate the source translation item to a NAT policy, and associate the policy to a virtual server, route domain, or to the global context.