Manual Chapter : Policies and Rules

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 15.0.0
Manual Chapter

Policies and Rules

About policies and rules

AFM Network Firewall uses industry standard firewall policies containing ordered lists of firewall rules or rule lists. Network Firewall policies control network access to your data center using the criteria specified in the associated rules or rule lists. Once created, BIG-IP AFM network firewall policies are applied to BIG-IP system access points, or contexts, such as a virtual server, Self IP address or the entire device at the global context.

Staging policies

You can also stage a firewall policies in any contexts. This allows you to view hit rate statistics and verify the potential impact a new policy may have on traffic processing.

Management port

Management port rules are configured directly on the management port context itself, as a result, policies can not be associated with the management port.

About AFM Network Firewall contexts

Because AFM Network Firewall policies can be applied to a variety of different contexts and policies may at times overlap, it is important to understand the order of processing for each context.
Order processed
Firewall context
Description
1st
Global
Applies to all traffic being processed.
2nd
Route Domain
Applies to a specific route domain.
3rd
Virtual Server/Self IP
Applies to a virtual server or Self IP address.
Independent
Management Port
Applied to the BIG-IP system management port.
AFM Network Firewall processes policies in order, progressing from the global, to the route domain, and then to the virtual server/Self IP context. Management port rules are processed separately. You can enforce a firewall policy on any context except the management port.

AFM Network Firewall rule actions

These listed actions are available in a firewall rule.
AFM Network Firewall actions are processed within a context. If traffic matches a firewall rule within a given context, that action is applied to the traffic, and the traffic is processed again at the next context.
Firewall action
Description
Accept
Packets that match the rule are accepted and traverse the system as if the firewall is not present.
Drop
Packets that match the rule are dropped. Dropping a packet is a silent action with no notification to the source system. This causes the connection to be retried until the retry threshold is reached.
Reject
Packets that match the rule are rejected. Rejecting a more graceful way to deny packets as it sends a destination unreachable message to the source system.
Accept Decisively
Packets that match the rule are accepted decisively and traverse the system as if the firewall is not present. Packets are not processed by rules in any further context after the accept decisively action applies. For example, if you want to allow all packets from Network A to reach every server behind your firewall, you can specify a rule that accepts decisively at the global context, from Network A to any port and address. Then, you can specify that all traffic is blocked at a specific virtual server, using the virtual server context. Because traffic from Network A is accepted decisively at the global context, that traffic still traverses the virtual server.

AFM Network Firewall rule UUIDs

To improve troubleshooting and auditing, firewall rules can be identified using a 32 character Universally Unique Identification Number (UUID). For example:
01727c12-8c34-69cc-1ec2-160b2d2014aa
When network packets match firewall rules with UUIDs, the resulting log messages will contain the matching rule's UUID. This provides much greater visibility into firewall events.
To add UUIDs to log messages, you must also enable the
Log UUID Field
option in the AFM logging profile.
The following table lists some of the UUID behaviors as they relate to the BIG-IP system.
System Feature
Description
High-availability (HA)
UUIDs are shared between devices in an HA configuration
Configuration
UUIDs remain in the configuration. They can be restored with a UCS installation for example.
Logging
UUID logging can be enabled, allowing you to match events to specific rules.
Editing
UUIDs can not be edited.
Resource utilization
UUID generation and logging slightly increase CPU utilization and disk space utilization.
You can enable UUIDs per rule, or enable UUID generation to automatically occur when a new rule is created. To enable automatic UUID creation for all rules, navigate to
Security
Options
Firewall Options
Auto Generate UUID
.

AFM Network Firewall rule options

These listed options are available in a firewall rule.
AFM Network Firewall rule options are used to designate very specific packet matching criteria and the action to take once a packet match is made.
Firewall rule option
Description
Name
Specify the name of the rule.
Auto Generate UUID
Identify each firewall rule with a 36 character Universally Unique Identification Number (UUID).
Description
Specify descriptive text for the rule.
Order
Specify the order of the rule in the list.
State
Specify the state of the rule. Options include:
  • Enabled - The system applies the firewall rule.
  • Disabled - The system does not apply the firewall rule.
  • Scheduled - The system applies the firewall rule based on schedule
Protocol
Specify the protocol to which the rule applies. Options include over 250 protocols.
Source
Specify the packet source to which the rule applies. Options include:
  • Subscriber - Specify subscriber or group ID.
  • Address/Region - Specify IPv4 / IPv6 addresses or geographical regions.
  • VLAN/Tunnel - Specify a VLAN or tunnel
Destination
Specify the packet destination to which the rule applies. This includes IPv4 / IPv6 addresses or geographical regions.
iRule
Specify an iRule to execute when the rule is matched.
Action
Specify a standard firewall rule action: Accept, Drop, Reject or Accept Decisively.
Send to Virtual
Specify a virtual server to which matching traffic is sent. This option is only available for rules used in global or route domain contexts.
Logging
Specify whether logging is enabled or disabled for the firewall rule.
Service Policy
Specify a service policy that applies when the rule is matched.
Protocol Inspection Profile
Specify a protocol inspection profile that applies when the rule is matched.
Classification Policy
Specify a classification policy that applies when the rule is matched.

About rule lists

AFM Network Firewall uses rule lists to collect multiple firewall rules. While you can create firewall policies containing multiple firewall rule entries, F5 recommends creating and associating rule lists with your firewall policies to simplify administration.

Create a rule list

You can create an AFM Network Firewall rule list, to which you can add multiple firewall rules. The new rule list can be referenced when modifying or creating a firewall policy.
  1. On the Main tab, click
    Security
    Network Firewall
    Rule Lists
    .
    The Rule Lists screen opens.
  2. Click the
    Create
    button to create a new rule list.
  3. In the
    Name
    and
    Description
    fields, type the name and an optional description.
  4. Click
    Finished
    .
    The empty firewall rule list is displayed.
The new rule list appears in the Rule Lists.
Next, add one or more firewall rules to the rule list that define firewall actions.
Add rules to a rule list
You can add one or more firewall rules to a rule list. The rule list will be associated with a policy later.
  1. On the Main tab, click
    Security
    Network Firewall
    Rule Lists
    .
    The Rule Lists screen opens.
  2. From the list, click the name of a rule list you previously created.
    The Rule List properties screen opens.
  3. In the Rules area, click
    Add
    to add a firewall rule to the list.
  4. In the
    Name
    and
    Description
    fields, type the name and an optional description.
  5. From the
    Order
    list, set the order for the firewall rule.
    You can specify that the rule be first or last in the rule list, or before or after a specific rule.
  6. From the
    State
    list, select the rule state.
    • Select
      Enabled
      to apply the firewall rule to the given context and addresses.
    • Select
      Disabled
      to set the firewall rule to not apply at all.
    • Select
      Scheduled
      to apply the firewall rule according to the selected schedule.
  7. From the
    Protocol
    list, select the protocol to which the firewall rule applies.
    • Select
      Any
      to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the
    global
    or
    route domain
    context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  8. From the Source
    Address/Region
    list, select
    Specify
    .
  9. Click
    Address List
    and select the appropriate address list object
  10. Click
    Add
    .
  11. From the Source
    Port
    list, select
    Specify
    .
  12. Click
    Port List
    and select the appropriate port list object.
  13. From the Destination
    Address/Region
    list, select specify.
  14. Click
    Address List
    and select the appropriate address list object.
  15. Click
    Add
    .
  16. From the Destination
    Port
    list, select
    Specify
    .
  17. Click
    Port List
    and select the appropriate port list object.
  18. Click
    Add
    .
  19. Optional. Select an iRule to trigger when the firewall rule matches.
    iRule sampling (available when an iRule is selected) allows you to specify how frequently an iRule is triggered when the rule matches. For example, if the value 5 is entered, the iRule triggers every 5th match.
  20. From the
    Action
    list, select the firewall action to perform on matching traffic.
  21. From the
    Logging
    list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  22. Click
    Finished
    .
    The list screen and the new item are displayed.
A new firewall rule is created, and appears in the Rules list.
Next, create a firewall policy to reference the rule list.

Create a policy

You can create an AFM Network Firewall policy that references one or more rule lists. Policies can be then be applied globally, to a virtual server, a route domain, or a self IP address.
  1. On the Main tab, click
    Security
    Network Firewall
    Policies
    .
    The Policies screen opens.
  2. Click
    Create
    to create a new policy.
  3. Type a name and optional description for the firewall policy.
  4. Click
    Finished
    .
The Policies screen shows the new policy in the policy list.
Next, add the firewall rule list to the policy.

Activate a rule list in a firewall policy

You can add one or more rule lists to a firewall policy. After the rule list is added, you will be asked by the AFM system to commit the changes, activating the firewall policy.
You must apply the firewall policy to one of the AFM system contexts to have it apply to traffic processing.
  1. On the Main tab, click
    Security
    Network Firewall
    Policies
    .
    The Policies screen opens.
  2. Click the name of a firewall policy to edit that policy.
    The Firewall Policy screen opens, or the policy expands on the screen.
  3. Click
    Add Rule List
    .
    Click the down arrow button to put the Rule List at either the top or bottom of the current list.
  4. Under
    Name
    , enter the name of an existing Rule List.
    To view the available Rule Lists, click the
    <<
    icon to the far right of the screen and then click
    Rule List
    .
  5. Click
    Commit Changes to System
    at the top of the page.
  6. Under
    ID
    , verify the new Rule List is in the proper order.
    You can drag and drop Rule Lists to reorder them.
The firewall rule list and policy are now activated.