F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP AFM: Network Firewall Policies and Implementations
  3. Protocol Security
  4. About protocol anomaly inspection
  5. Assign a protocol inspection profile to a firewall rule
Manual Chapter : Assign a protocol inspection profile to a firewall rule

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Assign a protocol inspection profile to a firewall rule

This task requires an existing network firewall policy.
Assign protocol inspection to a firewall rule to check protocol inspection items on traffic that matches the rule.
  1. On the Main tab, click
    Security
    Network Firewall
    Policies
    .
    The Policies screen opens.
  2. Click the name of a firewall policy to edit that policy.
    The Firewall Policy screen opens, or the policy expands on the screen.
  3. Click
    Add Rule
     to add a firewall rule to the policy.
    A blank rule appears in the policy.
  4. In the
    Name
     column, type the name and an optional description in the fields.
  5. From the
    State
     list, select the rule state.
    • Select
      Enabled
       to apply the firewall rule to the given context and addresses.
    • Select
      Disabled
       to set the firewall rule to not apply at all.
    • Select
      Scheduled
       to apply the firewall rule according to the selected schedule.
  6. From the
    Protocol
     list, select the protocol to which the firewall rule applies.
    • Select
      Any
       to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the
    global
     or
    route domain
     context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  7. In the
    Source
     field, specify the addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, a geographic location, a subscriber or subscriber group, an address list, or port list. After you complete an entry, click
    Add
    .
    You cannot specify a mix of IPv6 and IPv4 address types in a single NAT rule.
  8. In the
    Destination
     field, begin typing to specify a destination address.
    As you type, options will appear that match your input. Select the destination option you want to use when it appears, or press Return. You can add more addresses by typing in the field labeled
    add new destination
    .
    A destination address can be any of the following:
    • Any address
    • IPv4 or IPv6 address
    • IPv4 or IPv6 address range
    • FQDN
    • Geographic location
    • VLAN
    • Address list
    • Port
    • Port range
    • Port list
    • Address list
  9. From the
    Action
     list, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose from one of the these actions:
    Accept
    Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop
    Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject
    Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
    Accept Decisively
    Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  10. Optionally, to apply an iRule to traffic matched by this rule, from the
    iRule
     list, select an iRule.
  11. Optionally, to send traffic matched by this rule to a specific virtual server, from the
    Send to Virtual
     list, select the virtual server.
    Traffic that is sent to a virtual server is processed according to the DDoS rules and firewall rules on that virtual server, not according to the originating context.
  12. To apply custom timeouts or port misuse profiles to flows that match this rule, from the
    Service Policy
     field, specify a service policy.
  13. To apply a protocol inspection profile to check protocol inspection signatures against traffic that matches the rule, select a Protocol Inspection Profile.
  14. To apply a classification policy to traffic that matches the rule, select a Classification Policy.
  15. Click
    Done Editing
    .
  16. Click
    Commit Changes to System
    .
    The policy with the updated rule is displayed.
A firewall rule is created with a Protocol Inspection Profile attached.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information