Manual Chapter : Applying AFM Network Firewall Policies

Applies To:

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Apply an AFM firewall policy globally

You can assign a firewall policy globally; this affects all traffic processed by the AFM system.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  2. Under Filter Active Rules List, click the Global link.
    The Global Firewall Rules screen opens.
  3. To enforce rules from a firewall policy in the selected context, in the Network Firewall area, from the Enforcement list, select Enabled, and then select the firewall policy to enforce from the Policy list.
  4. To stage rules from a firewall policy in the selected context, in the Network Firewall area, from the Staging list, select Enabled, and then select the firewall policy to stage from the Policy list.
The policy rules you selected are enforced at the global level. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

Apply an AFM firewall policy to a virtual server

Ensure that you have created a virtual server.
You can assign a firewall policy to a specific virtual server, also known as a protected object, enforcing the policy only on traffic processed by that protected object.
  1. On the Main tab, click Local Traffic > Virtual Servers.
  2. Click the name of the virtual server to which you want to assign the firewall policy.
  3. On the menu bar at the top of the page, click Security > Policies.
  4. To enforce rules from a firewall policy on the virtual server, in the Network Firewall area, from the Enforcement list, select Enabled, then select the firewall policy to enforce from the Policy list.
  5. To stage rules from a firewall policy on the virtual server, in the Network Firewall area, from the Staging list, select Enabled, then select the firewall policy to stage from the Policy list.
  6. Click Update to save the changes.
The policy rules you selected are enforced on the virtual server. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

Apply a firewall policy to a Self IP

Ensure that you have created a self IP address.
You can assign a firewall policy to a self IP, enforcing the policy on traffic passing through that self IP.
  1. On the Main tab, click Network > Self IPs.
  2. Click the self IP address to which you want to add a network firewall policy.
  3. Click the Security tab.
  4. To enforce rules from a firewall policy on the self IP: in the Network Firewall area, from the Enforcement list, select Enabled, and then from the Policy list, select the firewall policy to enforce.
  5. To stage rules from a firewall policy on the self IP: in the Network Firewall area, from the Staging list, select Enabled, and then from the Policy list, select the firewall policy to stage.
  6. Click Update to save the changes to the self IP.
The policy rules you selected are enforced at the self IP level. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

Apply a policy to a route domain

Ensure that you have created a route domain.
You can assign a firewall policy to a route domain, enforcing the policy only on traffic in that route domain.
  1. On the Main tab, click Network > Route Domains.
    The Route Domain List screen opens.
  2. Click the name of the route domain to show the route domain configuration.
  3. Click the Security tab.
  4. To enforce rules from a firewall policy on the route domain: in the Network Firewall area, from the Enforcement list, select Enabled, and then select the firewall policy to enforce from the Policy list.
  5. To stage rules from a firewall policy on the route domain: in the Network Firewall area, from the Staging list, select Enabled, and then select the firewall policy to stage from the Policy list.
  6. Click Update to save the changes to the route domain.
The policy rules you selected are enforced at the route domain level. If you chose to stage policy rules, the results of those rules are logged, but not enforced.
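The four procedures above (global, virtual server, self IP and route domain) set the same pair of enforced/staged policy settings on different objects; the following POSIX shell helper, added here and not part of the F5 manual, generates the tmsh equivalents and shows a stage-then-promote workflow in which a policy is logged-only first and enforced after its hits have been reviewed. The tmsh property names (enforced-policy / staged-policy on security firewall global-rules; fw-enforced-policy / fw-staged-policy on ltm virtual, net self and net route-domain) and the object names /Common/vs_web and /Common/web_fw_policy are assumptions.

```shell
#!/bin/sh
# Added example, not from the F5 manual. The tmsh property names below are
# assumptions from tmsh usage on BIG-IP AFM, not taken from this chapter.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them with tmsh.
DRY_RUN="${DRY_RUN:-1}"

# afm_policy_cmd CONTEXT OBJECT MODE POLICY -> tmsh command (without "tmsh")
# CONTEXT: global | virtual | self | route-domain    MODE: enforced | staged
# OBJECT is ignored for the global context. POLICY "none" clears the setting.
afm_policy_cmd() {
  ctx="$1"; obj="$2"; mode="$3"; policy="$4"
  case "$mode" in
    enforced|staged) ;;
    *) echo "bad mode: $mode (use enforced or staged)" >&2; return 1 ;;
  esac
  case "$ctx" in
    global)       echo "modify security firewall global-rules ${mode}-policy ${policy}" ;;
    virtual)      echo "modify ltm virtual ${obj} fw-${mode}-policy ${policy}" ;;
    self)         echo "modify net self ${obj} fw-${mode}-policy ${policy}" ;;
    route-domain) echo "modify net route-domain ${obj} fw-${mode}-policy ${policy}" ;;
    *) echo "bad context: $ctx" >&2; return 1 ;;
  esac
}

# Print (dry run) or execute one tmsh command.
run_tmsh() {
  if [ "$DRY_RUN" = "1" ]; then printf 'tmsh %s\n' "$1"; else tmsh $1; fi
}

# Stage a policy on a context: matching rules are logged but not enforced,
# so their hits can be reviewed in the firewall log before promotion.
stage_policy() { run_tmsh "$(afm_policy_cmd "$1" "$2" staged "$3")"; }

# Promote a reviewed policy: make it the enforced policy and clear the
# staged slot so the same rules are not evaluated (and logged) twice.
promote_policy() {
  run_tmsh "$(afm_policy_cmd "$1" "$2" enforced "$3")" &&
  run_tmsh "$(afm_policy_cmd "$1" "$2" staged none)"
}

# Constructed example: stage a policy on a virtual server, then promote it.
stage_policy virtual /Common/vs_web /Common/web_fw_policy
promote_policy virtual /Common/vs_web /Common/web_fw_policy
```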

Apply an AFM firewall policy to the management port

Create a network firewall management port rule to manage access from an IP or web network address to the BIG-IP management port. You cannot add rules created with this task to a rule list at a later time. You must create rules for a rule list from within the rule list.
You can only add management port rules as inline rules. For all other contexts, you must add rules to policies.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  2. From the Context list, select Management Port.
  3. In the Rules area, click Add to add a firewall rule to the list.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the Order list, select the order in which the rule is processed.
  6. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  7. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  8. From the Source Address/Region list, select Specify.
  9. Click Address List and select the appropriate address list object.
  10. Click Add.
  11. From the Source Port list, select Specify.
  12. Click Port List and select the appropriate port list object.
  13. Click Add.
  14. From the Destination Address/Region list, select Specify.
  15. Click Address List and select the appropriate address list object.
  16. Click Add.
  17. From the Destination Port list, select Specify.
  18. Click Port List and select the appropriate port list object.
  19. Click Add.
  20. From the Action list, select the firewall action to perform on matching traffic.
  21. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  22. Click Finished.
The new firewall rule is enforced on the BIG-IP AFM system management port.