Manual Chapter :
Applying AFM Network Firewall Policies
Applies To:
Show VersionsBIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Applying AFM Network Firewall Policies
Apply an AFM firewall policy globally
You can assign a firewall policy globally, this affects all traffic processed by the AFM system.
- On the Main tab, click.The Active Rules screen opens.
- UnderFilter Active Rules List, click theGloballink.TheGlobal Firewall Rulesscreen opens.
- To enforce rules from a firewall policy in the selected context, in the Network Firewall area: from theEnforcementlist, selectEnabledand then select the firewall policy to enforce from thePolicylist.
- To stage rules from a firewall policy in the selected context, in the Network Firewall area: from theStaginglist, selectEnabledand then select the firewall policy to stage from thePolicylist.
The policy rules you selected are enforced at the global level. If you chose to stage policy rules, the results of those
rules are logged, but not enforced.
Apply an AFM firewall policy to a virtual server
Ensure that you have created a virtual server.
You can assign a firewall policy to a specific virtual server, also known as a protected object, enforcing the policy only on traffic processed by that protected object.
- On the Main tab, click
- Click the name of the virtual server to assign the firewall policy.
- On the menu bar at the top of the page, click
- To enforce rules from a firewall policy on the virtual server, in the Network Firewall area, from theEnforcementlist, selectEnabled, then select the firewall policy to enforce from thePolicylist.
- To stage rules from a firewall policy on the virtual server, in the Network Firewall area, from theStaginglist, selectEnabled, then select the firewall policy to stage from thePolicylist.
- ClickUpdateto save the changes.
The policy rules you selected are enforced on the virtual server. If you chose to stage policy
rules, the results of those rules are logged, but not enforced.
Apply a firewall policy to a Self IP
Ensure that you have created a self IP address.
You can assign a firewall policy to a self IP, enforcing the policy on traffic passing through that self IP.
traffic.
- On the Main tab, click.
- Click on the self IP address to which you want to add a network firewall policy.
- Click theSecuritytab.
- To enforce rules from a firewall policy on the self IP: In the Network Firewall area, from theEnforcementlist, selectEnabled, and then from thePolicylist, select the firewall policy to enforce.
- To stage rules from a firewall policy on the self IP: In the Network Firewall area, from theStaginglist, selectEnabled, and then from thePolicylist, select the firewall policy to stage.
- ClickUpdateto save the changes to the self IP.
The policy rules you selected are enforced at the self IP level. If you chose to stage policy rules, the results of those
rules are logged, but not enforced.
Apply a policy to a route domain
Ensure that you have created a route domain.
You can assign a firewall policy to a route domain, enforcing the policy only on traffic in that route domain.
- On the Main tab, click.The Route Domain List screen opens.
- Click the name of the route domain to show the route domain configuration.
- Click the Security tab.
- To enforce rules from a firewall policy on the route domain: in the Network Firewall area: from theEnforcementlist, selectEnabledand then select the firewall policy to enforce from thePolicylist.
- To stage rules from a firewall policy on the route domain: in the Network Firewall area, from theStaginglist, selectEnabledand then select the firewall policy to stage from thePolicylist.
- ClickUpdateto save the changes to the route domain.
The policy rules you selected are enforced at the route domain level. If you chose to stage policy rules, the results of those
rules are logged, but not enforced.
Apply an AFM firewall policy to the management port
Create a network firewall management port rule to manage access from an IP or web network
address to the BIG-IP management port. You cannot add
rules created with this task to a rule list at a later time. You must create rules for a rule
list from within the rule list.
You can only add management port
rules as inline rules. For all other contexts, you must add rules to policies.
- On the Main tab, click.The Active Rules screen opens.
- From theContextlist, selectManagement Port.
- In the Rules area, clickAddto add a firewall rule to the list.
- In theNameandDescriptionfields, type the name and an optional description.
- From theOrderlist, select the order in which the rule is processed
- From theStatelist, select the rule state.
- SelectEnabledto apply the firewall rule to the given context and addresses.
- SelectDisabledto set the firewall rule to not apply at all.
- SelectScheduledto apply the firewall rule according to the selected schedule.
- From theProtocollist, select the protocol to which the firewall rule applies.
- SelectAnyto apply the firewall rule to any protocol.
- Select the protocol name to apply the rule to a single protocol.
ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with theglobalorroute domaincontext. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself. - From the SourceAddress/Regionlist, selectSpecify.
- ClickAddress Listand select the appropriate address list object
- ClickAdd.
- From the SourcePortlist, selectSpecify.
- ClickPort Listand select the appropriate port list object.
- ClickAdd.
- From the DestinationAddress/Regionlist, select specify.
- ClickAddress Listand select the appropriate address list object.
- ClickAdd.
- From the DestinationPortlist, selectSpecify.
- ClickPort Listand select the appropriate port list object.
- ClickAdd.
- From theActionlist, select the firewall action to perform on matching traffic.
- From theLogginglist, enable or disable logging for the firewall rule.A logging profile must be enabled to capture logging info for the firewall rule.
- ClickFinished
The new firewall policy is being enforced on the BIG-IP AFM system management port.