Manual Chapter :
Policies and Rules
Applies To:
Show Versions
BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Policies and Rules
About policies and rules
AFM Network Firewall uses industry standard firewall policies containing ordered lists of firewall rules or rule lists. Network Firewall policies control network access to your data center using the criteria specified in the associated rules or rule lists. Once created, BIG-IP AFM network firewall policies are applied to BIG-IP system access points, or contexts, such as a virtual server, Self IP address or the entire device at the global context.
Staging policies
You can also stage a firewall policies in any contexts. This allows you to view hit rate statistics and verify the potential impact a new policy may have on traffic processing.
Management port
Management port rules are configured directly on the management port context itself, as a result, policies can not be associated with the management port.
About AFM Network Firewall contexts
Because AFM Network Firewall policies can be applied to a variety of different contexts and policies may at times overlap, it is important to understand the order of processing for each context.
Order processed | Firewall context | Description |
|---|---|---|
1st | Global | Applies to all traffic being processed. |
2nd | Route Domain | Applies to a specific route domain. |
3rd | Virtual Server/Self IP | Applies to a virtual server or Self IP address. |
Independent | Management Port | Applied to the BIG-IP system management port. |
AFM Network Firewall processes policies in order, progressing from the global, to the
route domain, and then to the virtual server/Self IP context. Management port
rules are processed separately. You can enforce a
firewall policy on any context except the management port.
AFM Network Firewall rule actions
These listed actions are available in a firewall rule.
AFM Network Firewall actions are processed within a context. If traffic matches a firewall rule within
a given context, that action is applied to the traffic, and the traffic is processed again
at the next context.
Firewall action | Description |
|---|---|
Accept | Packets that match the rule are
accepted and traverse the system as if the firewall is not
present. |
Drop | Packets that match the rule are dropped. Dropping a
packet is a silent action with no notification to the source system.
This causes the connection to be retried until the retry threshold is
reached. |
Reject | Packets that match the rule are rejected. Rejecting is
a more graceful way to deny packets as it sends a destination
unreachable message to the source system. |
Accept Decisively | Packets that match the rule are accepted
decisively and traverse the system as if the firewall is not present. Packets
are not processed by rules in any further context after the accept
decisively action applies. For example, if
you want to allow all packets from Network A to reach every server behind your
firewall, you can specify a rule that accepts decisively at the global context, from
Network A to any port and address. Then, you can specify that all traffic is
blocked at a specific virtual server, using the virtual server context. Because
traffic from Network A is accepted decisively at the global context, that traffic
still traverses the virtual server. |
AFM Network Firewall rule UUIDs
To improve troubleshooting and auditing, firewall rules can be identified using a 32 character Universally Unique Identification Number (UUID). For example:
01727c12-8c34-69cc-1ec2-160b2d2014aa
When network packets match firewall rules with UUIDs, the resulting log messages will contain the matching rule's UUID. This provides much greater visibility into firewall events.The following table lists some of the UUID behaviors as they relate to the BIG-IP system.
To add UUIDs to log messages, you must also enable
the
Log UUID Field
option in the AFM logging profile.System Feature | Description |
|---|---|
High-availability (HA) | UUIDs are shared between devices in an HA configuration |
Configuration | UUIDs remain in the configuration. They can be restored with a UCS installation for example. |
Logging | UUID logging can be enabled, allowing you to match events to specific rules. |
Editing | UUIDs can not be edited. |
Resource utilization | UUID generation and logging slightly increase CPU utilization and disk space utilization. |
You can enable UUIDs per rule, or enable UUID generation to automatically occur when a new rule is created. To enable automatic UUID creation for all rules, navigate to
.
AFM Network Firewall rule options
These listed options are available in a firewall rule.
AFM Network Firewall rule options are used to designate very specific packet matching criteria and the action to take once a packet match is made.
Firewall rule option | Description |
|---|---|
Name | Specify the name of the rule. |
Auto Generate UUID |
Identify each firewall rule with a 36 character Universally Unique Identification Number (UUID). |
Description | Specify descriptive text for the rule. |
Order | Specify the order of the rule in the list. |
State | Specify the state of the rule. Options include:
|
Protocol | Specify the protocol to which the rule applies. Options include over 250 protocols. |
Source | Specify the packet source to which the rule applies. Options include:
|
Destination | Specify the packet destination to which the rule applies. This includes IPv4 / IPv6 addresses or geographical regions. |
iRule | Specify an iRule to execute when the rule is matched. |
Action | Specify a standard firewall rule action: Accept, Drop, Reject or Accept Decisively. |
Send to Virtual | Specify a virtual server to which matching traffic is sent. This option is only available for rules used in global or route domain contexts. |
Logging | Specify whether logging is enabled or disabled for the firewall
rule. |
Service Policy | Specify a service policy that applies when the rule is matched. |
Protocol Inspection Profile | Specify a protocol inspection profile that applies when the rule is matched. |
Classification Policy | Specify a classification policy that applies when the rule is matched. |
About rule lists
AFM Network Firewall uses rule
lists to collect multiple firewall rules. While you can create firewall policies containing multiple firewall rule entries, F5 recommends creating and associating rule lists with your firewall policies to simplify administration.
Create a rule list
You can create an AFM Network Firewall rule list, to which you can add multiple firewall
rules. The new rule list can be referenced when modifying or creating a firewall policy.
- On the Main tab, click .The Rule Lists screen opens.
- Click theCreatebutton to create a new rule list.
- In theNameandDescriptionfields, type the name and an optional description.
- ClickFinished.The empty firewall rule list is displayed.
The new rule list appears in the Rule Lists.
Next, add one or more firewall rules to the rule list that define firewall
actions.
Add rules to a rule list
You can add one or more firewall rules to a rule list. The rule list will be associated with a policy later.
- On the Main tab, click .The Rule Lists screen opens.
- From the list, click the name of a rule list you previously created.The Rule List properties screen opens.
- In the Rules area, clickAddto add a firewall rule to the list.
- In theNameandDescriptionfields, type the name and an optional description.
- From theOrderlist, set the order for the firewall rule.You can specify that the rule be first or last in the rule list, or before or after a specific rule.
- From theStatelist, select the rule state.
- SelectEnabledto apply the firewall rule to the given context and addresses.
- SelectDisabledto set the firewall rule to not apply at all.
- SelectScheduledto apply the firewall rule according to the selected schedule.
- From theProtocollist, select the protocol to which the firewall rule applies.
- SelectAnyto apply the firewall rule to any protocol.
- Select the protocol name to apply the rule to a single protocol.
ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with theglobalorroute domaincontext. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself. - From the SourceAddress/Regionlist, selectSpecify.
- ClickAddress Listand select the appropriate address list object
- ClickAdd.
- From the SourcePortlist, selectSpecify.
- ClickPort Listand select the appropriate port list object.
- From the DestinationAddress/Regionlist, select specify.
- ClickAddress Listand select the appropriate address list object.
- ClickAdd.
- From the DestinationPortlist, selectSpecify.
- ClickPort Listand select the appropriate port list object.
- ClickAdd.
- Optional. Select an iRule to trigger when the firewall rule matches.iRule sampling (available when an iRule is selected) allows you to specify how frequently an iRule is triggered when the rule matches. For example, if the value 5 is entered, the iRule triggers every 5th match.
- From theActionlist, select the firewall action to perform on matching traffic.
- From theLogginglist, enable or disable logging for the firewall rule.A logging profile must be enabled to capture logging info for the firewall rule.
- ClickFinished.The list screen and the new item are displayed.
A new firewall rule is created, and appears in the Rules list.
Next, create a firewall policy to reference the rule list.
Create a policy
You can create an AFM Network Firewall policy that references one or
more rule lists. Policies can be then be applied globally, to a virtual server, a route domain, or a self IP address.
- On the Main tab, click .The Policies screen opens.
- ClickCreateto create a new policy.
- Type a name and optional description for the firewall policy.
- ClickFinished.
The Policies screen shows the new policy in the policy list.
Next, add the firewall rule list to the policy.
Activate a rule
list in a firewall policy
You can add one or more rule lists to a firewall policy. After the rule list is added, you will be asked by the AFM system to commit the changes, activating the firewall policy.
You must apply the firewall policy to one of the AFM system contexts to have it apply to traffic processing.
- On the Main tab, click .The Policies screen opens.
- Click the name of a firewall policy to edit that policy.The Firewall Policy screen opens, or the policy expands on the screen.
- ClickAdd Rule List.Click the down arrow button to put the Rule List at either the top or bottom of the current list.
- UnderName, enter the name of an existing Rule List.To view the available Rule Lists, click the<<icon to the far right of the screen and then clickRule List.
- ClickCommit Changes to Systemat the top of the page.
- UnderID, verify the new Rule List is in the proper order.You can drag and drop Rule Lists to reorder them.
The firewall rule list and policy are now activated.
