Manual Chapter:
Setting Timers and Preventing Port Misuse with Service Policies
Applies To:
BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Introduction to Service Policies
Service Policies are containers for Timer and Port Misuse policies. A Timer policy overrides how long the BIG-IP system keeps idle connections in its connection table, and a Port Misuse policy controls which layer 7 application service may use a given protocol and service port. You should familiarize yourself with how each of these policies can be used.
- Timer Policy
  - Specifies one or more protocols, service ports, and the idle timeout period for connections that match those protocols and service ports. For example, idle TCP connections on port 443 can be configured to time out after 5 seconds of idle time.
- Port Misuse Policy
  - Specifies one or more protocols, service ports, and the type of layer 7 application service allowed to use those protocols and service ports. For example, a rule can require that TCP service port 80 carry HTTP; a connection that instead carries HTTPS on that port can be dropped, logged, or both.
- Service Policy
  - References a Timer policy and a Port Misuse policy. A Service Policy can be referenced by an AFM firewall rule and can also be applied directly to the global, route domain, virtual server, and self IP contexts.
Create a timer policy
Create a timer policy to set custom idle timeouts for self IPs, route domains, virtual servers, firewall rules, or firewall rule lists.
- On the Main tab, open the Timer Policies list.
- Click Create. The New Timer Policy screen opens.
- Type a name for the timer policy.
- Type an optional description for the timer policy.
- To save the timer policy and add timer rules, click Create & Add Rule. The New Rule screen opens.
- Type a name for the rule.
- From the Protocol list, select a protocol.
- From the Idle Timeout list, select the timeout option for the selected protocol.
  - Select Specify to set the idle timeout for this protocol, in seconds.
  - Select Immediate to time out idle connections for this protocol immediately (an idle timeout of 0 seconds).
  - Select Indefinite to specify that connections for this protocol never time out while idle.
  - Select Unspecified to set no timeout in this rule. When this is selected, the system's default idle timeout for the protocol is used.
- Click Finished to save the timer policy rule.
The timer policy is now configured to apply to traffic with this protocol type. Choose the value carefully: a connection that exceeds the idle timeout is removed from the connection table, so a timeout shorter than the application's own keepalive interval will break otherwise healthy sessions.
Select the timer policy in a service policy, and apply the service policy to a self IP, route domain, virtual server, firewall rule, or firewall rule list.
Create a port misuse policy
Create a port misuse policy to restrict traffic on a port to a specific application service. You configure a policy with port, protocol, and service rules that specify when port misuse occurs, and what action the policy takes.
- On the Main tab, open the Port Misuse Policies list. The Port Misuse screen opens.
- Click Create. The New Port Misuse Policy screen opens.
- Type a name for the port misuse policy.
- Type an optional description for the port misuse policy.
- Select the Default Actions for the port misuse policy. These apply to every rule that does not override them.
  - Select Drop on Service Mismatch to set a policy default that drops packets when the service does not match the port, as defined in the policy rules.
  - Select Log on Service Mismatch to set a policy default that logs service and port mismatches.
- In the Rule Name field, type a name for a policy rule.
- From the Port list, select a port for the port matching rule. You can select from a list of commonly used ports, or select Other and specify a port number.
- From the IP Protocol list, select the IP protocol for the port matching rule. You can select TCP, UDP, or SCTP.
- From the Service list, select the service. This setting associates the service with the port number: packets on this port that do not match the specified service type are dropped if Drop on Service Mismatch applies to this rule. You are not limited to customary port and service pairings; any service can be associated with any port as a rule in a port misuse policy.
- From the Drop on Service Mismatch list, select the drop behavior.
  - Select Use Policy Default to use the policy's default drop action when the service does not match the port.
  - Select Yes to drop packets when the service does not match the port.
  - Select No to allow packets when the service does not match the port.
- From the Log on Service Mismatch list, select the logging behavior.
  - Select Use Policy Default to use the policy's default logging action when the service does not match the port.
  - Select Yes to log packets whose service does not match the port.
  - Select No to not log packets whose service does not match the port.
- Click Finished to save the port misuse policy.
The port misuse policy is now configured to drop or log packets on the specified ports when the service does not match. A rule with both Drop and Log set to No neither blocks nor records mismatches on that port, so use that combination deliberately.
Select the port misuse policy in a service policy, and apply the service policy to a self IP, route domain, virtual server, firewall rule, or firewall rule list.
Create a service policy
Create a service policy to apply custom timer policies and port misuse settings to self IPs, route domains, virtual servers, firewall rules, or firewall rule lists.
- On the Main tab, open the Service Policies list.
- Click Create. The New Service Policy screen opens.
- Type a name for the service policy.
- Type an optional description for the service policy.
- To enable a timer policy in the service policy, in the Timer Policy area, click Enabled.
- From the list, select a timer policy to use in the service policy. The Timer Policy Rules area shows the timer policy rules for the selected timer policy.
- To enable a port misuse policy in the service policy, in the Port Misuse area, click Enabled.
- From the list, select a port misuse policy to use in the service policy. The Port Misuse Policy Rules area shows the port misuse policy rules for the selected port misuse policy.
- Click Finished to save the service policy and return to the service policies list screen.
The service policy is now configured, but it has no effect until you apply it to a self IP, route domain, virtual server, firewall rule, or firewall rule list.
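The following Python model is an added example, not F5 code, and it ties together the three procedures above (the timer policy, the port misuse policy, and the service policy that references both). It does not configure a BIG-IP; it encodes the decision rules these sections describe, namely the Idle Timeout options and the way a per-rule Drop or Log on Service Mismatch setting of Yes or No overrides the policy's Default Actions, so that the effect of a rule set on a given connection can be checked before the service policy is applied. All class and function names, and the sample policy in example_policy(), are the example's own assumptions.

```python
"""Offline model of BIG-IP AFM timer and port misuse policy decisions.

Added example, not F5 code: it does not talk to a BIG-IP. Names and the
sample policy below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Union

# Idle Timeout options from the timer policy rule screen (besides a number of seconds).
IMMEDIATE, INDEFINITE, UNSPECIFIED = "immediate", "indefinite", "unspecified"
# Per-rule Drop/Log on Service Mismatch choices from the port misuse rule screen.
USE_POLICY_DEFAULT, YES, NO = "use-policy-default", "yes", "no"


@dataclass(frozen=True)
class TimerRule:
    protocol: str              # e.g. "tcp", "udp"
    ports: frozenset           # service ports the rule covers
    timeout: Union[int, str]   # seconds (Specify) or one of the option constants


@dataclass
class TimerPolicy:
    rules: list = field(default_factory=list)


@dataclass(frozen=True)
class PortMisuseRule:
    port: int
    ip_protocol: str           # "tcp", "udp" or "sctp"
    service: str               # layer 7 service this port must carry, e.g. "http"
    drop: str = USE_POLICY_DEFAULT
    log: str = USE_POLICY_DEFAULT


@dataclass
class PortMisusePolicy:
    default_drop: bool         # Default Actions: Drop on Service Mismatch
    default_log: bool          # Default Actions: Log on Service Mismatch
    rules: list = field(default_factory=list)


@dataclass
class ServicePolicy:
    """Container referencing at most one timer policy and one port misuse policy."""
    timer: Optional[TimerPolicy] = None
    port_misuse: Optional[PortMisusePolicy] = None


def idle_timeout(sp: ServicePolicy, protocol: str, port: int, system_default: int):
    """Seconds a matching connection may sit idle before it is removed.

    Returns None for Indefinite (never times out). The first matching rule wins;
    with no timer policy or no matching rule, the system default applies.
    """
    if sp.timer is not None:
        for r in sp.timer.rules:
            if r.protocol == protocol and port in r.ports:
                if r.timeout == IMMEDIATE:
                    return 0
                if r.timeout == INDEFINITE:
                    return None
                if r.timeout == UNSPECIFIED:
                    return system_default
                return int(r.timeout)
    return system_default


def service_mismatch(sp: ServicePolicy, ip_protocol: str, port: int, observed: str):
    """Return (drop, log) for a packet whose layer 7 service has been identified.

    A per-rule Yes/No overrides the policy default; Use Policy Default inherits it.
    Logging is modelled independently of dropping, so a rule can log a mismatch
    it allows (the chapter's "denied, logged or both").
    """
    pm = sp.port_misuse
    if pm is None:
        return (False, False)
    for r in pm.rules:
        if r.ip_protocol == ip_protocol and r.port == port:
            if r.service == observed:
                return (False, False)          # expected service: no mismatch
            drop = pm.default_drop if r.drop == USE_POLICY_DEFAULT else r.drop == YES
            log = pm.default_log if r.log == USE_POLICY_DEFAULT else r.log == YES
            return (drop, log)
    return (False, False)                      # port not governed by any rule


def example_policy() -> ServicePolicy:
    """Constructed sample: the chapter's 5-second TCP/443 timer plus a few misuse rules."""
    timer = TimerPolicy(rules=[
        TimerRule("tcp", frozenset({443}), 5),
        TimerRule("udp", frozenset({53}), IMMEDIATE),
        TimerRule("tcp", frozenset({22}), INDEFINITE),
        TimerRule("tcp", frozenset({8080}), UNSPECIFIED),
    ])
    misuse = PortMisusePolicy(default_drop=True, default_log=True, rules=[
        PortMisuseRule(80, "tcp", "http"),                      # TCP/80 must carry HTTP
        PortMisuseRule(443, "tcp", "https", drop=NO, log=YES),  # audit only: log, do not drop
        PortMisuseRule(8443, "tcp", "https"),                   # any service on any port
        PortMisuseRule(53, "udp", "dns", log=NO),               # drop silently
    ])
    return ServicePolicy(timer=timer, port_misuse=misuse)


if __name__ == "__main__":
    sp = example_policy()
    print("TCP/443 idle timeout:", idle_timeout(sp, "tcp", 443, 300))
    print("HTTPS on TCP/80 ->", service_mismatch(sp, "tcp", 80, "https"))
    print("HTTP on TCP/443 ->", service_mismatch(sp, "tcp", 443, "http"))
```

Running the block shows the resolved outcome for each sample connection. The point of the model is the override resolution in service_mismatch(): a rule that keeps Use Policy Default changes behavior whenever the policy's Default Actions are edited, while a rule set explicitly to Yes or No does not, which is worth checking before a policy with many rules is attached to a production context.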
Apply a service policy to a firewall rule
Apply a service policy to a firewall rule to apply custom timers and port misuse settings to traffic matched by the firewall rule.
- On the Main tab, open the firewall policies list.
- Under Name, click the firewall policy that contains the rule to be modified.
- In the Active Rules List area, click the firewall rule or rule list to be modified.
  - With inline rules: click the rule by name, and in the Actions column, select the service policy.
  - With a rule list: click the rule list, and then click the rule by name. In the Actions column, select the service policy.
- Click Done Editing.
- Click Commit Changes to System.
When the rule is compiled and deployed, the timeouts and port misuse settings defined in the service policy are applied to traffic matched by the rule.
Apply a service policy to a virtual server
Apply a service policy to a virtual server to use custom timers and port misuse settings on the virtual server.
- On the Main tab, open the Virtual Server List. The Virtual Server List screen opens.
- In the Virtual Server List area, click the virtual server by name.
- At the top of the page, click the Security tab, and then click Policies.
- From the Service Policy list, select the service policy.
- Click Update.
The service policy is now associated with the virtual server, and the timers and port misuse settings are applied to sessions on the virtual server.
Apply a service policy to a route domain
Apply a service policy to a route domain to apply custom timers and port misuse settings to traffic that uses the route domain.
- On the Main tab, open the Route Domain List. The Route Domain List screen opens.
- In the Route Domain List area, click the route domain to modify.
- At the top of the page, click the Security tab.
- From the Service Policy list, select the service policy.
- Click Update.
Traffic on the route domain that matches the rules defined in the service policy now uses the timeouts and port misuse settings defined in the timer and port misuse policies.
Apply a service policy to a self IP
Apply a service policy to a self IP to apply custom timers and port misuse settings to traffic that uses the self IP address.
- On the Main tab, open the Self IP List.
- In the Name column, click the self IP address to which you want to apply the service policy. The properties of the self IP address are displayed.
- At the bottom of the page, select the service policy from the Service Policy list.
- Click Update.
Traffic on the self IP that matches the rules defined in the service policy now uses the timeouts and port misuse settings defined in the timer and port misuse policies.