Manual Chapter : Setting Timers and Preventing Port Misuse with Service Policies

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Setting Timers and Preventing Port Misuse with Service Policies

Introduction to Service Policies

Service Policies are containers for Timer and Port Misuse policies. Timer and Port Misuse policies allow you to override how the BIG-IP system manages idle connections and which layer 7 application can use specific service ports.to process traffic. You should familiarize yourself with how each of these policy can be used.
Timer Policy
Specifies one or more protocols, service ports and the idle timeout period for connections that match these protocols and service ports. For example, idle TCP protocol 443 connections can be configured to timeout after 5 seconds of idle time.
Port Misuse Policy
Specifies one or more protocols, services ports and the type of layer 7 application service allowed to use these protocol and service ports. For example, TCP protocol, service port 80 must use the HTTP protocol. A connection attempt using HTTPS protocol can be denied, logged or both.
Service Policy
References Timer and Port Misuse policies. A Service Policy can be referenced by an AFM firewall rule and can also be applied directly to the global, route domain, virtual server and self IP contexts.

Create a timer policy

Create a timer policy to set custom idle timeouts for self IPs, route domains, firewall rules, or firewall rule lists.
  1. Click
    Network
    Service Policies
    Timer Policies
    .
  2. Click
    Create
    .
    The New Timer Policy screen opens.
  3. Type a name for the timer policy.
  4. Type an optional description for the timer policy.
  5. To save the timer policy and add timer rules, click
    Create & Add Rule
    .
    The New Rule screen opens.
  6. Type a name for the rule.
  7. From the
    Protocol
    list, select a protocol.
  8. From the
    Idle Timeout
    list, select the timeout option for the selected protocol.
    • Select
      Specify
      to specify the timeout for this protocol, in seconds.
    • Select
      Immediate
      to immediately apply this timeout to the protocol.
    • Select
      Indefinite
      to specify that this protocol never times out.
    • Select
      Unspecified
      to specify no timeout for the protocol. When this is selected, the default timeout for the protocol is used.
  9. Click
    Finished
    to save the timer policy rule.
The timer policy is now configured to apply to traffic with this protocol type.
Select the timer policy in a service policy, and apply the service policy to a self IP, route domain, firewall rule, or firewall rule list.

Create a port misuse policy

Create a port misuse policy to restrict traffic on a port to a specific application. You configure a policy with specific port, protocol, and service rules to specify when port misuse occurs, and what action the policy takes.
  1. On the Main tab, click
    Network
    Service Policies
    Port Misuse Policies
    .
    The Port Misuse screen opens.
  2. Click
    Create
    .
    The New Port Misuse Policy screen opens.
  3. Type a name for the port misuse policy.
  4. Type an optional description for the port misuse policy.
  5. Select the
    Default Actions
    for the port misuse policy.
    • Select
      Drop on Service Mismatch
      to set a policy default that drops packets when the service does not match the port, as defined in the policy rules.
    • Select
      Log on Service Mismatch
      to set a policy default that logs service and port mismatches.
  6. In the
    Rule Name
    field, type a name for a policy rule.
  7. From the
    Port
    list, select a port for the port matching rule.
    You can select from a list of commonly used ports, or select
    Other
    and specify a port number.
  8. From the
    IP Protocol
    list, select the IP protocol for the port matching rule.
    You can select
    TCP
    ,
    UDP
    , or
    SCTP
    .
  9. From the
    Service
    list, select the service.
    This setting configures the association between the service and port number. Packets on this port that do not match the specified service type are dropped, if
    Drop on Service Mismatch
    is applied to this rule.
    You can specify a service on any port; you are not limited to customary port and service pairings. You can configure any service on any port as a rule in a port misuse policy.
  10. From the
    Drop on Service Mismatch
    field, select the drop behavior.
    • Select
      Use Policy Default
      to use the default action for packet drops, when the service does not match the port.
    • Select
      Yes
      to drop packets when the service does not match the port.
    • Select
      No
      to allow packets when the service does not match the port.
  11. From the
    Log on Service Mismatch
    field, select the logging behavior.
    • Select
      Use Policy Default
      to use the default action for logging packet drops, when the service does not match the port.
    • Select
      Yes
      to log dropped packets when the service does not match the port.
    • Select
      No
      to not log packet drops when the service does not match the port.
  12. Click
    Finished
    to save the port misuse policy.
The port misuse policy is now configured to drop packets for specified ports, when the service does not match.
Select the port misuse policy in a service policy, and apply the service policy to a self IP, route domain, firewall rule, or firewall rule list.

Create a service policy

Create a service policy to apply custom timer policies and port misuse settings to self IPs, route domains, firewall rules, or firewall rule lists.
  1. Click
    Network
    Service Policies
    .
  2. Click
    Create
    .
    The New Service Policy screen opens.
  3. Type a name for the service policy.
  4. Type an optional description for the service policy.
  5. To enable a timer policy in the service policy, in the Timer Policy area, click
    Enabled
    .
  6. From the list, select a timer policy to use in the service policy. The Timer Policy Rules area shows the timer policy rules for the selected timer policy.
  7. To enable a port misuse policy in the service policy, in the Port Misuse area, click
    Enabled
    .
  8. From the list, select a port misuse policy to use in the service policy. The Port Misuse Policy Rules area shows the port misuse policy rules for the selected port misuse policy.
  9. Click
    Finished
    to save the service policy and return to the service policies list screen.
The selected self IP now enforces or stages rules according to your selections.

Apply a service policy to a firewall rule

Apply a service policy to a firewall rule to apply custom timers and port misuse settings to traffic matched by the firewall rule.
  1. Click
    Security
    Network Firewall
    Policies
    .
  2. Under Name, click the firewall policy that contains the rule to be modified.
  3. In the Active Rules List area, click the firewall rule or rule list to be modified.
    With Inline Rules
    Click the rule by name, and in the Actions column, select the Service Policy.
    With a Rule List
    Click the rule list, and then click the rule by name. In the Actions column, select the Service Policy.
  4. Click
    Done Editing
    .
  5. Click
    Commit Changes to System
    .
When the rule is compiled and deployed, the timeouts and port misuse settings defined in the service policy are applied to the rule.

Apply a service policy to a virtual server

Apply a service policy to a virtual server to use custom timers and port misuse settings on the virtual server.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. In the Virtual Server List area, click the virtual server by name
  3. In the Security tab at the top of the page, click
    Policies
    .
  4. From the
    Service Policy
    list, select the service policy.
  5. Click
    Update
    .
The service policy is now associated with the virtual server, and the timers and port misuse settings are applied to sessions on the virtual server.

Apply a service policy to a route domain

Apply a service policy to a route domain to apply custom timers and port misuse settings to traffic that uses the route domain.
  1. On the Main tab, click
    Network
    Route Domains
    .
    The Route Domain List screen opens.
  2. In the Route Domain List area, click the route domain to modify.
  3. At the top of the page, click the
    Security
    tab.
  4. From the
    Service Policy
    list, select the service policy.
  5. Click
    Update
Traffic on the route domain that matches the rules defined in the service policy now uses the timeouts and port misuse settings defined in the timer and port misuse policies.

Apply a service policy to a self IP

Apply a service policy to a self IP to apply custom timers and port misuse settings to traffic that uses the self IP address.
  1. On the Main tab, click
    Network
    Self IPs
    .
  2. In the Name column, click the self IP address that you want to modify.
    This displays the properties of the self IP address.
  3. Click the self IP to which you will apply the service policy.
  4. At the bottom of the page, select service policy from the
    Service Policy
    list.
  5. Click
    Update
Traffic on the self IP that matches the rules defined in the service policy now uses the timeouts and port misuse settings defined in the timer and port misuse policies.