Manual Chapter : Managing Firewall Contexts

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.0.1
Manual Chapter

Managing Firewall Contexts

About managing firewall contexts

In BIG-IQ® Centralized Management, a firewall context is a BIG-IP® network object to which a firewall policy can be attached. In the BIG-IQ system, these network objects are called Global (global), Route Domain (rd), Virtual Server (vip), Self IP (sip), or Management (mgmt).
Firewall contexts provide policy-based access control to and from address and port pairs, inside and outside the network. Firewall properties include the firewall name, an (optional) description, its partition, its type, and its parent device on the partition in which it resides. Note that an
administrative partition
is a part of the BIG-IP configuration that is accessible only to a particular group of administrators. The default partition for all BIG-IP configurations,
/Common
, is accessible to all administrators. A sufficiently-privileged administrator can make additional partitions on the BIG-IP device. Each partition corresponds to a folder (with the same name) to hold its configuration objects.
You can view and configure enforced policies or rules whose actions (accept, accept decisively, drop, reject) are in force. You are restricted to a single, enforced policy on any specific firewall.
Firewall policies can be enforced in one firewall context and staged in another.

About BIG-IP system firewall contexts

A
firewall context
is the category of object to which a firewall policy or rule applies. In this case, category refers to Global, Route Domain, Virtual Server, Self IP, or Management.
It is possible to have multiple layers of firewalls on a single BIG-IP® device. These layers constitute the firewall hierarchy. Within the firewall hierarchy, policies progress from Global, to Route Domain, and then to either Virtual Server or Self IP.
If a packet matches a firewall rule within a given context, that action is applied to the packet, and the packet then moves to the next context for further processing. If the packet is accepted, it travels on to the next context. If the packet is accepted decisively, it goes directly to its destination. If the packet is dropped or rejected, all processing stops for that packet; it travels no further.
Rules for the management interface are processed separately and not as part of the context hierarchy.

About global firewalls

A
global firewall
is an IP packet filter that resides on a global firewall on a BIG-IP® device. Except for packets traveling to the management firewall, it is the first firewall that an IP packet encounters. Any packet reaching a BIG-IP device must pass through the global firewall first.
When you create firewall policies, you can select one of several contexts, such as Global.

About route domain firewalls

A
route domain firewall
is an IP packet filter that resides on a route domain firewall on a BIG-IP® device.
A
route domain
is a BIG-IP system object that represents a particular network configuration. After creating a route domain, you can associate various BIG-IP system objects with the domain: unique VLANs, routing table entries such as a default gateway and static routes, self IP addresses, virtual servers, pool members, and firewalls.
When a route domain firewall is configured to apply to one route domain, it means that any IP packet that passes through the route domain is assessed and possibly filtered out by the configured firewall.
When you create firewall policies, you can select one of several contexts, such as route domain.

About virtual server firewalls

A
virtual server firewall
is an IP packet filter configured on the virtual server and, therefore, designated for client-side traffic. Any IP packet that passes through the virtual server IP address is assessed and possibly filtered out by this firewall.
When you create firewall policies, you can select one of several contexts, including virtual server.

About self IP firewalls

A
self IP firewall
is an IP packet filter configured on the self IP address, a firewall designated for server-side traffic. Any IP packet that passes through the self IP is assessed and possibly filtered out by this firewall.
A self IP address is an IP address on a BIG-IP® system that is associated with a VLAN and used to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space; that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address.
A static self IP address is an IP address that is assigned to the system and does not migrate between BIG-IP systems. By default, the self IP addresses created with the Configuration utility are static self IP addresses. One self IP address must be defined for each VLAN.
When you create firewall policies, you can select one of several contexts, including self IP.

About management IP firewalls

A
management IP firewall
is an IP packet filter configured on the management IP address and, therefore, designated to examine management traffic. Any IP packet that passes through the management IP address is assessed and possibly filtered out by this firewall.
The network software compares IP packets to the criteria specified in management firewall rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match a rule, then the software compares the packet against the next rule. If a packet does not match any rule, the packet is accepted.
Management IP firewalls collect firewall rules that apply to the management port on the BIG-IP® device. Management port firewalls are outside the firewall context hierarchy and management port rules are checked independently of other rules.
Policies and rule lists are not permitted on management IP firewalls. In addition, the management IP firewall context does not support the use of iRules® or geolocation in rules.

About firewall policy types

In Network Security, you can add the following firewall policy types:
Enforced
An enforced firewall policy modifies network traffic based on a set of firewall rules.
Staged
A staged firewall policy allows you to evaluate the effect a policy has on traffic without actually modifying the traffic based on the firewall rules.

Firewall properties

The properties of a firewall context are shown when you select a context type from the list on the left, such as Global or Virtual Server. Some fields are for information purposes only and cannot be edited. Not all columns are shown for each context.
Property
Description
Name
Name as shown in the system interface:
global
for the global firewall;
management-ip
for the management IP firewall;
0
for route domain; the IP address for self-ip; and the firewall name for a virtual server.
Partition
Usually,
Common
. An
administrative partition
is a part of the BIG-IP® configuration that is accessible only to a particular group of administrators. The default partition for all BIG-IP configurations,
Common
, is accessible to all administrators. A sufficiently-privileged administrator can make additional partitions on the BIG-IP device. Each partition corresponds to a folder (with the same name, for instance,
/Common
) to hold its configuration objects.
Firewall Type
One of the following: global (global); route-domain (rd); virtual server (vip); self-ip (self-ip); or management-ip (mgmt).
IP Address
For Virtual server (VIP), self IP, and Management firewall types only; this is an informational, read-only field displaying the IP address retrieved (if available) during DMA.
Description
Optional description for the firewall.
Route Domain ID
Used for Route Domain firewall types only; displays a number that identifies the route domain.
Device
Name of the BIG-IP® device where the firewall resides.
Enforced Policy
Name of the enforced policy assigned to the firewall context. An enforced firewall policy modifies network traffic based on a set of firewall rules. This property is not used for the Management firewall type.
Staged Policy
Name of the staged policy assigned to the firewall context. A staged firewall policy allows you to evaluate the effect a policy has on traffic without actually modifying the traffic based on the firewall rules. This property is not used for the Management firewall type.
Service Policy
Name of the service policy assigned to the firewall context. This property is not used for the Management firewall type.
NAT Policy
Name of the NAT policy assigned to the firewall context. This property is not used for the Management or self IP firewall type.

Adding an enforced firewall policy

You can view and configure firewall policies to force or refine actions (accept, accept decisively, drop, reject) using the Enforced settings. You are restricted to a single, enforced firewall policy on any specific firewall context.
Policies can be enforced in one firewall context and staged in another.
  1. Click
    Configuration
    SECURITY
    Network Security
    Contexts
    .
  2. Click the name of the context to edit. The context properties are displayed.
  3. Click
    Add Enforced Firewall Policy
    in the Enforced Firewall Policy row and in the resulting popup, click the policy to use and click
    Add
    .
    Adding an enforced policy results in the removal of all existing rules.
  4. Click the name of the enforced policy to display the policy properties.
  5. Click
    Create Rule
    to add a rule by editing the fields in the template.
    You can also add rules by right-clicking in the last rule in the table and selecting
    Add rule before
    or
    Add rule after
    . If you right-click after the bottom row in the Rules table, you can select the option
    Add rule
    . You can then reorder rules by dragging and dropping them until they are in the correct order for execution. You can also reorder rules by right-clicking in the row and selecting among the ordering options.
  6. Add a rule list by clicking
    Add Rule List
    .
  7. In the popup screen that opens, select the name of the rule list that you want to add and then click
    Add
    .
  8. When finished, save your work.

Adding a staged firewall policy

You can stage firewall policies using the Staged settings. Actions (accept, accept decisively, drop, reject) have no effect on network traffic. Rather, they are logged. This gives you the ability to stage a firewall policy first and examine the logs to determine how the firewall policy has affected traffic. Then, you can determine the timing for turning the firewall policy from staged to enforced.
Rule and rule lists are not allowed on staged firewall policies.
A firewall policy can be staged in one context and enforced in another.
  1. Click
    Configuration
    SECURITY
    Network Security
    Contexts
    .
  2. Click the name of the context to edit. The context properties are displayed.
  3. Click
    Add Staged Firewall Policy
    in the Staged Firewall Policy row and in the resulting popup, click the policy to use and click
    Add
    .
    Adding an enforced policy results in the removal of all existing rules and rule lists.
  4. Click
    Save
    to save changes.
    To clear a lock without saving changes, click the
    Unlock
    link.
  5. When finished, save your work.

Configure Network Security event logging from the firewall context

You enable Network Security event logging using the virtual servers displayed in the context list. When enabled, you can view these events using the
Monitoring
EVENTS
Network Security
screens.
  1. Click
    Configuration
    SECURITY
    Network Security
    Contexts
    .
    The Contexts screen opens.
  2. To enable logging of Network Security events, click the check box next to the virtual server to configure, and click
    Configure Logging
    .
    To disable logging of Network Security events, click the check box next to the virtual server to configure, and click
    Disable Logging
    .
The Network Security Logging Configuration dialog box opens so that you can begin the configuration process.
Review the information about the configuration process before continuing. This is described in the
Monitoring Network Security events
topics in
F5 BIG-IQ Centralized Management: Monitoring and Reporting
on
support.f5.com
.

Deploy firewall contexts

If you want to do a quicker deployment by only deploying thefirewall context portion of a configuration, you can do a partial deployment of the firewall context, instead of deploying the entire configuration.
  1. Click
    Configuration
    SECURITY
    Network Security
    Contexts
    .
    The Contexts screen opens.
  2. Click the check box next to the context you want included in the partial deployment.
  3. Click
    Deploy
    .
The system displays the selected context, with options for partial deployment selected.
Continue the partial deployment process.