Manual Chapter : Monitoring ACL rules to improve Network Security

Applies To:


BIG-IQ Centralized Management

  • 7.0.0, 6.1.0

Monitoring ACL rules to improve Network Security

Viewing ACL rule matching data

Your access control list (ACL) rules allow you to manage packet access to your network, based on a defined rule list.
Enforced ACL rules can be configured within a network firewall policy context to enforce network firewall actions based on these defined rules.
Staged ACL rules apply all of the specified firewall rules to the policy context, but do not enforce the policy action. The staged policy produces information about how an ACL policy would enforce its firewall rules if it were enforced.
You can view the behavior of your staged and enforced ACL rules to identify whether your policy's configuration meets your firewall needs.
The following data view is only available for managed BIG-IP devices v13.1.0.8 or later. To view Network Firewall data for BIG-IP devices v13.0 or earlier, go to Monitoring > REPORTS > Security > Network Security > Reporting.

Isolate performance of enforced ACL configuration

Before you can analyze BIG-IP device performance data:
  • There must be a BIG-IQ data collection device configured for the BIG-IQ system that manages your BIG-IP devices.
  • You must have discovered the BIG-IP devices that you want to analyze, and statistics collection must be enabled for those devices.
The AFM ACL Enforced screen displays data for traffic that matches your enforced access control list (ACL) rules. You can use this data to identify issues with the rules, policies, and contexts of your firewall protection, and to further isolate which ACL configuration impacts your network firewall performance.
For information about the controls on this screen, see Statistics Monitoring Overview.
  1. At the top of the screen, click Monitoring.
  2. On the left, click DASHBOARDS > AFM > ACL Enforced.
    The chart pane displays the average number of ACL matches per second for all ACL policies, over the selected time period.
  3. To filter displayed data, expand the dimensions, located on the right side of the screen, that list network packet data, such as Countries, Client IPs, or Destination Ports.
  4. Identify if there are objects in the expanded dimension list that have an unexpected number of rule matches, and select these objects in the list.
    You can select more than one object from the dimensions. This will automatically filter the data on the screen to reflect your selection.
  5. Expand the Actions dimension to identify the firewall actions that correspond with the previously selected dimension object(s), and select one or more actions to filter by your selection.
  6. Expand the ACL Policy Names dimension to isolate the policy that is responsible for issues with your firewall protection.
    If you have more than one ACL policy with an unexpected number of matches, you can select one to further isolate its associated rules and context in the associated dimensions.
Once you have isolated an enforced ACL policy, and its associated rules and contexts, you can adjust the ACL configuration to improve firewall protection.

Isolate performance of staged ACL configuration

Before you can analyze BIG-IP device performance data:
  • There must be a BIG-IQ data collection device configured for the BIG-IQ system that manages your BIG-IP devices.
  • You must have discovered the BIG-IP devices that you want to analyze, and statistics collection must be enabled for those devices.
The AFM ACL Staged screen displays data for traffic that matches your access control list (ACL) rules that are currently staged and are not enforcing firewall protection. You can use this data to judge how effective the firewall protection would be under a staged policy, rule, or context, and to further isolate which ACL configuration would provide effective network firewall performance if enforced.
For information about the controls on this screen, see Statistics Monitoring Overview.
  1. At the top of the screen, click Monitoring.
  2. On the left, click DASHBOARDS > AFM > ACL Staged.
    The chart pane displays the average number of ACL matches per second for all ACL policies, over the selected time period.
  3. To filter displayed data, expand the dimensions, located on the right side of the screen, that list network packet data, such as Countries, Client IPs, or Destination Ports.
  4. Identify if there are objects in the expanded dimension list that have an unexpected number of rule matches, and select these objects in the list.
    You can select more than one object from the dimensions. This will automatically filter the data on the screen to reflect your selection.
  5. Expand the Actions dimension to identify the firewall actions that correspond with the previously selected dimension object(s), and select one or more actions to filter by your selection.
  6. Expand the ACL Policy Names or ACL Rules dimensions to isolate the staged ACL policy or rule.
Once you have isolated a staged ACL policy or rule with effective firewall protection, you can configure the policy or rule to enforce network firewall protection.
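The staged-versus-enforced distinction described at the start of this chapter, and the dimension drill-down used by both isolate procedures above, modelled in Python as an added example (this is not F5 code and does not use the BIG-IQ API). The rule fields, the constructed packets, and the "3x the median" threshold for an unexpected match count are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from statistics import median
# Constructed, ordered rule list (first match wins); hypothetical fields, not AFM objects.
RULES = [
    {"name": "allow-web", "port": 443, "src": None, "action": "accept"},
    {"name": "block-ssh", "port": 22, "src": "203.0.113.0/24", "action": "drop"},
    {"name": "default-reject", "port": None, "src": None, "action": "reject"},
]
# Constructed traffic: two web clients, one occasional SSH client, one SSH burst.
PACKETS = ([{"src": "198.51.100.7", "dport": 443}] * 6
           + [{"src": "198.51.100.8", "dport": 443}] * 5
           + [{"src": "203.0.113.5", "dport": 22}] * 4
           + [{"src": "203.0.113.9", "dport": 22}] * 30)

def match_rule(pkt, rules=RULES):
    """Return the first rule that matches the packet, or None."""
    for rule in rules:
        if rule["port"] is not None and rule["port"] != pkt["dport"]:
            continue
        if rule["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
            continue
        return rule
    return None

def evaluate(pkt, enforced):
    """(matched action, applied action): enforced applies it, staged only records it."""
    action = (match_rule(pkt) or {}).get("action")
    return action, (action if enforced else None)

def matches_by(packets, dimension):
    """Count matches per value of a dimension (src, action or rule), as the screen does."""
    counts = Counter()
    for pkt in packets:
        rule = match_rule(pkt)
        if rule:
            counts[{"action": rule["action"], "rule": rule["name"]}.get(dimension, pkt.get(dimension))] += 1
    return counts

def unexpected(counts, factor=3):
    """Flag values whose count exceeds factor x the median (an assumed threshold)."""
    threshold = factor * median(counts.values()) if counts else 0
    return [value for value, n in counts.items() if n > threshold]

def isolate(packets):
    """Steps 3-6: flag clients with unexpected matches, narrow to them, show their actions and rules."""
    flagged = unexpected(matches_by(packets, "src"))
    subset = [p for p in packets if p["src"] in flagged]
    return {"src": flagged, "action": dict(matches_by(subset, "action")),
            "rule": dict(matches_by(subset, "rule"))}
```

With the constructed traffic, `isolate(PACKETS)` narrows to the bursting client and attributes its matches to the drop action of the block-ssh rule, which is the same path the dashboard walks through its Client IPs, Actions, and ACL Rules dimensions.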

Adding an enforced firewall policy

You can view and configure firewall policies to enforce or refine actions (accept, accept decisively, drop, reject) using the Enforced settings. You are restricted to a single, enforced firewall policy on any specific firewall context.
Policies can be enforced in one firewall context and staged in another.
  1. Click Configuration > SECURITY > Network Security > Contexts.
  2. Click the name of the context to edit. The context properties are displayed.
  3. Click Add Enforced Firewall Policy in the Enforced Firewall Policy row, and in the resulting popup, click the policy to use and click Add.
    Adding an enforced policy results in the removal of all existing rules.
  4. Click the name of the enforced policy to display the policy properties.
  5. Click Create Rule to add a rule by editing the fields in the template.
    You can also add rules by right-clicking the last rule in the table and selecting Add rule before or Add rule after. If you right-click after the bottom row in the Rules table, you can select the option Add rule. You can then reorder rules by dragging and dropping them until they are in the correct order for execution. You can also reorder rules by right-clicking in the row and selecting among the ordering options.
  6. Add a rule list by clicking Add Rule List.
  7. In the popup screen that opens, select the name of the rule list that you want to add and then click Add.
  8. When finished, save your work.

Editing rule lists

You can edit the content of rule lists, including the order of rules in rule lists.
  1. Click Configuration > SECURITY > Network Security > Network Firewall > Rule Lists.
  2. Click the specific rule list you want to edit in the right pane.
  3. Click Properties.
    Name: Informational, read-only field set when creating or cloning the rule list.
    Description: Optional description.
    Partition: Informational, read-only field set when creating or cloning the rule list.
  4. Click Rules, and click the name of the rule you want to edit.
  5. Complete the fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  6. Complete fields as appropriate.
    To reorder rules, simply drag and drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selecting Copy Rule. Then, navigate to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the paste, delete the rule that you copied.
  7. Click Save to save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies screen is refreshed.