Manual Chapter :
Monitoring ACL rules to improve Network Security
Applies To:
Show Versions
Monitoring ACL rules to improve Network Security
Viewing ACL rule matching data
Your access control list (ACL) rules allow you to manage packet access
to your network, based on a defined rule list.
Enforced ACL rules can be configured within a network firewall policy
context to enforce network firewall actions based on these defined rules.
Staged ACL rules apply all of the specified firewall rules to the
policy context, but do not enforce policy action. The staged policy results in information
regarding how an ACL policy may enforce firewall rules.
You can view the behavior of your staged and enforced ACL rules to
identify if your policy's configuration meet your firewall needs.
The following data view is only available for manged BIIG-IP
devices v13.1.0.8 or later. You must have AVR configured on your device to display data.
To view Network Firewall data for BIG-IP devices v13.0 or earlier, go to .
Isolate performance of enforced ACL configuration
Before you can analyze BIG-IP device performance
data:
- There must be a BIG-IQ data collection device configured for the BIG-IQ system that manages your BIG-IP devices.
- You must have discovered the BIG-IP devices that you want to analyze, and statistics collection must be enabled for those devices.
- You must have AVR provisioned on your BIG-IP device.
The AFM ACL Enforced screen displays data for
traffic that matches your enforced access control list (ACL) rules. You can use this data
to identify issues with your firewall protection's rules/policies/context and further
isolate which ACL configuration impact your network firewall performance.
For information about the controls on this screen, see
Statistics Monitoring Overview
.- At the top of the screen, clickMonitoring.
- On the left, click .The chart pane displays the average number of ACL matches per second for all ACL policies, over the selected time period.
- To filter displayed data, expand the dimensions, located on the right side of the screen, that list network packet data, such as Countries, Client IPs, or Destination Ports.
- Identify if there are objects in the expanded dimension list that have an unexpected number of rule matches, and select these objects in the list.You can select more than one object from the dimensions. This will automatically filter the data on the screen to reflect your selection.
- Expand the Actions dimension to identify the firewall actions that correspond with the previously selected dimension object(s), and select one or more actions to filter by your selection.
- Expand the ACL Policy Names to isolate the policy that is responsible for issues with your firewall protection.If you have more than one ACL policy with unexpected number of matches, you can select one to further isolate its associate rules and context in the associated dimensions.
Once you have isolated an enforced ACL policy,
and its associated rules and contexts, you can adjust the ACL configuration to improve
firewall protection.
Isolate performance of staged ACL configuration
Before you can analyze BIG-IP device
performance data:
- There must be a BIG-IQ data collection device configured for the BIG-IQ system that manages your BIG-IP devices.
- You must have discovered the BIG-IP devices that you want to analyze, and statistics collection must be enabled for those devices.
- You must have AVR configured on your discovered BIG-IP devices.
The AFM ACL Staged screen displays data
for traffic that matches your access control list (ACL) rules that are currently
staged and are not enforcing firewall protection. You can use this data to
identify effective firewall protection under a staged policy/rule/context and
further isolate which ACL configuration can enforce effective network firewall
performance.
For information about the controls on
this screen, see
Statistics Monitoring
Overview
. - At the top of the screen, clickMonitoring.
- On the left, click .The chart pane displays the average number of ACL matches per second for all ACL policies, over the selected time period.
- To filter displayed data, expand the dimensions, located on the right side of the screen, that list network packet data, such as Countries, Client IPs, or Destination Ports.
- Identify if there are objects in the expanded dimension list that have an unexpected number of rule matches, and select these objects in the list.You can select more than one object from the dimensions. This will automatically filter the data on the screen to reflect your selection.
- Expand the Actions dimension to identify the firewall actions that correspond with the previously selected dimension object(s), and select one or more actions to filter by your selection.
- Expand ACL Policy Names or ACL Rules dimensions to isolate the staged ACL policy .
Once you have isolated a staged ACL
policy or rule with effective firewall protection, you can configure the policy or
rule to enforce network firewall protection.
Adding an enforced firewall policy
You can view and configure firewall policies to enforce or refine actions (accept, accept
decisively, drop, reject) using the Enforced settings. You are restricted to a single,
enforced firewall policy on any specific firewall context.
Policies can be
enforced in one firewall context and staged in another.
- Click .
- Click the name of the context to edit. The context properties are displayed.
- ClickAdd Enforced Firewall Policyin the Enforced Firewall Policy row and in the resulting popup, click the policy to use and clickAdd.Adding an enforced policy results in the removal of all existing rules.
- Click the name of the enforced policy to display the policy properties.
- ClickCreate Ruleto add a rule by editing the fields in the template.You can also add rules by right-clicking in the last rule in the table and selectingAdd rule beforeorAdd rule after. If you right-click after the bottom row in the Rules table, you can select the optionAdd rule. You can then reorder rules by dragging and dropping them until they are in the correct order for execution. You can also reorder rules by right-clicking in the row and selecting among the ordering options.
- Add a rule list by clickingAdd Rule List.
- In the popup screen that opens, select the name of the rule list that you want to add and then clickAdd.
- When finished, save your work.
Editing rule lists
You can edit the content of rule
lists,
including the order of rules in rule lists.
- Click .
- Click the specific rule list you want to edit in the right pane.
- ClickProperties.NameInformational, read-only field set when creating or cloning the rule list.DescriptionOptional description.PartitionInformational, read-only field set when creating or cloning the rule list.
- ClickRules, and click the name of the rule you want to edit.
- Complete the fields as appropriate.You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosingAdd Rule beforeorAdd Rule after.
- Complete fields as appropriate.To reorder rules, simply drag and drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selectingCopy Rule. Then, navigate to the new location for the rule, right-click, and selectPaste BeforeorPaste Afteras appropriate. After the paste, delete the rule that you copied.
- ClickSaveto save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies
screen is refreshed.
