Manual Chapter : Managing Rules and Rule Lists

Applies To:


BIG-IQ Centralized Management 7.1.0

Managing Rules and Rule Lists

About rules and rule lists

Network firewalls use rules and rule lists to specify traffic-handling actions. The network software compares IP packets to the criteria specified in rules. If a packet matches the criteria, the system takes the action specified by the rule. If a packet does not match any rule from the list, the software accepts the packet or passes it to the next rule or rule list. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.

Rule lists are containers for rules, which are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list. You can reorder rules in a given rule list at any time.

Enabling, disabling and scheduling rules and rule lists

Once a rule or a rule list is created, you can set the state of that rule or rule list to enable it, disable it, or schedule when it is enabled. By default, a rule or rule list is enabled. Settings on a rule list take precedence over those on a rule. For example, if a rule has a state of enabled but is contained within a rule list that has a state of disabled, the rule used in that rule list is disabled. The process differs for setting the state of a rule and setting the state of a rule list.
  • To set the state for a rule, edit the rule and choose enabled, disabled, or scheduled in the State column.
  • To set the state for a rule list, edit the rule list, right-click the rule list name, and select Edit Rule List Reference. The state can then be set by choosing enabled, disabled, or scheduled in the State column.
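The precedence and ordering behaviour described above, as an added Python model that is not part of the BIG-IQ documentation or product: rule lists are walked top to bottom, the first active matching rule decides the action, and a rule list's state overrides the state of every rule inside it. The (start_hour, end_hour) scheduling window, the packet fields, and the sample rule lists are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple
# Constructed model of the evaluation semantics described above (not BIG-IQ code).
# The (start_hour, end_hour) window is an assumption standing in for a schedule object.

def is_active(state: str, window: Tuple[int, int], now: datetime) -> bool:
    # enabled: always active; disabled: never; scheduled: only inside the window
    if state == "disabled":
        return False
    if state == "scheduled":
        return window[0] <= now.hour < window[1]
    return True

@dataclass
class Rule:
    name: str
    action: str                      # "accept", "drop" or "reject"
    src: Optional[str] = None        # None matches any source address
    dst_port: Optional[int] = None   # None matches any destination port
    state: str = "enabled"           # enabled | disabled | scheduled
    window: Tuple[int, int] = (0, 24)
    def matches(self, pkt: dict) -> bool:
        return self.src in (None, pkt["src"]) and self.dst_port in (None, pkt["dst_port"])

@dataclass
class RuleList:
    name: str
    rules: List[Rule] = field(default_factory=list)   # ordered; lists cannot nest
    state: str = "enabled"
    window: Tuple[int, int] = (0, 24)

def evaluate(rule_lists: List[RuleList], pkt: dict, now: datetime):
    """First active matching rule wins; returns (None, None) when nothing matched."""
    for rl in rule_lists:
        if not is_active(rl.state, rl.window, now):
            continue   # list state takes precedence: every rule inside is skipped
        for r in rl.rules:
            if is_active(r.state, r.window, now) and r.matches(pkt):
                return r.action, f"{rl.name}/{r.name}"
    return None, None

# Constructed sample: allow-ssh is enabled but sits in a disabled list, so it never fires.
MAINT = RuleList("maintenance", [Rule("allow-ssh", "accept", dst_port=22)], state="disabled")
PROD = RuleList("prod", [Rule("block-ssh", "drop", dst_port=22),
                         Rule("web", "accept", dst_port=443, state="scheduled", window=(8, 18))])
def decide(pkt: dict, hour: int):
    """Evaluate the sample lists at the given hour of day (the date is arbitrary)."""
    return evaluate([MAINT, PROD], pkt, datetime(2024, 1, 1, hour))
```

Swapping the order of the two rules in a list changes which one fires, which is the effect that reordering rules in the rule list editor has.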

Creating rules

To support a context or policy, you can create specific rules, gather those rules in a rule list, and assign the rule list to the context or policy.
  1. Click Configuration > SECURITY > Network Security > Network Firewall.
  2. Select the object to which you want to add the rule:
     Rule list: In the left pane, click Rule Lists to display the rule lists, then select the rule list to which the rule should be added.
     Context: In the left pane, click Contexts to display the contexts, then select the context to which the rule should be added.
     Policy: In the left pane, click Firewall Policies to display the firewall policies, then select the policy to which the rule should be added.
  3. Add the rule to the object:
     Rule list: In the right pane, click Create Rule.
     Context: In the right pane, click the name of the context's staged or enforced policy to which you want to add the rule, then click Create Rule.
     Policy: In the right pane, click Create Rule.
     A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  4. Complete the fields as appropriate.
     You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  5. Click Save to save your changes.
  6. When you are finished, click Save & Close to save your edits.

Reorder rules in rule lists

You can optimize your network security firewall policy by reordering rules in rule lists to change the order in which they are evaluated. Rules are evaluated from top to bottom in the list (lowest ID number first, highest ID number last).
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
  2. In the right pane, click the specific rule list you want to edit.
  3. On the left, click Rules to ensure that it is selected.
  4. Drag and drop the rules until they are in the correct order.
     If the list of rules extends beyond the editing frame, drag and drop does not work. Instead, copy the rule by right-clicking it and selecting Copy Rule. Then go to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the paste, delete the rule that you copied. You delete rules by right-clicking a rule and selecting Delete Rule.
     Alternatively, you can reorder rules using the Cut Rule option. Right-click the rule and select Cut Rule to select it for reordering, then move your cursor to the new position in the rule list, right-click, and select Paste Before or Paste After as appropriate. The rule is removed from its original position only when it is pasted in the new position in the rule list, not before.
     You can use Copy Rule and then paste rules between rule lists. However, if you use Cut Rule and then paste between rule lists, the cut rule is not removed from its original rule list.
  5. When you are finished, click Save & Close to save your edits.

Removing rules

You can remove specific rules from rule lists, firewalls, or policies to fine-tune security policies. You can remove a rule even if it is the only rule in the rule list.
  1. Locate the rule according to the object you are removing it from:
     From a rule list: In the left pane, expand Rule Lists and click the name of the rule list containing the rule that you want to delete. This opens the Rule List frame, which provides access to the Properties and Rules options.
     From a firewall context: In the left pane, expand Contexts and click the name of the context containing the rule that you want to delete. This opens the Properties frame, which contains the Enforced Policy row and the Staged Policy row, either of which may contain a policy. Click the name of the policy containing the rule to delete, and then click Rules & Rule Lists.
     From a policy: In the left pane, expand Policies and click the name of the policy containing the rule that you want to delete. The Policy frame opens and provides access to the Properties and Rules & Rule Lists options. Select Rules & Rule Lists.
  2. Hover over the row containing the rule, and right-click.
  3. Select Delete rule and, if prompted, confirm the deletion.
  4. Click Save to save your changes.

Creating and adding rule lists

To support a specific firewall or policy, you can create a rule list and then assign it to the firewall context or policy.
  1. Click Configuration > SECURITY > Network Security > Network Firewall.
  2. Click Rule Lists in the navigation pane on the left.
  3. In the Rule Lists pane on the right, click Create.
  4. Click Properties and complete the properties fields as required.
     Name: Unique name. The field is read-only unless you are creating or cloning the rule list.
     Description: Optional description.
     Partition: Although pre-populated with Common (default), you can set the partition name by typing a unique name for the partition. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name. The firewall partition itself is not editable.
  5. Click Rules and create or add rules to the rule list.
  6. Click Save to save your changes, or Save & Close to save your changes and exit the screen.
  7. Select the object in the Policy Editor to which you want to add the rule list:
     Context: Select Contexts in the navigation frame on the left, and then click the specific firewall context to which the rule list should be added.
     Policy: Select Policies in the navigation frame on the left, and then click the specific firewall policy to which the rule list should be added.
  8. Add the rule list to the selected object:
     Context: Click the enforced or staged policy to which the rule list should be added, then click Add Rule List, select from the rule lists in the popup dialog, and click Select.
     Policy: Click Rules & Rule Lists, then click Add Rule List, select from the rule lists in the popup dialog, and click Select.
     You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  9. When you are finished, click Save or Save & Close, as appropriate.

Editing rule lists

You can edit the content of rule lists, including the order of rules in rule lists.
  1. Click Configuration > SECURITY > Network Security > Network Firewall > Rule Lists.
  2. In the right pane, click the specific rule list you want to edit.
  3. Click Properties.
     Name: Informational, read-only field set when creating or cloning the rule list.
     Description: Optional description.
     Partition: Informational, read-only field set when creating or cloning the rule list.
  4. Click Rules, and click the name of the rule you want to edit.
  5. Complete the fields as appropriate.
     You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
  6. Complete fields as appropriate.
     To reorder rules, drag and drop them until they are in the correct order. If the list of rules extends beyond the editing frame, drag and drop does not work. Instead, copy the rule by right-clicking it and selecting Copy Rule. Then navigate to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the paste, delete the rule that you copied.
  7. Click Save to save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies screen is refreshed.

Clearing fields in rules

You can clear the text from fields in rules to fine tune them and, in turn, rule lists and security policies.
  1. Click Configuration > SECURITY > Network Security > Network Firewall.
  2. Expand Rule Lists and click the name of the rule list that you want to edit.
  3. On the left, click Rules to ensure that it is selected.
  4. Click the name of the rule containing the fields whose contents you want to remove.
  5. Not all fields can be cleared, but you can remove the contents of these fields as follows:
     Address (source or destination): Click the X to the right of the field.
     Port (source or destination): Click the X to the right of the field.
     VLAN: Click the X to the right of the field.
     iRule: Select a new iRule, or no iRule.
     Description: Delete the contents of the field.
     Subscriber (ID or group): Click the X to the right of the field.
  6. Click Save to save your changes.
  7. When you are finished, click Save & Close to save your edits.

Deploy rule lists

If you want a quicker deployment by deploying only the rule list portion of a configuration, you can do a partial deployment of the rule list instead of deploying the entire configuration.
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
     The Rule Lists screen opens.
  2. Select the check box next to the rule list you want included in the partial deployment.
  3. Click Deploy.
The system displays the selected rule list, with options for partial deployment selected. Continue the partial deployment process.

Rename rule lists

You rename a rule list when you want to make that name more accurate or distinct. Renaming a rule list causes a new rule list to be created and the old rule list to be deleted in a single transaction. All references to the old rule list are updated to refer to the renamed rule list.
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
  2. Select the check box next to the rule list to rename.
  3. Click Rename.
     A dialog box opens.
  4. Enter the new name in the dialog box and click Save.
     The BIG-IQ system shows the status of the renaming operation in the dialog box.
  5. Click Close to exit the dialog box.
The rule list has been renamed.

Cloning rule lists

Cloning enables you to create and customize rule lists to address unique aspects of your network firewall environment. When you clone a rule list, you create an exact copy of the rule list, which you can then edit to address any special considerations.
Users with the roles of Network Security Viewer or Network Security Deployer cannot clone policies.
  1. Click Configuration > SECURITY > Network Security > Rule Lists.
     The Rule Lists screen opens.
  2. Select the check box to the left of the rule list to clone, and click Clone.
  3. Click Properties and complete the properties fields as required.
     Name: Unique name. The field is read-only unless you are creating or cloning the rule list.
     Description: Optional description.
     Partition: Although pre-populated with Common (default), you can set the partition name by typing a unique name for the partition. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name. The firewall partition itself is not editable.
  4. Click Rules and edit the rules as required to configure the clone. You can also click Create Rule to add a new rule.
  5. When you are finished, click Save.
     If you click Cancel, the rule list is not cloned.
The cloned rule list is added alphabetically under Rule Lists. In a high-availability configuration, the cloned rule list is replicated on the standby system as soon as it is cloned.

Removing rule lists

You can remove rule lists from firewalls or policies to fine tune security policies.
  1. Click Configuration > SECURITY > Network Security > Network Firewall.
  2. Click Rule Lists to display the rule list you want to remove, and then select the check box to the left of that rule list.
  3. At the top of the screen, click Delete.
  4. If it is safe to remove the rule list, a confirmation dialog box opens; click Delete to confirm.
     If the rule list is in use, you cannot complete the removal. A popup screen opens informing you that you cannot remove the rule list because it is in use. Click Close to acknowledge this message, and then click Cancel in the Delete Rule Lists popup screen. To see where a rule list is used, right-click the rule list name and select Filter 'related to'. A search is performed, and any object using the rule list shows a non-zero number next to it in the navigation pane on the left. To clear the search, click the x icon to the right of the search string.