Manual Chapter :
Managing Rules and Rule Lists
Applies To:
Show VersionsBIG-IQ Centralized Management
- 7.1.0
Managing Rules and Rule Lists
About rules and rule lists
Network firewalls use rules and rule lists to specify traffic-handling actions. The network
software compares IP packets to the criteria specified in rules. If a packet matches the
criteria, then the system takes the action specified by the rule. If a packet does not match
any rule from the list, the software accepts the packet or passes it to the next rule or rule
list. For example, the system compares the packet to self IP rules if the packet is destined
for a network associated with a self IP address that has firewall rules defined.
Rule lists
are containers for rules, which are run in the order they appear in
their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be
nested inside another rule list. You can reorder rules in a given rule list at any time.Enabling, disabling and scheduling rules
and rule lists
Once a rule or a rule list is created, you can set the state of that rule or rule list to
enable it, disable it, or schedule when it is enabled. By default, a rule or rule list is
enabled. Settings on a rule list take precedence over those on a rule. For example, if a
rule has a state of enabled, but is contained within a rule list that has a state of
disabled, the rule used in that rule list will be disabled. The process differs for setting
the state of a rule and setting the state of a rule list.
- To set the state for a rule, edit the rule and choose enabled, disabled or scheduled in the State column.
- To set the state for a rule list, edit the rule list, and right click the rule list name and selectEdit Rule List Reference. The state can now be set by choosing enabled, disabled or scheduled in the State column.
Creating rules
To support a context or policy, you can create specific rules, gather those rules
in a rule list, and assign the rule list to the context or policy.
- Click.
- Select the object to which you want to add the rule:Rule listIn the left pane, clickRule Liststo display the rule lists, then select the rule list to have the rule added.ContextIn the left pane, clickContextsto display the contexts, then select the context to have the rule added.PolicyIn the left pane, clickFirewall Policiesto display the firewall policies, then select the policy to have the rule added.
- Add the rule to the object:Rule listIn the right pane, clickCreate Rule.ContextIn the right pane, click the name of the context staged or enforced policy to which you want to add the rule, then clickCreate Rule.PolicyIn the right pane, clickCreate Rule.A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
- Complete the fields as appropriate.You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosingAdd Rule beforeorAdd Rule after.
- ClickSaveto save your changes.
- When you are finished, clickSave & Closeto save your edits.
Reorder rules in rule lists
You can optimize your network
security firewall policy by reordering rules in rule lists to change the order in which
they are evaluated. Rules are evaluated from top to bottom in the list (lowest Id number
first, highest Id number last).
- Click.
- Click the specific rule list you want to edit in the right pane.
- On the left, clickRulesto ensure that it is selected.
- Drag and drop the rules until they are in the correct order.If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selectingCopy Rule. Then, go to the new location for the rule, right-click, and selectPaste BeforeorPaste Afteras appropriate. After the paste, delete the rule that you copied. You delete rules by right-clicking a rule and selectingDelete Rule.Alternatively, you can reorder rules using theCut Ruleoption. Right-click the rule and selectCut Ruleto select the rule for reordering, then move your cursor to the new position in the rule list, and selectPaste BeforeorPaste Afteras appropriate. The rule is removed from the original position when it is pasted in the new position in the rule list, but not before.You can useCopy Ruleand then paste rules between rule lists. However, if you useCut Ruleand then paste between rule lists, the cut rule will not be removed from the rule list.
- When you are finished, clickSave & Closeto save your edits.
Removing rules
You can remove specific rules from rule lists, firewalls, or policies, to fine tune
security policies.
You can remove a rule even if it is the only rule
in the rule list.
- You remove a rule based on the object that you remove it from:From a rule listIn the left pane, expandRules Listsand click the name of the rule list containing the rule that you want to delete. This opens the Rule List frame that provides access toPropertiesandRulesoptions.From a firewall contextIn the left pane, expandContexts, click the name of the context containing the rule that you want to delete. This opens the Properties frame which contains the Enforced Policy row and the Staged Policy row, either of which may contain a policy. Click the policy name containing the rule to delete and then clickRules & Rule Lists.From a policyIn the left pane, expandPolicies, click the name of the policy containing the rule that you want to delete. The Policy frame opens and provides access toPropertiesandRules & Rule Listsoptions. SelectRules & Rule Lists.
- Hover over the row containing the rule, and right-click.
- SelectDelete ruleand, if prompted, confirm the deletion.
- ClickSaveto save your changes.
Creating and adding rule lists
To support a specific firewall or policy, you can create a rule list and then
assign it to the firewall context or policy.
- Click.
- Click Rule Lists in the navigation pane on the left.
- In the Rule Lists pane on the right, clickCreate.
- ClickPropertiesand complete the properties fields as required.NameUnique name. The field is read-only field unless creating or cloning the rule list.DescriptionOptional description.PartitionAlthough pre-populated withCommon(default), you can set the partition name by typing a unique name for the partition.The firewall partition itself is not editable.The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
- ClickRulesand create or add rules to the rule list.
- ClickSaveto save your changes orSave & Closeto save your changed and exit the screen.
- Select the object in the Policy Editor to which you want to add the rule list:ContextSelect Contexts in the navigation frame on the left, and then click the specific firewall context to have a rule list added.PolicySelect Policies in the navigation frame on the left, and then click the specific firewall policy to have a rule list added.
- Add the rule list to the selected object:ContextClick the enforced or staged policy to which the rule list should be added, then clickAdd Rule List, select from the rule lists in the popup dialog, and clickSelect.PolicyClickRules & Rule Lists, then clickAdd Rule List, then select from the rule lists in the popup dialog, and clickSelect.You can add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosingadd rule beforeoradd rule after.
- When you are finished, clickSaveorSave & Close, as appropriate.
Editing rule lists
You can edit the content of rule
lists,
including the order of rules in rule lists.
- Click.
- Click the specific rule list you want to edit in the right pane.
- ClickProperties.NameInformational, read-only field set when creating or cloning the rule list.DescriptionOptional description.PartitionInformational, read-only field set when creating or cloning the rule list.
- ClickRules, and click the name of the rule you want to edit.
- Complete the fields as appropriate.You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosingAdd Rule beforeorAdd Rule after.
- Complete fields as appropriate.To reorder rules, simply drag and drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selectingCopy Rule. Then, navigate to the new location for the rule, right-click, and selectPaste BeforeorPaste Afteras appropriate. After the paste, delete the rule that you copied.
- ClickSaveto save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies
screen is refreshed.
Clearing fields in rules
You can clear the text from fields in rules to fine tune them and, in turn, rule
lists and security policies.
- Click.
- ExpandRule Listsand click the name of a rule list that you want to edit.
- On the left, clickRulesto ensure that it is selected.
- Click the name of the rule containing the fields whose contents you want to remove.
- Not all fields can be cleared, but you can remove the contents of these fields as follows:Address(source or destination)Click theXto the right of the field.Port(source or destination)Click theXto the right of the field.VLANClick theXto the right of the field.iRuleSelect a new iRule, or no iRule.DescriptionDelete the contents of the field.Subscriber(ID or group)Click theXto the right of the field.
- ClickSaveto save your changes.
- When you are finished, clickSave & Closeto save your edits.
Deploy rule lists
If you want to do a quicker deployment by only deploying the rule list portion of a configuration, you can do a partial deployment of the rule list, instead of deploying the entire configuration.
- Click.The Rule Lists screen opens.
- Click the check box next to the rule list you want included in the partial deployment.
- ClickDeploy.
The system displays the selected rule list, with options for partial deployment selected.
Continue the partial deployment process.
Rename rule lists
You rename a rule list when you want to make that name more accurate or distinct. Renaming a rule list causes a new rule list to be created and the old rule list to be deleted in a single transaction. All references to the old rule list are updated to refer to the renamed rule list.
- Click.
- Select the check box next to the rule list to rename.
- ClickRename.A dialog box displays.
- Enter the new name in the dialog box and clickSave.The BIG-IQ system shows the status of the renaming operation in the dialog box.
- ClickCloseto exit the dialog box.
The rule list has been renamed.
Cloning rule lists
Cloning enables you to create and
customize rule lists to address unique aspects of your network firewall environment.
When you clone a rule list, you create an exact copy of the rule list, which you can
then edit to address any special considerations.
Users with the roles of Network
Security Viewer or Network Security Deployer cannot clone policies.
- Click..The Rule Lists screen opens.
- Click the checkbox to the left of the rule list to clone, and clickClone.
- ClickPropertiesand complete the properties fields as required.NameUnique name. The field is read-only field unless creating or cloning the rule list.DescriptionOptional description.PartitionAlthough pre-populated withCommon(default), you can set the partition name by typing a unique name for the partition.The firewall partition itself is not editable.The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
- ClickRules, edit the rules as required to configure the clone.You can also clickCreate Ruleto add a new rule.
- When you are finished, clickSave.If you clickCancel, the rule list is not cloned.
The cloned rule list is added alphabetically under
Rule
Lists
. In a high-availability configuration, the cloned rule list is
replicated on the standby system as soon as it is cloned.Removing rule lists
You can remove rule lists from firewalls or policies to fine tune security
policies.
- Click.
- ClickRule Liststo display the rule list you want to remove, and then click the check box to the left of that rule list.
- At the top of the screen, clickDelete.
- If it is safe to remove the rule list, a confirmation dialog box opens; clickDeleteto confirm.If the rule list is in use, you cannot complete the removal. A popup screen opens informing you that you cannot remove the rule list because it is in use. ClickCloseto acknowledge this message, and then clickCancelin the Delete Rule Lists popup screen. To see where a rule list is used, right click the rule list name and selectFilter 'related to'. A search is performed and any object using the rule list will have a non-zero number appear next to it in the navigation pane on the left. To clear the search, click thexicon to the right of the search string.