Manual Chapter: Managing Firewall Policies
Applies To: BIG-IQ Centralized Management
- 7.1.0
About firewall policies
A firewall policy is a set of rules, rule lists, or both. BIG-IP network firewalls use policies
to specify traffic-handling actions and to define the parameters for filtering network traffic.
You can assign rule lists, or a policy, to a firewall. Policies let you apply a common
collection of rules consistently across multiple firewalls.
When you are managing clustered BIG-IP devices in the BIG-IQ Centralized Management system,
avoid assigning a firewall policy to a cluster member that is a non-floating self IP. Doing so
may cause unexpected results when performing partial deployments and other actions.
The network software compares each IP packet to the criteria specified in the policy's rules.
If a packet matches a rule, the system takes the action that rule specifies. If a packet
matches no rule in the policy, the software accepts the packet or passes it to the next
policy, rule, or rule list.
In Network Security, the Policies list displays the policies available for assignment to
firewalls.
You can configure firewall policies as enforced or staged:
- An enforced policy is a policy whose actions are executed. Actions include: accept, accept decisively, drop, and reject. You can assign only one enforced policy to any specific firewall.
- A staged policy is a policy that is evaluated, but whose actions are not enforced; all activity is logged. You can assign only one staged policy to any specific firewall. You can have rule lists assigned to a firewall (in the enforced area) and also have a staged policy configured on that firewall. You cannot have rule lists in the staged area.
You can stage a firewall policy first and then examine logs to determine how the policy has
affected traffic. Then you can determine the timing for turning the policy from staged to
enforced.
Firewall policies can contain any combination of rules and rule lists. Policies cannot
contain other policies. You can re-order rules within a policy.
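The following Python model is an added illustration of the evaluation semantics described above and under "Reorder rules in firewall policies"; it is not F5 code and does not appear in this manual. It flattens rules and rule lists in order, applies first-match-wins, accepts a packet that matches nothing, evaluates a staged policy for logging only while the enforced policy decides, and shows how rule order alone changes a verdict. The Packet, Rule, RuleList and Policy classes, the rule names, addresses and packets are all constructed for the example.

```python
"""Simplified model of enforced vs. staged firewall-policy evaluation.
Illustrative only, not F5 code: rules, addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Union

# Actions named on this page. "accept decisively" ends all further evaluation;
# a plain "accept" can still be revisited by a later policy in the device's chain.
ACCEPT, ACCEPT_DECISIVELY, DROP, REJECT = "accept", "accept-decisively", "drop", "reject"


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # destination port, if any


@dataclass
class Rule:
    name: str
    action: str
    proto: Optional[str] = None        # None matches any protocol
    src: Optional[str] = None          # CIDR; None matches any source
    dst: Optional[str] = None          # CIDR; None matches any destination
    dports: Optional[Set[int]] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


@dataclass
class RuleList:
    name: str
    rules: List[Rule]


@dataclass
class Policy:
    name: str
    items: List[Union[Rule, RuleList]]  # rules and rule lists only; never another policy

    def flat_rules(self) -> Iterator[Rule]:
        # A rule list is expanded in place, so its rules keep their position in the policy.
        for item in self.items:
            yield from (item.rules if isinstance(item, RuleList) else [item])

    def first_match(self, p: Packet) -> Optional[Rule]:
        # Top-to-bottom evaluation: the first matching rule decides.
        return next((r for r in self.flat_rules() if r.matches(p)), None)


def evaluate(p: Packet, enforced: Optional[Policy], staged: Optional[Policy], log: List[str]) -> str:
    """Return the enforced verdict for p. The staged policy is evaluated and logged only."""
    if staged is not None:
        hit = staged.first_match(p)
        outcome = f"{hit.action} via {hit.name}" if hit else "accept (no match)"
        log.append(f"staged {staged.name}: {p.proto} {p.src}->{p.dst}:{p.dport} would {outcome}")
    if enforced is not None:
        hit = enforced.first_match(p)
        if hit is not None:
            return hit.action
    return ACCEPT  # no rule matched: the packet is accepted (or handed to the next policy)


def demo():
    """Enforced policy beside a tighter staged candidate, over constructed packets."""
    mgmt = RuleList("mgmt-access", [
        Rule("allow-ssh-from-admin", ACCEPT, "tcp", "10.0.10.0/24", None, {22}),
        Rule("deny-ssh", DROP, "tcp", None, None, {22}),
    ])
    default_deny = Rule("default-deny", DROP)  # matches everything, so it must stay last
    enforced = Policy("prod-fw", [mgmt,
                                  Rule("allow-https", ACCEPT, "tcp", None, "192.0.2.10/32", {443}),
                                  default_deny])
    staged = Policy("prod-fw-v2", [mgmt,
                                   Rule("allow-https-partners", ACCEPT, "tcp",
                                        "198.51.100.0/24", "192.0.2.10/32", {443}),
                                   default_deny])
    packets = [Packet("tcp", "10.0.10.5", "192.0.2.10", 22),      # admin SSH
               Packet("tcp", "203.0.113.7", "192.0.2.10", 22),    # outside SSH
               Packet("tcp", "203.0.113.7", "192.0.2.10", 443),   # outside HTTPS
               Packet("tcp", "198.51.100.9", "192.0.2.10", 443)]  # partner HTTPS
    log: List[str] = []
    verdicts = [evaluate(p, enforced, staged, log) for p in packets]
    return verdicts, log


def reorder_demo():
    """The same two rules in both orders: order alone flips the verdict for admin SSH."""
    admin = Rule("allow-ssh-from-admin", ACCEPT, "tcp", "10.0.10.0/24", None, {22})
    deny = Rule("deny-ssh", DROP, "tcp", None, None, {22})
    p = Packet("tcp", "10.0.10.5", "192.0.2.10", 22)
    return (Policy("ordered", [admin, deny]).first_match(p).action,
            Policy("misordered", [deny, admin]).first_match(p).action)


if __name__ == "__main__":
    verdicts, log = demo()
    print("\n".join(log))
    print("enforced verdicts:", verdicts, "| rule order effect:", reorder_demo())
```

Running the block shows the third packet (HTTPS from outside the partner range) being accepted by the enforced policy while the staged log records that it would have been dropped by default-deny; that log line is exactly the kind of evidence to examine before promoting a staged policy to enforced. The reorder_demo result shows why a catch-all deny placed above a narrower allow silently breaks the allow.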
The Network Security system is
aware of functionality implemented in one BIG-IP software version but not in another. In terms
of firewall policies, this means that you are prohibited from dropping a policy onto a
firewall on a BIG-IP device that does not have the software version required to support
it.
Filtering policies
To filter the system interface to display only those objects related to a selected policy,
hover over the policy name, right-click, and then click Filter 'related to'. The interface is
filtered and a count appears to the right of each object type. The frame to the right provides
its own filter field where you can enter text and click the filter icon to constrain the
display to those items that match the filter.
Creating firewall policies
To fine-tune your network firewalls, you can configure policies and assign them to
firewalls using the Rules & Rule Lists settings on the Firewall Policies screen.
- Click.
- Click Create to open the New Firewall Policies screen.
- Click Properties and complete the properties fields as required. All boxes outlined in gold are required fields.
  - Name: User-provided name for the policy. This field is editable when creating or cloning a policy, and read-only when editing a policy.
  - Description: Optional description for the policy.
  - Partition: Although it is pre-populated with Common (default), you can set the partition when creating or cloning policies by typing a unique partition name. No whitespace is allowed in the partition name. The partition cannot be edited afterwards. A partition with that name must already exist on the BIG-IP device.
  - Application Templates: Select whether the policy is available to application templates. To make this policy available to application templates, select Make available in Application Templates.
- Click Rules, and then click either:
  - Create Rule to create rules.
  - Add Rule List to add rule lists.
- Click Save to save the firewall policy, or click Save & Close to save the firewall policy and return to the Firewall Policies screen.
A new firewall policy is added.
Cloning firewall policies
Cloning creates an exact copy of a firewall policy under a different name, which you can
then edit to address any special considerations of your network firewall environment. It
is a quick way to create policies tailored to individual firewalls. Users with the roles of
Network Security Viewer or Network Security Deployer cannot clone policies.
- Click.
- On the left, click Firewall Policies to see the list of firewall policies.
- Select a firewall policy in the list using the check box on the left and click Clone to copy and modify an existing firewall policy.
- Click Properties and complete the properties fields as required. All boxes outlined in gold are required fields.
  - Name: User-provided name for the policy. This field is editable when creating or cloning a policy, and read-only when editing a policy.
  - Description: Optional description for the policy.
  - Partition: Although it is pre-populated with Common (default), you can set the partition when creating or cloning policies by typing a unique partition name. No whitespace is allowed in the partition name. The partition cannot be edited afterwards. A partition with that name must already exist on the BIG-IP device.
  - Application Templates: Select whether the policy is available to application templates. To make this policy available to application templates, select Make available in Application Templates.
- Click Rules, and then click either:
  - Create Rule to create rules.
  - Add Rule List to add rule lists.
- Click Save to save the firewall policy, or click Save & Close to save the firewall policy and return to the Firewall Policies page.
The cloned policy appears in the Firewall Policies screen. In an HA configuration,
the cloned policy appears on the standby BIG-IQ system as soon as
it is saved.
Deploy firewall policies
If you want a quicker deployment that pushes only the firewall policy portion of a configuration, you can do a partial deployment of the firewall policy instead of deploying the entire configuration.
- Click. The Firewall Policies screen opens.
- Click the check box next to the firewall policy you want included in the partial deployment.
- Click Deploy.
The system displays the selected firewall policy, with options for partial deployment selected.
Continue the partial deployment process.
Rename firewall policies
You rename a firewall policy when you want to make that name more accurate or distinct. Renaming a firewall policy causes a new firewall policy to be created and the old firewall policy to be deleted in a single transaction. All references to the old firewall policy are updated to refer to the renamed firewall policy.
- Click.
- Select the check box next to the firewall policy to rename.
- Click. A dialog box displays.
- Enter the new name in the dialog box and click Save. The BIG-IQ system shows the status of the renaming operation in the dialog box.
- Click Close to exit the dialog box.
The firewall policy has been renamed.
Make firewall policies available in application templates
You make a firewall policy available to application templates so that it can be used to create applications.
- Click.
- Select the check box next to the firewall policy to add to the application template.
- Click. A dialog box displays.
- Confirm that you want to make the policy available to templates and click Save. The BIG-IQ system shows the status of the operation in the dialog box.
The firewall policy is now available to application templates. Note that the policy now has
Yes as the value in the Available to Application Templates column. To remove this policy
from application templates, click .
Reorder rules in firewall policies
Using the Firewall Policies screen, you can reorder the rules in a firewall policy to change
the order in which they are evaluated. Rules are evaluated from top to bottom in the list
(lowest Id number first, highest Id number last), so a broad rule placed above a narrower one
takes precedence over it.
- Click.
- Click the name of the firewall policy to edit.
- Click Rules.
- To reorder rule lists or rules, drag and drop them until they are in the correct order. You can also right-click a rule row and select among the ordering options. You can use Copy Rule and then paste rules between policies. However, if you use Cut Rule and then paste between policies, the cut rule is not removed from the source policy.
- Click Save to save your changes.
- When you are finished, click Save & Close to save your edits and return to the Firewall Policies screen.
Deleting firewall policies
You can remove obsolete firewall policies to keep network firewalls up to date.
If a firewall policy is in use, you cannot remove it. To see where a firewall policy is
used, right-click the firewall policy name and click Filter 'related to'. The BIG-IQ
system displays a count of where the policy is used in the list to the left.
- Click.
- On the left, click Firewall Policies to see the list of firewall policies.
- Select the firewall policy to be deleted using the check box to the left of the firewall policy.
- Click Delete and then confirm the permanent removal in the popup dialog box.
The policy is deleted and no longer appears in the list of firewall policies.