Manual Chapter: Managing Rules and Rule Lists
Applies To: BIG-IQ Centralized Management 7.1.0
About rules and rule lists
Network firewalls use rules and rule lists to specify traffic-handling actions. The network
software compares IP packets to the criteria specified in rules. If a packet matches the
criteria, then the system takes the action specified by the rule. If a packet does not match
any rule from the list, the software accepts the packet or passes it to the next rule or rule
list. For example, the system compares the packet to self IP rules if the packet is destined
for a network associated with a self IP address that has firewall rules defined.
Rule lists are containers for rules, which are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list. You can reorder rules in a given rule list at any time.
Enabling, disabling and scheduling rules and rule lists
Once a rule or a rule list is created, you can set the state of that rule or rule list to
enable it, disable it, or schedule when it is enabled. By default, a rule or rule list is
enabled. Settings on a rule list take precedence over those on a rule. For example, if a
rule has a state of enabled, but is contained within a rule list that has a state of
disabled, the rule used in that rule list will be disabled. The process differs for setting
the state of a rule and setting the state of a rule list.
- To set the state for a rule, edit the rule and choose enabled, disabled or scheduled in the State column.
- To set the state for a rule list, edit the rule list, right-click the rule list name and select Edit Rule List Reference. The state can now be set by choosing enabled, disabled or scheduled in the State column.
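The ordering and state semantics described above, as an added example that is not part of the BIG-IQ manual: a small Python model of a policy made of rules and rule lists. It flattens the policy into the ID numbering the Rule properties table describes (1, 2, 3, 4, 4.1, 4.2, 5), applies the rule-list-over-rule state precedence, and evaluates a constructed packet top to bottom. The Rule and RuleList classes, the first-match behaviour, and the reading of "scheduled" as "enabled only inside a time window" are assumptions of this example, not semantics stated on this page.

```python
"""Added example (not from the BIG-IQ manual): ordered evaluation of rules and
rule lists, with rule-list state taking precedence over rule state.

Assumptions, labelled because the manual does not define them:
- a "scheduled" item is treated as enabled only inside its [start, end) window;
- evaluation is first-match: the first effective rule whose predicate is true
  decides the action, and no match returns "no-match" for the caller to handle.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, List, Optional, Tuple, Union

Packet = dict  # constructed packet shape, e.g. {"dst_port": 22}
Window = Tuple[datetime, datetime]


@dataclass
class Rule:
    name: str
    action: str                      # "accept" or "reject"
    match: Callable[[Packet], bool]  # the rule's classifier as a predicate
    state: str = "enabled"           # "enabled", "disabled" or "scheduled"
    window: Optional[Window] = None  # [start, end) for a scheduled rule


@dataclass
class RuleList:
    name: str
    rules: List[Rule] = field(default_factory=list)
    state: str = "enabled"
    window: Optional[Window] = None


def is_active(state: str, window: Optional[Window], now: datetime) -> bool:
    """Resolve a state setting to yes/no at time `now`."""
    if state == "enabled":
        return True
    if state == "scheduled" and window is not None:
        start, end = window
        return start <= now < end
    return False  # "disabled", or "scheduled" with no window


def flatten(policy: List[Union[Rule, RuleList]]):
    """Walk the policy in evaluation order, yielding (id, item, container).

    A rule list occupies one top-level number; its rules are numbered after
    the decimal point, as in 4, 4.1, 4.2.
    """
    for i, item in enumerate(policy, start=1):
        yield str(i), item, None
        if isinstance(item, RuleList):
            for j, rule in enumerate(item.rules, start=1):
                yield f"{i}.{j}", rule, item


def ids(policy) -> List[str]:
    return [rid for rid, _, _ in flatten(policy)]


def rule_is_effective(rule: Rule, container: Optional[RuleList], now: datetime) -> bool:
    """Rule list settings win: an enabled rule inside an inactive rule list is inactive."""
    if container is not None and not is_active(container.state, container.window, now):
        return False
    return is_active(rule.state, rule.window, now)


def evaluate(policy, packet: Packet, now: datetime):
    """First-match evaluation, top to bottom (lowest ID first)."""
    for rid, item, container in flatten(policy):
        if isinstance(item, RuleList):
            continue  # the list entry itself is only a container
        if rule_is_effective(item, container, now) and item.match(packet):
            return rid, item.action
    return None, "no-match"


def sample_time(hour: int) -> datetime:
    """Constructed clock for the example: 1 Jan 2024 at the given hour."""
    return datetime(2024, 1, 1, hour, 0)


def build_policy(mgmt_state: str = "enabled"):
    """Constructed sample policy: 3 rules, a 2-rule rule list, then a catch-all."""
    maintenance = (sample_time(2), sample_time(4))  # 02:00-04:00 window
    mgmt = RuleList("mgmt", state=mgmt_state, rules=[
        Rule("allow_ssh", "accept", lambda p: p.get("dst_port") == 22),
        Rule("allow_rdp_maintenance", "accept", lambda p: p.get("dst_port") == 3389,
             state="scheduled", window=maintenance),
    ])
    return [
        Rule("allow_http", "accept", lambda p: p.get("dst_port") == 80),
        Rule("allow_https", "accept", lambda p: p.get("dst_port") == 443),
        Rule("allow_dns", "accept", lambda p: p.get("dst_port") == 53),
        mgmt,
        Rule("deny_all", "reject", lambda p: True),
    ]


if __name__ == "__main__":
    print(ids(build_policy()))
    print(evaluate(build_policy(), {"dst_port": 22}, sample_time(3)))
    print(evaluate(build_policy("disabled"), {"dst_port": 22}, sample_time(3)))
```

Running the module shows the disabled rule list in action: with the mgmt list enabled, an SSH packet is accepted by rule 4.1; with the list disabled, the same packet falls through to the catch-all rule 5 even though rule 4.1 itself is still marked enabled.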
Creating rules
To support a context or policy, you can create specific rules, gather those rules
in a rule list, and assign the rule list to the context or policy.
- Click.
- Select the object to which you want to add the rule:
  - Rule list: In the left pane, click Rule Lists to display the rule lists, then select the rule list to have the rule added.
  - Context: In the left pane, click Contexts to display the contexts, then select the context to have the rule added.
  - Policy: In the left pane, click Firewall Policies to display the firewall policies, then select the policy to have the rule added.
- Add the rule to the object:
  - Rule list: In the right pane, click Create Rule.
  - Context: In the right pane, click the name of the context's staged or enforced policy to which you want to add the rule, then click Create Rule.
  - Policy: In the right pane, click Create Rule.
  A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
- Complete the fields as appropriate. You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
- Click Save to save your changes.
- When you are finished, click Save & Close to save your edits.
Reorder rules in rule lists
You can optimize your network security firewall policy by reordering rules in rule lists to change the order in which they are evaluated. Rules are evaluated from top to bottom in the list (lowest ID number first, highest ID number last).
- Click.
- Click the specific rule list you want to edit in the right pane.
- On the left, click Rules to ensure that it is selected.
- Drag and drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selecting Copy Rule. Then go to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the paste, delete the rule that you copied. You delete rules by right-clicking a rule and selecting Delete Rule. Alternatively, you can reorder rules using the Cut Rule option: right-click the rule and select Cut Rule to select the rule for reordering, then move your cursor to the new position in the rule list and select Paste Before or Paste After as appropriate. The rule is removed from the original position when it is pasted in the new position in the rule list, but not before. You can use Copy Rule and then paste rules between rule lists. However, if you use Cut Rule and then paste between rule lists, the cut rule will not be removed from the rule list.
- When you are finished, click Save & Close to save your edits.
Removing rules
You can remove specific rules from rule lists, firewalls, or policies to fine-tune security policies.
You can remove a rule even if it is the only rule in the rule list.
- You remove a rule based on the object that you remove it from:
  - From a rule list: In the left pane, expand Rule Lists and click the name of the rule list containing the rule that you want to delete. This opens the Rule List frame, which provides access to the Properties and Rules options.
  - From a firewall context: In the left pane, expand Contexts and click the name of the context containing the rule that you want to delete. This opens the Properties frame, which contains the Enforced Policy row and the Staged Policy row, either of which may contain a policy. Click the policy name containing the rule to delete and then click Rules & Rule Lists.
  - From a policy: In the left pane, expand Policies and click the name of the policy containing the rule that you want to delete. The Policy frame opens and provides access to the Properties and Rules & Rule Lists options. Select Rules & Rule Lists.
- Hover over the row containing the rule, and right-click.
- Select Delete Rule and, if prompted, confirm the deletion.
- Click Save to save your changes.
Creating and adding rule lists
To support a specific firewall or policy, you can create a rule list and then
assign it to the firewall context or policy.
- Click.
- Click Rule Lists in the navigation pane on the left.
- In the Rule Lists pane on the right, click Create.
- Click Properties and complete the properties fields as required.
  - Name: Unique name. The field is read-only unless you are creating or cloning the rule list.
  - Description: Optional description.
  - Partition: Although pre-populated with Common (default), you can set the partition name by typing a unique name for the partition. The firewall partition itself is not editable. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
- Click Rules and create or add rules to the rule list.
- Click Save to save your changes, or Save & Close to save your changes and exit the screen.
- Select the object in the Policy Editor to which you want to add the rule list:
  - Context: Select Contexts in the navigation frame on the left, and then click the specific firewall context to have a rule list added.
  - Policy: Select Policies in the navigation frame on the left, and then click the specific firewall policy to have a rule list added.
- Add the rule list to the selected object:
  - Context: Click the enforced or staged policy to which the rule list should be added, then click Add Rule List, select from the rule lists in the popup dialog, and click Select.
  - Policy: Click Rules & Rule Lists, then click Add Rule List, select from the rule lists in the popup dialog, and click Select.
  You can add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
- When you are finished, click Save or Save & Close, as appropriate.
Editing rule lists
You can edit the content of rule lists, including the order of rules in rule lists.
- Click.
- Click the specific rule list you want to edit in the right pane.
- Click Properties.
  - Name: Informational, read-only field set when creating or cloning the rule list.
  - Description: Optional description.
  - Partition: Informational, read-only field set when creating or cloning the rule list.
- Click Rules, and click the name of the rule you want to edit.
- Complete the fields as appropriate. You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing Add Rule before or Add Rule after.
- Complete fields as appropriate. To reorder rules, drag and drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selecting Copy Rule. Then navigate to the new location for the rule, right-click, and select Paste Before or Paste After as appropriate. After the paste, delete the rule that you copied.
- Click Save to save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies
screen is refreshed.
Clearing fields in rules
You can clear the text from fields in rules to fine-tune them and, in turn, the rule lists and security policies that use them.
- Click.
- Expand Rule Lists and click the name of a rule list that you want to edit.
- On the left, click Rules to ensure that it is selected.
- Click the name of the rule containing the fields whose contents you want to remove.
- Not all fields can be cleared, but you can remove the contents of these fields as follows:
  - Address (source or destination): Click the X to the right of the field.
  - Port (source or destination): Click the X to the right of the field.
  - VLAN: Click the X to the right of the field.
  - iRule: Select a new iRule, or no iRule.
  - Description: Delete the contents of the field.
  - Subscriber (ID or group): Click the X to the right of the field.
- Click Save to save your changes.
- When you are finished, click Save & Close to save your edits.
Deploy rule lists
If you want to do a quicker deployment by only deploying the rule list portion of a configuration, you can do a partial deployment of the rule list, instead of deploying the entire configuration.
- Click. The Rule Lists screen opens.
- Click the check box next to the rule list you want included in the partial deployment.
- Click Deploy.
The system displays the selected rule list, with options for partial deployment selected.
Continue the partial deployment process.
Rename rule lists
You rename a rule list when you want to make that name more accurate or distinct. Renaming a rule list causes a new rule list to be created and the old rule list to be deleted in a single transaction. All references to the old rule list are updated to refer to the renamed rule list.
- Click.
- Select the check box next to the rule list to rename.
- Click Rename. A dialog box displays.
- Enter the new name in the dialog box and click Save. The BIG-IQ system shows the status of the renaming operation in the dialog box.
- Click Close to exit the dialog box.
The rule list has been renamed.
Cloning rule lists
Cloning enables you to create and customize rule lists to address unique aspects of your network firewall environment. When you clone a rule list, you create an exact copy of the rule list, which you can then edit to address any special considerations.
Users with the roles of Network Security Viewer or Network Security Deployer cannot clone policies.
- Click. The Rule Lists screen opens.
- Click the check box to the left of the rule list to clone, and click Clone.
- Click Properties and complete the properties fields as required.
  - Name: Unique name. The field is read-only unless you are creating or cloning the rule list.
  - Description: Optional description.
  - Partition: Although pre-populated with Common (default), you can set the partition name by typing a unique name for the partition. The firewall partition itself is not editable. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
- Click Rules, and edit the rules as required to configure the clone. You can also click Create Rule to add a new rule.
- When you are finished, click Save. If you click Cancel, the rule list is not cloned.
The cloned rule list is added alphabetically under Rule Lists. In a high-availability configuration, the cloned rule list is replicated on the standby system as soon as it is cloned.
Removing rule lists
You can remove rule lists from firewalls or policies to fine-tune security policies.
- Click.
- Click Rule Lists to display the rule list you want to remove, and then click the check box to the left of that rule list.
- At the top of the screen, click Delete.
- If it is safe to remove the rule list, a confirmation dialog box opens; click Delete to confirm. If the rule list is in use, you cannot complete the removal. A popup screen opens informing you that you cannot remove the rule list because it is in use. Click Close to acknowledge this message, and then click Cancel in the Delete Rule Lists popup screen. To see where a rule list is used, right-click the rule list name and select Filter 'related to'. A search is performed and any object using the rule list will have a non-zero number appear next to it in the navigation pane on the left. To clear the search, click the x icon to the right of the search string.
Rule properties
This table describes the properties required when you are configuring network firewall
rules.
Property | Description |
---|---|
ID | The evaluation order identifier of the rule within the policy. Rules are evaluated from the lowest number to the highest. If a rule is contained within a rule list, it will be numbered with the number of the rule list, with the contained rule numbered after the decimal point. For example, a policy with 3 rules, followed by a rule list containing 2 rules, followed by another rule outside of the rule list, would be numbered as: 1, 2, 3, 4, 4.1, 4.2, 5. In the example, 4 represents the rule list, and 4.1 and 4.2 are the rules within that rule list. |
Name | In a rule list, the unique, user-provided name for the rule. Alternatively, in a firewall context or firewall policy, a rule list name preceded by Reference_To_, such as Reference_To_sys_self_allow_all. |
Address (Source or Destination) | An IPv4 or IPv6 source or destination IP address, address range, or address list to which the firewall rule applies. You can specify subnets using forward slash (/) notation in either IPv4 or IPv6, such as 60.63.10.0/24 or 2001:db8:a::/64. You can also append a route domain to an address using the format %RouteDomainID/Mask, for example 12.2.0.0%44/16. You can add additional addresses, address ranges, address lists, or countries/regions (Add) and delete addresses, address ranges, address lists, or countries/regions (X). To recover an address that was marked for deletion using X, re-enter the address and click Add. |
Port (Source or Destination) | Specifies source or destination port entries (ports, port ranges, or port lists) to which the firewall rule applies. You can add additional ports, port ranges, or port lists (Add) and delete ports, port ranges, or port lists (X). To recover a port that was marked for deletion using X, re-enter the port and click Add. |
VLAN (Source) | Specifies a VLAN or tunnel from which the packet source originates, to which the rule applies. This VLAN is physically present on the device (Internal, External, or Any). If you specify a VLAN in a rule without also specifying the VLAN's partition, the deployment task will fail when you attempt to deploy that rule to a firewall. Use the format partition/VLAN or /partition/VLAN, for example Common/external or /Common/external. |
Subscriber (Source) | Select a subscriber or subscriber group to which the rule applies. Leaving all address fields blank applies the rule to all addresses and all ports. You can also select Unknown or Uncertain. The difference between Unknown and Uncertain is subtle: Unknown means that the session has been provisioned (via PCRF) but the subscriber and/or subscriber group is not known; Uncertain means that the session has not been provisioned and thus there is no subscriber and/or subscriber group information. Options are provided to add additional subscribers or subscriber groups (Add) and to delete subscribers or subscriber groups (X). To recover a subscriber that was marked for deletion using X, re-enter the subscriber and click Add. When you are finished, save your work. |
Action | Specifies the action taken when the firewall rule is matched, such as whether the packet is accepted or rejected. |
iRule | Specifies an iRule that is applied to the rule. Optionally, you can enter a number in the Sampling Rate field to indicate how often to take a sample. iRules® use syntax based on the industry-standard Tools Command Language (Tcl). For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com. Note that iRules must conform to standard Tcl grammar rules. For more information on Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html. Note that iRules are not supported on the management IP context. |
Protocol | Specifies the IP protocol to compare against the packet. If you select ICMP or IPv6-ICMP, additional fields open where you can specify Type and Code combinations. If you select Other, only a Type field is displayed. The default type is Any and the default code is Any. The type and code combinations are too numerous to document here. For details, consult the F5 Networks DevCentral site, http://devcentral.f5.com, or the documentation for the specific BIG-IP platform. |
State | Specifies the activity state of the rule, such as whether it is enabled or disabled. |
Send to Virtual | Specifies a virtual server to which packets matched by the firewall rule classifiers are routed. When a firewall rule is routed to a virtual server, the firewall rule action is not applied. This option is available only for rules on the global, route domain, or self IP context. |
Service Policy | Specifies a service policy to associate with a rule. A service policy allows you to associate network idle timers or timer policies with firewall contexts and rules. You can add a service policy to a rule by dragging the service policy from the Shared Objects area onto the Service Policy column for the rule. This field is available with BIG-IP devices version 12.0 or higher. |
Log | Specifies whether the firewall software should write a log entry for any packets that match this rule. From the list, select true (log an entry) or false (do not log an entry). |
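The Address formats listed in the table above, as an added example that is not part of the BIG-IQ manual: a Python parser and matcher for a single IPv4 or IPv6 address, a subnet in slash notation, and an address with a route domain appended as %RouteDomainID/Mask (as in 12.2.0.0%44/16). The regular expression, the AddressEntry class, the treatment of an entry without a %ID suffix as route domain 0, and the requirement that a packet only match entries in its own route domain are assumptions of this example; the page documents only the field syntax.

```python
"""Added example (not from the BIG-IQ manual): parse and match Address-field
entries in the three formats the Rule properties table shows.

Assumptions, labelled because the manual does not define them:
- an entry with no %RouteDomainID suffix belongs to route domain 0;
- a packet matches an entry only when the route domains are equal;
- a subnet entry with host bits set (60.63.10.5/24) is rejected as malformed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# address, then optional %RouteDomainID, then optional /Mask (order as in 12.2.0.0%44/16)
ENTRY_RE = re.compile(r"^(?P<addr>[^%/\s]+)(?:%(?P<rd>\d+))?(?:/(?P<mask>\d+))?$")


@dataclass(frozen=True)
class AddressEntry:
    network: Network
    route_domain: int  # assumption: 0 when the entry carries no %ID suffix


def parse_entry(text: str) -> AddressEntry:
    """Parse one Address-field entry; raise ValueError on malformed input."""
    m = ENTRY_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised address entry: {text!r}")
    route_domain = int(m.group("rd")) if m.group("rd") is not None else 0
    addr, mask = m.group("addr"), m.group("mask")
    # ip_network() is strict by default: a prefix with host bits set raises
    # ValueError, which surfaces a host address mistakenly entered as a subnet.
    network = ipaddress.ip_network(addr if mask is None else f"{addr}/{mask}")
    return AddressEntry(network, route_domain)


def is_valid_entry(text: str) -> bool:
    """Validation helper: True when parse_entry() accepts the text."""
    try:
        parse_entry(text)
        return True
    except ValueError:
        return False


def parse_entries(texts: List[str]) -> List[AddressEntry]:
    return [parse_entry(t) for t in texts]


def matches(entries: List[AddressEntry], address: str, route_domain: int = 0) -> bool:
    """True if `address` in `route_domain` is covered by any entry.

    An empty entry list matches every address, mirroring the table's note
    that blank address fields apply the rule to all addresses.
    """
    if not entries:
        return True
    ip = ipaddress.ip_address(address)
    return any(
        e.route_domain == route_domain
        and e.network.version == ip.version
        and ip in e.network
        for e in entries
    )


# Constructed sample: the three formats shown in the Address row of the table
SAMPLE_ENTRIES = parse_entries(["60.63.10.0/24", "2001:db8:a::/64", "12.2.0.0%44/16"])

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e.network}  route domain {e.route_domain}")
    print(matches(SAMPLE_ENTRIES, "12.2.5.1", route_domain=44))  # same route domain
    print(matches(SAMPLE_ENTRIES, "12.2.5.1"))                   # route domain 0: no match
    print(is_valid_entry("60.63.10.5/24"))                       # host bits set: rejected
```

The route-domain check is the part worth keeping in mind when reviewing a rule: 12.2.0.0%44/16 covers 12.2.5.1 only for traffic in route domain 44, so a packet carrying the same address in another route domain does not match that entry.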