Manual Chapter : Managing Rules and Rule Lists

Applies To:

Show Versions Show Versions
Manual Chapter

Managing Rules and Rule Lists

About rules and rule lists

Network firewalls use rules and rule lists to specify traffic-handling actions. The network software compares IP packets to the criteria specified in rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match any rule from the list, the software accepts the packet or passes it to the next rule or rule list. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.
Rule lists
are containers for rules, which are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list. You can reorder rules in a given rule list at any time.

Enabling, disabling and scheduling rules and rule lists

Once a rule or a rule list is created, you can set the state of that rule or rule list to enable it, disable it, or schedule when it is enabled. By default, a rule or rule list is enabled. Settings on a rule list take precedence over those on a rule. For example, if a rule has a state of enabled, but is contained within a rule list that has a state of disabled, the rule used in that rule list will be disabled. The process differs for setting the state of a rule and setting the state of a rule list.
  • To set the state for a rule, edit the rule and choose enabled, disabled or scheduled in the State column.
  • To set the state for a rule list, edit the rule list, and right click the rule list name and select
    Edit Rule List Reference
    . The state can now be set by choosing enabled, disabled or scheduled in the State column.

Creating rules

To support a context or policy, you can create specific rules, gather those rules in a rule list, and assign the rule list to the context or policy.
  1. Click
    Configuration
    SECURITY
    Network Security
    Network Firewall
    .
  2. Select the object to which you want to add the rule:
    Rule list
    In the left pane, click
    Rule Lists
    to display the rule lists, then select the rule list to have the rule added.
    Context
    In the left pane, click
    Contexts
    to display the contexts, then select the context to have the rule added.
    Policy
    In the left pane, click
    Firewall Policies
    to display the firewall policies, then select the policy to have the rule added.
  3. Add the rule to the object:
    Rule list
    In the right pane, click
    Create Rule
    .
    Context
    In the right pane, click the name of the context staged or enforced policy to which you want to add the rule, then click
    Create Rule
    .
    Policy
    In the right pane, click
    Create Rule
    .
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  4. Complete the fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing
    Add Rule before
    or
    Add Rule after
    .
  5. Click
    Save
    to save your changes.
  6. When you are finished, click
    Save & Close
    to save your edits.

Reorder rules in rule lists

You can optimize your network security firewall policy by reordering rules in rule lists to change the order in which they are evaluated. Rules are evaluated from top to bottom in the list (lowest Id number first, highest Id number last).
  1. Click
    Configuration
    SECURITY
    Network Security
    Rule Lists
    .
  2. Click the specific rule list you want to edit in the right pane.
  3. On the left, click
    Rules
    to ensure that it is selected.
  4. Drag and drop the rules until they are in the correct order.
    If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selecting
    Copy Rule
    . Then, go to the new location for the rule, right-click, and select
    Paste Before
    or
    Paste After
    as appropriate. After the paste, delete the rule that you copied. You delete rules by right-clicking a rule and selecting
    Delete Rule
    .
    Alternatively, you can reorder rules using the
    Cut Rule
    option. Right-click the rule and select
    Cut Rule
    to select the rule for reordering, then move your cursor to the new position in the rule list, and select
    Paste Before
    or
    Paste After
    as appropriate. The rule is removed from the original position when it is pasted in the new position in the rule list, but not before.
    You can use
    Copy Rule
    and then paste rules between rule lists. However, if you use
    Cut Rule
    and then paste between rule lists, the cut rule will not be removed from the rule list.
  5. When you are finished, click
    Save & Close
    to save your edits.

Removing rules

You can remove specific rules from rule lists, firewalls, or policies, to fine tune security policies.
You can remove a rule even if it is the only rule in the rule list.
  1. You remove a rule based on the object that you remove it from:
    From a rule list
    In the left pane, expand
    Rules Lists
    and click the name of the rule list containing the rule that you want to delete. This opens the Rule List frame that provides access to
    Properties
    and
    Rules
    options.
    From a firewall context
    In the left pane, expand
    Contexts
    , click the name of the context containing the rule that you want to delete. This opens the Properties frame which contains the Enforced Policy row and the Staged Policy row, either of which may contain a policy. Click the policy name containing the rule to delete and then click
    Rules & Rule Lists
    .
    From a policy
    In the left pane, expand
    Policies
    , click the name of the policy containing the rule that you want to delete. The Policy frame opens and provides access to
    Properties
    and
    Rules & Rule Lists
    options. Select
    Rules & Rule Lists
    .
  2. Hover over the row containing the rule, and right-click.
  3. Select
    Delete rule
    and, if prompted, confirm the deletion.
  4. Click
    Save
    to save your changes.

Creating and adding rule lists

To support a specific firewall or policy, you can create a rule list and then assign it to the firewall context or policy.
  1. Click
    Configuration
    SECURITY
    Network Security
    Network Firewall
    .
  2. Click Rule Lists in the navigation pane on the left.
  3. In the Rule Lists pane on the right, click
    Create
    .
  4. Click
    Properties
    and complete the properties fields as required.
    Name
    Unique name. The field is read-only field unless creating or cloning the rule list.
    Description
    Optional description.
    Partition
    Although pre-populated with
    Common
    (default), you can set the partition name by typing a unique name for the partition.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  5. Click
    Rules
    and create or add rules to the rule list.
  6. Click
    Save
    to save your changes or
    Save & Close
    to save your changed and exit the screen.
  7. Select the object in the Policy Editor to which you want to add the rule list:
    Context
    Select Contexts in the navigation frame on the left, and then click the specific firewall context to have a rule list added.
    Policy
    Select Policies in the navigation frame on the left, and then click the specific firewall policy to have a rule list added.
  8. Add the rule list to the selected object:
    Context
    Click the enforced or staged policy to which the rule list should be added, then click
    Add Rule List
    , select from the rule lists in the popup dialog, and click
    Select
    .
    Policy
    Click
    Rules & Rule Lists
    , then click
    Add Rule List
    , then select from the rule lists in the popup dialog, and click
    Select
    .
    You can add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing
    add rule before
    or
    add rule after
    .
  9. When you are finished, click
    Save
    or
    Save & Close
    , as appropriate.

Editing rule lists

You can edit the content of rule lists, including the order of rules in rule lists.
  1. Click
    Configuration
    SECURITY
    Network Security
    Network Firewall
    Rule Lists
    .
  2. Click the specific rule list you want to edit in the right pane.
  3. Click
    Properties
    .
    Name
    Informational, read-only field set when creating or cloning the rule list.
    Description
    Optional description.
    Partition
    Informational, read-only field set when creating or cloning the rule list.
  4. Click
    Rules
    , and click the name of the rule you want to edit.
  5. Complete the fields as appropriate.
    You can also add rules by right-clicking in the Rules table, or by right-clicking any row in the Rules table and choosing
    Add Rule before
    or
    Add Rule after
    .
  6. Complete fields as appropriate.
    To reorder rules, simply drag and drop the rules until they are in the correct order. If the list of rules expands beyond the editing frame, the drag-and-drop function does not work. Instead, copy the rule by right-clicking and selecting
    Copy Rule
    . Then, navigate to the new location for the rule, right-click, and select
    Paste Before
    or
    Paste After
    as appropriate. After the paste, delete the rule that you copied.
  7. Click
    Save
    to save your changes.
Changes made to the rule list are reflected the next time the Contexts or Policies screen is refreshed.

Clearing fields in rules

You can clear the text from fields in rules to fine tune them and, in turn, rule lists and security policies.
  1. Click
    Configuration
    SECURITY
    Network Security
    Network Firewall
    .
  2. Expand
    Rule Lists
    and click the name of a rule list that you want to edit.
  3. On the left, click
    Rules
    to ensure that it is selected.
  4. Click the name of the rule containing the fields whose contents you want to remove.
  5. Not all fields can be cleared, but you can remove the contents of these fields as follows:
    Address
    (source or destination)
    Click the
    X
    to the right of the field.
    Port
    (source or destination)
    Click the
    X
    to the right of the field.
    VLAN
    Click the
    X
    to the right of the field.
    iRule
    Select a new iRule, or no iRule.
    Description
    Delete the contents of the field.
    Subscriber
    (ID or group) 
    Click the
    X
    to the right of the field.
  6. Click
    Save
    to save your changes.
  7. When you are finished, click
    Save & Close
    to save your edits.

Deploy rule lists

If you want to do a quicker deployment by only deploying the rule list portion of a configuration, you can do a partial deployment of the rule list, instead of deploying the entire configuration.
  1. Click
    Configuration
    SECURITY
    Network Security
    Rule Lists
    .
    The Rule Lists screen opens.
  2. Click the check box next to the rule list you want included in the partial deployment.
  3. Click
    Deploy
    .
The system displays the selected rule list, with options for partial deployment selected.
Continue the partial deployment process.

Rename rule lists

You rename a rule list when you want to make that name more accurate or distinct. Renaming a rule list causes a new rule list to be created and the old rule list to be deleted in a single transaction. All references to the old rule list are updated to refer to the renamed rule list.
  1. Click
    Configuration
    SECURITY
    Network Security
    Rule Lists
    .
  2. Select the check box next to the rule list to rename.
  3. Click
    Rename
    .
    A dialog box displays.
  4. Enter the new name in the dialog box and click
    Save
    .
    The BIG-IQ system shows the status of the renaming operation in the dialog box.
  5. Click
    Close
    to exit the dialog box.
The rule list has been renamed.

Cloning rule lists

Cloning enables you to create and customize rule lists to address unique aspects of your network firewall environment. When you clone a rule list, you create an exact copy of the rule list, which you can then edit to address any special considerations.
Users with the roles of Network Security Viewer or Network Security Deployer cannot clone policies.
  1. Click
    Configuration
    SECURITY
    Network Security
    Rule Lists
    ..
    The Rule Lists screen opens.
  2. Click the checkbox to the left of the rule list to clone, and click
    Clone
    .
  3. Click
    Properties
    and complete the properties fields as required.
    Name
    Unique name. The field is read-only field unless creating or cloning the rule list.
    Description
    Optional description.
    Partition
    Although pre-populated with
    Common
    (default), you can set the partition name by typing a unique name for the partition.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    The firewall partition itself is not editable.
  4. Click
    Rules
    , edit the rules as required to configure the clone.
    You can also click
    Create Rule
    to add a new rule.
  5. When you are finished, click
    Save
    .
    If you click
    Cancel
    , the rule list is not cloned.
The cloned rule list is added alphabetically under
Rule Lists
. In a high-availability configuration, the cloned rule list is replicated on the standby system as soon as it is cloned.

Removing rule lists

You can remove rule lists from firewalls or policies to fine tune security policies.
  1. Click
    Configuration
    SECURITY
    Network Security
    Network Firewall
    .
  2. Click
    Rule Lists
    to display the rule list you want to remove, and then click the check box to the left of that rule list.
  3. At the top of the screen, click
    Delete
    .
  4. If it is safe to remove the rule list, a confirmation dialog box opens; click
    Delete
    to confirm.
    If the rule list is in use, you cannot complete the removal. A popup screen opens informing you that you cannot remove the rule list because it is in use. Click
    Close
    to acknowledge this message, and then click
    Cancel
    in the Delete Rule Lists popup screen. To see where a rule list is used, right click the rule list name and select
    Filter 'related to'
    . A search is performed and any object using the rule list will have a non-zero number appear next to it in the navigation pane on the left. To clear the search, click the
    x
    icon to the right of the search string.

Rule properties

This table describes the properties required when you are configuring network firewall rules.
Property
Description
ID
The evaluation order identifier of the rule within the policy. Rules are evaluated from the lowest number to the highest. If a rule is contained within a rule list, it will be numbered with the number of the rule list, with the contained rule numbered after the decimal point. For example, a policy with 3 rules, followed by a rule list containing 2 rules, followed by another rule outside of the rule list, would be numbered as:
1, 2, 3, 4, 4.1, 4.2, 5
. In the example, 4 represents the rule list, and 4.1 and 4.2 are the rules within that rule list.
Name
In a rule list, the unique, user-provided name for the rule. Alternatively, in a firewall context or firewall policy, a rule list name, preceded by:
Reference_To_
, such as
Reference_To_sys_self_allow_all
.
Address
(Source or Destination)
An IPv4 or IPv6 source or destination IP address, address range, or address list, to which the firewall rule applies.
  • Address
    specifies an IP address. You type a single address in the
    Addresses
    field.
  • Address Range
    specifies a range of IP addresses. You specify the beginning and ending addresses of the range in the areas provided.
  • Address List
    specifies a list that contains IP addresses. You can select the address list from those listed.
  • Domain Name
    specifies a valid domain name.
  • Country/Region
    specifies a country and optionally a region. Once you select a country, the second list automatically updates with all available regions for that country. You can specify
    Unknown
    as the country if needed. Note that geolocation information, such as the country and region, is not supported on the management IP firewall context.
You can specify subnets using forward slash (/) notation using either IPv4 or IPv6, such as
60.63.10.0/24
or
2001:db8:a::/64
. You can also append a route domain to an address using the format %RouteDomainID/Mask. For example,
12.2.0.0%44/16
.
You can add additional addresses, address ranges, address lists, or countries/regions (
Add
) and delete addresses, address ranges, address lists, or countries/regions (
X
). To recover an address that was marked for deletion using
X
, re-enter the address and click
Add
.
Port
(Source or Destination)
Specifies source or destination port entries (ports, port ranges, or port lists) to which the firewall rule applies.
  • Port
    specifies a port number.
  • Port Range
    specifies a range of port numbers. You specify the beginning and ending port numbers in the range in the areas provided.
  • Port List
    specifies a list of port entries, such as ports or port ranges. You can select the port list from those listed.
You can add additional ports, port ranges, or port lists (
Add
) and to delete ports, port ranges, or port lists (
X
). To recover a port that was marked for deletion using
X
, re-enter the port and click
Add
.
VLAN
(Source)
Specifies a VLAN or tunnel from which the packet source originates, to which the rule applies. This VLAN is physically present on the device (Internal, External, or Any). If you specify a VLAN in a rule without also specifying the VLAN's partition, the deployment task will fail when you attempt to deploy that rule to a firewall. Use the format
partition/VLAN
or
/partition/VLAN
. For example:
Common/external
or
/Common/external
.
Subscriber
(Source)
Select a subscriber or subscriber group to which the rule applies. Leaving all address fields blank applies the rule to all addresses and all ports.
  • ID
    . Type the subscriber ID in the
    Name
    field.
  • Group
    . Type the subscriber Group in the
    Name
    field.
You can specify a wildcard for either subscribers or subscriber groups by selecting
Unknown
or
Uncertain
. The difference between
Unknown
and
Uncertain
is subtle.
Unknown
means that the session has been provisioned (via PCRF) but the subscriber and/or subscriber group is not known.
Uncertain
means that the session has not been provisioned and thus there is no subscriber and/or subscriber group information.
Options are provided to add additional subscribers or subscriber groups. (
Add
) and to delete subscribers or subscriber groups (
X
). To recover a subscriber that was marked for deletion using
X
, re-enter the subscriber and click
Add
. When you are finished, save your work.
Action
Specifies the action taken when the firewall rule is matched, such as whether it is accepted or rejected.
  • Accept
    allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  • Accept decisively
    allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. If the Rule List is applied to a virtual server, management IP, or self IP firewall rule, then Accept Decisively is equivalent to Accept.
  • Drop
    drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
  • Reject
    rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
iRule
Specifies an iRule that is applied to the rule. Optionally, you can enter a number in the
Sampling Rate
field to indicate how often to take a sample.
iRules® use syntax based on the industry-standard Tools Command Language (Tcl). For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site,
http://devcentral.f5.com
. Note that iRules must conform to standard Tcl grammar rules. For more information on Tcl syntax, see
http://tmml.sourceforge.net/doc/tcl/index.html
. Note that iRules are not supported on the management IP context.
Protocol
Specifies the IP protocol to compare against the packet.
If you select
ICMP
, or
IPv6-ICMP
, additional fields open where you can specify
Type
and
Code
combinations. If you select
Other
, only a
Type
field is displayed. The default type is
Any
and the default code is
Any
.
The type and code combinations are too numerous to document here. For details, consult the F5 Networks DevCentral site,
http://devcentral.f5.com
, or the documentation for the specific BIG-IP platform.
State
Specifies the activity state of the rule, such as whether it is enabled or disabled.
  • disabled
    specifies that the rule does not apply at all.
  • enabled
    specifies that the system applies the firewall rule to the given context and addresses.
  • scheduled
    specifies that the system applies the rule according to the specified schedule.
Send to Virtual
Specifies a virtual server to which packets matched by the firewall rule classifiers are routed. When a firewall rule is routed to a virtual server, the firewall rule action is not applied. This option is available only for rules on the global, route domain, or self IP context.
Service Policy
Specifies a service policy to associate with a rule. A service policy allows you to associate network idle timers or timer policies with firewall contexts and rules. You can add a service policy to a rule by dragging the service policy from the Shared Objects area onto the Service Policy column for the rule. This field is available with BIG-IP devices version 12.0 or higher.
Log
Specifies whether the firewall software should write a log entry for any packets that match this rule. From the list, select
true
(log an entry), or
false
(do not log an entry).