Manual Chapter: Managing Service, Timer, and Port Misuse Policies
Applies To: BIG-IQ Centralized Management
- 7.1.0
About service, timer, and port misuse policies
A service policy allows you to associate network idle timers (timer policies) or port misuse policies with firewall contexts and rules. You can discover a service policy on a BIG-IP device version 12.0, or later. Or you can create one on a BIG-IQ Centralized Management system, and then deploy it to a BIG-IP device version 12.0, or later.
A service policy can contain timer policies, or port misuse policies, or both. You create service policies, timer policies, and port misuse policies separately, and then you add the timer policies or port misuse policies to the service policies. Then you associate the service policy with the firewall context or rule.
- You use a timer policy, also known as a firewall idle timer, to configure timer rules. You can discover a timer policy on a BIG-IP device version 12.0, or later, or create one on a BIG-IQ Centralized Management system, and then deploy it to a BIG-IP device version 12.0, or later.
- You use a port misuse policy to configure a firewall context or rule to detect and drop network connections that are not using a required application or service for a given port. With a port misuse policy, you can configure ports to allow services, and drop all traffic that does not match the specified service type. You can configure port and service associations without regard for customary port and service pairings. You can discover a port misuse policy on a BIG-IP device version 12.1, or later, or create one on a BIG-IQ Centralized Management system, and then deploy it to a BIG-IP device version 12.1, or later.
Create a timer policy
You create a timer policy containing timer rules to add to a service policy.
- Navigate to the Timer Policies screen: Click.
- Click Create. The New Timer Policy screen opens.
- In the Name field, type a name for the timer policy.
- In the Description field, type an optional description for the timer policy.
- If needed, change the default Common partition in the Partition field.
- To add timer rules, click Rules on the left, and then click Create Rule. A new rule is displayed with a default name and values.
- Click the edit icon to the left of the new rule to enable editing for the rule fields.
- In the Name field, you may specify a more meaningful name than the default.
- From the Protocol list, select the protocol to be used. If you select all-other, the rule will apply to all protocols not specified in another timer rule in the policy.
- From the Destination Ports list, specify one or more ports to use, if necessary. The default is to use any port.
- Select Port to specify an individual port: type the port in the field provided, and then click Add. You can enter multiple individual ports, one at a time. Enter 0 as the port value to specify all other ports that have not been specified using Port or Port Range.
- Select Port Range to specify a range of ports: type the beginning port in the first field, and the ending port of the range in the second field provided, and then click Add. You can enter multiple port ranges, one at a time.
- Select All Other to specify all other ports that have not been specified using Port or Port Range.
- From the Idle Timeout list, select the timeout option for the selected protocol.
- Select Specify to specify the timeout for this protocol, in seconds. Type the number of seconds in the field provided.
- Select Immediate to immediately apply this timeout to the protocol.
- Select Indefinite to specify that this protocol never times out.
- Select Unspecified to specify no timeout for the protocol. When this is selected, the system uses the default timeout for the protocol.
- Save your changes.
The timer policy is now configured. You now need to add the timer policy to a service policy.
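The following is an added example, written for this page and not BIG-IQ or BIG-IP product code, that models how the timer rule fields above (Protocol, Destination Ports, Idle Timeout) combine to pick the idle timeout for a flow. It lets a reviewer check which rule a given protocol and port would land on before the policy is deployed. Two ordering rules are assumptions made here rather than statements from the page: an explicit port or port range wins over the port-0 "All Other" entry, which in turn wins over a rule with no ports at all (any port); and an all-other protocol rule is consulted only when no rule in the policy names the flow's protocol, as the page describes. The default timeouts used for "Unspecified" are constructed placeholders.

```python
"""Timer policy resolution, as an added illustration for this page.

Example code written for this page, not BIG-IQ or BIG-IP product code.
Precedence of port specifications and the default timeout values are
assumptions chosen for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple, Union

# Constructed placeholder defaults used for "Unspecified"; the real
# per-protocol defaults belong to the system the policy is deployed to.
DEFAULT_IDLE_TIMEOUT = {"tcp": 300, "udp": 60, "all-other": 60}


@dataclass
class TimerRule:
    name: str
    protocol: str                                   # "tcp", "udp", "sctp", ... or "all-other"
    ports: Set[int] = field(default_factory=set)    # individual ports; 0 means "All Other"
    port_ranges: List[Tuple[int, int]] = field(default_factory=list)  # inclusive (low, high)
    idle_timeout: Union[int, str] = "unspecified"   # seconds, "immediate", "indefinite" or "unspecified"

    def port_specificity(self, port: int) -> Optional[int]:
        """2 = explicit port/range match, 1 = catch-all (port 0 or no ports), None = no match."""
        if port in self.ports and port != 0:
            return 2
        if any(lo <= port <= hi for lo, hi in self.port_ranges):
            return 2
        if 0 in self.ports or (not self.ports and not self.port_ranges):
            return 1
        return None


def effective_timeout(rule: TimerRule, protocol: str) -> Optional[int]:
    """Map the Idle Timeout choice to seconds: 0 = Immediate, None = Indefinite."""
    t = rule.idle_timeout
    if t == "immediate":
        return 0
    if t == "indefinite":
        return None
    if t == "unspecified":
        return DEFAULT_IDLE_TIMEOUT.get(protocol, DEFAULT_IDLE_TIMEOUT["all-other"])
    return int(t)


@dataclass
class TimerPolicy:
    name: str
    rules: List[TimerRule]

    def resolve(self, protocol: str, port: int) -> Tuple[Optional[str], Optional[int]]:
        """Return (matching rule name or None, idle timeout in seconds).

        all-other protocol rules apply only to protocols no other rule names.
        Among the candidate rules, the most specific port match wins.
        """
        named = {r.protocol for r in self.rules if r.protocol != "all-other"}
        wanted = protocol if protocol in named else "all-other"
        best: Optional[Tuple[int, TimerRule]] = None
        for rule in self.rules:
            if rule.protocol != wanted:
                continue
            spec = rule.port_specificity(port)
            if spec is not None and (best is None or spec > best[0]):
                best = (spec, rule)
        if best is None:
            # No rule covers this flow: the system default timeout applies.
            return None, DEFAULT_IDLE_TIMEOUT.get(protocol, DEFAULT_IDLE_TIMEOUT["all-other"])
        rule = best[1]
        return rule.name, effective_timeout(rule, protocol)


# Constructed sample policy for the demonstration.
SAMPLE_POLICY = TimerPolicy("web-and-dns", [
    TimerRule("web", "tcp", ports={80, 443}, idle_timeout=120),
    TimerRule("alt-web", "tcp", port_ranges=[(8000, 8099)], idle_timeout="immediate"),
    TimerRule("other-tcp", "tcp", ports={0}, idle_timeout=600),
    TimerRule("dns", "udp", ports={53}, idle_timeout="indefinite"),
    TimerRule("everything-else", "all-other", idle_timeout="unspecified"),
])

if __name__ == "__main__":
    for proto, port in [("tcp", 443), ("tcp", 8050), ("tcp", 22), ("udp", 53), ("udp", 123), ("sctp", 5060)]:
        print(proto, port, SAMPLE_POLICY.resolve(proto, port))
```

Note the udp/123 case: udp is named by the dns rule, so the all-other rule is not consulted and the flow falls back to the system default rather than to "everything-else". That is the kind of gap a reviewer wants to spot before deployment.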
Clone a timer policy
Using the clone function, you can make a copy of a timer policy, and then modify it.
- Navigate to the Timer Policies screen: click.
- Select the check box to the left of any timer policy you want to clone.
- Click Clone.
The system displays the New Timer Policy screen with the cloned policy displayed.
Delete a timer policy
You can delete obsolete timer policies that are no longer used by a service policy to avoid clutter in the user interface.
- Navigate to the Timer Policies screen: click.
- Select the check box to the left of any timer policy that you want to remove.
- Click Delete.
- Confirm that you want to remove the timer policy by clicking Delete in the confirmation dialog box.
The system removes the selected timer policies.
Create a port misuse policy
You create a port misuse policy containing port misuse rules to add to a service policy.
- Go to the Port Misuse Policies screen: Click.
- Click Create. The New Port Misuse Policy screen opens.
- Type a name and an optional description for the port misuse policy.
- If needed, change the default Common partition in the Partition field.
- In the Default Actions row, select the default actions to occur when port misuse is detected. You can select none, one, or both options.
- Select Drop on Service Mismatch to set a policy default that drops packets when the service does not match the port, as defined in the policy rules.
- Select Log on Service Mismatch to set a policy default that logs service and port mismatches.
- To add port misuse rules, on the left, click Rules, and then click Create Rule. The screen displays a new port misuse rule with a default name and values.
- Click the edit icon to the left of the name of the new rule to enable editing for the rule fields.
- In the Name field, you may specify a more meaningful name than the default.
- In the Port field, select a port for the port matching rule. You can select from a list of commonly used ports, or select Other and specify a port number. The default port number is automatically supplied for the common ports.
- In the IP Protocol field, select the IP protocol for the port matching rule.
- In the Service field, select the service to use. This setting configures the association between the service and port number. Packets on this port that do not match the specified service type are dropped, if Drop on Service Mismatch is applied to this rule. You can specify a service on any port; you are not limited to customary port and service pairings. You can configure any service on any port as a rule in a port misuse policy.
- In the Drop on Service Mismatch list, select the drop behavior.
- Select Yes to drop packets when the service does not match the port.
- Select No to allow packets when the service does not match the port.
- Select Use Policy Default to use the default action for packet drops, when the service does not match the port.
- In the Log on Service Mismatch list, select the behavior for logging packet drops.
- Select Yes to log dropped packets when the service does not match the port.
- Select No to not log packet drops when the service does not match the port.
- Select Use Policy Default to use the default action for logging packet drops, when the service does not match the port.
- Save your changes.
You have configured the port misuse policy. You now can add the port misuse policy to a service policy.
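The following is an added example, written for this page and not BIG-IQ or BIG-IP product code, that models how a port misuse policy's rules and defaults combine into a drop and log decision for a flow. It covers the three-way Yes / No / Use Policy Default choice for both Drop on Service Mismatch and Log on Service Mismatch, and a non-customary pairing (SSH expected on tcp/2222) of the kind the page says is allowed. The `detected_service` of each flow is assumed to come from a separate inspection step; how the product identifies the service on the wire is not modelled, and the sample policy and flow records are constructed for the demonstration.

```python
"""Port misuse policy evaluation, as an added illustration for this page.

Example code written for this page, not BIG-IQ or BIG-IP product code.
Service identification is assumed to happen elsewhere; this only applies
the policy's rules and defaults to an already-classified flow.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

YES, NO, POLICY_DEFAULT = "yes", "no", "use_policy_default"


@dataclass(frozen=True)
class PortMisuseRule:
    name: str
    port: int
    ip_protocol: str                      # "tcp" or "udp"
    service: str                          # service required on this port, e.g. "http"
    drop_on_mismatch: str = POLICY_DEFAULT
    log_on_mismatch: str = POLICY_DEFAULT


@dataclass
class PortMisusePolicy:
    name: str
    rules: List[PortMisuseRule]
    default_drop: bool = False            # policy-level Drop on Service Mismatch
    default_log: bool = False             # policy-level Log on Service Mismatch

    @staticmethod
    def _resolve(setting: str, policy_default: bool) -> bool:
        """Yes/No override the policy default; Use Policy Default inherits it."""
        if setting == YES:
            return True
        if setting == NO:
            return False
        return policy_default

    def evaluate(self, ip_protocol: str, port: int, detected_service: str) -> Tuple[str, bool, Optional[str]]:
        """Return (verdict, log, rule_name); verdict is "allow" or "drop".

        A port with no rule is not constrained by the policy, so it is allowed
        and not logged.  A flow whose service matches the rule is allowed.
        """
        for rule in self.rules:
            if rule.port != port or rule.ip_protocol != ip_protocol:
                continue
            if detected_service == rule.service:
                return "allow", False, rule.name
            drop = self._resolve(rule.drop_on_mismatch, self.default_drop)
            log = self._resolve(rule.log_on_mismatch, self.default_log)
            return ("drop" if drop else "allow"), log, rule.name
        return "allow", False, None


def audit(policy: PortMisusePolicy, flows: List[Dict]) -> List[Dict]:
    """Annotate flow records with the policy's decision, for review."""
    out = []
    for f in flows:
        verdict, log, rule = policy.evaluate(f["proto"], f["dport"], f["service"])
        out.append({**f, "verdict": verdict, "log": log, "rule": rule})
    return out


# Constructed sample policy: drops by default, logs only where a rule says so.
SAMPLE_POLICY = PortMisusePolicy("edge-ports", [
    PortMisuseRule("web", 80, "tcp", "http"),
    PortMisuseRule("dns", 53, "udp", "dns", drop_on_mismatch=YES, log_on_mismatch=YES),
    # Non-customary pairing: SSH expected on tcp/2222; mismatches are logged but allowed.
    PortMisuseRule("alt-ssh", 2222, "tcp", "ssh", drop_on_mismatch=NO, log_on_mismatch=YES),
], default_drop=True, default_log=False)

# Constructed flow records (what an inspection stage might hand to the policy).
SAMPLE_FLOWS = [
    {"proto": "tcp", "dport": 80,   "service": "http"},
    {"proto": "tcp", "dport": 80,   "service": "ssh"},    # non-HTTP service on the web port
    {"proto": "udp", "dport": 53,   "service": "dns"},
    {"proto": "udp", "dport": 53,   "service": "http"},   # non-DNS traffic on the DNS port
    {"proto": "tcp", "dport": 2222, "service": "ssh"},
    {"proto": "tcp", "dport": 2222, "service": "http"},
    {"proto": "tcp", "dport": 443,  "service": "tls"},    # no rule for this port
]

if __name__ == "__main__":
    for row in audit(SAMPLE_POLICY, SAMPLE_FLOWS):
        print(row)
```

Running the audit shows the trap in the sample policy: the web rule inherits drop-by-default but not logging, so a mismatch on tcp/80 is dropped silently. If you want every drop to be visible in the logs, set Log on Service Mismatch as a policy default rather than rule by rule.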
Clone a port misuse policy
Using the clone option, you can make a copy of a port misuse policy that you can modify.
- Navigate to the Port Misuse Policies screen: click.
- Select the check box to the left of any port misuse policy you want to clone.
- Click Clone.
The system displays the New Port Misuse Policy screen with the cloned policy displayed.
Delete a port misuse policy
You can delete obsolete port misuse policies that are no longer used by a service policy to avoid clutter in the user interface.
- Navigate to the Port Misuse Policies screen: click.
- Select the check box to the left of any port misuse policy that you want to remove.
- Click Delete.
- Confirm that you want to remove the port misuse policy by clicking Delete in the confirmation dialog box.
The system removes the selected port misuse policy.
Create a service policy
You create a service policy to contain timer policies, port misuse policies, or both. Service policies can be applied to firewall contexts and added to a rule in a rule list or a rule on a security policy.
- Click.
- Click Create. The New Service Policy screen opens.
- In the Name field, type a name for the service policy.
- If needed, change the default Common partition in the Partition field.
- In the Description field, type an optional description for the service policy.
- If needed, select a timer policy from those listed in the Timer Policy list. If no timer policy is listed, create one and then assign it to the service policy.
- If needed, select a port misuse policy from those listed in the Port Misuse Policy list. If no port misuse policy is listed, create one and then assign it to the service policy.
- Save your changes.
You have defined the service policy. You can now assign it to a firewall context. You can also add it to a rule in a rule list, or a rule on a security policy.
Clone a service policy
Using the clone option, you can make a copy of a service policy to modify.
- Go to the Service Policies screen: Click.
- Select the check box to the left of any service policy you want to clone.
- Click Clone.
The system displays the New Service Policy screen with the cloned policy displayed.
Deploy a service policy
You can do a partial deployment of only a service policy instead of an entire configuration.
- Go to the Service Policies screen: Click.
- Select the check box to the left of any service policy you want to deploy.
- Click Deploy.
The system displays the New Deployment - Network Security screen with the selected service policy on it. You can now continue the deployment process.
Delete a service policy
You can delete service policies that are no longer used, to simplify your view, using the Service Policies screen.
- Click.
- Select the check box to the left of any service policy you want to remove.
- Click Delete.
- In the confirmation dialog box, click Delete to confirm that you want to remove the service policy.
The system removes the selected service policies.
Apply a service policy to a firewall context
You apply a service policy to a firewall context to use a timer or port misuse policy with that context.
- Navigate to the Contexts screen: Click.
- Click the name of the context to open it for editing.
- Add the service policy to the Service Policy row:
- Click Add Service Policy.
- From the popup screen, select the service policy to add.
- Click Select.
You can also add a service policy by selecting Service Policies in the Shared Objects list, and then dragging one of the displayed service policies and dropping it onto the Service Policy row. To remove a service policy, click the X to the right of the service policy name in the Service Policy row.
- Save your changes.
The service policy is now associated with the context.
Apply a service policy to a firewall rule
You apply a service policy to a firewall rule to apply timer policies or port misuse policies to traffic that is matched by the firewall rule. The rule can be associated with a rule list or with a firewall security policy.
- Display the list of rules from a rule list or from a firewall security policy.
  - If the rule is in a rule list: Navigate to the Rule Lists screen: click. Click the name of the rule list containing the rule. The screen lists the rules.
  - If the rule is associated with a policy: Navigate to the Firewall Policies screen: click. Click the name of the policy containing the rule. The screen lists the rules.
- To make it editable, click the edit icon to the left of the name of the rule to which you want to add the service policy.
- Add the service policy to the rule, either by typing or by drag and drop.
  - Add the service policy by typing: Type the name of the service policy in the Service Policy column for the rule. The system completes the name of the service policy once you begin typing it.
  - Add the service policy by drag and drop: In the Shared Objects area, select Service Policies, and then drag the service policy from that list and drop it into the Service Policy column for the rule.
- Save your changes.
The service policy is added to the rule.