Manual Chapter : Managing Service, Timer, and Port Misuse Policies

Applies To:

Show Versions Show Versions
Manual Chapter

Managing Service, Timer, and Port Misuse Policies

About service, timer, and port misuse policies

A
service policy
allows you to associate network idle timers (timer policies) or port misuse policies with firewall contexts and rules.
You can discover a service policy on a BIG-IP device version 12.0, or later. Or you can create one on a BIG-IQ Centralized Management system, and then deploy it to a BIG-IP device version 12.0, or later.
A service policy can contain timer policies, or port misuse policies, or both. You create service policies, timer policies, and port misuse policies separately, and then you add the timer policies or port misuse policies to the service policies. Then you associate the service policy with the firewall context or rule.
  • You use a
    timer policy
    , also known as a
    firewall idle timer
    , to configure timer rules. You can discover a timer policy on a BIG-IP device version 12.0, or later, or create one on a BIG-IQ Centralized Management system, and then deploy it to a BIG-IP device version 12.0, or later.
  • You use a
    port misuse policy
    to configure a firewall context or rule to detect and drop network connections that are not using a required application or service for a given port. With a port misuse policy, you can configure ports to allow services, and drop all traffic that does not match the specified service type. You can configure port and service associations without regard for customary port and service pairings. You can discover a port misuse policy on a BIG-IP device version 12.1, or later, or create one on a BIG-IQ Centralized Management system, and then deploy it to a BIG-IP device version 12.1, or later.

Create a timer policy

You create a timer policy containing timer rules to add to a service policy.
  1. Navigate to the Timer Policies screen: Click
    Configuration
    SECURITY
    Network Security
    Timer Policies
    .
  2. Click
    Create
    .
    The New Timer Policy screen opens.
  3. In the
    Name
    field, type a name for the timer policy.
  4. In the
    Description
    field, type an optional description for the timer policy.
  5. If needed, change the default
    Common
    partition in the
    Partition
    field.
  6. To add timer rules, click the
    Rules
    on the left, and click
    Create Rule
    .
    A new rule is displayed with default name and values.
  7. Click the edit icon to the left of the new rule to enable editing for the rule fields.
  8. In the
    Name
    field, you may specify a more meaningful name than the default.
  9. From the
    Protocol
    list, select the protocol to be used.
    If you select
    all-other
    , the rule will apply to all protocols not specified in another timer rule in the policy.
  10. From the
    Destination Ports
    list, specify the one or more ports to use, if necessary. The default is to use any port.
    • Select
      Port
      to specify an individual port: type the port in the field provided, and then click
      Add
      . You can enter multiple individual ports, one at a time.
      Enter 0 as the port value to specify all other ports that have not been specified using
      Port
      or
      Port Range
      .
    • Select
      Port Range
      to specify a range of ports: type the beginning port in the first field, and the ending port of the range in the second field provided, and then click
      Add
      . You can enter multiple ports ranges, one at a time.
    • Select
      All Other
      to specify all other ports that have not been specified using
      Port
      or
      Port Range
      .
  11. From the
    Idle Timeout
    list, select the timeout option for the selected protocol.
    • Select
      Specify
      to specify the timeout for this protocol, in seconds. Type the number of seconds in the field provided.
    • Select
      Immediate
      to immediately apply this timeout to the protocol.
    • Select
      Indefinite
      to specify that this protocol never times out.
    • Select
      Unspecified
      to specify no timeout for the protocol. When this is selected, the system uses the default timeout for the protocol.
  12. Save your changes.
The timer policy is now configured.
You now need to add the timer policy to a service policy.

Clone a timer policy

Using the clone function, you can make a copy of a timer policy, and then modify it.
  1. Navigate to the Timer Policies screen: click
    Configuration
    SECURITY
    Network Security
    Timer Policies
    .
  2. Select the check box to the left of any timer policy you want to clone.
  3. Click
    Clone
    .
The system displays the New Timer Policy screen with the cloned policy displayed.

Delete a timer policy

You can delete obsolete timer policies that are no longer used by a service policy to avoid clutter in the user interface.
  1. Navigate to the Timer Policies screen: click
    Configuration
    SECURITY
    Network Security
    Timer Policies
    .
  2. Select the check box to the left of any timer policy that you want to remove.
  3. Click
    Delete
    .
  4. Confirm that you want to remove the timer policy by clicking
    Delete
    in the confirmation dialog box.
The system removes the selected timer policies.

Create a port misuse policy

You create a port misuse policy containing port misuse rules to add to a service policy.
  1. Go to the Port Misuse Policies screen: Click
    Configuration
    SECURITY
    Network Security
    Port Misuse Policies
    .
  2. Click
    Create
    .
    The New Port Misuse Policy screen opens.
  3. Type a name and an optional description for the port misuse policy.
  4. If needed, change the default
    Common
    partition in the
    Partition
    field.
  5. In the
    Default Actions
    row, select the default actions to occur when port misuse is detected. You can select none, one, or both options.
    • Select
      Drop on Service Mismatch
      to set a policy default that drops packets when the service does not match the port, as defined in the policy rules.
    • Select
      Log on Service Mismatch
      to set a policy default that logs service and port mismatches.
  6. To add port misuse rules, on the left, click
    Rules
    , and then click
    Create Rule
    .
    The screen displays a new port misuse rule with default name and values.
  7. Click the edit icon to the left of the name of the new rule to enable editing for the rule fields.
  8. In the
    Name
    field, you may specify a more meaningful name than the default.
  9. In the
    Port
    field, select a port for the port matching rule.
    You can select from a list of commonly used ports, or select
    Other
    and specify a port number. The default port number is automatically supplied for the common ports.
  10. In the
    IP Protocol
    field, select the IP protocol for the port matching rule.
  11. In the
    Service
    field, select the service to use.
    This setting configures the association between the service and port number. Packets on this port that do not match the specified service type are dropped, if
    Drop on Service Mismatch
    is applied to this rule.
    You can specify a service on any port; you are not limited to customary port and service pairings. You can configure any service on any port as a rule in a port misuse policy.
  12. In the
    Drop on Service Mismatch
    list, select the drop behavior.
    • Select
      Yes
      to drop packets when the service does not match the port.
    • Select
      No
      to allow packets when the service does not match the port.
    • Select
      Use Policy Default
      to use the default action for packet drops, when the service does not match the port.
  13. In the
    Log on Service Mismatch
    list, select the behavior for logging packet drops.
    • Select
      Yes
      to log dropped packets when the service does not match the port.
    • Select
      No
      to not log packet drops when the service does not match the port.
    • Select
      Use Policy Default
      to use the default action for logging packet drops, when the service does not match the port.
  14. Save your changes.
You have configured the port misuse policy.
You now can add the port misuse policy to a service policy.

Clone a port misuse policy

Using the clone option, you can make a copy of a port misuse policy that you can modify.
  1. Navigate to the Port Misuse Policies screen: click
    Configuration
    SECURITY
    Network Security
    Port Misuse Policies
    .
  2. Select the check box to the left of any port misuse policy you want to clone.
  3. Click
    Clone
    .
The system displays the New Port Misuse Policy screen with the cloned policy displayed.

Delete a port misuse policy

You can delete obsolete port misuse policies that are no longer used by a service policy to avoid clutter in the user interface.
  1. Navigate to the Port Misuse Policies screen: click
    Configuration
    SECURITY
    Network Security
    Port Misuse Policies
    .
  2. Select the check box to the left of any port misuse policy that you want to remove.
  3. Click
    Delete
    .
  4. Confirm that you want to remove the port misuse policy by clicking
    Delete
    in the confirmation dialog box.
The system removes the selected port misuse policy.

Create a service policy

You create a service policy to contain timer policies, port misuse policies, or both. Service policies can be applied to firewall contexts and added to a rule in a rule list or a rule on a security policy.
  1. Click
    Configuration
    SECURITY
    Network Security
    Service Policies
    .
  2. Click
    Create
    .
    The New Service Policy screen opens.
  3. In the
    Name
    field type a name for the service policy.
  4. If needed, change the default
    Common
    partition in the
    Partition
    field.
  5. In the
    Description
    field, type an optional description for the service policy.
  6. If needed, select a timer policy from those listed in the
    Timer Policy
    list.
    If no timer policy is listed, create one and then assign it to the service policy.
  7. If needed, select a port misuse policy from those listed in the
    Port Misuse Policy
    list.
    If no port misuse policy is listed, create one and then assign it to the service policy.
  8. Save your changes.
You have defined the service policy. You can now assign it to a firewall context. You can also add it to a rule in a rule list, or a rule on a security policy.

Clone a service policy

Using the clone option, you can make a copy of a service policy to modify..
  1. Go to the Service Policies screen: Click
    Configuration
    SECURITY
    Network Security
    Service Policies
    .
  2. Select the check box to the left of any service policy you want to clone.
  3. Click
    Clone
    .
The system displays the New Service Policy screen with the cloned policy displayed.

Deploy a service policy

You can do a partial deployment of only a service policy instead of an entire configuration.
  1. Go to the Service Policies screen: Click
    Configuration
    SECURITY
    Network Security
    Service Policies
    .
  2. Select the check box to the left of any service policy you want to deploy.
  3. Click
    Deploy
    .
The system displays the New Deployment - Network Security screen with the selected service policy on it. You can now continue the deployment process.

Delete a service policy

You can delete service policies that are no longer used, to simplify your view, using the Service Policies screen.
  1. Click
    Configuration
    SECURITY
    Network Security
    Service Policies
    .
  2. Select the check box to the left of any service policy you want to remove.
  3. Click
    Delete
    .
  4. In the confirmation dialog box, click
    Delete
    to confirm that you want to remove the service policy.
The system removes the selected service policies.

Apply a service policy to a firewall context

You apply a service policy to a firewall context to use a timer or port misuse policy with that context.
  1. Navigate to the Contexts screen: Click
    Configuration
    SECURITY
    Network Security
    Contexts
    .
  2. Click the name of the context to open it for editing.
  3. Add the service policy to the Service Policy row:
    1. Click
      Add Service Policy
      .
    2. From the popup screen select the service policy to add.
    3. Click
      Select
      .
    You can also add a service policy by selecting
    Service Policies
    in the Shared Objects list, and then dragging one of the displayed service policies and dropping it onto the Service Policy row. To remove a service policy, click the
    X
    to the right of the service policy name in the Service Policy row.
  4. Save your changes.
The service policy is now associated with the context.

Apply a service policy to a firewall rule

You apply a service policy to a firewall rule to apply timer policies or port misuse policies to traffic that is matched by the firewall rule. The rule can be associated with a rule list or with a firewall security policy.
  1. Display the list of rules from a rule list or from a firewall security policy.
    If the rule is in a rule list:
    Navigate to the Rule Lists screen: click
    Configuration
    SECURITY
    Network Security
    Rule Lists
    . Click the name of the rule list containing the rule. The screen lists the rules.
    If the rule is associated with a policy:
    Navigate to the Firewall Policies screen: click
    Configuration
    SECURITY
    Network Security
    Firewall Policies
    . Click the name of the policy containing the rule. The screen lists the rules.
  2. To make it editable, click the edit icon to the left of the name of the rule to which you want to add the service policy.
  3. Add the service policy to the rule.
    Add the service policy by typing.
    Type the name of the service policy in the Service Policy column for the rule. The system completes name of the service policy once you begin typing the name.
    Add the service policy by drag and drop.
    In the Shared Objects area, select
    Service Policies
    , and then drag the service policy from that list and drop it into the Service Policy column for the rule.
  4. Save your changes.
The service policy is added to the rule.