Manual Chapter: Managing Firewall Policies

Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0, 8.0.0

Managing Firewall Policies

About firewall policies

A firewall policy is a set of rules, rule lists, or both. BIG-IP network firewalls use policies to specify traffic-handling actions and to define the parameters for filtering network traffic. You can assign rule lists or a policy to a firewall. Policies let you assign a common collection of rules consistently across multiple firewalls.
When you are managing clustered BIG-IP devices in the BIG-IQ Centralized Management system, avoid assigning a firewall policy to a cluster member that is a non-floating self IP. Doing so may cause unexpected results when performing partial deployments and other actions.
The network software compares IP packets to the criteria specified in policies. If a packet matches the criteria, then the system takes the action specified by the policy. If a packet does not match any rule in the policy, the software accepts the packet or passes it to the next policy, rule, or rule list.
In Network Security, the Policies list displays the policies available for assignment to firewalls.
You can configure firewall policies as enforced or staged:
  • An enforced policy is a policy whose actions are executed. Actions include accept, accept decisively, drop, and reject. You can assign only one enforced policy to any specific firewall.
  • A staged policy is a policy that is evaluated, but its actions are not enforced. All activity is logged. You can assign only one staged policy to any specific firewall. You can have rule lists assigned to a firewall (in the enforced area) and also have a staged policy configured on that firewall. You cannot have rule lists in the staged area.
You can stage a firewall policy first and then examine the logs to determine how the policy affects traffic. You can then decide when to turn the policy from staged to enforced.
Firewall policies can contain any combination of rules and rule lists. Policies cannot contain other policies. You can re-order rules within a policy.
The Network Security system is aware of functionality implemented in one BIG-IP software version but not in another. In terms of firewall policies, this means that you are prohibited from dropping a policy onto a firewall on a BIG-IP device that does not have the software version required to support it.

Filtering policies

To filter the system interface to display only those objects related to a selected policy, hover over the policy name, right-click, and then click Filter 'related to'. The interface is filtered and a count appears to the right of each object type. The frame to the right provides its own filter field where you can enter text and click the filter icon to constrain the display to those items that match the filter.

Creating firewall policies

To fine-tune your network firewalls, you can configure policies and assign them to firewalls using the Rules & Rule Lists settings on the Firewall Policies screen.
  1. Click Configuration > SECURITY > Network Security > Network Firewall > Firewall Policies.
  2. Click Create to open the New Firewall Policies screen.
  3. Click Properties and complete the properties fields as required. All boxes outlined in gold are required fields.
     Name: User-provided name for the policy. This field is editable when creating or cloning a policy, and read-only when editing a policy.
     Description: Optional description for the policy.
     Partition: Although it is pre-populated with Common (default), you can set the partition when creating or cloning policies by typing a unique partition name. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name. The partition cannot be edited afterward.
     Application Templates: Select whether the policy is available to application templates. To make this policy available to application templates, select Make available in Application Templates.
  4. Click Rules, and then click either:
     • Create Rule to create rules.
     • Add Rule List to add rule lists.
  5. Click Save to save the firewall policy, or click Save & Close to save the firewall policy and return to the Firewall Policies screen.
A new firewall policy is added.

Cloning firewall policies

Cloning creates an exact copy of a firewall policy under a different name, which you can then edit to address any special considerations in your network firewall environment. This lets you quickly create policies tailored to unique parts of your network.
Users with the roles of Network Security Viewer or Network Security Deployer cannot clone policies.
  1. Click Configuration > SECURITY > Network Security > Network Firewall > Firewall Policies.
  2. On the left, click Firewall Policies to see the list of firewall policies.
  3. Select a firewall policy in the list using the check box on the left and click Clone to copy and modify the existing firewall policy.
  4. Click Properties and complete the properties fields as required. All boxes outlined in gold are required fields.
     Name: User-provided name for the policy. This field is editable when creating or cloning a policy, and read-only when editing a policy.
     Description: Optional description for the policy.
     Partition: Although it is pre-populated with Common (default), you can set the partition when creating or cloning policies by typing a unique partition name. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name. The partition cannot be edited afterward.
     Application Templates: Select whether the policy is available to application templates. To make this policy available to application templates, select Make available in Application Templates.
  5. Click Rules, and then click either:
     • Create Rule to create rules.
     • Add Rule List to add rule lists.
  6. Click Save to save the firewall policy, or click Save & Close to save the firewall policy and return to the Firewall Policies screen.
The cloned policy appears in the Firewall Policies screen. In an HA configuration, the cloned policy appears on the standby BIG-IQ system as soon as it is saved.

Deploy firewall policies

To deploy more quickly, you can do a partial deployment that pushes only the firewall policy portion of a configuration instead of the entire configuration.
  1. Click Configuration > SECURITY > Network Security > Firewall Policies. The Firewall Policies screen opens.
  2. Click the check box next to the firewall policy you want included in the partial deployment.
  3. Click Deploy.
The system displays the selected firewall policy, with options for partial deployment selected. Continue the partial deployment process.

Rename firewall policies

You rename a firewall policy when you want to make its name more accurate or distinct. Renaming a firewall policy creates a new firewall policy and deletes the old one in a single transaction. All references to the old firewall policy are updated to refer to the renamed firewall policy.
  1. Click Configuration > SECURITY > Network Security > Firewall Policies.
  2. Select the check box next to the firewall policy to rename.
  3. Click More > Rename. A dialog box displays.
  4. Enter the new name in the dialog box and click Save. The BIG-IQ system shows the status of the renaming operation in the dialog box.
  5. Click Close to exit the dialog box.
The firewall policy has been renamed.

Make firewall policies available in application templates

You make a firewall policy available to application templates so that it can be used to create applications.
  1. Click Configuration > SECURITY > Network Security > Firewall Policies.
  2. Select the check box next to the firewall policy to add to the application template.
  3. Click More > Make available for templates. A dialog box displays.
  4. Confirm that you want to make the policy available to templates and click Save. The BIG-IQ system shows the status of the operation in the dialog box.
The firewall policy is now available to application templates, and the policy shows Yes in the Available to Application Templates column. To remove this policy from application templates, click More > Make unavailable for templates.

Reorder rules in firewall policies

Using the Firewall Policies screen, you can reorder the rules in a firewall policy to change the order in which they are evaluated. Rules are evaluated from top to bottom in the list (lowest Id number first, highest Id number last), so the position of a rule determines which packets it sees before any later rule does.
  1. Click Configuration > SECURITY > Network Security > Network Firewall > Firewall Policies.
  2. Click the name of the firewall policy to edit.
  3. Click Rules.
  4. To reorder rule lists or rules, drag and drop them until they are in the correct order. You can also right-click a rule row and select among the ordering options.
     You can use Copy Rule and then paste rules between policies. However, if you use Cut Rule and then paste between policies, the cut rule will not be removed from the original policy.
  5. Click Save to save your changes.
  6. When you are finished, click Save & Close to save your edits and return to the Firewall Policies screen.
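The evaluation behaviour this chapter describes, in the "About firewall policies" section and in the rule-ordering section above (the first matching rule from the top decides; a staged policy is evaluated and logged but its action is not applied; a packet that matches nothing falls through and is accepted), as an added Python illustration. It is not BIG-IQ or BIG-IP code: the rule fields, policy names and packets are constructed samples, and the difference between accept and accept decisively in later firewall contexts is not modelled. It shows why the order of rules matters: the same three rules give opposite verdicts for HTTPS from an untrusted range depending on whether the block rule or the allow rule sits on top, and how a staged copy of the stricter policy lets you see that outcome in the log before enforcing it.

```python
"""Toy model of first-match firewall policy evaluation (added illustration,
not F5/BIG-IQ code). Models what the chapter describes: rules are evaluated
top to bottom and the first match decides; a staged policy is evaluated and
logged but its action is not applied; no match falls through to accept.
Rule fields, policy names and packets below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # accept | accept-decisively | drop | reject
    src: Optional[str] = None       # source CIDR; None matches any source
    protocol: Optional[str] = None  # "tcp" or "udp"; None matches any
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.dst_port is not None and pkt["dst_port"] != self.dst_port:
            return False
        return True


@dataclass
class Policy:
    name: str
    rules: List[Rule]   # rules (and expanded rule lists) in evaluation order
    staged: bool = False

    def evaluate(self, pkt: dict, log: List[str]) -> Optional[str]:
        """Return the action to apply, or None when the policy is staged
        (logged only) or no rule matched (fall through)."""
        mode = "staged" if self.staged else "enforced"
        for idx, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                log.append(f"{mode} policy={self.name} rule={idx}:{rule.name} "
                           f"action={rule.action} src={pkt['src']} "
                           f"{pkt['protocol']}/{pkt['dst_port']}")
                return None if self.staged else rule.action
        log.append(f"{mode} policy={self.name} no-match src={pkt['src']}")
        return None


def decide(pkt: dict, enforced: Policy,
           staged: Optional[Policy] = None) -> Tuple[str, List[str]]:
    """Run the optional staged policy (log only), then the enforced policy.
    Default when nothing matches: accept (the chapter's fall-through case)."""
    log: List[str] = []
    if staged is not None:
        staged.evaluate(pkt, log)
    verdict = enforced.evaluate(pkt, log)
    return (verdict if verdict is not None else "accept"), log


# Constructed sample rules (not from the page).
BLOCK_UNTRUSTED = Rule("block-untrusted", "drop", src="203.0.113.0/24")
ALLOW_HTTPS = Rule("allow-https", "accept", protocol="tcp", dst_port=443)
REJECT_TELNET = Rule("reject-telnet", "reject", protocol="tcp", dst_port=23)


def strict_policy(name: str, staged: bool = False) -> Policy:
    """Block rule first, then service allows: the intended order."""
    return Policy(name, [BLOCK_UNTRUSTED, ALLOW_HTTPS, REJECT_TELNET], staged)


def reordered_policy(name: str) -> Policy:
    """Same rules with allow-https dragged above block-untrusted: the allow
    now shadows the block for HTTPS from the untrusted range."""
    return Policy(name, [ALLOW_HTTPS, BLOCK_UNTRUSTED, REJECT_TELNET])


if __name__ == "__main__":
    https_from_untrusted = {"src": "203.0.113.7", "protocol": "tcp", "dst_port": 443}
    for pol in (strict_policy("strict"), reordered_policy("reordered")):
        verdict, log = decide(https_from_untrusted, pol)
        print(f"{pol.name}: {verdict}  <- {log[-1]}")
    # Staging the strict policy beside a permissive enforced one: traffic is
    # still accepted, but the log shows what the candidate would have done.
    verdict, log = decide(https_from_untrusted, Policy("legacy", [ALLOW_HTTPS]),
                          staged=strict_policy("candidate", staged=True))
    print(f"enforced verdict: {verdict}")
    print("\n".join(log))
```

Running the script prints a drop verdict for the strict order and an accept verdict for the reordered one, then shows the staged candidate's drop decision in the log while the enforced legacy policy still accepts the packet, which is the review step the chapter recommends before switching a policy from staged to enforced.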

Deleting firewall policies

You can remove obsolete firewall policies to keep your network firewalls up to date. If a firewall policy is in use, you cannot remove it. To see where a firewall policy is used, right-click the firewall policy name and click Filter 'related to'. The BIG-IQ system displays a count of where the policy is used in the list to the left.
  1. Click Configuration > SECURITY > Network Security > Network Firewall > Firewall Policies.
  2. On the left, click Firewall Policies to see the list of firewall policies.
  3. Select the firewall policy to be deleted using the check box to the left of the firewall policy.
  4. Click Delete and then confirm the permanent removal in the popup dialog box.
The policy is deleted and no longer appears in the list of firewall policies.