Manual Chapter : Configuring BIG-IP Network Firewall Policies

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.0.1, 14.0.0
Manual Chapter

Configuring BIG-IP Network Firewall Policies

About firewall policies

The BIG-IP Network Firewall policies combine one or more rules or rule lists, and apply them as a combined policy to one context. You can configure a context to use a specific firewall policy. However, firewall context precedence still applies, so policies applied at the global context still apply, even if they contradict rules applied at a lower precedence context. For example, global policies apply before virtual server policies.

Note: Global firewall rules are included in an automatic policy called Global.

You can apply a Network Firewall policy as a staged policy, while enforcing an existing firewall policy, or no policy. A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules.

Task list

Creating a Network Firewall policy

Create a BIG-IP Network Firewall policy to collect and apply one or more firewall rules or rule lists globally, to a virtual server, route domain, or self IP address.
  1. On the Main tab, click Security > Network Firewall > Policies .
    The Policies screen opens.
  2. Click Create to create a new policy.
  3. Type a name and optional description for the firewall policy.
  4. Click Finished.
The Policies screen shows the new policy in the policy list.
Define firewall rules and rule lists for the policy to affect traffic.

Creating a Network Firewall policy rule

If you are going to specify address lists or port lists to use with this rule, you must create these lists before creating the firewall policy rule, or add them after you save the policy rule.
You create a Network Firewall policy rule to manage access from an IP or web network address to a specified network location, server, or address behind a BIG-IP system.
Note: You cannot add rules created with this task to a rule list at a later time. You must create rules for a rule list from within the rule list. Similarly, you cannot use the rules created in a policy to apply as inline rules in another context, although you can use rule lists in a policy rule.
  1. On the Main tab, click Security > Network Firewall > Policies .
    The Policies screen opens.
  2. Click the name of the network firewall policy to which you want to add rules.
  3. In the Rules area, click Add to add a firewall rule to the list.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the Type list, select whether you are creating a standalone network firewall policy rule or creating a rule list.
    Note: If you create a firewall policy rule list, only the Name, Description, Order, Rule List, and Stateoptions apply, and you must select or create a rule list to include.
  6. From the State list, select the rule state.
    • Select Enabled to apply the firewall policy rule or rule list to the addresses and ports specified.
    • Select Disabled to set the firewall policy rule or rule list to not apply at all.
    • Select Scheduled to apply the firewall policy rule or rule list according to the selected schedule.
  7. If you select Scheduled, from the Schedule list, select the schedule for the firewall policy rule.
    This schedule is applied when the firewall policy rule state is set to Scheduled.
    Note: You cannot save a scheduled rule when the firewall compilation or deployment mode is manual.
  8. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  9. In the Source list, specify addresses and geolocated sources to which this rule applies.
    • From the Address/Region list, select Any to have the rule apply to any packet source IP address or geographic location.
    • From the Address/Region list, select Specify and click Address to specify one or more packet source IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the Address field, then click Add to add them to the address list.
    • From the Address/Region list, select Specify and click Address List to select a predefined list of packet source addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • From the Address/Region list, select Specify and click Address Range to specify a contiguous range of packet source IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • From the Address/Region list, select Specify and click Country/Region to identify the geographic origin of packet sources, and to apply rules based on selected geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Source address list.
  10. From the Source Port list, select the type of packet source ports to which this rule applies.
    • Select Any to have the rule apply to any packet source port.
    • Select Specify and click Port to specify one or more packet source ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet source port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet source ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  11. From the Source VLAN/Tunnel list, select the VLAN on which this rule applies.
    • Select Any to have the rule apply to traffic on any VLAN through which traffic enters the firewall.
    • Select Specify to specify one or more VLANs on the firewall to which the rule applies. To use a VLAN with this rule, move the VLAN from the Available list to the Selected list. Similarly, you can remove the VLAN from this rule, by moving the VLAN from the Selected list to the Available list.
  12. In the Destination area and from the Address/Region list, select the type of packet destination address to which this rule applies.
    • Select Any to have the rule apply to any IP packet destination address.
    • Select Specify and click Address to specify one or more packet destination IP addresses or fully qualified domain names (FQDNs) to which the rule applies. When selected, you can type single IP addresses or FQDNs into the Address field, then click Add to add them to the address list.
    • Select Specify and click Address List to select a predefined list of packet destination addresses to which the rule applies. To use an address list with this rule, select the address list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
    • Select Specify and click Address Range to specify a contiguous range of packet destination IP addresses to which the rule applies. When selected, you can type a start and end IP address in the fields, then click Add to add the IP address range to the address list.
    • Select Specify and click Country/Region to identify the geographic packet destination, and to apply rules based on specific geographic locations. When selected, a field appears in which you can select a country. For many countries, an extra field appears after you select the country, in which you can select a state or province. If you do not select a specific state or province, the entire country is selected. After you select a geographic location, click Add to add it to the Destination address list.
  13. From the Destination Port list, select the type of packet destination ports to which this rule applies.
    • Select Any to have the rule apply to any port inside the firewall.
    • Select Specify and click Port to specify one or more packet destination ports to which the rule applies. When selected, you can type single port numbers into the Port field, then click Add to add them to the port list.
    • Select Specify and click Port Range to specify a list of contiguous packet destination port numbers to which the rule applies. When selected, you can type the start and end ports into the fields, then click Add to add the ports to the port list.
    • Select Specify and click Port List to select a predefined list of packet destination ports to which the rule applies. To use a port list with this rule, select the port list and click the Add button. Similarly, to remove the list from this rule, select the list and click the Delete button.
  14. Optionally, to apply an iRule to traffic matched by this rule, from the iRule list, select an iRule.
  15. When you select an iRule to start in a firewall rule, you can enable iRule sampling, and select how frequently the iRule is started, for sampling purposes. The value you configure is one out of n times the iRule is triggered. For example, to trigger the iRule one out of every five times the rule matches a flow, select Enabled, then set this field to 5.
  16. Optionally, to send traffic matched by this rule to a specific virtual server, from the Send to Virtual list, select the virtual server.
    Important: Traffic that is sent to a virtual server is processed according to the DDoS rules and firewall rules on that virtual server, not according to the originating context.
  17. To apply a protocol inspection profile to check protocol inspection signatures against traffic that matches the rule, select a Protocol Inspection Profile.
  18. To apply a classification policy to traffic that matches the rule, select a Classification Policy.
  19. From the Action list, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose from one of the these actions:
    Option Description
    Accept Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    Reject Rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.
    Accept Decisively Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  20. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  21. Click Finished.
    The list screen and the new item are displayed.
The new firewall policy rule is created.

Setting a global firewall policy

You can assign a firewall policy globally, to provide policy-based network firewall actions at the device level.
Note: To configure a clean-up rule for logging purposes, when IPv6 pool members are configured on the BIG-IP, you must add a specific rule that allows access from the pool member network to the BIG-IP. This rule must allow ICMPv6 protocol 136 (Neighbor Advertisement). This allows the IPv6 pool members to show neighbor table and monitor as available.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. Under Active Network Firewall Rules, click the Global link.
    The Global Firewall Rules screen opens.
  3. To enforce rules from a firewall policy in the selected context, in the Network Firewall area: from the Enforcement list, select Enabled and then select the firewall policy to enforce from the Policy list.
  4. To stage rules from a firewall policy in the selected context, in the Network Firewall area: from the Staging list, select Enabled and then select the firewall policy to stage from the Policy list.
The policy rules you selected are enforced at the global level. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

Configuring a route domain with a firewall policy

Before you can configure a route domain with a firewall policy, you need a pre-existing route domain.
Route domains are useful for multi-tenant configurations. You can set firewall policies for enforcement and staging on an existing route domain, and create a route domain on a BIG-IP system to segment (isolate) traffic on your network.
Note: To configure a clean-up rule for logging purposes, when IPv6 pool members are configured on the BIG-IP, you must add a specific rule that allows access from the pool member network to the BIG-IP. This rule must allow ICMPv6 protocol 136 (Neighbor Advertisement). This allows the IPv6 pool members to show the neighbor table and monitor as available.
  1. On the Main tab, click Network > Route Domains .
    The Route Domain List screen opens.
  2. Click the name of the route domain to show the route domain configuration.
  3. Click the Security tab.
  4. To enforce rules from a firewall policy on the route domain: in the Network Firewall area: from the Enforcement list, select Enabled and then select the firewall policy to enforce from the Policy list.
  5. To stage rules from a firewall policy on the route domain: in the Network Firewall area, from the Staging list, select Enabled and then select the firewall policy to stage from the Policy list.
  6. Click Update to save the changes to the route domain.

Setting network firewall policies for a self IP address

Ensure that you have created a self IP address.
You can enforce or stage a firewall policy at the self IP context. Stage a firewall policy to verify the results of the firewall policy in the logs without affecting traffic.
  1. On the Main tab, click Network > Self IPs .
  2. Click on the self IP address to which you want to add a network firewall policy.
  3. Click the Security tab.
  4. To enforce rules from a firewall policy on the self IP: In the Network Firewall area, from the Enforcement list, select Enabled, and then from the Policy list, select the firewall policy to enforce.
  5. To stage rules from a firewall policy on the self IP: In the Network Firewall area, from the Staging list, select Enabled, and then from the Policy list, select the firewall policy to stage.
  6. Click Update to save the changes to the self IP.
The selected self IP now enforces or stages rules according to your selections.

Creating a virtual server with a firewall policy

You can create a virtual server with a firewall policy, to provide policy-based network firewall actions at the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type * or select * All Ports from the list.
  6. Click Finished.
  7. Click the name of the virtual server you want to modify.
  8. On the menu bar, click Security > Policies .
    The screen displays policy settings for the virtual server.
  9. To enforce rules from a firewall policy on the virtual server, in the Network Firewall area, from the Enforcement list, select Enabled, then select the firewall policy to enforce from the Policy list.
  10. To stage rules from a firewall policy on the virtual server, in the Network Firewall area, from the Staging list, select Enabled, then select the firewall policy to stage from the Policy list.
  11. Click Update to save the changes.
The policy rules you selected are enforced on the virtual server. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

Viewing enforced and staged policy rule logs

With BIG-IP® Advanced Firewall Manager™, you can choose to enforce either inline firewall rules or a firewall policy for a specific context. You can also choose to stage policies for a specific context. Staged policies apply all of the specified firewall rules to the policy context, but do not enforce the firewall action. Therefore, the result of a staged policy is informational only, and the result can be analyzed in the firewall logs.

A staged policy on a particular context might not behave the same after you change it to an enforcement policy. Because there can be multiple staged policies on different contexts, the staged policy results you see (in logs and stats) are actually the aggregate of all staged policies on all contexts. Thus, if you enforce a previously staged policy on one or more contexts, but other staged policies remain on other contexts that you do not enforce, the actual enforced results might differ from what you expected from viewing logs and statistics for staged rules.

Important: You must enable logging for a policy, if you want to view the results of staged or enforced rules in the logs.

Viewing Network Firewall enforced policy events on the local BIG-IP system

Ensure that the BIG-IP system is configured to log the types of events you want to view, and to store the log messages locally on the BIG-IP system.
When the BIG-IP system is configured to log events locally, you can view those events using the Configuration utility.
  1. On the Main tab, click Security > Event Logs > Network > Firewall .
    The Network Firewall event log displays.
  2. To search for enforced policy events, in the search field, type Enforced, then click Search.
  3. To narrow your search for enforced events, click Custom Search. Drag the Enforced text from the Policy Type column to the custom search table. Narrow your search further by dragging other items from the log display, for example, from the action, policy, or rule columns. the event data that you want to search for from the Event Log table into the Custom Search table, and then click Search.

Viewing Network Firewall staged policy events on the local BIG-IP system

Ensure that the BIG-IP system is configured to log the types of events you want to view, and to store the log messages locally on the BIG-IP system.
When the BIG-IP system is configured to log events locally, you can view those events using the Configuration utility.
Important: You must enable logging for a policy, if you want to view the results of staged or enforced rules in the logs.
  1. On the Main tab, click Security > Event Logs > Network > Firewall .
    The Network Firewall event log displays.
  2. To search for staged policy events, in the search field, type Staged, then click Search.
  3. To narrow your search for staged policy events, click Custom Search. Drag the Staged text from the Policy Type column to the custom search table. Narrow your search further by dragging other items from the log display. For example, from the action, policy, or rule columns, you can drag event data that you want to search for from the Event Log table into the Custom Search table, and then click Search.