Applies To: BIG-IP AFM 14.0.1, 14.0.0
Configuring BIG-IP Network Firewall Policies
About firewall policies
A BIG-IP Network Firewall policy combines one or more rules or rule lists and applies them as a single policy to one context. You can configure a context to use a specific firewall policy. However, firewall context precedence still applies: policies applied at the global context still take effect, even if they contradict rules applied at a lower-precedence context. For example, global policies are evaluated before virtual server policies.
You can apply a Network Firewall policy as a staged policy, while enforcing an existing firewall policy, or no policy. A staged policy allows you to evaluate the effect a policy has on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules.
Task list
Creating a Network Firewall policy
Creating a Network Firewall policy rule
Setting a global firewall policy
Configuring a route domain with a firewall policy
Setting network firewall policies for a self IP address
- On the Main tab, click .
- Click on the self IP address to which you want to add a network firewall policy.
- Click the Security tab.
- To enforce rules from a firewall policy on the self IP: In the Network Firewall area, from the Enforcement list, select Enabled, and then from the Policy list, select the firewall policy to enforce.
- To stage rules from a firewall policy on the self IP: In the Network Firewall area, from the Staging list, select Enabled, and then from the Policy list, select the firewall policy to stage.
- Click Update to save the changes to the self IP.
Creating a virtual server with a firewall policy
Viewing enforced and staged policy rule logs
With BIG-IP® Advanced Firewall Manager™, you can choose to enforce either inline firewall rules or a firewall policy for a specific context. You can also choose to stage policies for a specific context. Staged policies apply all of the specified firewall rules to the policy context, but do not enforce the firewall action. Therefore, the result of a staged policy is informational only, and the result can be analyzed in the firewall logs.
A staged policy on a particular context might not behave the same after you change it to an enforcement policy. Because there can be multiple staged policies on different contexts, the staged policy results you see (in logs and stats) are actually the aggregate of all staged policies on all contexts. Thus, if you enforce a previously staged policy on one or more contexts, but other staged policies remain on other contexts that you do not enforce, the actual enforced results might differ from what you expected from viewing logs and statistics for staged rules.
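Because staged results in the logs are the aggregate of every staged policy on every context, it helps to split them by context before deciding what enforcing one policy would do. The following Python script is an added example, not part of the F5 documentation: it parses constructed AFM-style key="value" log lines (the field names such as acl_policy_type and context_name are assumed; the lines themselves are made up), counts staged hits per context and policy, and flags flows where staged policies on different contexts would have taken different actions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key="value" style of AFM network firewall
# logs. Field names are assumed for this example; the lines are made up.
SAMPLE_LOGS = [
    'acl_policy_type="Staged" acl_policy_name="/Common/global_staged" acl_rule_name="deny_telnet" action="Drop" context_type="Global" context_name="Global" src_ip="203.0.113.5" dest_ip="198.51.100.10" dest_port="23"',
    'acl_policy_type="Staged" acl_policy_name="/Common/selfip_staged" acl_rule_name="allow_mgmt" action="Accept" context_type="SelfIP" context_name="/Common/selfip_10" src_ip="203.0.113.5" dest_ip="198.51.100.10" dest_port="23"',
    'acl_policy_type="Enforced" acl_policy_name="/Common/vs_policy" acl_rule_name="allow_http" action="Accept" context_type="Virtual Server" context_name="/Common/vs_http" src_ip="198.51.100.7" dest_ip="198.51.100.20" dest_port="80"',
    'acl_policy_type="Staged" acl_policy_name="/Common/global_staged" acl_rule_name="deny_telnet" action="Drop" context_type="Global" context_name="Global" src_ip="192.0.2.9" dest_ip="198.51.100.11" dest_port="23"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def staged_summary(lines):
    """Count staged hits per (context, policy, rule, action).

    Splitting the aggregate staged results by context shows which policy
    would actually have acted, and with what action, if it were enforced.
    """
    counts = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec.get("acl_policy_type") != "Staged":
            continue  # enforced hits already reflect real actions
        key = (rec["context_name"], rec["acl_policy_name"],
               rec["acl_rule_name"], rec["action"])
        counts[key] += 1
    return dict(counts)


def conflicting_flows(lines):
    """Return flows where staged policies on different contexts disagree.

    Result maps (src_ip, dest_ip, dest_port) -> sorted [(context, action)].
    These are the flows whose outcome changes depending on which staged
    policy you choose to enforce.
    """
    by_flow = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec.get("acl_policy_type") != "Staged":
            continue
        flow = (rec["src_ip"], rec["dest_ip"], rec["dest_port"])
        by_flow[flow].add((rec["context_name"], rec["action"]))
    return {f: sorted(a) for f, a in by_flow.items()
            if len({action for _, action in a}) > 1}
```

Run it against a real export from the AFM logs after confirming the field names your logging profile emits.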