Manual Chapter : Policies and Rules

Applies To: BIG-IP AFM 14.1.0

About policies and rules

AFM Network Firewall uses industry standard firewall policies containing ordered lists of firewall rules or rule lists. Network Firewall policies control network access to your data center using the criteria specified in the associated rules or rule lists. Once created, BIG-IP AFM network firewall policies are applied to BIG-IP system access points, or contexts, such as a virtual server, a Self IP address, or the entire device at the global context.

Staging policies

You can also stage a firewall policy in any context. This allows you to view hit rate statistics and verify the potential impact a new policy may have on traffic processing before enforcing it.

Management port

Management port rules are configured directly on the management port context itself; as a result, policies cannot be associated with the management port.

About AFM Network Firewall contexts

Because AFM Network Firewall policies can be applied to a variety of different contexts and policies may at times overlap, it is important to understand the order of processing for each context.

Order processed   Firewall context          Description
1st               Global                    Applies to all traffic being processed.
2nd               Route Domain              Applies to a specific route domain.
3rd               Virtual Server/Self IP    Applies to a virtual server or Self IP address.
Independent       Management Port           Applies to the BIG-IP system management port.

AFM Network Firewall processes policies in order, progressing from the global, to the route domain, and then to the virtual server/Self IP context. Management port rules are processed separately. You can enforce a firewall policy on any context except the management port.

AFM Network Firewall rule actions

These listed actions are available in a firewall rule.

AFM Network Firewall actions are processed within a context. If traffic matches a firewall rule within a given context, that action is applied to the traffic, and the traffic is then processed again at the next context (the Accept Decisively action is the exception; see below).

Firewall action      Description
Accept               Packets that match the rule are accepted and traverse the system as if the firewall is not present.
Drop                 Packets that match the rule are dropped. Dropping a packet is a silent action with no notification to the source system. This causes the connection to be retried until the retry threshold is reached.
Reject               Packets that match the rule are rejected. Rejecting is a more graceful way to deny packets, as it sends a destination unreachable message to the source system.
Accept Decisively    Packets that match the rule are accepted decisively and traverse the system as if the firewall is not present. Packets are not processed by rules in any further context after the accept decisively action applies. For example, if you want to allow all packets from Network A to reach every server behind your firewall, you can specify a rule that accepts decisively at the global context, from Network A to any port and address. Then, you can specify that all traffic is blocked at a specific virtual server, using the virtual server context. Because traffic from Network A is accepted decisively at the global context, that traffic still traverses the virtual server.
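The context order and rule actions described above, as an added example that is not F5 code: a small model that walks the global, route domain and virtual server/Self IP contexts in order, stops at Drop, Reject or Accept Decisively, continues to the next context after a plain Accept, and ignores ICMP rules on the virtual server/Self IP context as the rule list procedure later in this chapter notes. Rule fields, policy names, addresses and packets are constructed for illustration.

```python
# Added example (not F5 code): a model of how AFM walks its firewall contexts
# in the order the chapter gives. Rule fields, names and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CONTEXT_ORDER = ("global", "route_domain", "virtual_server")
FINAL_ACTIONS = {"drop", "reject", "accept_decisively"}  # end processing here

@dataclass
class Rule:
    name: str
    action: str               # accept | drop | reject | accept_decisively
    src: str = "0.0.0.0/0"    # source network in CIDR form
    protocol: str = "any"     # "tcp", "udp", "icmp", ... or "any"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.protocol in ("any", pkt["protocol"]))

def evaluate(policies: dict, pkt: dict) -> list:
    """Return the (context, rule name, action) decisions taken for pkt, in order."""
    trace = []
    for ctx in CONTEXT_ORDER:
        for rule in policies.get(ctx, []):
            # ICMP is answered at the global/route-domain level, so an ICMP rule
            # on a self IP or virtual server is ignored (see the rule list steps).
            if rule.protocol in ("icmp", "icmpv6") and ctx == "virtual_server":
                continue
            if rule.matches(pkt):
                trace.append((ctx, rule.name, rule.action))
                if rule.action in FINAL_ACTIONS:
                    return trace      # drop/reject discard; accept decisively skips later contexts
                break                 # plain accept: decided here, still checked at next context
    return trace

def verdict(policies: dict, pkt: dict) -> str:
    trace = evaluate(policies, pkt)
    return trace[-1][2] if trace else "no_match"

# Constructed policy set mirroring the chapter's Accept Decisively example: Network A
# is accepted decisively globally, Network B only accepted, and the virtual server blocks all.
POLICIES = {
    "global": [Rule("allow_netA", "accept_decisively", src="10.1.0.0/16"),
               Rule("allow_netB", "accept", src="10.2.0.0/16"),
               Rule("icmp_global", "drop", protocol="icmp")],
    "virtual_server": [Rule("icmp_vs", "accept", protocol="icmp"),  # ignored here
                       Rule("block_all", "drop")],
}
```

Running `evaluate(POLICIES, {"src": "10.2.5.5", "protocol": "tcp"})` shows the plain Accept at the global context followed by the Drop at the virtual server, while Network A traffic never reaches the virtual server rules.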

AFM Network Firewall rule UUIDs

To improve troubleshooting and auditing, firewall rules can be identified using a 32 character Universally Unique Identification Number (UUID). For example:

01727c12-8c34-69cc-1ec2-160b2d2014aa

The following table lists some of the UUID behaviors as they relate to the BIG-IP system.

System Feature            Description
High-availability (HA)    UUIDs are shared between devices in an HA configuration.
Configuration             UUIDs remain in the configuration; they can be restored with a UCS installation, for example.
Logging                   UUID logging can be enabled, allowing you to match logged events to specific rules.
Editing                   UUIDs cannot be edited.
Resource utilization      UUID generation and logging slightly increase CPU utilization and disk space utilization.

You can enable UUIDs per rule, or enable UUID generation to occur automatically when a new rule is created. To enable automatic UUID creation for all rules, navigate to Security > Options > Firewall Options > Auto Generate UUID.

AFM Network Firewall rule options

These listed options are available in a firewall rule.

AFM Network Firewall rule options are used to designate very specific packet matching criteria and the action to take once a packet match is made.

Firewall rule option          Description
Name                          Specify the name of the rule.
Auto Generate UUID            Identify each firewall rule with a 36 character Universally Unique Identification Number (UUID).
Description                   Specify descriptive text for the rule.
Order                         Specify the order of the rule in the list.
State                         Specify the state of the rule. Options include:
                                • Enabled - The system applies the firewall rule.
                                • Disabled - The system does not apply the firewall rule.
                                • Scheduled - The system applies the firewall rule based on a schedule.
Protocol                      Specify the protocol to which the rule applies. Options include over 250 protocols.
Source                        Specify the packet source to which the rule applies. Options include:
                                • Subscriber - Specify a subscriber or group ID.
                                • Address/Region - Specify IPv4 / IPv6 addresses or geographical regions.
                                • VLAN/Tunnel - Specify a VLAN or tunnel.
Destination                   Specify the packet destination to which the rule applies. This includes IPv4 / IPv6 addresses or geographical regions.
iRule                         Specify an iRule to execute when the rule is matched.
Action                        Specify a standard firewall rule action: Accept, Drop, Reject or Accept Decisively.
Send to Virtual               Specify a virtual server to which matching traffic is sent. This option is only available for rules used in global or route domain contexts.
Logging                       Specify whether logging is enabled or disabled for the firewall rule.
Service Policy                Specify a service policy that applies when the rule is matched.
Protocol Inspection Profile   Specify a protocol inspection profile that applies when the rule is matched.
Classification Policy         Specify a classification policy that applies when the rule is matched.

About rule lists

AFM Network Firewall uses rule lists to collect multiple firewall rules. While you can create firewall policies containing multiple firewall rule entries, F5 recommends creating and associating rule lists with your firewall policies to simplify administration.

Creating a rule list

You can create an AFM Network Firewall rule list, to which you can add multiple firewall rules. The new rule list can be referenced when modifying or creating a firewall policy.
  1. On the Main tab, click Security > Network Firewall > Rule Lists.
    The Rule Lists screen opens.
  2. Click the Create button to create a new rule list.
  3. In the Name and Description fields, type the name and an optional description.
  4. Click Finished.
    The empty firewall rule list is displayed.
The new rule list appears in the Rule Lists screen.
Next, add one or more firewall rules to the rule list that define firewall actions.
Adding rules to a rule list
You can add one or more firewall rules to a rule list. The rule list will be associated with a policy later.
  1. On the Main tab, click Security > Network Firewall > Rule Lists.
    The Rule Lists screen opens.
  2. From the list, click the name of a rule list you previously created.
    The Rule List properties screen opens.
  3. In the Rules area, click Add to add a firewall rule to the list.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the Order list, set the order for the firewall rule.
    You can specify that the rule be first or last in the rule list, or before or after a specific rule.
  6. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  7. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list that includes a rule for ICMP or ICMPv6 to a self IP or virtual server; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule in the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  8. From the Source Address/Region list, select Specify.
  9. Click Address List and select the appropriate address list object.
  10. Click Add.
  11. From the Source Port list, select Specify.
  12. Click Port List and select the appropriate port list object.
  13. From the Destination Address/Region list, select Specify.
  14. Click Address List and select the appropriate address list object.
  15. Click Add.
  16. From the Destination Port list, select Specify.
  17. Click Port List and select the appropriate port list object.
  18. Click Add.
  19. Optional. Select an iRule to trigger when the firewall rule matches.
    Note: iRule sampling (available when an iRule is selected) allows you to specify how frequently an iRule is triggered when the rule matches. For example, if the value 5 is entered, the iRule triggers every 5th match.
  20. From the Action list, select the firewall action to perform on matching traffic.
  21. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  22. Click Finished.
    The list screen and the new item are displayed.
A new firewall rule is created, and appears in the Rules list.
Next, create a firewall policy to reference the rule list.

Creating a policy

You can create an AFM Network Firewall policy that references one or more rule lists. Policies can then be applied globally, to a virtual server, a route domain, or a self IP address.
  1. On the Main tab, click Security > Network Firewall > Policies.
    The Policies screen opens.
  2. Click Create to create a new policy.
  3. Type a name and optional description for the firewall policy.
  4. Click Finished.
The Policies screen shows the new policy in the policy list.
Next, add the firewall rule list to the policy.

Activating a rule list in a firewall policy

You can add one or more rule lists to a firewall policy. After the rule list is added, you will be asked by the AFM system to commit the changes, activating the firewall policy.
Note: You must apply the firewall policy to one of the AFM system contexts to have it apply to traffic processing.
  1. On the Main tab, click Security > Network Firewall > Policies.
    The Policies screen opens.
  2. Click the name of a firewall policy to edit that policy.
    The Firewall Policy screen opens, or the policy expands on the screen.
  3. Click Add Rule List.
    Note: Click the down arrow button to put the Rule List at either the top or bottom of the current list.
  4. Under Name, enter the name of an existing Rule List.
    Note: To view the available Rule Lists, click the << icon to the far right of the screen and then click Rule List.
  5. Click Commit Changes to System at the top of the page.
  6. Under ID, verify the new Rule List is in the proper order.
    Note: You can drag and drop Rule Lists to reorder them.
The firewall rule list and policy are now activated.