Manual Chapter : Applying AFM Network Firewall Policies

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.0
Manual Chapter

Applying AFM Network Firewall Policies

Applying a policy globally

You can apply an AFM Network Firewall policy to the global context, enforcing the policy on all traffic processed by the AFM system.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. Under Filter Active Rules List, click the Global link.
    The Global Firewall Rules screen opens.
  3. To enforce rules from a firewall policy in the selected context, in the Network Firewall area: from the Enforcement list, select Enabled and then select the firewall policy to enforce from the Policy list.
  4. To stage rules from a firewall policy in the selected context, in the Network Firewall area: from the Staging list, select Enabled and then select the firewall policy to stage from the Policy list.
The policy rules you selected are enforced at the global level. If you chose to stage policy rules, the results of those rules are logged, but not enforced.

Applying a policy to a virtual server

You must have created at least one virtual server.
You can apply an AFM Network Firewall policy to a specific virtual server, also known as a protected object, enforcing the policy only on traffic processed by that protected object.
  1. On the Main tab, click Local Traffic > Virtual Servers
  2. Click the name of the virtual server to assign the firewall policy.
  3. On the menu bar at the top of the page, click Security > Policies
  4. To enforce rules from a firewall policy on the virtual server, in the Network Firewall area, from the Enforcement list, select Enabled, then select the firewall policy to enforce from the Policy list.
  5. To stage rules from a firewall policy on the virtual server, in the Network Firewall area, from the Staging list, select Enabled, then select the firewall policy to stage from the Policy list.
  6. Click Update to save the changes.
The policy you selected is enforced on the virtual server. If you chose to stage the policy, the results of a policy match is logged, but not enforced.

Applying a policy to a Self IP

You must have created at least one self IP address.
You can apply an AFM Network Firewall policy to the self IP context, enforcing the policy on all traffic passing through that self IP.
  1. On the Main tab, click Network > Self IPs .
  2. Click on the self IP address to which you want to add a network firewall policy.
  3. Click the Security tab.
  4. To enforce rules from a firewall policy on the self IP: In the Network Firewall area, from the Enforcement list, select Enabled, and then from the Policy list, select the firewall policy to enforce.
  5. To stage rules from a firewall policy on the self IP: In the Network Firewall area, from the Staging list, select Enabled, and then from the Policy list, select the firewall policy to stage.
  6. Click Update to save the changes to the self IP.
The policy you selected is enforced at the self IP level. If you chose to stage the policy, the results of a policy match is logged, but not enforced.

Applying a policy to a route domain

You must have created at least one route domain.
You can apply an AFM Network Firewall policy to a route domain, enforcing the policy only on all traffic in that route domain.
  1. On the Main tab, click Network > Route Domains .
    The Route Domain List screen opens.
  2. Click the name of the route domain to show the route domain configuration.
  3. Click the Security tab.
  4. To enforce rules from a firewall policy on the route domain: in the Network Firewall area: from the Enforcement list, select Enabled and then select the firewall policy to enforce from the Policy list.
  5. To stage rules from a firewall policy on the route domain: in the Network Firewall area, from the Staging list, select Enabled and then select the firewall policy to stage from the Policy list.
  6. Click Update to save the changes to the route domain.
The policy you selected is enforced at the route domain level. If you chose to stage the policy, the results of a policy match is logged, but not enforced.

Applying a rule to the management port

You cannot apply an AFM Network Firewall policy to the management port context. Instead, you must create and apply one or more AFM Network Firewall rules directly to the management port context.
Important: You can only add management port rules as inline rules. For all other contexts, you should add rule lists to policies.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. From the Context list, select Management Port.
  3. In the Rules area, click Add to add a firewall rule to the list.
  4. In the Name and Description fields, type the name and an optional description.
  5. From the Order list, select the order in which the rule is processed
  6. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  7. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    Important: ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create rule for ICMP or ICMPv6 on a self IP or virtual server context. You can apply a rule list to a self IP or virtual server that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  8. From the Source Address/Region list, select Specify.
  9. Click Address List and select the appropriate address list object
  10. Click Add.
  11. From the Source Port list, select Specify.
  12. Click Port List and select the appropriate port list object.
  13. Click Add.
  14. From the Destination Address/Region list, select specify.
  15. Click Address List and select the appropriate address list object.
  16. Click Add.
  17. From the Destination Port list, select Specify.
  18. Click Port List and select the appropriate port list object.
  19. Click Add.
  20. From the Action list, select the firewall action to perform on matching traffic.
  21. From the Logging list, enable or disable logging for the firewall rule.
    A logging profile must be enabled to capture logging info for the firewall rule.
  22. Click Finished
The new firewall policy is being enforced on the BIG-IP AFM system management port.