Applies To: BIG-IP AFM
- 14.1.2, 14.1.0
AFM Network Firewall Inline Rule Editor
Using the inline firewall rule editor
The AFM Network Firewall inline rule editor provides an alternative way to create and edit rules within a policy on a single page. This is a simpler and more direct way to configure rules and policies; however, inline rules belong to the policy in which they are created and cannot be shared between policies, so this method makes administration more difficult over time. F5 recommends creating rule lists, which can be reused, and associating them with your firewall policies. You can edit an inline rule for any context.
When using the inline rule editor, the information presented in a firewall rule is simplified to the following categories:
- Name
- You must specify a name for the rule. You can also specify an optional description.
- State
- You can enable, disable, or schedule a firewall rule. These states govern whether the rule takes an action, does not take an action, or takes an action only during specific days and times.
- Protocol
- Specify the protocol to which the firewall rule applies. By default, the protocol is TCP.
- For ICMP or ICMPv6 protocols, you can specify one or more ICMP types and codes.
- Source
- A rule can include any number of sources: IPv4 or IPv6 addresses, IPv4 or IPv6 address ranges, fully qualified domain names (FQDNs), geographic locations, VLANs, address lists, ports, port ranges, port lists, subscribers, and subscriber groups.
- Destination
- A rule can include any number of destinations: IPv4 or IPv6 addresses, IPv4 or IPv6 address ranges, FQDNs, geographic locations, VLANs, address lists, ports, port ranges, and port lists.
- Actions
- Specifies the action that applies when traffic matches the rule. The standard rule actions apply: Accept, Drop, Reject, and Accept Decisively (which accepts the traffic and ends firewall rule evaluation, so rules in later contexts are not checked). In addition, you can configure the rule to trigger an iRule when it matches traffic, and to apply timeouts from a service policy to the matching traffic.
- Send to Virtual
- Specifies a virtual server to which to send traffic that matches the rule. This option is not available for rules that are already at the virtual server context. Traffic that is sent to a virtual server is then evaluated by DDoS rules and firewall rules on that virtual server instead of according to the original rule. Staged rules are also evaluated based on the destination virtual server instead of the originating rule.
- Protocol Inspection Profile
- Specifies a protocol inspection profile to associate with the firewall rule. Protocol inspection profiles can be configured to run multiple inspections across different protocols.
- Classification Policy
- Specifies a classification policy to associate with the firewall rule.
- Logging
- Specifies whether logging is enabled or disabled for the firewall rule.
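The rule attributes listed above can be put together in a small model, shown here as an added example that is not part of F5's documentation or product code. It shows how the state (including a schedule), the protocol with ICMP type and code, source and destination matching, logging, and the difference between Accept and Accept Decisively across contexts interact. The rule names, networks, schedule, sample packets, and the evaluation order (first match wins within a policy; Accept hands the flow to the next context while Accept Decisively, Drop and Reject end evaluation; accept when nothing matches) are this example's assumptions, not AFM configuration syntax.

```python
# Toy model of AFM-style inline firewall rules. Added illustration written for
# this page, not F5 code; attribute names and evaluation order are assumptions.
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Schedule:
    days: Set[int]          # datetime.weekday(): 0 = Monday ... 6 = Sunday
    start_hour: int         # inclusive
    end_hour: int           # inclusive

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start_hour <= now.hour <= self.end_hour


@dataclass
class Endpoint:
    """Source or destination. Empty lists mean 'any'."""
    networks: List[str] = field(default_factory=list)           # IPv4/IPv6 CIDR
    ports: List[Tuple[int, int]] = field(default_factory=list)  # inclusive ranges

    def matches(self, addr: str, port: Optional[int]) -> bool:
        if self.networks and not any(ip_address(addr) in ip_network(n) for n in self.networks):
            return False
        if self.ports and (port is None or not any(lo <= port <= hi for lo, hi in self.ports)):
            return False
        return True


@dataclass
class Rule:
    name: str
    protocol: str = "tcp"            # the page: a new rule defaults to TCP
    action: str = "drop"             # accept | drop | reject | accept-decisively
    state: str = "enabled"           # enabled | disabled | scheduled
    schedule: Optional[Schedule] = None
    icmp: List[Tuple[int, int]] = field(default_factory=list)  # (type, code); empty = any
    source: Endpoint = field(default_factory=Endpoint)
    destination: Endpoint = field(default_factory=Endpoint)
    log: bool = False

    def in_effect(self, now: datetime) -> bool:
        if self.state == "enabled":
            return True
        if self.state == "scheduled" and self.schedule is not None:
            return self.schedule.active(now)
        return False                 # disabled, or scheduled without a schedule

    def matches(self, pkt: dict, now: datetime) -> bool:
        if not self.in_effect(now):
            return False
        if self.protocol != "any" and pkt["proto"] != self.protocol:
            return False
        if self.protocol in ("icmp", "icmpv6") and self.icmp:
            if (pkt.get("icmp_type"), pkt.get("icmp_code")) not in self.icmp:
                return False
        return (self.source.matches(pkt["src"], pkt.get("sport"))
                and self.destination.matches(pkt["dst"], pkt.get("dport")))


def evaluate_policy(rules, pkt, now, log_lines):
    """First in-effect matching rule wins. Returns (action, rule_name) or None."""
    for r in rules:
        if r.matches(pkt, now):
            if r.log:
                log_lines.append(f"{r.name}: {r.action} {pkt['proto']} {pkt['src']} -> {pkt['dst']}")
            return r.action, r.name
    return None


def evaluate_contexts(contexts, pkt, now, log_lines, default="accept"):
    """contexts: [(name, rules), ...] ordered from global down to virtual server.
    'accept' hands the packet to the next context; drop, reject and
    accept-decisively end evaluation. `default` applies when nothing matches
    (an assumption of this model, not a statement about the product default)."""
    decision = (default, None)
    for ctx_name, rules in contexts:
        hit = evaluate_policy(rules, pkt, now, log_lines)
        if hit is None:
            continue
        decision = (hit[0], f"{ctx_name}/{hit[1]}")
        if hit[0] != "accept":
            break
    return decision


# Constructed sample policies, packets and times (not taken from a real device).
BUSINESS_HOURS = Schedule(days={0, 1, 2, 3, 4}, start_hour=9, end_hour=17)
GLOBAL_RULES = [
    Rule("mgmt_ssh", action="accept-decisively", log=True,
         source=Endpoint(networks=["10.0.0.0/8"]), destination=Endpoint(ports=[(22, 22)])),
    Rule("web", action="accept", destination=Endpoint(ports=[(80, 80), (443, 443)])),
    Rule("ping", protocol="icmp", action="accept", icmp=[(8, 0)]),
    Rule("business_hours_rdp", action="accept", state="scheduled", schedule=BUSINESS_HOURS,
         destination=Endpoint(ports=[(3389, 3389)])),
]
VS_RULES = [Rule("vs_deny_all", protocol="any", action="drop", log=True)]
CONTEXTS = [("global", GLOBAL_RULES), ("vs_app", VS_RULES)]
SATURDAY_NOON = datetime(2024, 3, 16, 12)
MONDAY_10AM = datetime(2024, 3, 18, 10)


def demo(now: datetime = SATURDAY_NOON):
    log_lines: List[str] = []

    def pkt(**kw):
        return {"src": "10.1.2.3", "dst": "192.0.2.10", **kw}

    results = {
        # Across contexts: Accept Decisively in the global policy skips the
        # virtual server's policy; plain Accept does not, so HTTP is dropped there.
        "ssh": evaluate_contexts(CONTEXTS, pkt(proto="tcp", sport=40000, dport=22), now, log_lines),
        "http": evaluate_contexts(CONTEXTS, pkt(proto="tcp", sport=40001, dport=80), now, log_lines),
        # Within the global policy: ICMP type/code matching and the scheduled state.
        "echo": evaluate_policy(GLOBAL_RULES, pkt(proto="icmp", icmp_type=8, icmp_code=0), now, log_lines),
        "unreach": evaluate_policy(GLOBAL_RULES, pkt(proto="icmp", icmp_type=3, icmp_code=3), now, log_lines),
        "rdp": evaluate_policy(GLOBAL_RULES, pkt(proto="tcp", sport=40002, dport=3389), now, log_lines),
    }
    return results, log_lines


if __name__ == "__main__":
    res, lines = demo()
    for name, outcome in res.items():
        print(f"{name:8} -> {outcome}")
    print("\n".join(lines))
```

Run at Saturday noon, SSH from 10.0.0.0/8 is accepted decisively in the global context and never reaches the virtual server's deny rule, while HTTP is accepted globally and then dropped by the virtual server; the RDP rule matches only when its schedule is active (try `demo(MONDAY_10AM)`), and only the rules with logging enabled produce log lines.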