Manual Chapter : About AFM Network Firewall Active Rules

Applies To:

BIG-IP AFM

  • 14.1.2, 14.1.0

About AFM Network Firewall Active Rules

About Active AFM Network Firewall Rules

You can use the AFM Network Firewall Active Rules page to view deployed network firewall rule or rule list statistics. Before viewing the Active Rules page, you should be familiar with the following Context Filters:

Policy Type
Select Enforced to view enforced rules that apply to traffic traversing the AFM system. Select Staged to view staged rules, which lets you review each rule's match statistics and evaluate the rule's effect on traffic before enforcing it.
Context
Specifies which rule context appears in the active rules list. Select a context to apply it. The default is Global. Global lists the rules that apply to all traffic traversing the firewall. Route Domain lists the rules that apply to a selected route domain only. Virtual Server lists the rules that apply to the selected virtual server only. Self IP lists the rules that apply to the selected self IP address of the BIG-IP device. Management Port lists the rules that apply to the BIG-IP device management port.

Once you choose a Context Filter, you can view the following rules statistics:

ID
The order of the network firewall rule.
Name
The name of the network firewall rule.
State
The state of the network firewall rule: Enabled, Disabled, Scheduled, Enabled (Redundant) or Enabled (Conflict).
Protocol
The protocol to which the rule applies.
Source
The packet source to which the rule applies.
Destination
The packet destination to which the rule applies.
Action
The action the rule takes on a matching packet: Accept, Drop or Reject.
Logging
Specifies whether logging is enabled or disabled.
Count
The total number of times the rule has matched a packet.
Latest Match
Specifies the most recent match to the rule. Used to determine how often a rule is being used.

Viewing AFM Network Firewall Active Rules

You must have staged or enforced rules configured on your AFM Network Firewall system.
Use the AFM Network Firewall Active Rules page to view both enforced and staged active firewall rule statistics.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
  2. From the Policy Type list select either Enforced or Staged.
  3. From the Context list select one of the following contexts:
    • Management Port
    • Global
    • Route Domain
    • Virtual Server
    • Self IP
    A second context list appears.
  4. From the second context list, select a specific rule or rule list object.
  5. View the statistics in the Active Rule List area.

About redundant, conflicting and stale rules

When you create rules on the network firewall, it is possible that a rule can either overlap or conflict with an existing rule.

Redundant rule
A firewall rule that completely overlaps with another rule, including the same firewall action. In the case of a redundant rule, the rule can be removed with no net change in packet processing.
Conflicting rule
A firewall rule that completely overlaps with another rule, but the rules have different firewall actions. A rule might be called conflicting even if the result of each rule is the same. For example, a rule that applies to a specific IP address is considered in conflict with another rule that applies to the same IP address if one has an Accept action and the other has an Accept Decisively action, even though both rules accept packets.
Stale rule
A firewall rule that is infrequently or never used. A stale rule is one that has an extremely low or 0 hit count.

On a rule list page, redundant or conflicting rules are indicated in the State column with either (Redundant) or (Conflicting).
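As an added example (not F5's code or the product's own detection logic), the following Python applies these three definitions to a constructed rule table: a later rule whose protocol, source and destination are all covered by an earlier rule is Redundant when the actions match and Conflicting when they differ (Accept versus Accept Decisively counts as different), and a rule is stale when its count is zero or very low, or its latest match is Never or older than a chosen window. The Rule fields, sample rules, thresholds and dates are assumptions.

```python
# Added example (not F5 code): this chapter's rule definitions applied to a constructed rule table.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network

ANY = "any"  # wildcard for the protocol, source or destination field

@dataclass
class Rule:
    name: str
    protocol: str           # "tcp", "udp" or ANY
    source: str             # CIDR or ANY
    destination: str        # CIDR or ANY
    action: str             # accept, accept-decisively, drop or reject
    count: int = 0          # Count column: total packets matched
    latest_match: date | None = None  # Latest Match column; None means Never

def _covers(outer: str, inner: str) -> bool:  # address field `inner` lies wholly inside `outer`
    return outer == ANY or (inner != ANY and ip_network(inner).subnet_of(ip_network(outer)))

def overlaps_completely(earlier: Rule, later: Rule) -> bool:
    """Every packet `later` could match is already matched by `earlier`."""
    return (earlier.protocol in (ANY, later.protocol)
            and _covers(earlier.source, later.source)
            and _covers(earlier.destination, later.destination))

def classify(rules: list[Rule]) -> dict[str, str]:
    """Map name -> state; only earlier (lower ID) rules shadow; accept vs accept-decisively conflicts."""
    states = {}
    for i, rule in enumerate(rules):
        tags = {"Redundant" if e.action == rule.action else "Conflicting"
                for e in rules[:i] if overlaps_completely(e, rule)}
        if tags:
            states[rule.name] = " & ".join(sorted(tags))
    return states

def stale(rules: list[Rule], today: date, max_count: int = 5, max_age_days: int = 90) -> list[str]:
    """Names of rules with zero or very few hits, or no match within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.name for r in rules
            if r.count <= max_count or r.latest_match is None or r.latest_match < cutoff]

# Constructed sample: rule 1 shadows 2, 3 and 4; rule 3 also shadows 4 (same action).
SAMPLE_RULES = [
    Rule("allow-web", "tcp", "10.0.0.0/8", "192.0.2.10/32", "accept", 120000, date(2024, 5, 1)),
    Rule("allow-web-branch", "tcp", "10.1.0.0/16", "192.0.2.10/32", "accept"),
    Rule("allow-web-decisive", "tcp", "10.2.0.0/16", "192.0.2.10/32", "accept-decisively", 3, date(2023, 11, 2)),
    Rule("allow-web-lab", "tcp", "10.2.1.0/24", "192.0.2.10/32", "accept-decisively"),
]
```

Running `classify(SAMPLE_RULES)` labels the three shadowed rules, and `stale(SAMPLE_RULES, today=date(2024, 6, 1))` returns the same three, which is the usual pattern: a rule that is fully covered by an earlier one never gets the chance to be hit.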

Viewing and removing redundant and conflicting rules

You must have staged or enforced rules configured on your system that are redundant or conflicting.
View and remove redundant or conflicting rules to simplify your configuration and ensure that your system takes the correct actions on packets.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  2. From the Policy Type list, select whether you want to view Enforced or Staged policies.
    Note: If you select to view Staged policies, you cannot view management port rules, because they cannot be staged.
  3. View the firewall rule states in the State column.

    Each rule is listed as Enabled, Disabled, or Scheduled. In addition, a rule can have one of the following states. View and adjust rules with these states, if necessary.

    (Redundant)
    The rule is enabled, disabled, or scheduled, and redundant. All the functionality of this rule is provided by a previous rule or rules. Hover over the State column to see why the rule is considered redundant, and possible solutions. Typically you can disable or delete a redundant rule with no net effect on the system.
    (Conflicting)
    The rule is enabled, disabled, or scheduled, and conflicting. All the match criteria of this rule are covered by another rule or rules, but this rule has a different action. Hover over the State column to see why the rule is considered conflicting, and possible solutions. Typically you should disable or delete a conflicting rule. Because the rule's criteria are matched by the earlier rule before this rule is reached, there is typically no net change in processing. Note that the Accept and Accept Decisively actions are treated as conflicting by the system.
    (Conflicting & Redundant)
    The rule is enabled, disabled, or scheduled, and conflicting or redundant with the actions of more than one other rule. Typically you should disable or delete a conflicting and redundant rule.
  4. Resolve conflicting or redundant rules by editing, deleting, or disabling them. Click a rule name to edit, delete, or disable it, and complete the required action.
The firewall rule list is adjusted.

Viewing and removing stale rules

You must have staged or enforced rules configured on your system, and the system must be processing traffic, to determine whether rules are hit.
View and remove infrequently used or unused rules to reduce firewall processing and simplify your rules, rule lists, and policies.
CAUTION:
Before you remove a rule that is infrequently hit, or never hit, make sure that doing so will not create a security issue. A rule might be hit infrequently, but might still be a required part of your security stance for a specific or rare attack.
  1. On the Main tab, click Security > Network Firewall > Active Rules.
    The Active Rules screen opens.
  2. From the Policy Type list, select whether you want to view Enforced or Staged policies.
    Note: If you select to view Staged policies, you cannot view management port rules, because they cannot be staged.
  3. View the rule hit count in the Count column.
    The rule hit count shows the total number of times the rule has been hit. A very low number indicates that the rule is infrequently hit. A count of 0 indicates the rule has never been hit.
  4. View the latest match date in the Latest Match column.
    The latest match column lists the last time the rule was hit. An old date indicates that the rule has not been hit in a long time. Never indicates that the rule has never been hit.
  5. Resolve infrequently hit rules by editing, deleting, or disabling them. Click a rule name to edit, delete, or disable it, and complete the required action.
The firewall rule list is adjusted.