Manual Chapter:
Setting Timers and Preventing Port Misuse with Service Policies
Applies To:
BIG-IP AFM
- 14.1.2, 14.1.0
Introduction to service policies
Service Policies are containers for Timer and Port Misuse policies. Timer and Port Misuse policies allow you to override how the BIG-IP system manages idle connections and which layer 7 application can use specific service ports to process traffic. You should familiarize yourself with how each of these policies can be used.
- Timer Policy
- Specifies one or more protocols, service ports, and the idle timeout period for connections that match these protocols and service ports. For example, idle TCP connections on service port 443 can be configured to time out after 5 seconds of idle time.
- Port Misuse Policy
- Specifies one or more protocols, service ports, and the type of layer 7 application service allowed to use these protocols and service ports. For example, TCP service port 80 must use the HTTP protocol. A connection attempt using the HTTPS protocol can be denied, logged, or both.
- Service Policy
- References Timer and Port Misuse policies. A Service Policy can be referenced by an AFM firewall rule and can also be applied directly to the global, route domain, virtual server and self IP contexts.
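The following model shows how the three policy types fit together when a connection is evaluated: the timer rule decides the effective idle timeout, the port misuse rule decides whether the observed layer 7 service is allowed on the port and whether to drop, log, or both. It is an added, constructed example using the page's two examples (TCP 443 idle timeout of 5 seconds; TCP 80 restricted to HTTP); it is not F5's code or configuration syntax, and the 300-second default idle timeout is an assumption.

```python
"""Constructed model of a BIG-IP AFM service policy that references a
timer policy and a port misuse policy. Not F5's own code or syntax."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class TimerRule:
    protocol: str        # "tcp" or "udp"
    port: int            # service (destination) port
    idle_timeout: int    # seconds a matching idle connection may live

@dataclass(frozen=True)
class PortMisuseRule:
    protocol: str
    port: int
    allowed_service: str  # layer 7 service permitted on this port
    drop: bool = True     # deny the connection on misuse
    log: bool = True      # emit a log record on misuse

@dataclass(frozen=True)
class Verdict:
    idle_timeout: int    # effective idle timeout for this connection
    expired: bool        # idle longer than the effective timeout
    misuse: bool         # observed layer 7 service not allowed on port
    drop: bool
    log: bool

@dataclass
class ServicePolicy:
    timer_rules: List[TimerRule]
    misuse_rules: List[PortMisuseRule]
    default_idle_timeout: int = 300  # assumed system default (constructed)

    @staticmethod
    def _match(rules, protocol: str, port: int):
        # First rule whose protocol and service port match the connection
        return next((r for r in rules
                     if r.protocol == protocol and r.port == port), None)

    def evaluate(self, protocol: str, port: int, service: str,
                 idle_seconds: int) -> Verdict:
        t = self._match(self.timer_rules, protocol, port)
        timeout = t.idle_timeout if t else self.default_idle_timeout
        m: Optional[PortMisuseRule] = self._match(self.misuse_rules, protocol, port)
        misuse = m is not None and service != m.allowed_service
        return Verdict(timeout, idle_seconds > timeout, misuse,
                       misuse and m.drop, misuse and m.log)

# Constructed policy mirroring the page's two examples
POLICY = ServicePolicy(timer_rules=[TimerRule("tcp", 443, 5)],
                       misuse_rules=[PortMisuseRule("tcp", 80, "http")])
```

Ports without a matching rule fall back to the default timeout and are never flagged as misuse, which is why the policy only changes behaviour for the protocol/port pairs you list.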
Creating a timer policy
Create a timer policy to set custom timeouts for virtual servers, self IPs, route domains,
firewall rules, or firewall rule lists.
The timer policy is now configured to apply to traffic with this protocol type.
Select the timer policy in a service policy, and apply the service policy to a self IP, route domain, firewall rule, or firewall rule list.
Creating a port misuse policy
Create a port misuse policy to restrict traffic on a port to a specific
application. You configure a policy with specific port, protocol, and service rules to
specify when port misuse occurs, and what action the policy takes.
The port misuse policy is now configured to drop packets for specified ports, when
the service does not match.
Select the port misuse policy in a service policy, and apply the service policy to
a virtual server, self IP, route domain, firewall rule, or firewall rule list.
Creating a service policy
Create a service policy to apply custom timer policies and port misuse settings to
virtual servers, self IPs, route domains, firewall rules, or firewall rule lists.
The selected self IP now enforces or stages rules according to your selections.
Applying a service policy to a firewall rule
Apply a service policy to a firewall rule to apply
custom timers and port misuse settings to traffic matched by the firewall
rule.
- Click .
- Under Name, click the firewall policy that contains the rule to be modified.
- In the Active Rules List area, click the firewall rule or rule list to be modified.
  - With Inline Rules: Click the rule by name, and in the Actions column, select the Service Policy.
  - With a Rule List: Click the rule list, and then click the rule by name. In the Actions column, select the Service Policy.
- Click Done Editing.
- Click Commit Changes to System.
When the rule is compiled and deployed, the timeouts and port misuse settings defined
in the service policy are applied to the rule.
Applying a service policy to a virtual server
Apply a service policy to a virtual server to use custom timers and port misuse settings on the
virtual server.
The service policy is now associated with the virtual server, and the timers and port misuse settings are applied to sessions on the virtual server.
Applying a service policy to a route domain
Apply a service policy to a route domain to apply
custom timers and port misuse settings to traffic that uses the route domain.
Traffic on the route domain that matches the rules defined in the service policy now
uses the timeouts and port misuse settings defined in the timer and port misuse
policies.
Applying a service policy to a self IP
Apply a service policy to a self IP to apply
custom timers and port misuse settings to traffic that uses the self IP
address.
Traffic on the self IP that matches the rules defined in the service policy now uses
the timeouts and port misuse settings defined in the timer and port misuse
policies.