Manual Chapter : Setting Timers and Preventing Port Misuse with Service Policies

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.0
Manual Chapter

Setting Timers and Preventing Port Misuse with Service Policies

Introduction to service policies

Service Policies are containers for Timer and Port Misuse policies. Timer and Port Misuse policies allow you to override how the BIG-IP system manages idle connections and which layer 7 application can use specific service ports.to process traffic. You should familiarize yourself with how each of these policy can be used.
Timer Policy
Specifies one or more protocols, service ports and the idle timeout period for connections that match these protocols and service ports. For example, idle TCP protocol 443 connections can be configured to timeout after 5 seconds of idle time.
Port Misuse Policy
Specifies one or more protocols, services ports and the type of layer 7 application service allowed to use these protocol and service ports. For example, TCP protocol, service port 80 must use the HTTP protocol. A connection attempt using HTTPS protocol can be denied, logged or both.
Service Policy
References Timer and Port Misuse policies. A Service Policy can be referenced by an AFM firewall rule and can also be applied directly to the global, route domain, virtual server and self IP contexts.

Creating a timer policy

Create a timer policy to set custom timeouts for virtual servers, self IPs, route domains, firewall rules, or firewall rule lists.
  1. Click Network > Service Policies > Timer Policies .
  2. Click Create.
    The New Timer Policy screen opens.
  3. Type a name for the timer policy.
  4. Type an optional description for the timer policy.
  5. To save the timer policy and add timer rules, click Create & Add Rule.
    The New Rule screen opens.
  6. Type a name for the rule.
  7. From the Protocol list, select a protocol.
  8. From the Idle Timeout list, select the timeout option for the selected protocol.
    • Select Specify to specify the timeout for this protocol, in seconds.
    • Select Immediate to immediately apply this timeout to the protocol.
    • Select Indefinite to specify that this protocol never times out.
    • Select Unspecified to specify no timeout for the protocol. When this is selected, the default timeout for the protocol is used.
  9. Click Finished to save the timer policy rule.
The timer policy is now configured to apply to traffic with this protocol type.
Select the timer policy in a service policy, and apply the service policy to a self IP, route domain, firewall rule, or firewall rule list.

Creating a port misuse policy

Create a port misuse policy to restrict traffic on a port to a specific application. You configure a policy with specific port, protocol, and service rules to specify when port misuse occurs, and what action the policy takes.
  1. On the Main tab, click Network > Service Policies > Port Misuse Policies .
    The Port Misuse screen opens.
  2. Click Create.
    The New Port Misuse Policy screen opens.
  3. Type a name for the port misuse policy.
  4. Type an optional description for the port misuse policy.
  5. Select the Default Actions for the port misuse policy.
    • Select Drop on Service Mismatch to set a policy default that drops packets when the service does not match the port, as defined in the policy rules.
    • Select Log on Service Mismatch to set a policy default that logs service and port mismatches.
  6. In the Rule Name field, type a name for a policy rule.
  7. From the Port list, select a port for the port matching rule.
    You can select from a list of commonly used ports, or select Other and specify a port number.
  8. From the IP Protocol list, select the IP protocol for the port matching rule.
    You can select TCP, UDP, or SCTP.
  9. From the Service list, select the service.
    This setting configures the association between the service and port number. Packets on this port that do not match the specified service type are dropped, if Drop on Service Mismatch is applied to this rule.
    Important: You can specify a service on any port; you are not limited to customary port and service pairings. You can configure any service on any port as a rule in a port misuse policy.
  10. From the Drop on Service Mismatch field, select the drop behavior.
    • Select Use Policy Default to use the default action for packet drops, when the service does not match the port.
    • Select Yes to drop packets when the service does not match the port.
    • Select No to allow packets when the service does not match the port.
  11. From the Log on Service Mismatch field, select the logging behavior.
    • Select Use Policy Default to use the default action for logging packet drops, when the service does not match the port.
    • Select Yes to log dropped packets when the service does not match the port.
    • Select No to not log packet drops when the service does not match the port.
  12. Click Finished to save the port misuse policy.
The port misuse policy is now configured to drop packets for specified ports, when the service does not match.
Select the port misuse policy in a service policy, and apply the service policy to a virtual server, self IP, route domain, firewall rule, or firewall rule list.

Creating a service policy

Create a service policy to apply custom timer policies and port misuse settings to virtual servers, self IPs, route domains, firewall rules, or firewall rule lists.
  1. Click Network > Service Policies .
  2. Click Create.
    The New Service Policy screen opens.
  3. Type a name for the service policy.
  4. Type an optional description for the service policy.
  5. To enable a timer policy in the service policy, in the Timer Policy area, click Enabled.
  6. From the list, select a timer policy to use in the service policy. The Timer Policy Rules area shows the timer policy rules for the selected timer policy.
  7. To enable a port misuse policy in the service policy, in the Port Misuse area, click Enabled.
  8. From the list, select a port misuse policy to use in the service policy. The Port Misuse Policy Rules area shows the port misuse policy rules for the selected port misuse policy.
  9. Click Finished to save the service policy and return to the service policies list screen.
The selected self IP now enforces or stages rules according to your selections.

Applying a service policy to a firewall rule

Apply a service policy to a firewall rule to apply custom timers and port misuse settings to traffic matched by the firewall rule.
  1. Click Security > Network Firewall > Policies .
  2. Under Name, click the firewall policy that contains the rule to be modified.
  3. In the Active Rules List area, click the firewall rule or rule list to be modified.
    Option Description
    With Inline Rules Click the rule by name, and in the Actions column, select the Service Policy.
    With a Rule List Click the rule list, and then click the rule by name. In the Actions column, select the Service Policy.
  4. Click Done Editing.
  5. Click Commit Changes to System.
When the rule is compiled and deployed, the timeouts and port misuse settings defined in the service policy are applied to the rule.

Applying a service policy to a virtual server

Apply a service policy to a virtual server to use custom timers and port misuse settings on the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. In the Virtual Server List area, click the virtual server by name
  3. In the Security tab at the top of the page, click Policies.
  4. From the Service Policy list, select the service policy.
  5. Click Update.
The service policy is now associated with the virtual server, and the timers and port misuse settings are applied to sessions on the virtual server.

Applying a service policy to a route domain

Apply a service policy to a route domain to apply custom timers and port misuse settings to traffic that uses the route domain.
  1. On the Main tab, click Network > Route Domains .
    The Route Domain List screen opens.
  2. In the Name column, click the name of the relevant route domain.
  3. Click the route domain to which you will apply the service policy.
  4. At the top of the page, click the Security tab.
  5. From the Service Policy list, select the service policy to apply to the route domain.
  6. Click Update
Traffic on the route domain that matches the rules defined in the service policy now uses the timeouts and port misuse settings defined in the timer and port misuse policies.

Applying a service policy to a self IP

Apply a service policy to a self IP to apply custom timers and port misuse settings to traffic that uses the self IP address.
  1. On the Main tab, click Network > Self IPs .
  2. In the Name column, click the self IP address that you want to modify.
    This displays the properties of the self IP address.
  3. Click the self IP to which you will apply the service policy.
  4. From the Service Policy list, select the service policy to apply to the self IP.
  5. Click Update
Traffic on the self IP that matches the rules defined in the service policy now uses the timeouts and port misuse settings defined in the timer and port misuse policies.