Applies To:
BIG-IP AFM
- 11.4.1, 11.4.0
About firewall policies
A BIG-IP® Network Firewall policy combines one or more rules or rule lists and applies them as a single unit to one or more contexts. A policy is applied to a context directly and cannot coexist in that context with inline rules: you can configure a context to use either a firewall policy or inline rules, but not both. Firewall context precedence still applies across contexts, however. A matching drop or reject rule at the global context, for example, takes effect even if a lower-precedence context, such as a virtual server, has a rule that would accept the same traffic.
You can apply a network firewall policy as a staged policy while continuing to enforce existing inline rules, or you can enforce one firewall policy while staging another. A staged policy lets you evaluate the effect a policy would have on traffic by analyzing the system logs, without actually modifying traffic based on the firewall rules. Before you remove inline rules in favor of a policy, stage the policy first and confirm in the logs that it would not drop traffic you intend to allow.
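The following tmsh session is an added example and is not part of the F5 documentation above. It walks through the configuration the paragraphs describe: create a policy, attach it as the enforced policy of a virtual server after clearing that server's inline rules (the two are mutually exclusive), stage a second policy on the same virtual server, and attach policies to the higher-precedence global, route domain, and self IP contexts. Object names such as pol_web, vs_web, self_ext and the rule contents are hypothetical. The property names (fw-enforced-policy, fw-staged-policy, fw-rules, enforced-policy) are given as the editor recalls them for this release and should be confirmed with `tmsh help security firewall policy` and `tmsh help ltm virtual` on the target system.

```tmsh
# Added example (not F5's own documentation); all names below are hypothetical.

# 1. Create a policy. Rules are evaluated in order; the first match decides.
create security firewall policy pol_web rules add {
    allow_web  { action accept ip-protocol tcp destination { ports add { 80 443 } } log yes }
    drop_other { action drop log yes }
}

# 2. A context uses either inline rules or a policy, never both, so clear any
#    inline rules on the virtual server before attaching the enforced policy.
modify ltm virtual vs_web fw-rules none
modify ltm virtual vs_web fw-enforced-policy pol_web

# 3. Stage a stricter policy alongside the enforced one. Matches against the
#    staged policy are only logged; pol_web keeps deciding what happens to traffic.
create security firewall policy pol_web_strict rules add {
    allow_https { action accept ip-protocol tcp destination { ports add { 443 } } log yes }
    drop_other  { action drop log yes }
}
modify ltm virtual vs_web fw-staged-policy pol_web_strict

# 4. Higher-precedence contexts. A drop matched here wins over an accept in
#    pol_web on the virtual server, because context precedence still applies.
modify security firewall global-rules enforced-policy pol_global
modify net route-domain 0 fw-enforced-policy pol_rd
modify net self self_ext fw-enforced-policy pol_self

save sys config
```

Once traffic has flowed for a while, compare the staged-policy log entries with the enforced ones; if pol_web_strict would only have dropped traffic you intend to block, promote it with `modify ltm virtual vs_web fw-enforced-policy pol_web_strict fw-staged-policy none`.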
Creating a Network Firewall policy
Creating a Network Firewall policy rule
Setting a global firewall policy
Configuring a route domain with a firewall policy
Setting network firewall policies for a self IP address
Creating a virtual server with a firewall policy
Viewing enforced and staged policy rule logs
With BIG-IP® Advanced Firewall Manager™, you can enforce either inline firewall rules or a firewall policy for a specific context, and you can also stage a policy for that context. A staged policy evaluates all of its rules against traffic in the policy context but does not carry out the rule actions, so its results are informational only and are visible in the firewall logs. This topic describes how to view and search for enforced and staged policy rule matches in the local network firewall logs.