Manual Chapter : About the Network Firewall

Applies To:


BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About the Network Firewall

What is the BIG-IP Network Firewall?

The BIG-IP® Network Firewall provides policy-based access control to and from address and port pairs, inside and outside of your network. Using a combination of contexts, the network firewall can apply rules in a number of different ways, including: at a global level, on a per-virtual server level, for a self IP address, or for the management port. Firewall rules can be combined in a firewall policy, which can contain multiple context and address pairs, and is applied directly to a virtual server.

By default, the Network Firewall is configured in ADC mode, a default allow configuration, in which all traffic is allowed through the firewall, and any traffic you want to block must be explicitly specified.

The system is configured in this mode by default so all traffic on your system continues to pass after you provision the Advanced Firewall Manager™. You should create appropriate firewall rules to allow necessary traffic to pass before you switch the Advanced Firewall Manager to Firewall mode. In Firewall mode, a default deny configuration, all traffic is blocked through the firewall, and any traffic you want to allow through the firewall must be explicitly specified.

About firewall modes

The BIG-IP® Network Firewall provides policy-based access control to and from address and port pairs, inside and outside of your network. By default, the network firewall is configured in ADC mode, which is a default allow configuration, in which all traffic is allowed to virtual servers and self IPs on the system, and any traffic you want to block must be explicitly specified. This applies only to the virtual server and self IP levels on the system.

Important: Even though the system is in a default allow configuration, if a packet does not match any rule in any context on the firewall, the Global Drop rule drops the traffic.
Note: The Global Drop rule does not drop traffic to the management port. Management port rules must be specifically configured and applied.

Configuring the Network Firewall in ADC mode

If you have changed the firewall setting to Firewall mode, you can configure the BIG-IP® Network Firewall back to ADC mode.
Note: By default, the firewall is configured in ADC mode.
  1. On the Main tab, click Security > Options > Network Firewall.
    The Firewall Options screen opens.
  2. From the Virtual Server & Self IP Contexts list, select the default action Accept for the self IP and virtual server contexts.
  3. Click Update.
    The virtual server and self IP contexts for the firewall are changed.

Configuring the Network Firewall to drop traffic that is not specifically allowed

You can configure the BIG-IP® Network Firewall to deny all traffic not explicitly allowed. In Advanced Firewall Manager™ this is called Firewall mode, and this is also referred to as a default deny policy. Firewall mode applies a default deny policy to all self IPs and virtual servers.
  1. On the Main tab, click Security > Options > Network Firewall.
    The Firewall Options screen opens.
  2. From the Virtual Server & Self IP Contexts list, select the default action Drop for the self IP and virtual server contexts.
  3. Click Update.
    The default virtual server and self IP firewall context is changed.
If you are using ConfigSync to synchronize two or more devices, and you set the default action to Drop or Reject, you must apply the built-in firewall rules _sys_self_allow_defaults or _sys_self_allow_management to the specific self IPs that are used to support those services. To do this, add a new rule with the Self IP context, select the self IP, and select the Rule List rule type. Finally, select the preconfigured rules from the list of rule lists.