Applies To:
Show VersionsBIG-IP AFM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
About Firewall Rules and Rule Lists
About firewall rules
The BIG-IP® Network Firewall uses rules to specify traffic handling actions. A rule includes:
- Context
- The category of object to which the rule applies. Rules can be global and apply to all addresses on the BIG-IP that match the rule, or they can be specific, applying only to a specific virtual server, self IP address, route domain, or the management port.
- Rule or Rule List
- Specifies whether the configuration applies to this specific rule, or to a group of rules.
- Source Address
- One or more addresses, geographic locations, or address lists to which the rule applies. The source address refers to the packet's source.
- Source Port
- The ports or lists of ports on the system to which the rule applies. The source packet refers to the packet's source.
- VLAN
- Specifies VLANs to which the rule applies. The VLAN source refers to the packet's source.
- Destination Address
- One or more addresses, geographic locations, or address lists to which the rule applies. The destination address refers to the packet's destination.
- Destination Port
- The ports or lists of ports to which the rule applies. The destination port refers to the packet's destination.
- Protocol
- The protocol to which the rule applies. The firewall configuration allows you to select one specific protocol from a list of more than 250 protocols. The list is separated into a set of common protocols, and a longer set of other protocols. To apply a rule to more than one protocol, select Any.
- Schedule
- Specifies a schedule for the firewall rule. You configure schedules to define days and times when the firewall rule is made active.
- Action
- Specifies the action (accept, accept decisively, drop, or reject) for the firewall rule.
- Logging
- Specifies whether logging is enabled or disabled for the firewall rule.
Firewall actions
These listed actions are available in a firewall rule.
Firewall actions are processed within a context. If traffic matches a firewall rule within a given context, that action is applied to the traffic, and the traffic is processed again at the next context.
Firewall action | Description |
---|---|
Accept | Allows packets with the specified source, destination, and protocol to pass through the current firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. |
Accept Decisively | Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted decisively, traverse the system as if the firewall is not present, and are not processed by rules in any further context after the accept decisively action applies. If you want a packet to be accepted in one context, and not to be processed in any remaining context or by the default firewall rules, specify the accept decisively action. For example, if you want to allow all packets from Network A to reach every server behind your firewall, you can specify a rule that accepts decisively at the global context, from that Network A, to any port and address. Then, you can specify that all traffic is blocked at a specific virtual server, using the virtual server context. Because traffic from Network A is accepted decisively at the global context, that traffic still traverses the virtual server. |
Drop | Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached. |
Reject | Rejects packets with the specified source, destination, and protocol. Rejecting a packet is a more graceful way to deny a packet, as it sends a destination unreachable message to the sender. For example, if the protocol is TCP, a TCP RST message is sent. One benefit of using Reject is that the sending application is notified, after only one attempt, that the connection cannot be established. |
About Network Firewall contexts
With the BIG-IP® Network Firewall, you use a context to configure the level of specificity of a firewall rule or policy. For example, you might make a global context rule to block ICMP ping messages, and you might make a virtual server context rule to allow only a specific network to access an application.
Context is processed in this order:
- Global
- Route domain
- Virtual server/self IP
- Management port*
- Global drop*
The firewall processes policies and rules in order, progressing from the global context, to the route domain context, and then to either the virtual server or self IP context. Management port rules are processed separately, and are not processed after previous rules. Rules can be viewed in one list, and viewed and reorganized separately within each context. You can enforce a firewall policy on any context except the management port. You can also stage a firewall policy in any context except management.
Firewall context processing hierarchy example
Firewall context descriptions
When you create a firewall rule, you can select one of these listed contexts. Rules for each context form their own list and are processed both in the context hierarchy, and in the order within each context list.
Firewall context | Description |
---|---|
Global | A global policy or global inline rules are collected in this firewall context. Global rules apply to all traffic that traverses the firewall, and global rules are checked first. |
Route Domain | A route domain policy or route domain inline rules are collected in this context. Route domain rules apply to a specific route domain defined on the server. Route domain rules are checked after global rules. If you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context; however, if you configure another route domain after this, Route Domain 0 is no longer usable as a global context. |
Virtual Server | A virtual server policy or virtual server inline rules are collected in this context. Virtual server rules apply to the selected existing virtual server only. Virtual server rules are checked after route domain rules. |
Self IP | A self IP policy or self IP inline rules apply to a specified self IP address on the device. Self IP rules are checked after route domain rules. |
Management Port | The management port context collects firewall rules that apply to the management port on the BIG-IP® device. Management port rules are checked independently of any other rules. |
Global Drop | The Global Drop rule drops all traffic that does not match any rule in a previous context,excluding Management Port traffic, which is processed independently. |
Creating a network firewall inline rule
About firewall rule lists
The BIG-IP® Network Firewall uses rule lists to collect multiple rules. Rule lists function differently depending on how you create them with Advanced Firewall Manager™ (AFM™).
- If you create a rule list with :
- This type of rule list is defined with a name and optional description. Once you create a rule list of this type, you can create and add one or more individual firewall rules to it. You can only add firewall rules by creating them from within the rule list. This type of rule list cannot be used on its own, but must be selected in an Active Rules list, or in a Policy Rules list.
- If you create a rule list with Type as Rule List: and select the
- This type of rule list is defined with a name and optional description. You can specify a context (Global, Route Domain, Virtual Server, or Self IP). However, you cannot add individual rules to this rule list. Instead, you select a single rule list you have already created, or one of the predefined rule lists. This type of rule list is used to activate a rule list in the configuration.
- If you create a rule list with Type as Rule List: and select the
- This type of rule list is defined with a name and optional description. You cannot specify a context as the context is determined by the policy. You cannot add individual rules to this rule list. Instead, you select a single rule list you have already created, or one of the predefined rule lists. This type of rule list is used to activate a rule list in a policy.