You must be logging Network Firewall traffic to create a rule from the Network Firewall logs.
You can create a rule from the local log, from an enforced or staged rule or policy. You
might use this to change the action taken on specific traffic that is matched by a more general
rule. You can also use this to replicate a rule and change some parameter, such as the source or
destination ports. Note that the rule you create from a log entry already has some information
specified, such as source and destination address and ports, protocol, and VLAN. You can change
any of this information as required.
- On the Main tab, click .
The Network Firewall event log displays.
- Select the search parameters to show the desired log results, then click
Search.
- Select a log entry, and click Create Rule.
- From the Context list, select the context for the firewall rule.
For a firewall rule in a rule list, the context is predefined and cannot be
changed.
- In the Name and Description fields, type
the name and an optional description.
- From the Type list, select whether you are creating a standalone
network firewall rule or creating the rule from a predefined rule list.
Note: If you create a firewall rule from a predefined rule list, only the
Name, Description,
Order, Rule List, and
State options apply, and you must select or create a rule
list to include.
- From the State list, select the rule state.
- Select Enabled to apply the firewall rule to the given
context and addresses.
- Select Disabled to set the firewall rule to not apply at
all.
- Select Scheduled to apply the firewall rule according to
the selected schedule.
- From the Schedule list, select the schedule for the firewall rule.
This schedule is applied when you set the firewall rule state as
Scheduled.
- From the Protocol list, select the protocol to which the firewall
rule applies.
- Select Any to apply the firewall rule to any
protocol.
- Select the protocol name to apply the rule to a single protocol.
Important: ICMP is handled by the BIG-IP system at the global or route domain
level. Because of this, ICMP messages receive a response before they reach the virtual
server context. You cannot create an inline rule for ICMP or ICMPv6 on a Self IP
context. You can apply a rule list to a self IP that includes a rule for ICMP or
ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP
protocol, create a rule with the global or route
domain context. ICMP rules are evaluated only for ICMP forwarding
requests, and not for the IP addresses of the BIG-IP system itself.
Note: You must select a protocol if you specify ports.
- In the Source list, specify IP addresses and geolocated sources to
which this rule applies.
- From the Address/Region list, select
Any to have the rule apply to any packet source IP address
or packet source geographic location.
- From the Address/Region list, select
Specify and click Address to specify
one or more packet source IP addresses to which the rule applies. When selected, you
can type single IP addresses into the Address field, then click
Add to add them to the address list.
- From the Address/Region list, select
Specify and click Address List to
select a predefined list of packet source addresses to which the rule applies. To use
an address list with this rule, select the address list and click the
Add button. Similarly, to remove the list from this rule,
select the list and click the Delete button.
- From the Address/Region list, select
Specify and click Address Range to
specify a contiguous range of packet source IP addresses to which the rule applies.
When selected, you can type a start and end IP address in the fields, then click
Add to add the IP address range to the address
list.
- From the Address/Region list, select
Specify and click Country/Region to
identify the geographic origin of packet sources, and to apply rules based on selected
geographic locations. When selected, a field appears in which you can select a
country. For many countries, an extra field appears after you select the country, in
which you can select a state or province. If you do not select a specific state or
province, the entire country is selected. After you select a geographic location,
click Add to add it to the Source address list.
- From the Source Port list, select the type of packet source ports
to which this rule applies.
- Select Any to have the rule apply to any packet source
port.
- Select Specify and click Port to
specify one or more packet source ports to which the rule applies. When selected, you
can type single port numbers into the Port field, then click
Add to add them to the port list.
- Select Specify and click Port Range
to specify a list of contiguous packet source port numbers to which the rule applies.
When selected, you can type the start and end ports into the fields, then click
Add to add the ports to the port list.
- Select Specify and click Port List
to select a predefined list of packet source ports to which the rule applies. To use a
port list with this rule, select the port list and click the
Add button. Similarly, to remove the list from this rule,
select the list and click the Delete button.
- From the Source VLAN/Tunnel list, select the VLAN on which this
rule applies.
- Select Any to have the rule apply to traffic on any VLAN
through which traffic enters the firewall.
- Select Specify to specify one or more VLANs on the firewall
to which the rule applies. To use a VLAN with this rule, move the VLAN from the
Available list to the Selected list
by clicking the << button. Similarly, to remove the VLAN
from this rule, click the >> button to move the VLAN from the
Selected list to the Available
list.
- From the Destination Address/Region list, select the type of
packet destination address to which this rule applies.
- Select Any to have the rule apply to any IP packet
destination address.
- Select Specify and click Address to
specify one or more packet destination IP addresses to which the rule applies. When
selected, you can type single IP addresses into the Address
field, then click Add to add them to the address list.
- Select Specify and click Address
List to select a predefined list of packet destination addresses to
which the rule applies. To use an address list with this rule, select the address list
and click the Add button. Similarly, to remove the list from
this rule, select the list and click the Delete
button.
- Select Specify and click Address
Range to specify a contiguous range of packet destination IP addresses
to which the rule applies. When selected, you can type a start and end IP address in
the fields, then click Add to add the IP address range to the
address list.
- Select Specify and click
Country/Region to identify the geographic packet
destination, and to apply rules based on specific geographic locations. When selected,
a field appears in which you can select a country. For many countries, an extra field
appears after you select the country, in which you can select a state or province. If
you do not select a specific state or province, the entire country is selected. After
you select a geographic location, click Add to add it to the
Destination address list.
- From the Destination Port list, select the type of packet
destination ports to which this rule applies.
- Select Any to have the rule apply to any port inside the
firewall.
- Select Specify and click Port to
specify one or more packet destination ports to which the rule applies. When selected,
you can type single port numbers into the Port field, then
click Add to add them to the port list.
- Select Specify and click Port Range
to specify a list of contiguous packet destination port numbers to which the rule
applies. When selected, you can type the start and end ports into the fields, then
click Add to add the ports to the port list.
- Select Specify and click Port List
to select a predefined list of packet destination ports to which the rule applies. To
use a port list with this rule, select the port list and click the
Add button. Similarly, to remove the list from this rule,
select the list and click the Delete button.
- Optionally, from the iRule list, select an iRule to start if the
rule matches traffic.
- When you select an iRule to start in a firewall rule, you can enable iRule sampling, and
select how frequently the iRule is started, for sampling purposes. The value you configure
is one out of n times the iRule is triggered. For example, to
trigger the iRule one out of every five times the rule matches a flow, select
Enabled, then set this field to 5.
- From the Action list, select the firewall action for traffic
originating from the specified source address on the specified protocol. Choose one
of these actions:

| Option | Description |
| --- | --- |
| Accept | Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. |
| Drop | Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached. |
| Reject | Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender. |
| Accept Decisively | Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. |
- From the Logging list, enable or disable logging for the firewall
rule.
A logging profile must be enabled to capture logging info for the firewall rule.
- Click Finished.
The list screen and the new item are displayed.
The new firewall policy rule is created from the log entry.
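As an added example (not part of this F5 documentation or of BIG-IP itself), the following Python models the procedure above: a rule pre-filled from a constructed log entry, the Enabled/Disabled state, and how the Accept, Drop, Reject and Accept Decisively actions interact when firewall contexts are evaluated in order. The field names, the sample log entry and the accept-when-nothing-matches fallback are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample log entry carrying the fields Create Rule pre-fills (not real AFM output).
SAMPLE_LOG_ENTRY = {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.10",
                    "dst_port": 22, "protocol": "tcp", "vlan": "external"}

@dataclass
class Rule:
    name: str
    action: str                    # "Accept", "Drop", "Reject" or "Accept Decisively"
    protocol: str = "any"          # a protocol must be selected when ports are specified
    src: Optional[str] = None      # CIDR; None means Any
    dst: Optional[str] = None      # CIDR; None means Any
    dst_port: Optional[int] = None
    vlan: Optional[str] = None     # None means Any
    enabled: bool = True           # State: Enabled or Disabled (Scheduled is not modelled)

    def matches(self, pkt: dict) -> bool:
        if not self.enabled:
            return False
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        if self.src and ip_address(pkt["src_ip"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst_ip"]) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and self.dst_port != pkt["dst_port"]:
            return False
        return self.vlan is None or self.vlan == pkt["vlan"]

def rule_from_log(entry: dict, name: str, action: str) -> Rule:
    """Mirror Create Rule: addresses, port, protocol and VLAN are taken from the log entry."""
    return Rule(name, action, protocol=entry["protocol"], src=entry["src_ip"] + "/32",
                dst=entry["dst_ip"] + "/32", dst_port=entry["dst_port"], vlan=entry["vlan"])

def evaluate(contexts: list, pkt: dict) -> tuple:
    """contexts: ordered (context_name, rules) pairs, e.g. global -> route domain -> virtual
    server. First match in a context decides it: Accept hands the packet to the next context;
    Drop, Reject and Accept Decisively end evaluation. No match at all accepts (model assumption)."""
    verdict = ("Accept", None, None)
    for ctx, rules in contexts:
        for rule in rules:
            if rule.matches(pkt):
                if rule.action != "Accept":
                    return (rule.action, ctx, rule.name)
                verdict = ("Accept", ctx, rule.name)
                break
    return verdict
```

Placing the log-derived Drop rule ahead of the general Accept rule is the "change the action for specific traffic" case described at the top of the page; placing it after has no effect, because the general rule matches first.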