Manual Chapter : Compiling and Deploying Network Firewall rules

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Manual Chapter

Compiling and Deploying Network Firewall rules

About compiling and deploying rules in the Network Firewall

The BIG-IP® Advanced Firewall Manager™ (AFM™) allows you to compile and deploy rules either manually or automatically. Rules are compiled and deployed automatically by default. However, in a large configuration with many rulesets there can a large number of micro rules created by the compilation process, even when only a small number of rules are added or edited. For such configurations, it might be advantageous to compile all collected rule changes at once, manually. Once rules are compiled, they can be deployed manually or automatically. Deploying manually allows greater control over the rollout of configuration changes. These options provide a more efficient approach to managing large firewall rule sets. When manual rule compilation, manual rule deployment, or both are enabled, the AFM user interface provides feedback about the compilation and deployment status of the current ruleset.

Task list

Configuring manual or automatic policy compilation for firewall rules

Set the compilation mode to Manual if you want to collect several rule changes, and then compile them all at one time, or if you want to delay the rule compilation process to another time.
  1. On the Main tab, click Security > Options > Network Firewall .
    The Firewall Options screen opens.
  2. From the Firewall Compilation Mode list, select the compilation mode for the firewall ruleset.
    • Select Automatic to compile the firewall ruleset whenever a change is made to any firewall item that is used in the firewall ruleset.
    • Select Manual to delay compilation of the firewall ruleset, collect all firewall rule changes, and apply the entire set of changes manually at another time.
  3. From the Log Configuration Changes list specify the logging option for firewall ruleset compilation and deployment configuration changes.
    • Select Automatic to specify that configuration changes are logged only if Firewall Compilation Mode or Firewall Deployment Mode is set to Manual.
    • Select On to specify that policy configuration changes are always logged.
    • Select Off to specify that policy configuration changes are not logged.
  4. Select the log publisher to which to log policy configuration changes.
    This field appears only if you specify the Log Configuration Changes setting as Automatic or On.
  5. Click Update.
    The firewall policy compilation mode is configured.

Compiling firewall rules manually

When you have configured the firewall in manual compilation mode, you must manually compile firewall rules after your configuration changes are complete.
  1. Look at the status area for Advanced Firewall Manager. If the status shows Firewall: Pending Rules Compilation, the rules are ready to be manually compiled.
    Rules to be compiled message
  2. Click the Firewall: Pending Rules Compilation link. Alternatively, you can click Security > Event Logs > Network > Policy Status .
    The Policy Status screen appears, showing the firewall status, an overview of the most recent compilation, and a list of recent configuration changes. If the policy requires compilation, the Firewall Policy Status is Pending Rules Compilation.
  3. Click Compile.
    The system compiles the collected changes.
After the ruleset is compiled, review the compilation statistics for Compilation Start Time, Compilation End Time, and Last Successful Compilation Time. The status in the Configuration Change Event column also shows Compile Success after a successful compilation.
If you set the Firewall Deployment Mode to automatically deploy after a configuration change, the policies are deployed. If you set the Firewall Deployment Mode to manual, you must now deploy the policies.

Configuring manual or automatic policy deployment for firewall rules

Set the deployment mode to Manual if you want to compile rule changes without putting them into effect until a certain time.
Warning: You can not configure firewall schedules if the firewall deployment mode is manual.
  1. On the Main tab, click Security > Options > Network Firewall .
    The Firewall Options screen opens.
  2. From the Firewall Deployment Mode list, select the deployment mode for firewall ruleset changes.
    • Select Automatic to deploy the firewall ruleset whenever a change is compiled, either manually or automatically.
    • Select Manual to delay deployment of the firewall ruleset, collect all compiled firewall ruleset changes, and deploy the entire set of changes manually at another time.
  3. From the Log Configuration Changes list specify the logging option for firewall ruleset compilation and deployment configuration changes.
    • Select Automatic to specify that configuration changes are logged only if Firewall Compilation Mode or Firewall Deployment Mode is set to Manual.
    • Select On to specify that policy configuration changes are always logged.
    • Select Off to specify that policy configuration changes are not logged.
  4. Select the log publisher to which to log policy configuration changes.
    This field appears only if you specify the Log Configuration Changes setting as Automatic or On.
  5. Click Update.
    The firewall deployment mode is configured.

Deploying firewall rules manually

When you have configured the firewall in manual deployment mode, you must manually deploy firewall rules after the rules are compiled.
  1. Look at the status area for the Advanced Firewall Manager. If the status shows Firewall: Pending Rules Deployment, the rules are ready to be manually deployed.
    Rules to be deployed message
  2. Click the Firewall: Pending Rules Deployment link. Alternatively, you can click Security > Event Logs > Network > Policy Status .
    The Policy Status screen appears, showing the firewall status, an overview of the most recent compilation, and a list of the most recent configuration changes. If the policy is compiled, and requires deployment, the Firewall Policy Status is Pending Rules Deployment.
  3. Click Deploy.
    The system deploys the collected changes.
  4. Next to the Policy Status setting, select Advanced to review additional policy compilation and deployment statistics.
    These statistics include the compilation and deployment mode, Deployment Start Time, Deployment End Time, Number of Micro Rules, the Active BLOB, and whether the active BLOB is MD5 verified.
After the ruleset is deployed, the status in the Configuration Change Event column also shows Deploy Success after a successful deployment.

About firewall policy compilation statistics

When firewall rules are recompiled, whether automatically with a rule change, or manually with a manual compile event, the rule list or policy requires some server resources to compile. With large rule sets and deployments, even minor rule changes can cause very large recompilation events. You can view the resources used for policy compilation, either for the entire firewall or by context.

Compiler statistics are displayed on a context for several items.

Activation Time
Displays the time at which firewall policies or rule lists were last activated on this context.
Compilation Duration
Displays the amount of time required to compile the rule sets or policies at the last activation.
Compilation Size
Displays the file size of the compiled rule sets or policies, after the last activation.
Maximum Transient Memory
Displays the maximum memory used to compile the rule sets or policies during the last activation.

Compiler statistics are displayed for several items when displayed for the entire firewall.

Firewall Compilation Mode
Displays whether the firewall is configured to compile ruleset changes manually or automatically.
Firewall Deployment Mode
Displays whether the firewall is configured to deploy ruleset changes manually or automatically.
Firewall Policy Status
Displays whether the firewall ruleset is Consistent (all rules are currently compiled and deployed), Pending Rules Compilation (some rules have been changed, and the ruleset is not compiled), or Pending Rules Deployment (the ruleset is compiled, but not deployed).
Compilation Start Time
Displays the time at which the most recent firewall ruleset compilation event last started.
Compilation End Time
Displays the time at which at which the most recent firewall ruleset compilation event last completed.
Last Successful Compilation Time
Displays the time at which the last successful compilation occurred.
Deployment Start Time
Displays the most recent deployment start time.
Deployment End Time
Displays the most recent deployment end time.
Number of Micro Rules
Displays the number of micro rules compiled in the most recent ruleset compilation event.
Active BLOB
Displays the internal name for the active group of rules to be compiled.
BLOB MD5 Verified
Displays whether the BLOB MD5 is verified.

Viewing compilation statistics for a firewall rule or policy

You can view the most recent compilation statistics for a rule list or policy on the global context, or on a route domain, self IP, or virtual server context.
  1. On the Main tab, click Security > Network Firewall > Active Rules .
    The Active Rules screen opens.
  2. From the Context list, select All.
  3. Click on the name of the context for which you want to view statistics.
    For example, the global context is always called Global. A virtual server or self IP has the name you assigned when you created it; for example, vs_http_134 or self_lb_11 . A route domain is identified with a number; for example, 0.
  4. View statistics for rule compilation.
    • In the global context, from the Policy Settings list, select Advanced.
    • In a route domain, self IP, or virtual server context, click the Security tab. Then, from the Policy Settings list, select Advanced.
Statistics are displayed for the most recent rule list and policy compilation on the selected context.

Viewing compilation statistics for all network firewall rules and policies

You can view the most recent compilation statistics for the network firewall.
  1. Click Security > Event Logs > Network > Policy Status .
    The Policy Status screen appears, showing the firewall status, an overview of the most recent compilation, and a list of recent configuration changes.
  2. Next to the Policy Status setting, select Advanced to review additional policy compilation and deployment statistics.
    These statistics include the compilation and deployment mode, Deployment Start Time, Deployment End Time, Number of Micro Rules, the Active BLOB, and whether the active BLOB is MD5 verified.
Compilation and deployment statistics are displayed for all network firewall policies.