Manual Chapter : Setting Timers and Preventing Port Misuse with Service Policies

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Manual Chapter

Setting Timers and Preventing Port Misuse with Service Policies

Creating and Applying Service Policies

Introduction to service policies

A service policy collects flow timer and flow timeout features in a policy that can be applied to different contexts, and allows you to configure policies to drop traffic on a specified port when the service does not match.

A service policy can be applied on a route domain, virtual server, self IP, or in a firewall rule.

About service policy types

There are two types of service policies that you can create:

  • A timer policy allows you to set custom timeouts and apply them to firewall rules or rule lists, or to a route domain or virtual server. With a timer policy you can apply a custom FIN timeout that differs from the system FIN timeout to flows on a specific context and in a specific policy. You can also apply a custom idle timeout that differs from the system timeout on a specific context and in a specific policy.
  • A port misuse policy allows you to configure a route domain, firewall rule, or firewall rule list to detect and drop connections that are not using a required application or service for a given port. With a port misuse policy, you can configure ports to allow services, and drop all traffic that does not match the specified service type. You can configure port and service associations without regard for customary port and service pairings.

Creating a timer policy

Create a timer policy to set custom timeouts for self IPs, route domains, firewall rules, or firewall rule lists.
  1. Click Network > Service Policies > Timer Policies .
  2. Click Create.
    The New Timer Policy screen opens.
  3. Type a name for the timer policy.
  4. Type an optional description for the timer policy.
  5. To save the timer policy and add timer rules, click Create & Add Rule.
    The New Rule screen opens.
  6. Type a name for the rule.
  7. From the Protocol list, select a protocol.
  8. From the Idle Timeout list, select the timeout option for the selected protocol.
    • Select Specify to specify the timeout for this protocol, in seconds.
    • Select Immediate to immediately apply this timeout to the protocol.
    • Select Indefinite to specify that this protocol never times out.
    • Select Unspecified to specify no timeout for the protocol. When this is selected, the default timeout for the protocol is used.
  9. Click Finished to save the timer policy rule.
The timer policy is now configured to apply to traffic with this protocol type.
Select the timer policy in a service policy, and apply the service policy to a self IP, route domain, firewall rule, or firewall rule list.

Creating a port misuse policy

Create a port misuse policy to restrict traffic on a port to a specific application. You configure a policy with specific port, protocol, and service rules to specify when port misuse occurs, and what action the policy takes.
  1. On the Main tab, click Network > Service Policies > Port Misuse Policies .
    The Port Misuse screen opens.
  2. Click Create.
    The New Port Misuse Policy screen opens.
  3. Type a name for the port misuse policy.
  4. Type an optional description for the port misuse policy.
  5. Select the Default Actions for the port misuse policy.
    • Select Drop on Service Mismatch to set a policy default that drops packets when the service does not match the port, as defined in the policy rules.
    • Select Log on Service Mismatch to set a policy default that logs service and port mismatches.
  6. In the Rule Name field, type a name for a policy rule.
  7. From the Port list, select a port for the port matching rule.
    You can select from a list of commonly used ports, or select Other and specify a port number.
  8. From the IP Protocol list, select the IP protocol for the port matching rule.
    You can select TCP, UDP, or SCTP.
  9. From the Service list, select the service.
    This setting configures the association between the service and port number. Packets on this port that do not match the specified service type are dropped, if Drop on Service Mismatch is applied to this rule.
    Important: You can specify a service on any port; you are not limited to customary port and service pairings. You can configure any service on any port as a rule in a port misuse policy.
  10. From the Drop on Service Mismatch field, select the drop behavior.
    • Select Use Policy Default to use the default action for packet drops, when the service does not match the port.
    • Select Yes to drop packets when the service does not match the port.
    • Select No to allow packets when the service does not match the port.
  11. From the Log on Service Mismatch field, select the logging behavior.
    • Select Use Policy Default to use the default action for logging packet drops, when the service does not match the port.
    • Select Yes to log dropped packets when the service does not match the port.
    • Select No to not log packet drops when the service does not match the port.
  12. Click Finished to save the port misuse policy.
The port misuse policy is now configured to drop packets for specified ports, when the service does not match.
Select the port misuse policy in a service policy, and apply the service policy to a self IP, route domain, firewall rule, or firewall rule list.

Creating a service policy

Create a service policy to apply custom timer policies and port misuse settings to self IPs, route domains, firewall rules, or firewall rule lists.
  1. Click Network > Service Policies .
  2. Click Create.
    The New Service Policy screen opens.
  3. Type a name for the service policy.
  4. Type an optional description for the service policy.
  5. To enable a timer policy in the service policy, in the Timer Policy area, click Enabled.
  6. From the list, select a timer policy to use in the service policy. The Timer Policy Rules area shows the timer policy rules for the selected timer policy.
  7. To enable a port misuse policy in the service policy, in the Port Misuse area, click Enabled.
  8. From the list, select a port misuse policy to use in the service policy. The Port Misuse Policy Rules area shows the port misuse policy rules for the selected port misuse policy.
  9. Click Finished to save the service policy and return to the service policies list screen.
The selected self IP now enforces or stages rules according to your selections.

Applying a service policy to a firewall rule

Apply a service policy to a firewall rule to apply custom timers and port misuse settings to traffic matched by the firewall rule.
  1. Click Security > Network Firewall > Active Rules .
  2. Select the service policy.
    Option Description
    With the Inline Rules Editor If you are using the inline rules editor, click in a rule to edit it, and select a service policy in the Action column.
    With the standard rules editor If you are using the standard rule editor, click a rule name and select a service policy from the Service Policy list.
  3. Update the rule, or commit your changes.
  4. Compile and deploy the changes, if you compile and deploy manually.
When the rule is compiled and deployed, the timeouts and port misuse settings defined in the service policy are applied to the rule.

Applying a service policy to a virtual server

Apply a service policy to a virtual server to use custom timers and port misuse settings on the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. From the Service policy list, select the service policy.
  7. Configure any other settings that you need.
  8. Click Finished.
The service policy is now associated with the virtual server, and the timers and port misuse settings are applied to sessions on the virtual server.

Applying a service policy to a route domain

Apply a service policy to a route domain to apply custom timers and port misuse settings to traffic that uses the route domain.
  1. On the Main tab, click Network > Route Domains .
    The Route Domain List screen opens.
  2. In the Name column, click the name of the relevant route domain.
  3. Click the route domain to which you will apply the service policy.
  4. From the Service Policy list, select the service policy to apply to the route domain.
  5. Click Update
Traffic on the route domain that matches the rules defined in the service policy now uses the timeouts and port misuse settings defined in the timer and port misuse policies.

Applying a service policy to a self IP

Apply a service policy to a self IP to apply custom timers and port misuse settings to traffic that uses the self IP address.
  1. On the Main tab, click Network > Self IPs .
  2. In the Name column, click the self IP address that you want to modify.
    This displays the properties of the self IP address.
  3. Click the self IP to which you will apply the service policy.
  4. From the Service Policy list, select the service policy to apply to the self IP.
  5. Click Update
Traffic on the self IP that matches the rules defined in the service policy now uses the timeouts and port misuse settings defined in the timer and port misuse policies.