The Network Firewall Inline Rule Editor option must be enabled to create a rule with
the inline rule editor. If you are going to specify address lists, port lists, custom
iRules®, or service policies to use with this rule, you must
create these before you edit the firewall rule, or add them at a later time.
Use the same editor to edit an existing Network Firewall policy rule and change
its source, destination, action, order, or other settings.
Note: You cannot add rules (created with
these steps) to a rule list at a later time. You must create rules for a rule list
from within the rule list. Similarly, you cannot use the rules created in a policy
to apply as inline rules in another context, though you can use rule lists in a
policy rule.
-
On the Main tab, click .
The Policies screen opens.
-
Click the name of the network firewall policy to which you want to add rules.
-
Click Add Rule to add a firewall rule to the
policy.
A blank rule appears at the first position in the policy.
-
In the Name column, type the name and an optional
description in the fields.
-
In the State column, select the rule state.
- Select Enabled to apply the firewall rule or rule
list to the addresses and ports specified.
- Select Disabled to set the firewall rule or rule
list to not apply at all.
- Select Scheduled to apply the firewall rule or
rule list according to the selected schedule.
-
From the Schedule list, select the schedule for the
firewall policy rule.
This schedule is applied when the firewall policy rule state is set to
Scheduled.
Note: You cannot save a scheduled rule when the firewall compilation
or deployment mode is manual.
-
In the Protocol column, select the protocol to which the
firewall rule applies.
- Select Any to apply the firewall rule to any
protocol.
- Select the protocol name to apply the rule to a single
protocol.
- Select Other and type the IP protocol number if the
protocol is not listed.
Important: ICMP is handled by the BIG-IP system at the global or
route domain level. Because of this, ICMP messages receive a response before
they reach the virtual server context. You cannot create a rule for ICMP or
ICMPv6 in a self IP or virtual server context. You can apply a rule list that
includes a rule for ICMP or ICMPv6 to a self IP or virtual server; however,
such a rule is ignored. To apply firewall actions to the ICMP protocol, create
the rule in the global or route domain context. ICMP rules are evaluated only
for ICMP forwarding requests, and not for the IP addresses of the BIG-IP
system itself.
-
In the Source field, begin typing to specify a source
address.
As you type, options will appear that match your input. Select the source
option you want to use when it appears, or press Return. You can add more
addresses by typing in the field labeled
add new source.
A source can be specified by any of the following:
- Any address
- IPv4 or IPv6 address
- IPv4 or IPv6 address range
- FQDN
- Geographic location
- VLAN
- Address list
- Port
- Port range
- Port list
-
In the Destination field, begin typing to specify a
destination address.
As you type, options will appear that match your input. Select the
destination option you want to use when it appears, or press Return. You can add
more addresses by typing in the field labeled add new
destination.
A destination can be specified by any of the following:
- Any address
- IPv4 or IPv6 address
- IPv4 or IPv6 address range
- FQDN
- Geographic location
- VLAN
- Address list
- Port
- Port range
- Port list
-
Optionally, from the iRule list, select an iRule to
start if the rule matches traffic.
-
If you selected an iRule, specify how often it is started, for sampling
purposes. The value you configure is n in "one out of every n flows that
match the rule". For example, to start the iRule on one out of every five
flows that match the rule, set this field to 5. To start the iRule on every
flow that matches the rule, set this field to 1.
-
To apply custom timeouts to flows that match this rule, from the
Service Policy field, specify a service policy.
-
In the Logging column, check
Logging to enable logging for the firewall rule.
A logging profile must be enabled to capture logging info for the firewall
rule.
-
Click Commit Changes to System.
The new firewall rule is saved and displayed on the firewall policy screen.
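The procedure above leaves several constraints for the operator to remember: a Scheduled rule needs a schedule and cannot be saved in manual compilation mode, ICMP rules are silently ignored in the self IP and virtual server contexts, Other takes an IP protocol number, and the iRule sample rate is "one in n". The following pre-flight check is an added example, not F5 code and not part of the original page; it encodes those constraints and renders the rule as a tmsh command. The tmsh attribute names (`ip-protocol`, `irule-sample-rate`, `place-after`, and so on) are the author's assumption of what the `security firewall policy` rules object accepts; confirm them with `tmsh help security firewall policy` on your version before running the output on a live system.

```python
"""Pre-flight check for a BIG-IP AFM firewall policy rule (added example, not F5 code).

Encodes the constraints stated in the inline rule editor procedure and renders
the rule as a tmsh command. tmsh attribute names are assumed; verify them with
'tmsh help security firewall policy' on your BIG-IP version.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Protocol names this example accepts; "other" takes an explicit IANA protocol number.
PROTOCOL_NAMES = ("any", "tcp", "udp", "sctp", "icmp", "icmpv6", "other")


@dataclass
class FirewallRule:
    name: str
    action: str = "accept"                 # accept | accept-decisively | drop | reject
    state: str = "enabled"                 # enabled | disabled | scheduled
    schedule: Optional[str] = None         # required when state == "scheduled"
    protocol: str = "any"                  # one of PROTOCOL_NAMES
    protocol_number: Optional[int] = None  # required when protocol == "other"
    sources: List[str] = field(default_factory=list)        # addresses, ranges, lists, ...
    source_ports: List[str] = field(default_factory=list)
    destinations: List[str] = field(default_factory=list)
    destination_ports: List[str] = field(default_factory=list)
    irule: Optional[str] = None
    irule_sample_rate: int = 1             # 1 = run on every match, n = one in n matches
    service_policy: Optional[str] = None
    log: bool = False
    description: str = ""


def validate(rule: FirewallRule, context: str, compile_mode: str = "automatic") -> List[str]:
    """Return the problems that would make the rule unsaveable or silently ineffective.

    context: where the policy is applied ("global", "route-domain", "self-ip", "virtual-server").
    compile_mode: the firewall compilation / deployment mode ("automatic" or "manual").
    """
    problems = []
    if rule.state not in ("enabled", "disabled", "scheduled"):
        problems.append(f"unknown state {rule.state!r}")
    if rule.state == "scheduled":
        if not rule.schedule:
            problems.append("a scheduled rule needs a schedule")
        if compile_mode == "manual":
            problems.append("a scheduled rule cannot be saved while compilation/deployment is manual")
    elif rule.schedule:
        problems.append("schedule is ignored unless the rule state is scheduled")
    if rule.protocol not in PROTOCOL_NAMES:
        problems.append(f"unknown protocol {rule.protocol!r}; use 'other' with a protocol number")
    if rule.protocol == "other" and not (
        rule.protocol_number is not None and 0 <= rule.protocol_number <= 255
    ):
        problems.append("'other' needs an IP protocol number between 0 and 255")
    if rule.protocol in ("icmp", "icmpv6") and context in ("self-ip", "virtual-server"):
        problems.append(
            "ICMP/ICMPv6 rules are ignored in the self IP and virtual server contexts; "
            "put the rule in a global or route domain policy"
        )
    if rule.irule and rule.irule_sample_rate < 1:
        problems.append("irule sample rate must be >= 1 (1 = every match, n = one in n matches)")
    return problems


def to_tmsh(rule: FirewallRule, policy: str = "/Common/example_policy", after: str = "last") -> str:
    """Render the rule as one tmsh command (attribute names assumed, see module docstring)."""
    parts = [f"action {rule.action}", f"status {rule.state}"]
    if rule.description:
        parts.append(f'description "{rule.description}"')
    if rule.state == "scheduled" and rule.schedule:
        parts.append(f"schedule {rule.schedule}")
    if rule.protocol == "other":
        parts.append(f"ip-protocol {rule.protocol_number}")
    elif rule.protocol != "any":
        parts.append(f"ip-protocol {rule.protocol}")
    for keyword, addrs, ports in (("source", rule.sources, rule.source_ports),
                                  ("destination", rule.destinations, rule.destination_ports)):
        inner = []
        if addrs:
            inner.append("addresses add { " + " ".join(addrs) + " }")
        if ports:
            inner.append("ports add { " + " ".join(ports) + " }")
        if inner:
            parts.append(f"{keyword} {{ {' '.join(inner)} }}")
    if rule.irule:
        parts.append(f"irule {rule.irule} irule-sample-rate {rule.irule_sample_rate}")
    if rule.service_policy:
        parts.append(f"service-policy {rule.service_policy}")
    parts.append("log yes" if rule.log else "log no")
    parts.append(f"place-after {after}")
    return f"tmsh modify security firewall policy {policy} rules add {{ {rule.name} {{ {' '.join(parts)} }} }}"


if __name__ == "__main__":
    # Constructed sample: TCP from an RFC 1918 range to web ports, logged, iRule on one in five matches.
    rule = FirewallRule(name="allow_web", protocol="tcp", sources=["10.0.0.0/8"],
                        destination_ports=["80", "443"], irule="/Common/web_audit",
                        irule_sample_rate=5, log=True, description="web from corp")
    for problem in validate(rule, context="virtual-server"):
        print("PROBLEM:", problem)
    print(to_tmsh(rule))
```

Run `validate()` with the context the policy will actually be attached to; the same ICMP rule passes for a global policy and is flagged for a virtual server policy, which mirrors the Important note above.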