Applies To: BIG-IP AFM 13.0.1, 13.0.0
About firewall rule addresses and ports
In a Network Firewall rule, you have several options for defining addresses and ports. You can use one or more of these options to configure the ports and addresses to which a firewall rule applies.
- Users, Groups, or User lists: You can specify predefined user lists, users, and groups. Users and groups must be specified in the form domain\user_name or domain\group_name. You can select user lists from a list. Users are defined on the BIG-IP® Access Policy Manager®.
- Any (address or port): In both Source and Destination address and port fields, you can select Any. This specifies that the firewall rule applies to any address or port.
- Fully qualified domain names: You can specify source or destination addresses as fully qualified domain names. To do this, you must create a DNS resolver cache, and configure the network firewall FQDN Resolver option.
- Inline addresses: An inline address is an IP address that you add directly to the network firewall rule, in either the Source or Destination Address field. You can specify a single IP address, multiple IP addresses, a contiguous range of IP addresses, or you can identify addresses based on their geographic location. IP addresses can be either IPv4 or IPv6, depending on your network configuration.
- Address lists: An address list is a preconfigured list of IP addresses that you add directly to the BIG-IP system. You can select this list of addresses to use in either the Source or Destination Address field. An address list can also contain other address lists, and geographic locations.
- Inline ports: An inline port is a port that you add directly to the network firewall rule, in either the Source or Destination Port field. You can add a single port, or a contiguous port range.
- Port lists: A port list is a preconfigured list of ports that you add directly to the BIG-IP system. You can select this list of ports to use in either the Source or Destination Port field. You can also add port lists to other port lists.
About resolving DNS addresses in Network Firewall rules
You can configure a DNS resolver on the BIG-IP® system to resolve DNS queries and cache the responses, and provide the resolved DNS addresses to network firewall rules that use fully qualified domain names (FQDNs). The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the nameservers the system queries to resolve DNS queries.
After you create a DNS resolver, you select it in the Network Firewall options so that firewall rules can resolve and cache IP addresses from FQDNs.
About address lists
An address list is simply a collection of addresses saved on the server, including fully qualified domain names, IP addresses, contiguous IP address ranges, geographic locations, and other (nested) address lists. You can define one or more address lists, and you can select one or more address lists in a firewall rule. Firewall address lists can be used in addition to inline addresses that are specified within a particular rule.
About port lists
A port list is simply a collection of ports saved on the server. A port list can also contain other port lists. You can define one or more port lists, and you can specify one or more port lists in a firewall rule. Firewall port lists can be used in addition to inline ports, specified within a particular firewall rule or policy.
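The following is an added example, not F5 code, that models how a rule evaluates the address and port options described above (Any, inline addresses and CIDRs, contiguous ranges, and nested address lists and port lists). The ADDRESS_LISTS, PORT_LISTS and EXAMPLE_RULE values and the "list:<name>" reference notation are constructed for illustration; circular nesting is treated as no match so that evaluation always terminates.

```python
import ipaddress

# Constructed sample lists: an entry is an IP, a CIDR, a "start-end" range,
# the keyword "any", or "list:<name>" for a nested list.
ADDRESS_LISTS = {
    "corp_nets": ["10.0.0.0/8", "192.168.1.10-192.168.1.20", "list:partner_nets"],
    "partner_nets": ["203.0.113.0/24", "2001:db8::/32"],
}
PORT_LISTS = {
    "web_ports": [80, "443-443", "list:alt_web"],
    "alt_web": ["8080-8090"],
}
# Constructed rule: every field is a list of entries, matched with OR semantics.
EXAMPLE_RULE = {"source": ["list:corp_nets"],
                "destination": ["list:partner_nets"],
                "dst_ports": ["list:web_ports"]}

def address_matches(entry, ip, lists=ADDRESS_LISTS, seen=None):
    """True if ip matches an inline address, CIDR, range, Any, or nested list."""
    seen = seen if seen is not None else set()   # lists already visited
    addr = ipaddress.ip_address(ip)
    if entry == "any":
        return True
    if entry.startswith("list:"):
        name = entry[5:]
        if name in seen:          # circular nesting: stop, no match
            return False
        seen.add(name)
        return any(address_matches(e, ip, lists, seen) for e in lists.get(name, []))
    if "-" in entry:              # contiguous range "start-end"
        lo, hi = (ipaddress.ip_address(x) for x in entry.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    net = ipaddress.ip_network(entry, strict=False)   # single IP or CIDR
    return addr.version == net.version and addr in net

def port_matches(entry, port, lists=PORT_LISTS, seen=None):
    """True if port matches a single port, a "lo-hi" range, Any, or nested list."""
    seen = seen if seen is not None else set()
    if entry == "any":
        return True
    if isinstance(entry, str) and entry.startswith("list:"):
        name = entry[5:]
        if name in seen:
            return False
        seen.add(name)
        return any(port_matches(e, port, lists, seen) for e in lists.get(name, []))
    if isinstance(entry, str) and "-" in entry:
        lo, hi = (int(x) for x in entry.split("-", 1))
        return lo <= port <= hi
    return int(entry) == port

def rule_matches(rule, src_ip, dst_ip, dst_port):
    """Evaluate a rule: source AND destination AND destination port must match."""
    return (any(address_matches(e, src_ip) for e in rule["source"])
            and any(address_matches(e, dst_ip) for e in rule["destination"])
            and any(port_matches(e, dst_port) for e in rule["dst_ports"]))
```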