Manual Chapter : About the Network Firewall

Applies To:

BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

What is the BIG-IP Network Firewall?

The BIG-IP® Network Firewall provides policy-based access control to and from address and port pairs, inside and outside of your network. Using a combination of contexts, the network firewall can apply rules in a number of different ways, including: at a global level, on a route domain, on a per-virtual server level, for a self IP address, or for the management port. Firewall rules are combined in firewall policies, which can contain multiple context and address pairs, and can be applied directly to any context except the management port. Rules for the management port context are defined inline, and do not require a separate policy.

By default, the Network Firewall is configured in ADC mode, a default allow configuration, in which all traffic is allowed through the firewall, and any traffic you want to block must be explicitly specified.

The system is configured in this mode by default so all traffic on your system continues to pass after you provision Advanced Firewall Manager™. You should create appropriate firewall rules to allow necessary traffic to pass before you switch Advanced Firewall Manager to Firewall mode. In Firewall mode, a default deny configuration, all traffic is blocked through the firewall, and any traffic you want to allow through the firewall must be explicitly specified.

About firewall modes

The BIG-IP® Network Firewall provides policy-based access control to and from address and port pairs, inside and outside of your network. By default, the network firewall is configured in ADC mode. This means it is a default allow configuration, in which all traffic is allowed to virtual servers and self IP addresses on the system, and any traffic you want to block must be explicitly specified. This applies only to the virtual server and self IP levels on the system.

Important: If a packet does not match any rule in any context on the firewall, the Global Reject or Global Drop rule drops the packet (Global Drop) or drops the packet and sends the appropriate reject message (Global Reject) even when the system is in a default allow configuration. In addition, the Global Drop or Global Reject rule does not drop or reject traffic to the management port. Management port rules must be specifically configured and applied.
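The evaluation described above (contexts checked in order, the ADC or Firewall mode default applied at the virtual server and self IP contexts, and the global Drop/Reject rule catching anything that matched no rule in any context, except management port traffic) can be modelled in a few lines. The following Python is an added illustration, not F5 code; the rule format, the "first match wins" order and the set of contexts a packet traverses are constructed assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Evaluation order of contexts as listed on the page; first matching rule wins
# (assumption of this model, not stated verbatim on the page).
CONTEXT_ORDER = ("global", "route_domain", "virtual_server", "self_ip", "management")

@dataclass
class Rule:
    src: str                # source address or "any"
    dst: str                # destination address or "any"
    port: Optional[int]     # destination port, None = any port
    action: str             # "accept", "drop" or "reject"

    def matches(self, pkt: dict) -> bool:
        return (self.src in ("any", pkt["src"]) and self.dst in ("any", pkt["dst"])
                and self.port in (None, pkt["port"]))

@dataclass
class Firewall:
    # ADC mode = default allow at the virtual server / self IP contexts;
    # Firewall mode = default deny (Drop or Reject) at those same contexts.
    vs_selfip_default: str = "accept"
    global_default: str = "reject"   # page: the global rule rejects unmatched traffic by default
    rules: dict = field(default_factory=dict)   # context name -> list of Rule

    def set_mode(self, mode: str, deny_action: str = "reject") -> None:
        self.vs_selfip_default = "accept" if mode == "adc" else deny_action

    def evaluate(self, pkt: dict) -> tuple:
        """pkt['contexts'] is the set of contexts the packet traverses (constructed
        assumption: a packet to a listener hits global + virtual_server; management
        traffic hits only the management context)."""
        for ctx in CONTEXT_ORDER:
            if ctx not in pkt["contexts"]:
                continue
            for rule in self.rules.get(ctx, []):
                if rule.matches(pkt):
                    return rule.action, ctx
            if ctx in ("virtual_server", "self_ip"):
                return self.vs_selfip_default, ctx + "-default"   # mode default acts as implicit last rule
        if "management" in pkt["contexts"]:
            return "unmatched", "management"   # page: the global rule never handles the management port
        return self.global_default, "global-default"

def build_demo() -> Firewall:
    """Constructed sample policy: one drop rule on a virtual server, nothing else."""
    return Firewall(rules={"virtual_server": [Rule("10.0.0.5", "192.0.2.10", 22, "drop")]})
```

Switching the demo policy from ADC mode to Firewall mode with `set_mode("firewall", "drop")` turns previously accepted traffic into dropped traffic until an explicit accept rule is added, which is why the page recommends creating the allow rules first.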

Configuring the Network Firewall in ADC mode

If you have changed the firewall setting to Firewall mode, you can configure the BIG-IP® Network Firewall back to ADC mode.
Note: The firewall is configured in ADC mode by default.
  1. On the Main tab, click Security > Options > Network Firewall.
    The Network Firewall screen opens to Firewall Options.
  2. From the Virtual Server & Self IP Contexts list, select the default action Accept for the self IP and virtual server contexts.
  3. Click Update.
    The virtual server and self IP contexts for the firewall are changed.

Configuring the Network Firewall to drop or reject traffic that is not specifically allowed

You can configure the BIG-IP® Network Firewall to drop or reject all traffic not explicitly allowed. In Advanced Firewall Manager™, this is called Firewall mode, and this is also referred to as a default deny policy. Firewall mode applies a default deny policy to all self IP addresses and virtual servers.
  1. On the Main tab, click Security > Options > Network Firewall.
    The Network Firewall screen opens to Firewall Options.
  2. From the Virtual Server & Self IP Contexts list, select the default action for the self IP and virtual server contexts.
    • Select Drop to silently drop all traffic to virtual servers and self IP addresses unless specifically allowed.
    • Select Reject to drop all traffic to virtual servers and self IP addresses unless specifically allowed, and to send the appropriate reject message for the protocol.
  3. Click Update.
    The default virtual server and self IP firewall context is changed.

Configuring the Network Firewall to globally drop or reject traffic

If traffic to or from the BIG-IP® Network Firewall does not match a rule, the global rule handles the traffic. You can set the global rule to drop traffic or to reject traffic. The global rule rejects unmatched traffic by default.
Note: Management port traffic is not handled by the global rule. Management port rules must be explicitly defined for the management port context.
  1. On the Main tab, click Security > Options > Network Firewall.
    The Network Firewall screen opens to Firewall Options.
  2. From the Global Context list, select the action the global rule takes when traffic matches no other rule.
    • Select Drop to drop traffic silently.
    • Select Reject to drop traffic, and send the appropriate reject message for the protocol.
  3. Click Update.
    The global firewall action is changed.