Applies To:
BIG-IP AFM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
About compiling and deploying rules in the Network Firewall
The BIG-IP® Advanced Firewall Manager™ (AFM™) allows you to compile and deploy rules either manually or automatically. Rules are compiled and deployed automatically by default. However, in a large configuration with many rulesets there can be a large number of micro rules created by the compilation process, even when only a small number of rules are added or edited. For such configurations, it might be advantageous to compile all collected rule changes at once, manually. Once rules are compiled, they can be deployed manually or automatically. Deploying manually allows greater control over the rollout of configuration changes. These options provide a more efficient approach to managing large firewall rule sets. When manual rule compilation, manual rule deployment, or both are enabled, the AFM user interface provides feedback about the compilation and deployment status of the current ruleset.
Task list
Configuring manual or automatic policy compilation for firewall rules
Compiling firewall rules manually
Configuring manual or automatic policy deployment for firewall rules
Deploying firewall rules manually
About firewall policy compilation statistics
When firewall rules are recompiled, whether automatically with a rule change, or manually with a manual compile event, the rule list or policy requires some server resources to compile. With large rule sets and deployments, even minor rule changes can cause very large recompilation events. You can view the resources used for policy compilation, either for the entire firewall or by context.
When viewed for a context, compiler statistics are displayed for the following items.
- Activation Time
- Displays the time at which firewall policies or rule lists were last activated on this context.
- Compilation Duration
- Displays the amount of time required to compile the rule sets or policies at the last activation.
- Compilation Size
- Displays the file size of the compiled rule sets or policies, after the last activation.
- Maximum Transient Memory
- Displays the maximum memory used to compile the rule sets or policies during the last activation.
When viewed for the entire firewall, compiler statistics are displayed for the following items.
- Firewall Compilation Mode
- Displays whether the firewall is configured to compile ruleset changes manually or automatically.
- Firewall Deployment Mode
- Displays whether the firewall is configured to deploy ruleset changes manually or automatically.
- Firewall Policy Status
- Displays whether the firewall ruleset is Consistent (all rules are currently compiled and deployed), Pending Rules Compilation (some rules have been changed, and the ruleset is not compiled), or Pending Rules Deployment (the ruleset is compiled, but not deployed).
- Compilation Start Time
- Displays the time at which the most recent firewall ruleset compilation event started.
- Compilation End Time
- Displays the time at which the most recent firewall ruleset compilation event completed.
- Last Successful Compilation Time
- Displays the time at which the last successful compilation occurred.
- Deployment Start Time
- Displays the most recent deployment start time.
- Deployment End Time
- Displays the most recent deployment end time.
- Number of Micro Rules
- Displays the number of micro rules compiled in the most recent ruleset compilation event.
- Active BLOB
- Displays the internal name for the active group of rules to be compiled.
- BLOB MD5 Verified
- Displays whether the BLOB MD5 is verified.