Manual Chapter : Firewall Rule Addresses and Ports

Applies To: BIG-IP AFM 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About firewall rule addresses and ports

In a Network Firewall rule, you have several options for defining addresses and ports. You can use one or more of these options to configure the ports and addresses to which a firewall rule applies.

Note: You can use any combination of inline addresses, ports, address lists, and port lists in a firewall rule.
Users, Groups, or User lists
You can specify predefined user lists, users, and groups. Users and groups must be specified in the form domain\user_name or domain\group_name. You can select user lists from a list. Users are defined on the BIG-IP® Access Policy Manager®.

Any (address or port)
In both Source and Destination address and port fields, you can select Any. This specifies that the firewall rule applies to any address or port.

Fully qualified domain names
You can specify source or destination addresses as fully qualified domain names. To do this, you must create a DNS resolver cache, and configure the network firewall FQDN Resolver option.

Inline addresses
An inline address is an IP address that you add directly to the network firewall rule, in either the Source or Destination Address field. You can specify a single IP address, multiple IP addresses, a contiguous range of IP addresses, or you can identify addresses based on their geographic location. IP addresses can be either IPv4 or IPv6, depending on your network configuration.

Address lists
An address list is a preconfigured list of IP addresses that you add directly to the BIG-IP system. You can select this list of addresses to use in either the Source or Destination Address field. An address list can also contain other address lists, and geographic locations.

Inline ports
An inline port is a port that you add directly to the network firewall rule, in either the Source or Destination Port field. You can add a single port, or a contiguous port range.

Port lists
A port list is a preconfigured list of ports that you add directly to the BIG-IP system. You can select this list of ports to use in either the Source or Destination Port field. You can also add port lists to other port lists.

About resolving DNS addresses in Network Firewall rules

You can configure a DNS resolver on the BIG-IP® system to resolve DNS queries and cache the responses, and provide the resolved DNS addresses to network firewall rules that use fully qualified domain names (FQDNs). The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the nameservers the system queries to resolve DNS queries.

After you create a DNS resolver, select it in the Network Firewall options so that firewall rules can resolve FQDNs and cache the resulting IP addresses.

Creating a DNS resolver

You configure a DNS resolver on the BIG-IP® system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache.
  1. On the Main tab, click Network > DNS Resolvers > DNS Resolver List.
    The DNS Resolver List screen opens.
  2. Click Create.
    The New DNS Resolver screen opens.
  3. In the Name field, type a name for the resolver.
  4. Click Finished.
Note: When you create an OAuth Server, creating a DNS Resolver with a forward zone named . (period) is mandatory to forward all requests.

Configuring the Network Firewall to use a DNS resolver

You must configure a DNS resolver on the BIG-IP® system before you select the DNS resolver in the firewall options.
The global DNS resolver specifies the DNS resolver that the network firewall uses when resolving fully qualified domain names (FQDNs) to IP addresses.
  1. On the Main tab, click Security > Options > Network Firewall.
    The Network Firewall screen opens to Firewall Options.
  2. In the FQDN Resolver area, from the Global Context list, select the DNS resolver.
  3. In the Refresh Interval field, specify how often the DNS resolver refreshes the IP addresses associated with fully qualified domain names, in minutes.
    The default refresh interval is 60 minutes.
  4. Click Update.
    The DNS resolver is configured for firewall rules.
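The refresh interval above governs how long a rule keeps using previously resolved addresses for an FQDN. The following Python model is an added example, not F5 code: it caches the answers from an injected lookup function (a constructed stub standing in for the DNS resolver) and re-queries only once the interval has elapsed, which makes visible the window during which a changed DNS record is not yet reflected in the rule. The list names, FQDN and addresses are constructed.

```python
"""Added example (not F5 code): a model of an FQDN firewall entry backed by a
resolver cache that is re-queried only when the refresh interval has elapsed.
The lookup function, FQDN and addresses are constructed so it runs offline."""
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

Lookup = Callable[[str], List[str]]  # hypothetical: FQDN -> answer addresses


class FqdnCache:
    """Holds the last resolved addresses for each FQDN and when they were resolved."""

    def __init__(self, lookup: Lookup, refresh_interval: float = 60 * 60) -> None:
        self.lookup = lookup
        self.refresh_interval = refresh_interval  # seconds; the page's default is 60 minutes
        self._entries: Dict[str, Tuple[float, Set]] = {}  # name -> (resolved_at, addresses)

    def addresses(self, name: str, now: float) -> Set:
        """Return cached addresses, re-resolving only when the entry is missing or stale."""
        entry = self._entries.get(name)
        if entry is None or now - entry[0] >= self.refresh_interval:
            resolved = {ipaddress.ip_address(a) for a in self.lookup(name)}
            self._entries[name] = (now, resolved)
            return resolved
        return entry[1]


def fqdn_rule_matches(cache: FqdnCache, name: str, packet_ip: str, now: float) -> bool:
    """Match the way a rule with an FQDN address would: against the cached set only."""
    return ipaddress.ip_address(packet_ip) in cache.addresses(name, now)


def demo(refresh_interval: float = 3600) -> Dict[str, bool]:
    """Walk through a DNS record change and show when the rule starts honouring it."""
    name = "app.example.test"
    answers = {name: ["192.0.2.10"]}  # constructed stub zone
    cache = FqdnCache(lookup=lambda n: answers[n], refresh_interval=refresh_interval)
    result: Dict[str, bool] = {}
    result["initial"] = fqdn_rule_matches(cache, name, "192.0.2.10", now=0)
    answers[name] = ["192.0.2.20"]  # the record changes well inside the interval
    result["old_ip_still_matches"] = fqdn_rule_matches(cache, name, "192.0.2.10", now=1000)
    result["new_ip_not_yet"] = fqdn_rule_matches(cache, name, "192.0.2.20", now=1000)
    result["new_ip_after_refresh"] = fqdn_rule_matches(cache, name, "192.0.2.20", now=refresh_interval)
    result["old_ip_after_refresh"] = fqdn_rule_matches(cache, name, "192.0.2.10", now=refresh_interval + 1)
    return result


if __name__ == "__main__":
    for step, matched in demo().items():
        print(f"{step}: {matched}")
```

Shortening the interval narrows the window in which a rule keyed on an FQDN enforces addresses the name no longer resolves to, at the cost of more resolver traffic.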

About address lists

An address list is simply a collection of addresses saved on the server, including fully qualified domain names, IP addresses, contiguous IP address ranges, geographic locations, and other (nested) address lists. You can define one or more address lists, and you can select one or more address lists in a firewall rule. Firewall address lists can be used in addition to inline addresses that are specified within a particular rule.

Creating an address list

Create an address list to apply to a firewall rule, in order to match IP addresses.
  1. On the Main tab, click Security > Network Firewall > Address Lists.
    The Address Lists screen opens.
  2. Click Create to create a new address list.
  3. In the Name and Description fields, type the name and an optional description.
  4. In the Addresses area, add and remove addresses.
    • To add an IP address, type the address and press Enter.
    • To add an IP address range, type the start and end IP addresses, separated by a dash, and press Enter.
    • To add an existing address list, start typing the name of the address list. A list of items (address lists and geographic locations) will appear. Select the address list and press Enter.
    • To add a geographic location, start typing the name of the geographic location. A list of items (address lists and geographic locations) will appear. Select the geographic location and press Enter.
    • To remove an address, select the address in the Addresses list and click the X.
    Address lists can contain FQDNs, IP addresses, IP address ranges, geographic locations, other address lists, or any combination of these.
  5. Click Finished.
    The list screen and the new items are displayed.

About port lists

A port list is simply a collection of ports saved on the server. A port list can also contain other port lists. You can define one or more port lists, and you can specify one or more port lists in a firewall rule. Firewall port lists can be used in addition to inline ports, specified within a particular firewall rule or policy.

Creating a port list

Create a port list to apply to a firewall rule, in order to match ports.
  1. On the Main tab, click Security > Network Firewall > Port Lists.
    The Port Lists screen opens.
  2. Click Create to create a new port list.
  3. In the Name and Description fields, type the name and an optional description.
  4. In the Ports area, add and remove ports.
    • To add a single port, type the port number and press the Enter key.
    • To add a contiguous range of ports, type the first port number, a dash, and the last port number, then press the Enter key.
    • To add an existing port list to the current port list, start typing the name of the port list. A list of port lists that match the typed input appears in the field. Select the port list you want to add, then press the Enter key.
    • To remove a port, port range, or port list, select the entry in the Ports area and click the small X to the right of the entry.
  5. Click Finished.
    The list screen and the new items are displayed.
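The address-list and port-list sections above both describe the same entry forms: a single value, a dash-separated contiguous range, and a reference to another list, with lists nesting inside lists. The following Python is an added example, not F5 code: it flattens both kinds of list (rejecting a list that references itself along a path), then answers the membership question a rule evaluates for a source address and a destination port. Geographic locations and FQDN entries are left out because they need external data; the list names and sample entries are constructed.

```python
"""Added example (not F5 code): membership checks for nested address lists and
port lists using the entry forms the chapter describes (single value, start-end
range, reference to another list). All list names and entries are constructed."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lists: each name maps to the entries typed into the list,
# in the same forms the Addresses / Ports fields accept.
ADDRESS_LISTS: Dict[str, List[str]] = {
    "mgmt_hosts": ["192.0.2.10", "2001:db8::10"],
    "branch_range": ["198.51.100.20-198.51.100.40"],
    "trusted": ["mgmt_hosts", "branch_range", "203.0.113.5"],
}
PORT_LISTS: Dict[str, List[str]] = {
    "web": ["80", "443"],
    "ephemeral": ["49152-65535"],
    "web_and_ephemeral": ["web", "ephemeral", "8443"],
}


def expand_address_list(name: str, lists: Dict[str, List[str]],
                        _seen: Optional[Set[str]] = None) -> List[Tuple[int, int, int]]:
    """Flatten a (possibly nested) address list into (ip_version, low, high) integer ranges.
    A list that appears twice along one reference path is a cycle and is rejected."""
    seen = (_seen or set()) | {name}
    if _seen is not None and name in _seen:
        raise ValueError(f"address list cycle at {name!r}")
    ranges: List[Tuple[int, int, int]] = []
    for entry in lists[name]:
        if entry in lists:                      # nested address list
            ranges.extend(expand_address_list(entry, lists, seen))
        elif "-" in entry:                      # contiguous range "start-end"
            lo_s, hi_s = (s.strip() for s in entry.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"bad address range {entry!r}")
            ranges.append((lo.version, int(lo), int(hi)))
        else:                                   # single IPv4 or IPv6 address
            a = ipaddress.ip_address(entry)
            ranges.append((a.version, int(a), int(a)))
    return ranges


def address_in_list(addr: str, name: str, lists: Dict[str, List[str]] = ADDRESS_LISTS) -> bool:
    """True when addr falls inside any range of the flattened list (same IP version)."""
    a = ipaddress.ip_address(addr)
    return any(v == a.version and lo <= int(a) <= hi
               for v, lo, hi in expand_address_list(name, lists))


def expand_port_list(name: str, lists: Dict[str, List[str]],
                     _seen: Optional[Set[str]] = None) -> List[Tuple[int, int]]:
    """Flatten a (possibly nested) port list into (low, high) ranges, rejecting cycles."""
    seen = (_seen or set()) | {name}
    if _seen is not None and name in _seen:
        raise ValueError(f"port list cycle at {name!r}")
    ranges: List[Tuple[int, int]] = []
    for entry in lists[name]:
        if entry in lists:                      # nested port list
            ranges.extend(expand_port_list(entry, lists, seen))
        else:                                   # "port" or "first-last"
            lo_s, _, hi_s = entry.partition("-")
            lo = int(lo_s)
            hi = int(hi_s) if hi_s else lo
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {entry!r}")
            ranges.append((lo, hi))
    return ranges


def port_in_list(port: int, name: str, lists: Dict[str, List[str]] = PORT_LISTS) -> bool:
    """True when port falls inside any range of the flattened port list."""
    return any(lo <= port <= hi for lo, hi in expand_port_list(name, lists))


def rule_matches(src_ip: str, dst_port: int,
                 src_list: str = "trusted", dst_port_list: str = "web_and_ephemeral") -> bool:
    """A rule whose Source Address is an address list and Destination Port is a port list."""
    return address_in_list(src_ip, src_list) and port_in_list(dst_port, dst_port_list)


if __name__ == "__main__":
    print(rule_matches("198.51.100.30", 443))   # inside branch_range, port in web
    print(rule_matches("198.51.100.41", 443))   # just past the range end
```

The cycle check matters when lists nest: a list that (transitively) contains itself would otherwise expand forever, and the same guard is what a validator for imported list definitions needs.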