Applies To:
BIG-IQ Centralized Management
- 5.1.0
About service, timer, and port misuse policies
A service policy allows you to associate network idle timers (timer policies) or port misuse policies with firewall contexts and rules.
You can discover a service policy on a BIG-IP® device, version 12.0 or later, or you can create one on a BIG-IQ® Centralized Management system using the Network Security policy editor and then deploy it to a BIG-IP device, version 12.0 or later. You can apply a service policy to the global, self IP address, or route domain context. You can also add it to a rule in a rule list, or to a rule in a security policy.
A service policy can contain timer policies or port misuse policies, or both. You create service policies, timer policies, and port misuse policies separately, and then you add the timer policies or port misuse policies to the service policies.
- You use a timer policy, also known as a firewall idle timer, to configure timer rules that can be associated with firewall contexts and rules. You can discover a timer policy on a BIG-IP device version 12.0, or later, or create one on a BIG-IQ Centralized Management system using the Network Security policy editor and then deploy it to a BIG-IP device version 12.0, or later.
- A port misuse policy allows you to configure a firewall context or rule to detect and drop network connections that are not using a required application or service for a given port. With a port misuse policy, you can configure ports to allow services, and drop all traffic that does not match the specified service type. You can configure port and service associations without regard for customary port and service pairings. You can discover a port misuse policy on a BIG-IP device version 12.1, or later, or create one on a BIG-IQ Centralized Management system using the Network Security policy editor, and then deploy it to a BIG-IP device version 12.1, or later.
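The version requirements above differ by object type (12.0 for service and timer policies, 12.1 for port misuse policies), so a service policy that contains a port misuse policy cannot go to a 12.0 device. The following pre-deployment check is an added example, not F5 code; the data layout, policy names, device names, and assignments are hypothetical and constructed for illustration.

```python
# Added example: the minimum BIG-IP versions are the ones stated above;
# the data layout and every name below are hypothetical.
import re

MIN_VERSION = {"service": (12, 0), "timer": (12, 0), "port_misuse": (12, 1)}

def parse_version(text):
    """Return (major, minor) from strings such as '12.1.0' or '12.0.0 HF2'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def required_version(service_policy):
    """Highest minimum version among the service policy and what it contains."""
    need = MIN_VERSION["service"]
    for kind in ("timer", "port_misuse"):
        if service_policy.get(kind):
            need = max(need, MIN_VERSION[kind])
    return need

def check_deployment(service_policies, devices, assignments):
    """List (device, policy, reason) for each assignment the device cannot accept."""
    problems = []
    for device, policy_name in assignments:
        policy = service_policies.get(policy_name)
        if policy is None:
            problems.append((device, policy_name, "service policy not defined"))
            continue
        have = parse_version(devices[device])
        need = required_version(policy)
        if have < need:
            reason = f"needs {need[0]}.{need[1]} or later, device runs {devices[device]}"
            problems.append((device, policy_name, reason))
    return problems

# Constructed sample inventory (not from the page).
SERVICE_POLICIES = {
    "sp_idle_only": {"timer": "tp_ssh_idle", "port_misuse": None},
    "sp_strict_web": {"timer": "tp_web_idle", "port_misuse": "pmp_http_only"},
}
DEVICES = {"bigip-a": "12.1.0", "bigip-b": "12.0.0 HF2", "bigip-c": "11.6.1"}
ASSIGNMENTS = [("bigip-a", "sp_strict_web"), ("bigip-b", "sp_idle_only"),
               ("bigip-b", "sp_strict_web"), ("bigip-c", "sp_idle_only"),
               ("bigip-a", "sp_missing")]

if __name__ == "__main__":
    for device, policy, reason in check_deployment(SERVICE_POLICIES, DEVICES, ASSIGNMENTS):
        print(f"{device}: {policy}: {reason}")
```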
Create a timer policy
Create a port misuse policy
Create a service policy
Apply a service policy to a firewall rule
- Log in to the BIG-IQ® Centralized Management system with your user name and password.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Policy Editor.
- Display the list of rules from a rule list or from a firewall security policy in the policy editor.

  | Option | Description |
  | --- | --- |
  | If the rule is in a rule list: | On the left, click Rule Lists, and then click the name of the rule list containing the rule. The rules are listed on the Rules tab. |
  | If the rule is associated with a policy: | On the left, click Firewall Policies, and then click the name of the policy containing the rule. The rules are listed on the Rules & Rule Lists tab. |

- To make it editable, click the name of the rule to which you want to add the service policy.
- Add the service policy to the rule.

  | Option | Description |
  | --- | --- |
  | Add the service policy by typing. | Type the name of the service policy in the Service Policy column for the rule. The system completes the name of the service policy once you begin typing it. |
  | Add the service policy by drag and drop. | In the Shared Resources area, select Service Policies, and then drag the service policy from that list and drop it into the Service Policy column for the rule. |

- Save your changes.
Apply a service policy to a global context
Apply a service policy to a route domain context
Apply a service policy to a self IP address context
Delete a timer policy
- Log in to the BIG-IQ® Centralized Management system with your user name and password.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Policy Editor, and then in the list on the left, click Timer Policies.
- Select the check box to the left of any timer policy that you want to remove.
- Click Delete.
- Confirm that you want to remove the timer policy by clicking Delete in the confirmation dialog box.
Delete a port misuse policy
- Log in to the BIG-IQ® Centralized Management system with your user name and password.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Policy Editor, and then in the list on the left, click Port Misuse Policies.
- Select the check box to the left of any port misuse policy that you want to remove.
- Click Delete.
- Confirm that you want to remove the port misuse policy by clicking Delete in the confirmation dialog box.
Delete a service policy
- Log in to the BIG-IQ® Centralized Management system with your user name and password.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Policy Editor, and then in the list on the left, click Service Policies.
- Select the check box to the left of any service policy that you want to remove.
- Click Delete.
- Confirm that you want to remove the service policy by clicking Delete in the confirmation dialog box.