Manual Chapter : Managing Service Timer and Port Misuse Policies

Applies To:


BIG-IQ Centralized Management

  • 5.1.0

About service, timer, and port misuse policies

A service policy allows you to associate network idle timers (timer policies) or port misuse policies on firewall contexts and rules.

You can discover a service policy on a BIG-IP® device version 12.0 or later, or you can create one on a BIG-IQ® Centralized Management system using the Network Security policy editor and then deploy it to a BIG-IP device version 12.0 or later. You can apply a service policy to the global, self IP address, or route domain context, and you can also add it to a rule in a rule list or to a rule on a security policy.

A service policy can contain timer policies or port misuse policies, or both. You create service policies, timer policies, and port misuse policies separately, and then you add the timer policies or port misuse policies to the service policies.

  • You use a timer policy, also known as a firewall idle timer, to configure timer rules that can be associated with firewall contexts and rules. You can discover a timer policy on a BIG-IP device version 12.0, or later, or create one on a BIG-IQ Centralized Management system using the Network Security policy editor and then deploy it to a BIG-IP device version 12.0, or later.
  • A port misuse policy allows you to configure a firewall context or rule to detect and drop network connections that are not using a required application or service for a given port. With a port misuse policy, you can configure ports to allow services, and drop all traffic that does not match the specified service type. You can configure port and service associations without regard for customary port and service pairings. You can discover a port misuse policy on a BIG-IP device version 12.1, or later, or create one on a BIG-IQ Centralized Management system using the Network Security policy editor, and then deploy it to a BIG-IP device version 12.1, or later.

Create a timer policy

You create a timer policy containing timer rules to add to a service policy that can be applied to the global, self IP address, or route domain contexts.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left, click Timer Policies.
  4. Click Create.
    The Timer Policies - New Item screen opens.
  5. In the Name field, type a name for the timer policy.
  6. In the Description field, type an optional description for the timer policy.
  7. If needed, change the default Common partition in the Partition field.
  8. To add timer rules, click the Timer Rules tab and click Create Timer Rule.
    A new rule is displayed with default name and values.
  9. Click the name of the new rule to enable editing for the rule fields.
  10. In the Name field, you may specify a more meaningful name than the default.
  11. From the Protocol list, select the protocol to be used. Select all-other as the protocol to have the rule apply to all other protocols not specified in another timer rule in the policy.
  12. From the Destination Ports list, specify one or more ports to use, if necessary. The default is to use any port.
    • Select Port to specify an individual port: type the port in the field provided, and then click +. You can enter multiple individual ports, one at a time.

      Enter 0 as the port value to specify all other ports that have not been specified using Port or Port Range.

    • Select Port Range to specify a range of ports: type the beginning port in the first field and the ending port of the range in the second field provided, and then click +. You can enter multiple port ranges, one at a time.
    • Select All Other to specify all other ports that have not been specified using Port or Port Range.
  13. From the Idle Timeout list, select the timeout option for the selected protocol.
    • Select Specify to set an explicit timeout for this protocol, in seconds. Type the number of seconds in the field provided.
    • Select Immediate to immediately apply this timeout to the protocol.
    • Select Indefinite to specify that this protocol never times out.
    • Select Unspecified to specify no timeout for the protocol. When this is selected, the system uses the default timeout for the protocol.
  14. Save your changes in one of two ways:
    • Click Save to save the timer policy rule.
    • Click Save & Close to save the timer policy rule and return to the Timer Policies screen.
The timer policy is now configured and can be added to a service policy.
You now need to add the timer policy to a service policy, and apply the service policy to a global, self IP address, or route domain context. You can also add it to a firewall rule on a policy, or in a rule list.
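To make the precedence of the timer rules above concrete (a rule for the flow's own protocol beats the all-other rule, and an explicit Port or Port Range beats port 0 / All Other), here is an added Python model of how a flow's idle timeout is resolved. It is example code, not F5's implementation: the per-protocol defaults used for Unspecified and the sample rules are constructed, and it assumes a rule with no ports ("any port") ranks the same as port 0.

```python
from dataclasses import dataclass, field

# Constructed per-protocol defaults, standing in for the BIG-IP defaults
# that apply when a rule's Idle Timeout is Unspecified.
PROTOCOL_DEFAULT_TIMEOUT = {"tcp": 300, "udp": 60, "icmp": 60}

@dataclass
class TimerRule:
    name: str
    protocol: str                 # e.g. "tcp", or "all-other" for unlisted protocols
    ports: list = field(default_factory=list)  # ints, (lo, hi) ranges; 0 = All Other; [] = any
    timeout: str = "unspecified"  # "specify", "immediate", "indefinite" or "unspecified"
    seconds: int = 0              # only used with "specify"

def ports_match_explicitly(rule, port):
    """True when the port is listed individually or falls inside a range."""
    for entry in rule.ports:
        if isinstance(entry, tuple) and entry[0] <= port <= entry[1]:
            return True
        if entry == port and port != 0:
            return True
    return False

def resolve_idle_timeout(policy, protocol, dst_port):
    """Return (rule_name, timeout) for a flow; timeout is seconds or a keyword.

    Assumption: a rule with no ports ranks with port 0 as the fallback.
    """
    def pick(proto):
        same = [r for r in policy if r.protocol == proto]
        explicit = [r for r in same if ports_match_explicitly(r, dst_port)]
        fallback = [r for r in same if 0 in r.ports or not r.ports]
        return (explicit or fallback or [None])[0]

    rule = pick(protocol) or pick("all-other")
    if rule is None or rule.timeout == "unspecified":
        return (rule.name if rule else None, PROTOCOL_DEFAULT_TIMEOUT.get(protocol))
    if rule.timeout == "specify":
        return (rule.name, rule.seconds)
    return (rule.name, rule.timeout)      # "immediate" or "indefinite"

# Constructed sample policy, as the Timer Rules tab would define it.
SAMPLE_TIMER_POLICY = [
    TimerRule("ssh-long", "tcp", [22], "specify", 3600),
    TimerRule("tcp-ephemeral", "tcp", [(1024, 65535)], "specify", 120),
    TimerRule("tcp-rest", "tcp", [0], "unspecified"),
    TimerRule("icmp-now", "icmp", [], "immediate"),
    TimerRule("everything-else", "all-other", [], "specify", 30),
]
```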

Create a port misuse policy

You create a port misuse policy containing port misuse rules to add to a service policy that can be applied to the global, self IP address, or route domain contexts.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left, click Port Misuse Policies.
  4. Click Create.
    The Port Misuse Policies - New Item screen opens.
  5. Type a name and an optional description for the port misuse policy.
  6. If needed, change the default Common partition in the Partition field.
  7. In the Default Actions row, select the default actions to occur when port misuse is detected. You can select none, one, or both options.
    • Select Drop on Service Mismatch to set a policy default that drops packets when the service does not match the port, as defined in the policy rules.
    • Select Log on Service Mismatch to set a policy default that logs service and port mismatches.
  8. To add port misuse rules, click the Port Misuse Policy Rules tab and click Create Port Misuse Rule.
    The screen displays a new port misuse rule with default name and values.
  9. Click the name of the new rule to enable editing for the rule fields.
  10. In the Name field, you may specify a more meaningful name than the default.
  11. In the Port field, select a port for the port matching rule.
    You can select from a list of commonly used ports, or select Other and specify a port number. The default port number is automatically supplied for the common ports.
  12. In the IP Protocol field, select the IP protocol for the port matching rule.
  13. In the Service field, select the service to use. This setting configures the association between the service and port number. Packets on this port that do not match the specified service type are dropped, if Drop on Service Mismatch is applied to this rule.
    You can specify a service on any port; you are not limited to customary port and service pairings. You can configure any service on any port as a rule in a port misuse policy.
  14. In the Drop on Service Mismatch list, select the drop behavior.
    • Select Yes to drop packets when the service does not match the port.
    • Select No to allow packets when the service does not match the port.
    • Select Use Policy Default to use the default action for packet drops, when the service does not match the port.
  15. In the Log on Service Mismatch list, select the behavior for logging packet drops.
    • Select Yes to log dropped packets when the service does not match the port.
    • Select No to not log packet drops when the service does not match the port.
    • Select Use Policy Default to use the default action for logging packet drops, when the service does not match the port.
  16. Save your changes.
You have configured the port misuse policy.
You now can add the port misuse policy to a service policy, and apply the service policy to a global, self IP address, or route domain context. You can also add it to a firewall rule on a policy, or in a rule list.
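The interaction between the policy-level Default Actions and each rule's Yes / No / Use Policy Default choices in steps 7, 14 and 15 is easiest to see in code. The following is an added Python model, not F5's code: the service names and the sample policy are constructed, and it assumes the drop and log decisions are resolved independently, so a mismatch can be logged without being dropped.

```python
from dataclasses import dataclass, field

@dataclass
class PortMisuseRule:
    port: int
    ip_protocol: str                  # "tcp" or "udp"
    service: str                      # the only service permitted on this port
    drop_on_mismatch: str = "use-policy-default"  # "yes", "no" or "use-policy-default"
    log_on_mismatch: str = "use-policy-default"

@dataclass
class PortMisusePolicy:
    default_drop: bool                # Default Actions: Drop on Service Mismatch
    default_log: bool                 # Default Actions: Log on Service Mismatch
    rules: list = field(default_factory=list)

def _resolve(setting, policy_default):
    """Map a rule's Yes / No / Use Policy Default choice to a bool."""
    if setting == "use-policy-default":
        return policy_default
    return setting == "yes"

def evaluate_port_misuse(policy, ip_protocol, port, detected_service):
    """Return (drop, log) for a flow whose application service was identified.

    Only ports that have a rule are checked; traffic on other ports passes.
    Assumption: drop and log are decided independently of each other.
    """
    for rule in policy.rules:
        if rule.port == port and rule.ip_protocol == ip_protocol:
            if detected_service == rule.service:
                return (False, False)
            return (_resolve(rule.drop_on_mismatch, policy.default_drop),
                    _resolve(rule.log_on_mismatch, policy.default_log))
    return (False, False)

# Constructed sample policy: drop and log by default, with per-rule overrides.
SAMPLE_PORT_MISUSE_POLICY = PortMisusePolicy(
    default_drop=True,
    default_log=True,
    rules=[
        PortMisuseRule(22, "tcp", "ssh"),                           # both policy defaults
        PortMisuseRule(443, "tcp", "https", drop_on_mismatch="no"), # log only
        PortMisuseRule(2222, "tcp", "ssh", log_on_mismatch="no"),   # non-customary pairing
        PortMisuseRule(53, "udp", "dns"),
    ],
)
```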

Create a service policy

You create a service policy to contain timer policies that can be applied to the global, self IP address, or route domain contexts. Service policies can also be added to a rule in a rule list or a rule on a security policy.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left click Service Policies.
  4. Click Create.
    The Service Policies - New Item screen opens.
  5. In the Name field type a name for the service policy.
  6. If needed, change the default Common partition in the Partition field.
  7. In the Description field, type an optional description for the service policy.
  8. Select a timer policy from those listed in the Timer Policy list.
    If no timer policy is listed, you need to create one and then assign it to the service policy.
  9. In the Pin Policy to Device(s) area, select the BIG-IP devices to be pinned to this policy, if needed. Pinning a BIG-IP device to a policy enables the policy to be deployed even if it is not associated with a firewall context for that device. You select the BIG-IP device to use by moving it from the Available list to the Selected list using the arrow buttons. You can filter the list of available BIG-IP devices using the filter field at the top of the Available list. Moving a BIG-IP device that is part of a cluster to the Selected list will cause the other member of the cluster to move to that list as well.
    If you have a self IP context with a static (non-floating) IP address, you may be required to assign the device depending on your cluster deployment settings. For example, this property must be set for a peer BIG-IP device that is part of a DSC cluster managed by the BIG-IQ Centralized Management system. You may be directed to set this property as a result of an evaluation critical error.
  10. Save your changes.
You have defined the service policy. You can now assign it to a global, self IP address, or route domain context. You can also add it to a rule in a rule list, or a rule on a security policy.

Apply a service policy to a firewall rule

You apply a service policy to a firewall rule to apply timer policies or port misuse policies to traffic that is matched by the firewall rule. The rule can be associated with a rule list or with a firewall security policy.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor.
  4. Display the list of rules from a rule list or from a firewall security policy in the policy editor.
    • If the rule is in a rule list: On the left, click Rule Lists, and then click the name of the rule list containing the rule. The rules are listed on the Rules tab.
    • If the rule is associated with a policy: On the left, click Firewall Policies, and then click the name of the policy containing the rule. The rules are listed on the Rules & Rule Lists tab.
  5. To make it editable, click the name of the rule to which you want to add the service policy.
  6. Add the service policy to the rule.
    • To add the service policy by typing: Type the name of the service policy in the Service Policy column for the rule. The system completes the name of the service policy once you begin typing it.
    • To add the service policy by drag and drop: In the Shared Resources area, select Service Policies, and then drag the service policy from that list and drop it into the Service Policy column for the rule.
  7. Save your changes.
The service policy is added to the rule.

Apply a service policy to a global context

You apply a service policy to a global firewall context to use a timer or port misuse policy with that context.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then from the list on the left, click Global.
  4. Click the name of the global context to open it for editing.
  5. Add the service policy to the Service Policy row:
    1. Click Add Service Policy.
    2. From the popup screen select the service policy to add.
    3. Click Select.
    You can also add a service policy by selecting Service Policies in the Shared Resources list, and then dragging one of the displayed service policies and dropping it onto the Service Policy row. To remove a service policy, click the X to the right of the service policy name in the Service Policy row.
  6. Save your changes.
The service policy is now associated with the global context.

Apply a service policy to a route domain context

You apply a service policy to a route domain firewall context in order to use a timer policy.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor and then Route Domain from the list on the left.
    If the Route Domain context is not displayed, click Contexts in the list to expand the list of contexts and display it.
  4. Click the name of the route domain to open it for editing.
  5. Add the service policy to the Service Policy row:
    1. Click Add Service Policy.
    2. From the popup screen select the service policy to add.
    3. Click Select.
    You can also add a service policy by selecting Service Policies in the Shared Resources list, and then dragging one of the displayed service policies onto the Service Policy row. To remove a service policy, click the X to the right of the service policy name in the Service Policy row.
  6. Save your changes.
The service policy is now associated with the route domain context.

Apply a service policy to a self IP address context

You apply a service policy to a self IP address firewall context so you can use a timer policy.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left click Self IP.
  4. Click the name of the self IP address to open it for editing.
  5. Add the service policy to the Service Policy row:
    1. Click Add Service Policy.
    2. From the popup screen select the service policy to add.
    3. Click Select.
    You can also add a service policy by selecting Service Policies in the Shared Resources list, and then dragging one of the displayed service policies and dropping it onto the Service Policy row. To remove a service policy, click the X to the right of the service policy name in the Service Policy row.
  6. Save your changes.
The service policy is now associated with the self IP address context.

Delete a timer policy

You can delete obsolete timer policies that are no longer used by a service policy to avoid clutter in the user interface.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left, click Timer Policies.
  4. Select the check box to the left of any timer policy that you want to remove.
  5. Click Delete.
  6. Confirm that you want to remove the timer policy by clicking Delete in the confirmation dialog box.
The system removes the selected timer policies.

Delete a port misuse policy

You can delete obsolete port misuse policies that are no longer used by a service policy to avoid clutter in the user interface.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left, click Port Misuse Policies.
  4. Select the check box to the left of any port misuse policy that you want to remove.
  5. Click Delete.
  6. Confirm that you want to remove the port misuse policy by clicking Delete in the confirmation dialog box.
The system removes the selected port misuse policy.

Delete a service policy

You should delete service policies that are no longer used, to simplify your view.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Policy Editor, and then in the list on the left click Service Policies.
  4. Select the check box to the left of any service policy you want to remove.
  5. Click Delete.
  6. Confirm that you want to remove the service policy by clicking Delete in the confirmation dialog box.
The system removes the selected service policies.