Manual Chapter : Managing Network Security Objects

Applies To:

BIG-IQ Centralized Management

  • 5.2.0

About common objects in Network Security

In Network Security, the common objects that you can view and manage include:

Firewall Contexts
Category of object to which a rule applies. In this case, category refers to objects such as Global, Route Domain, Self IP, Virtual Server, or Management. Within each context, rules can be viewed and reorganized separately. It is possible to have multiple layers of firewalls on a single BIG-IP® device. These layers constitute the firewall hierarchy. Within the firewall hierarchy, rules progress from Global, to Route Domain, and then to either Virtual Server or Self IP.
Firewall policies
Set of rules and/or rule lists that specify traffic-handling actions and define the parameters for filtering network traffic. You can assign rule lists or a policy to a firewall. Firewall policies facilitate the assigning of a common collection of rules consistently across multiple firewalls.
Rule lists
Containers for rules; rules are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list.
Address lists
Collections of IPv4 or IPv6 addresses, address ranges, nested address lists, geolocations and subnets. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses or address ranges in a given address list to either the source or the destination IP address, depending on how the list is applied. Firewall rules can also compare all geolocations in a given address list to either the source or the destination location, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
Port lists
Collections of ports and port ranges. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific ports in IP packets. As with address lists, firewall rules compare all ports and port ranges in a given port list to either the source or the destination port, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
Rule schedules
Rule schedules are assigned to firewall rules, rule lists, and policies to control when those rules, rule lists, and firewall policies are active on the firewall. You can hover over a schedule name to see the full name displayed in a tooltip, which is useful when the name is longer than the display field.

Adding objects

You add firewall policy objects using the policy editor.
Note: Address lists and port lists are containers and must contain at least one entry. You cannot create an empty list; you cannot remove an entry from a list if it is the only entry.
  1. Click the type of object you want to add in the navigation list to the left, then click Create at the top of the object pane on the right.
  2. In the opened screen, populate the property fields as required.
    • All fields that are outlined in gold are required.
    • The Partition field is outlined in gold, and although it is pre-populated with Common, it is an editable field.
    • You can press Tab to advance from field to field.
  3. When you are finished, click Save to save your changes, or click Save & Close to save and close the current window.

Viewing and editing objects

You use the BIG-IQ® Network Security policy editor to select firewall policy objects for deeper inspection or edit.
Note: Address lists and port lists are containers, and must contain at least one entry. You cannot create an empty list; you cannot remove an entry in a list if it is the only entry.
  1. Navigate to the object you want to edit.
  2. Click the name of the object that you want to edit.
  3. Edit the properties and other areas as required.
    You can use the keyboard Tab to advance from field to field.
  4. When you are finished, click Save to save your edits, or click Save & Close to save and release the lock.

Adding objects to firewall contexts and rules

BIG-IQ® Network Security enables you to add objects to firewall contexts and rules (used in rule lists and firewall policies).
  1. Navigate to the context, rule list or firewall policy to which you want to add an object.
    • If you are editing a firewall context, click the name of the context, then on the Properties tab click the name of the enforced firewall policy, and select Rule & Rule Lists so that the rules for the enforced policy are visible.
    • If you are editing a rule list, click the name of the rule list to add to, and select Rules so that the rules are visible.
    • If you are editing a firewall policy, click the name of the policy to add to, and select Rule & Rule Lists so that the rules are visible.
  2. Click on an existing rule, click Create Rule to create a new rule, or click Add Rule List to add a rule list as needed.
  3. In the toolbox at the bottom, select the type of object you want to add from the drop down list. The objects matching that type are listed.
  4. Drag the object you want onto the indicated area.
  5. When you are finished, click Save to save your edits, or click Save & Close to save and release the lock.

Renaming objects

BIG-IQ® Network Security does not support renaming an object.

As an alternative to renaming an object, you can create a new object and replace the original object where it is in use.

  1. Create the new object. Consider cloning the object as the fastest and most reliable way to create a new object with the same content as the original but with a new name.
  2. Locate every instance of the original object by hovering over the object, right-clicking, and selecting Filter 'related to'.
    A count appears next to each object type in the navigation list on the left, indicating how many objects of that type use the original object.
  3. Navigate to each instance where the original object is in use, and replace it with a reference to the newly-created object.
  4. Remove the original object.
    Clear the filter by clicking the X to the right of the filter text, shown just below the filter entry box at the top of the navigation list.
    Note: You cannot remove an object that is still in use.

Cloning objects

BIG-IQ® Network Security enables you to clone an object to create a copy that you then modify. For example, an object can serve as a template: you clone it, edit the copy, and use the copy in a different way without touching the original.
  1. Navigate to the type of object you want to clone.
  2. Click the checkbox to the left of the object that you want to clone.
  3. Click Clone.
    The system displays a copy of the object with the original object's name with -CLONE appended to the name and a blank Description field.
  4. In the opened screen, populate the property fields as required.
    • All fields that are outlined in gold are required.
    • The Partition field is outlined in gold, and although it is pre-populated with Common, it is an editable field.
    • You can press Tab to advance from field to field.
  5. When you are finished, click Save to save your changes, or click Save & Close to save and close the current window.
The cloned object is added to the existing list in the appropriate section.

Removing objects

From the BIG-IQ® Network Security policy editor, you can remove shared objects.
  1. Navigate to the type of object you want to remove.
  2. Click the checkbox to the left of the object that you want to remove, and click Delete.
    A popup information screen opens.
  3. Respond to the popup screen prompt:
    • If the object is being used by another object, policy, rule, or rule list, you cannot remove it; click Cancel.
    • If the object can be removed, click Delete to confirm the removal.

Filtering content in firewall policies

There are several filter fields you can use to select the data displayed for firewall objects. The filter text you enter is used to perform a search of the underlying object's representation in storage (in JSON), which includes not only the name and other displayed data, but also metadata for the object, such as timestamps. Make the text you enter in the filter field specific enough to uniquely identify the one or more objects you want to display.

  1. Go to Configuration > SECURITY > Network Security .
  2. Edit one of the firewall policy objects, such as the firewall policy.
  3. In the appropriate filter text field, type the text you want to filter on, and press Enter.
    Option Description
    Filter field at top right of screen
    Use the filter field at the top right of the screen to search only the displayed objects for a match to the filter. You select filter options by clicking the arrow to the left of the filter field, and then selecting an option from each option group. The bottom option group in the list controls whether the filter text must be a partial match or an exact match.
    • Contains indicates that the filter text matches any object that contains it. This is the default. When searching for times or dates, such as those in a schedule, a partial time, such as September, may be specified.
    • Exact indicates that the filter text matches any object that exactly matches it. This match is not case-sensitive. When searching for times or dates, such as those in a schedule, the complete time and date must be specified.

    The top option group in the list controls which objects are filtered. Not all options are displayed on all screens; if none of these options (IP Address, Name or Port) is displayed, the default is All.

    • All indicates that all objects should be filtered using the filter text.
    • IP Address indicates that only IP address objects should be filtered using the filter text. A complete IPv4 or IPv6 address must be entered as the filter text.
      • When used with the Contains option, the filter text is matched by an IPv4 or IPv6 address that is the same as the filter text, or by an IPv4 address range or subnet that includes the filter text. IPv6 addresses cannot be found within a range or subnet.
      • When used with the Exact option, the filter text is matched only by an IPv4 or IPv6 address that is the same as the filter text.
    • Name indicates that only object names should be filtered using the filter text.
    • Port indicates that only port objects should be filtered using the filter text. A complete port number must be entered as the filter text.
      • When used with the Contains option, the filter text is matched by a port number that is the same as the filter text, or a port number range that includes the filter text.
      • When used with the Exact option, the filter text is matched by a port number that is the same as the filter text only.

    If the navigation list is displayed, a count of the matching objects appears to the right of each object type in the navigation list.

    To remove the filter, click the X to the right of the filter expression area near the filter field.

    Filter field in Toolbox at bottom
    Use the filter field in the upper right of the toolbox (displayed at the bottom of the page when active) to search the shared objects list in the toolbox and display only those that have a full or partial match to the filter. To remove the filter, click the X to the right of the filter expression area near the filter field.

    When specifying a date in a filter, only these date and time formats are supported:

    • Sep 1, 2015 2:05:04 PM
    • Sep 1, 2015 2:05:04 AM
    • Sep 1, 2015 14:05:04
    • Sep 1, 2015 2:05
    • Sep 1, 2015
    • Sep 1 2015
    • Sep 1
    • September 1
    • 2015-09-01T14:05:04
    • 2015-09-01T14:05
    • 2015-09-01
    • 2015-09
    • 2015
    You clear filter fields by clicking the X to the right of the filter field.
Objects are filtered on the text entered and a count for each appears to the right of each object type.
Note: Filter matches are only displayed for an object and its containing object. For example, when a filter matches a rule name in a rule list within a policy, only the rule and rule list will be shown as matching, but the policy will not.

About address lists

Address lists are collections of IPv4 or IPv6 addresses, address ranges, nested address lists, geolocations and subnets saved on a server and available for use in firewall rules, rule lists and firewall policies.

Firewall rules refer to address lists to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses from the list to either the source or the destination IP address (in IP packets), depending on how the list is applied. Firewall rules can also compare all geolocations in a given address list to either the source or the destination location, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.

You can see the content of an address list by hovering over its name in the policy editor. If an address list is nested, the tooltip displayed by the hovering will only show the first-level contents. To view address list names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.

Note: Before nesting an address list inside an address list, check to be sure this option is supported on each BIG-IP® device where you intend to deploy the address list.

Address lists are containers and must contain at least one entry. You cannot create an empty address list; you cannot remove an entry in an address list if it is the only one.

You can add geolocation awareness to address lists, which enables you to specify source or destination IP addresses by geographic location. Thus, you can specify firewall behavior for traffic to/from entire geographic regions by defining rules based on where the source or destination system is, rather than on its IP address (source or destination). BIG-IQ® Network Security supports specifying geolocation in rules and address lists. The geolocation is validated when the rule or address list is saved.

Note: If you use a geolocation spec that is valid on the BIG-IQ Network Security system, but not supported on a particular BIG-IP® device because the device has a different geolocation database, it causes a deployment failure for that device. Importing a BIG-IP device with an invalid geolocation spec causes a discovery failure for that device.

Adding address types to address lists

BIG-IQ® Network Security enables you to add addresses, address ranges, nested address lists, or geolocation to an existing address list.
  1. Navigate to the Address Lists area (Policy Editor > Address Lists).
  2. Click the name of the address list that you want to edit.
  3. Click the Addresses tab and then click the + icon to the right of an address.
    A new row is added to the list of addresses under that row.
  4. From the list under the Type column, select Address, Address Range, Address List, Domain Name or Country/Region.
    • If you select Address List, in the Addresses field type the first letter of an existing address list. A list of existing address lists appears from which you can select the list to nest.
    • If you select Address, in the Addresses field supply the address.
    • If you select Address Range, in the Addresses field supply the beginning range address in the top field and the ending range address in the bottom field.
    • If you select Domain Name, in the Addresses field supply the domain name.
    • If you select Country/Region, in the Addresses field select a country from the top list and optionally a region in that country from the bottom list.
  5. When you are finished, click Save to save your edits, or click Save & Close to save and release the lock.

Removing entries from address lists

BIG-IQ® Network Security allows you to remove entries from address lists.
  1. Navigate to the Address Lists area (Policy Editor > Address Lists).
  2. Click the name of the address list that you want to edit.
  3. Click the X icon to the right of the address list entry to remove.
    The entry is highlighted in red and marked to be deleted. The entry will be deleted when you click Save or Save & Close.
  4. When you are finished, click Save to save your edits, or click Save & Close to save and release the lock.

Address list properties and addresses

Property Description
Name Unique, user-provided name for the address list. The text field accepts up to and including 255 characters, including the partition name.
Description Optional description of the address list.
Partition Field pre-populated with Common (the default). This field is editable when creating or cloning address lists.
Type After locking the address list for editing, select one of the following:
  • Address. Then, type the address in the Addresses field. You can also enter an address range in this field by typing a range in the format: n.n.n.n-n.n.n.n.
  • Address Range. The Addresses field becomes two fields separated by "to." Type the beginning address and ending addresses in these fields as appropriate.
  • Address List. When you type the first letter of a saved list, the Addresses field populates with a picker list that displays saved address lists. You then select from the list.
  • Country/Region. From the first Addresses list, select a country. Once you select a country, the second list automatically updates with all available regions for that country. Optionally, select a region from the second list. The wildcard, Unknown, is supported. Note that geolocation is not supported on the management IP context.
Addresses IPv4 or IPv6 address, address range, or nested address list. There are many ways an IPv4 or IPv6 address or address range can be constructed. The following methods and examples are not meant to be exhaustive.
  • IPv4 format: a.b.c.d[/prefix]. For example: 60.63.10.10.
  • IPv6 format: a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329.
  • IPv6 abbreviated form is supported. You can shorten IPv6 addresses as defined in RFC 4291.
  • You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. Example IPv6 subnet: 2001:db8:a::/64.
  • You can append a route domain to an address using the format %RouteDomainID/Mask. For example: 12.2.0.0%44/16.
Description Optional text field used to describe the address, address range, or nested address list.
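The entry formats in the table above and the IP Address filter behaviour described under Filtering content in firewall policies (Contains matches an identical address or an IPv4 range or subnet that includes it; Exact matches an identical address only; IPv6 addresses are never found inside a range or subnet) fit together in one small model. The following Python is an added example written for this chapter, not BIG-IQ code or its REST API: it parses entries written the way the Addresses field accepts them, including the n.n.n.n-n.n.n.n range form and the %RouteDomainID/Mask suffix, and then applies the two filter modes to a constructed address list. The sample entries, the AddressEntry class and the assumption that a % in an entry always introduces a route domain are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address-list entries in the formats the chapter lists: a single
# address, a subnet with /prefix, an n.n.n.n-n.n.n.n range and a %RouteDomainID/Mask
# suffix. Sample data only, not taken from a device.
SAMPLE_ENTRIES = (
    "60.63.10.10",
    "60.63.10.0/24",
    "10.0.0.1-10.0.0.20",
    "12.2.0.0%44/16",
    "2001:db7:3f4a:9dd:ca90:ff00:42:8329",
    "2001:db8:a::/64",
)


@dataclass(frozen=True)
class AddressEntry:
    text: str                    # the entry exactly as typed into the Addresses field
    kind: str                    # "address", "subnet" or "range"
    route_domain: Optional[int]  # the %ID part, or None when absent
    networks: Tuple              # one network for address/subnet, one or more for a range


def _split_route_domain(body: str) -> Tuple[str, Optional[int]]:
    """'12.2.0.0%44/16' -> ('12.2.0.0/16', 44). Assumption: '%' is always the
    route-domain marker here, as in the chapter's example."""
    if "%" not in body:
        return body, None
    addr, tail = body.split("%", 1)
    rd, slash, mask = tail.partition("/")
    return (f"{addr}/{mask}" if slash else addr), int(rd)


def parse_entry(text: str) -> AddressEntry:
    """Parse one Addresses-field entry; ValueError is the malformed-input case."""
    body, rd = _split_route_domain(text.strip())
    if "-" in body:                                     # n.n.n.n-n.n.n.n range
        lo_s, hi_s = body.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {text!r}")
        return AddressEntry(text, "range", rd,
                            tuple(ipaddress.summarize_address_range(lo, hi)))
    net = ipaddress.ip_network(body, strict=False)     # a.b.c.d or a.b.c.d/prefix
    kind = "address" if net.num_addresses == 1 else "subnet"
    return AddressEntry(text, kind, rd, (net,))


def entry_matches(filter_text: str, entry: AddressEntry, exact: bool) -> bool:
    """IP Address filter semantics: Exact matches only an identical address;
    Contains also matches an IPv4 range or subnet that includes the filter
    address. An IPv6 filter address is matched only by an identical address."""
    addr = ipaddress.ip_address(filter_text)           # a complete address is required
    if entry.kind == "address":
        return entry.networks[0].network_address == addr
    if exact or addr.version == 6:
        return False
    return any(addr in net for net in entry.networks)


def matching_entries(filter_text: str, texts=SAMPLE_ENTRIES, exact: bool = False) -> List[str]:
    """Return the entries of an address list that the filter would leave visible."""
    return [t for t in texts if entry_matches(filter_text, parse_entry(t), exact)]


if __name__ == "__main__":
    for ft, ex in (("60.63.10.10", False), ("60.63.10.10", True), ("10.0.0.7", False),
                   ("12.2.5.5", False), ("2001:db8:a::1", False)):
        print(f"{ft:<16} {'Exact' if ex else 'Contains':<8} -> {matching_entries(ft, exact=ex)}")
```

Filtering for 60.63.10.10 with Contains returns both the single address and the /24 that holds it, while Exact returns only the single address; filtering for 2001:db8:a::1 returns nothing even though 2001:db8:a::/64 covers it, which is the IPv6 caveat from the filter section.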

About port lists

Port lists are collections of ports, port ranges, or nested port lists saved on a server and available for use in firewall rules, rule lists, and firewall policies.

Firewall rules refer to port lists to allow or deny access to specific ports in IP packets. They compare a packet's source port and/or destination port with the ports in a port list. If there is a match, the rule takes an action, such as accepting or dropping the packet. Port lists are containers and must contain at least one entry. You cannot create an empty port list; you cannot remove an entry in a port list if it is the only one.

You can see the content of a port list by hovering over its name in the policy editor. If a port list is nested, the tooltip displayed will only show the first-level contents. To view port list names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.

Note: Before nesting a port list inside a port list, check to be sure this option is supported on the BIG-IP® device where you intend to deploy the port list.

Adding port types to port lists

BIG-IQ® Network Security enables you to add ports, port ranges, or nested port lists to an existing port list.
  1. Navigate to the Port Lists area (Policy Editor > Port Lists).
  2. Click the name of the port list that you want to edit.
  3. Click the + icon to the right of a port.
    A new row is added to the Ports table under that row.
  4. From the Type list, select Port, Port Range, or Port List.
    If you select Port List, type the first letter of an existing port list in the Ports field; a list of existing port lists appears from which you can select the list to nest.
  5. When you are finished, click Save to save your edits, or click Save & Close to save and release the lock.

Removing entries from port lists

BIG-IQ® Network Security enables you to remove entries from port lists.
  1. Navigate to the Port Lists area (Policy Editor > Port Lists).
  2. Click the name of the port list from which you want to remove an entry.
  3. Click the X icon to the right of the port list entry to remove.
    The entry is highlighted in red and marked to be deleted. The entry will be deleted when you click Save or Save & Close.
  4. When you are finished, click Save to save your edits, or click Save & Close to save and release the lock.

Port list properties and ports

Property Description
Name Unique name used to identify the port list.
Description Optional description for the port list.
Partition Field pre-populated with Common (the default). This field is editable when creating or cloning port lists.
Type Select one of the following:
  • Port. Then, enter the port in the Ports field. You can also enter a port range in this field by entering a range in the format: n-n. Valid port numbers are 1-65535.
  • Port Range. The Ports field becomes two fields separated by "to." Type the beginning port and ending port in these fields as appropriate.
  • Port List. When you type the first letter of a saved list, the Ports field is populated with a picker list that displays saved port lists. You then select from the list.
Ports Port, port range, or port list. Valid port numbers are 1-65535.
Description Optional text field used to describe the port, port range, or nested port list.
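The rules spread across the port list sections above (a list must hold at least one entry, the only entry cannot be removed, an object still in use cannot be deleted, lists can nest, and the Port filter's Contains and Exact modes) are easiest to see enforced together. The Python below is an added example for this chapter, not BIG-IQ's own code: PortListStore is an in-memory stand-in for the saved shared objects, the "list:" prefix is the example's own way of writing a nested port-list entry, and the sample lists are constructed. It also rejects a nesting that loops back on itself, a case the chapter does not discuss but which any resolver of nested lists has to handle.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PORT_MIN, PORT_MAX = 1, 65535   # valid port numbers per the chapter
NESTED = "list:"                # constructed marker for a nested port-list entry


def parse_port_entry(text: str) -> Tuple[int, int]:
    """'443' -> (443, 443); '8000-8080' -> (8000, 8080). Rejects values outside
    1-65535 and inverted ranges, as the editor's field validation would."""
    lo_s, _, hi_s = text.strip().partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not PORT_MIN <= lo <= hi <= PORT_MAX:
        raise ValueError(f"invalid port entry: {text!r}")
    return lo, hi


@dataclass
class PortList:
    name: str
    entries: List[str] = field(default_factory=list)


class PortListStore:
    """In-memory stand-in for the saved shared objects (not BIG-IQ storage)."""

    def __init__(self) -> None:
        self.lists: Dict[str, PortList] = {}

    def create(self, name: str, entries: List[str]) -> PortList:
        if not entries:
            raise ValueError("a port list must contain at least one entry")
        self.lists[name] = PortList(name)
        try:
            for e in entries:
                self.add_entry(name, e)
        except ValueError:
            del self.lists[name]          # creation is all-or-nothing
            raise
        return self.lists[name]

    def add_entry(self, name: str, entry: str) -> None:
        if entry.startswith(NESTED):
            if entry[len(NESTED):] not in self.lists:
                raise ValueError(f"unknown nested port list {entry!r}")
        else:
            parse_port_entry(entry)
        self.lists[name].entries.append(entry)
        try:
            self.resolve(name)            # would this nesting loop back on itself?
        except ValueError:
            self.lists[name].entries.pop()
            raise

    def remove_entry(self, name: str, entry: str) -> None:
        pl = self.lists[name]
        if len(pl.entries) == 1:
            raise ValueError("cannot remove the only entry in a port list")
        pl.entries.remove(entry)

    def delete(self, name: str) -> None:
        users = [o.name for o in self.lists.values() if NESTED + name in o.entries]
        if users:
            raise ValueError(f"{name!r} is still in use by {users}")
        del self.lists[name]

    def resolve(self, name: str, _seen: frozenset = frozenset()) -> List[Tuple[int, int]]:
        """Flatten nested lists into (lo, hi) ranges in place of each nested entry."""
        if name in _seen:
            raise ValueError(f"nested port lists form a cycle at {name!r}")
        out: List[Tuple[int, int]] = []
        for e in self.lists[name].entries:
            if e.startswith(NESTED):
                out.extend(self.resolve(e[len(NESTED):], _seen | {name}))
            else:
                out.append(parse_port_entry(e))
        return out

    def filter_matches(self, name: str, port: int, exact: bool = False) -> List[str]:
        """Port filter: Exact matches an identical port; Contains also matches a
        range that includes it. Nested-list entries are not port objects."""
        hits = []
        for e in self.lists[name].entries:
            if not e.startswith(NESTED):
                lo, hi = parse_port_entry(e)
                if lo == hi == port or (not exact and lo <= port <= hi):
                    hits.append(e)
        return hits


def demo() -> Dict[str, object]:
    """Exercise the container rules on constructed lists; returns what happened."""
    store = PortListStore()
    store.create("web", ["80", "443"])
    store.create("app", ["8000-8080", NESTED + "web"])
    out: Dict[str, object] = {
        "app_resolved": store.resolve("app"),
        "filter_contains": store.filter_matches("app", 8043),
        "filter_exact": store.filter_matches("app", 8043, exact=True),
    }
    attempts = (("empty_list", lambda: store.create("empty", [])),
                ("bad_port", lambda: store.create("bad", ["0", "70000"])),
                ("cycle", lambda: store.add_entry("web", NESTED + "app")),
                ("delete_in_use", lambda: store.delete("web")))
    for label, fn in attempts:
        try:
            fn()
            out[label] = "allowed"
        except ValueError as exc:
            out[label] = "rejected: " + str(exc)
    store.remove_entry("web", "80")
    out["web_after_remove"] = list(store.lists["web"].entries)
    try:
        store.remove_entry("web", "443")
        out["remove_last"] = "allowed"
    except ValueError:
        out["remove_last"] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<18} {v}")
```

Running demo() shows the "app" list flattening to [(8000, 8080), (80, 80), (443, 443)], the empty list, the out-of-range port, the self-referencing nesting and the delete-while-in-use all rejected, and the last remaining entry of "web" refusing removal.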

About rule schedules

The Rule Schedules screen displays the defined rule schedules. By default, all rules, rule lists, and policies run continuously. Rule schedules are continuously active if created without any scheduling specifics (such as the hour that the rule schedule starts).

You apply a rule schedule to a rule to make that rule active only when needed.

Rule schedule properties

This table lists and describes the properties required when configuring firewall rule schedules.

Property Description
Name Specifies a unique, user-provided name for the rule schedule.
Description Specifies an optional description for the rule schedule.
Partition Displays the read-only name of the partition associated with the rule schedule.
Date Range Specifies the date and time when the rule can be active. Select one of the options:
Indefinite
Specifies that the rule schedule start immediately and run indefinitely. The rule schedule remains active until you change the date range or delete the rule schedule. This is the default.
Until...
Specifies that the rule schedule start immediately and run until a specified end date. The rule schedule is immediately activated and is not disabled until the end date and time are reached. Click in the field to choose an end date from a popup calendar. You can specify an end time in the same popup screen.
After...
Specifies that the rule schedule start after the specified date and run indefinitely. The rule schedule is activated starting on the selected date and runs until you change the start date or delete the rule schedule. Click in the field to choose a start date from a popup calendar. You can specify a start time in the same popup.
Between...
Specifies that the rule schedule start on the specified date and run until the specified end date. Click in the fields to choose the start and end dates from a popup calendar. You can specify start and end times in the same popup.
Note: Using the system interface and popup screens to specify the start and end dates and times is the preferred method. However, if you do specify dates manually, use the format: MMM DD,YYYY for the date.
Time Span Specifies the time, within the time defined by the Date Range, that the rule schedule can be active.
  • All Day specifies that the rule schedule runs all day. This is the default.
  • Between... specifies that the rule schedule starts at the specified time and runs until the specified end time. Click in the fields to choose the start and end times.
Day Specifies the days the rule schedule is active. Select check boxes for all days that apply. You must select at least one day per week.
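Whether a rule governed by a schedule is enforced at a given moment depends on all three properties at once: the Date Range bounds, the Time Span within each day, and the selected days. The Python below is an added example written for this chapter, not BIG-IQ code, and does not model how a BIG-IP device evaluates schedules internally; it encodes the four Date Range options as optional start and end datetimes, accepts the MMM DD,YYYY manual date format the note above gives, validates the "at least one day" rule, and answers "is this schedule active at time t". The sample schedules are constructed, and treating a Time Span whose end is earlier than its start as wrapping past midnight is this example's own assumption, not something the chapter states.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday() order


def parse_schedule_date(text: str, at: time = time(0, 0)) -> datetime:
    """Parse the chapter's manual-entry date format MMM DD,YYYY, for example
    'Sep 01,2015', optionally attaching the time chosen in the popup."""
    return datetime.combine(datetime.strptime(text.strip(), "%b %d,%Y").date(), at)


@dataclass(frozen=True)
class RuleSchedule:
    name: str
    # Date Range: neither bound = Indefinite, end only = Until..., start only = After...,
    # both = Between...
    date_start: Optional[datetime] = None
    date_end: Optional[datetime] = None
    # Time Span: both None = All Day, otherwise Between... the two times on each active day
    time_start: Optional[time] = None
    time_end: Optional[time] = None
    # Day: at least one day must be selected
    days: FrozenSet[str] = frozenset(WEEKDAYS)

    def __post_init__(self) -> None:
        if not self.days or not self.days <= set(WEEKDAYS):
            raise ValueError("select at least one valid day of the week")
        if (self.time_start is None) != (self.time_end is None):
            raise ValueError("a Time Span of Between... needs both a start and an end time")
        if self.date_start and self.date_end and self.date_start > self.date_end:
            raise ValueError("Date Range start is later than its end")

    def date_range_mode(self) -> str:
        if self.date_start is None and self.date_end is None:
            return "Indefinite"
        if self.date_start is None:
            return "Until..."
        if self.date_end is None:
            return "After..."
        return "Between..."

    def is_active(self, at: datetime) -> bool:
        """True when a rule carrying this schedule would be active at 'at'."""
        if self.date_start is not None and at < self.date_start:
            return False
        if self.date_end is not None and at > self.date_end:
            return False
        if WEEKDAYS[at.weekday()] not in self.days:
            return False
        if self.time_start is None:                   # All Day
            return True
        t = at.time()
        if self.time_start <= self.time_end:
            return self.time_start <= t <= self.time_end
        # Assumption (not from the chapter): an end earlier than the start wraps past midnight.
        return t >= self.time_start or t <= self.time_end


# Constructed schedules, not taken from a device: a weekend evening window in
# September 2015, the default schedule with no specifics (continuously active),
# and an overnight span that crosses midnight.
MAINTENANCE = RuleSchedule(
    "weekend-maintenance",
    date_start=parse_schedule_date("Sep 01,2015"),
    date_end=parse_schedule_date("Sep 30,2015", time(23, 59)),
    time_start=time(22, 0), time_end=time(23, 59),
    days=frozenset({"Sat", "Sun"}),
)
ALWAYS = RuleSchedule("default")
OVERNIGHT = RuleSchedule("overnight", time_start=time(22, 0), time_end=time(6, 0))


def sample_checks() -> Dict[str, object]:
    """Probe the constructed schedules at a few instants; keys name the case."""
    return {
        "maintenance_mode": MAINTENANCE.date_range_mode(),
        "sat_in_window": MAINTENANCE.is_active(datetime(2015, 9, 5, 22, 30)),   # Saturday, in span
        "fri_in_time": MAINTENANCE.is_active(datetime(2015, 9, 4, 22, 30)),     # Friday not selected
        "sat_midday": MAINTENANCE.is_active(datetime(2015, 9, 5, 12, 0)),       # outside Time Span
        "oct_saturday": MAINTENANCE.is_active(datetime(2015, 10, 3, 22, 30)),   # past the end date
        "default_mode": ALWAYS.date_range_mode(),
        "default_any_time": ALWAYS.is_active(datetime(2030, 1, 1, 3, 0)),
        "overnight_3am": OVERNIGHT.is_active(datetime(2030, 1, 1, 3, 0)),
        "overnight_noon": OVERNIGHT.is_active(datetime(2030, 1, 1, 12, 0)),
    }


if __name__ == "__main__":
    for k, v in sample_checks().items():
        print(f"{k:<18} {v}")
```

The default schedule reports Indefinite and is active at any instant, matching the statement above that a schedule created without scheduling specifics is continuously active; the maintenance schedule is active only on a selected day, inside the Time Span, and before its end date, and fails as soon as any one of the three conditions does.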