Applies To: BIG-IQ Centralized Management 5.2.0
About common objects in Network Security
In Network Security, the common objects that you can view and manage include:
- Firewall contexts: Category of object to which a rule applies. In this case, category refers to objects such as Global, Route Domain, Self IP, Virtual Server, or Management. Within each context, rules can be viewed and reorganized separately. It is possible to have multiple layers of firewalls on a single BIG-IP® device. These layers constitute the firewall hierarchy. Within the firewall hierarchy, rules progress from Global, to Route Domain, and then to either Virtual Server or Self IP.
- Firewall policies: Set of rules and/or rule lists that specify traffic-handling actions and define the parameters for filtering network traffic. You can assign rule lists or a policy to a firewall. Firewall policies make it easy to assign a common collection of rules consistently across multiple firewalls.
- Rule lists: Containers for rules; rules are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list.
- Address lists: Collections of IPv4 or IPv6 addresses, address ranges, nested address lists, geolocations, and subnets. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses or address ranges in a given address list to either the source or the destination IP address, depending on how the list is applied. Firewall rules can also compare all geolocations in a given address list to either the source or the destination location, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
- Port lists: Collections of ports and port ranges. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific ports in IP packets. As with address lists, firewall rules compare all ports and port ranges in a given port list to either the source or the destination port, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
- Rule schedules: Assigned to firewall rules, rule lists, and policies to control when those rules, rule lists, and firewall policies are active on the firewall. You can hover over a schedule name to see the full name displayed in a tooltip, which is useful when the schedule name is longer than the screen.
Adding objects
Viewing and editing objects
Adding objects to firewall contexts and rules
- Navigate to the context, rule list, or firewall policy to which you want to add an object.
- If you are editing a firewall context, click the name of the context to add to, click the name of the enforced firewall policy to add to on the Properties tab, and select Rule & Rule Lists so that the rules for enforced policies are visible.
- If you are editing a rule list, click the name of the rule list to add to, and select Rules so that the rules are visible.
- If you are editing a firewall policy, click the name of the policy to add to, and select Rule & Rule Lists so that the rules are visible.
- Click on an existing rule, click Create Rule to create a new rule, or click Add Rule List to add a rule list as needed.
- In the toolbox at the bottom, select the type of object you want to add from the drop-down list. The objects matching that type are listed.
- Drag the object you want onto the indicated area.
- When you are finished, click Save to save your edits, or click Save & Close to save and release the lock.
Renaming objects
As an alternative to renaming an object, you can create a new object and replace the original object where it is in use.
Cloning objects
Removing objects
Filtering content in firewall policies
There are several filter fields you can use to select the data displayed for firewall objects. The filter text you enter is used to perform a search of the underlying object's representation in storage (in JSON), which includes not only the name and other displayed data, but also metadata for the object, such as timestamps. Make the text you enter in the filter field specific enough to uniquely identify the one or more objects you want to display.
About address lists
Address lists are collections of IPv4 or IPv6 addresses, address ranges, nested address lists, geolocations, and subnets saved on a server and available for use in firewall rules, rule lists, and firewall policies.
Firewall rules refer to address lists to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses from the list to either the source or the destination IP address (in IP packets), depending on how the list is applied. Firewall rules can also compare all geolocations in a given address list to either the source or the destination location, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
You can see the content of an address list by hovering over its name in the policy editor. If an address list is nested, the tooltip shows only the first-level contents. To view an address list name that is longer than the display field, hover over the name to see the full name displayed in the tooltip.
Address lists are containers and must contain at least one entry. You cannot create an empty address list; you cannot remove an entry in an address list if it is the only one.
You can add geolocation awareness to address lists, which enables you to specify source or destination IP addresses by geographic location. Thus, you can specify firewall behavior for traffic to/from entire geographic regions by defining rules based on where the source or destination system is, rather than on its IP address (source or destination). BIG-IQ® Network Security supports specifying geolocation in rules and address lists. The geolocation is validated when the rule or address list is saved.
Adding address types to address lists
Removing entries from address lists
Address list properties and addresses
Property | Description |
---|---|
Name | Unique, user-provided name for the address list. The text field accepts up to and including 255 characters, including the partition name. |
Description | Optional description of the address list. |
Partition | Field pre-populated with Common (the default). This field is editable when creating or cloning address lists. |
Type | After locking the address list for editing, select one of the following address types. |
Addresses | IPv4 or IPv6 address, address range, or nested address list. There are many ways an IPv4 or IPv6 address or address range can be constructed. The following methods and examples are not meant to be exhaustive. |
Description | Optional text field used to describe the address, address range, or nested address list. |
About port lists
Port lists are collections of ports, port ranges, or nested port lists saved on a server and available for use in firewall rules, rule lists, and firewall policies.
Firewall rules refer to port lists to allow or deny access to specific ports in IP packets. They compare a packet's source port and/or destination port with the ports in a port list. If there is a match, the rule takes an action, such as accepting or dropping the packet. Port lists are containers and must contain at least one entry. You cannot create an empty port list; you cannot remove an entry in a port list if it is the only one.
You can see the content of a port list by hovering over its name in the policy editor. If a port list is nested, the tooltip shows only the first-level contents. To view a port list name that is longer than the display field, hover over the name to see the full name displayed in the tooltip.
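The matching behaviour described above for address lists and port lists (nested lists, ranges, subnets, comparison against the source or destination side, non-empty containers, and the 1-65535 port range), as an added Python model; this is not F5 code, and the list names, rule keys and packet fields are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample lists (not taken from any BIG-IQ device).
ADDRESS_LISTS = {
    "corp_mgmt": ["10.0.0.0/24", "2001:db8::/64"],        # subnets
    "partners": ["192.0.2.10-192.0.2.20", "corp_mgmt"],  # range plus nested list
}
PORT_LISTS = {"admin_ports": [22, "8000-8100"]}          # port plus port range

def validate_list(entries):
    if not entries:  # lists are containers and must hold at least one entry
        raise ValueError("list must contain at least one entry")
    return True

def valid_port(port): return 1 <= port <= 65535  # valid port numbers are 1-65535

def address_in_list(name, ip):
    """True if ip matches any entry: a single address, a subnet, a range
    'low-high', or a nested address list (searched recursively)."""
    return any(address_entry_matches(e, ipaddress.ip_address(ip)) for e in ADDRESS_LISTS[name])

def address_entry_matches(entry, ip):
    if entry in ADDRESS_LISTS:                    # nested address list
        return address_in_list(entry, str(ip))
    if "-" in entry:                              # 'low-high' range
        low, high = (ipaddress.ip_address(s) for s in entry.split("-"))
        return ip.version == low.version and low <= ip <= high
    return ip in ipaddress.ip_network(entry, strict=False)  # address/subnet; v4-v6 mismatch is False

def port_in_list(name, port):
    """True if port matches a port number, a 'low-high' range, or a nested port list."""
    return any(port_entry_matches(e, port) for e in PORT_LISTS[name])

def port_entry_matches(entry, port):
    if entry in PORT_LISTS:               # nested port list
        return port_in_list(entry, port)
    if isinstance(entry, str):            # 'low-high' range
        low, high = (int(s) for s in entry.split("-"))
        return low <= port <= high
    return entry == port

def rule_action(rule, packet):
    """Each list named in the rule is applied to the source or the destination
    side; the rule's action is taken only when every applied list matches."""
    sides = {"src_addrs": "src", "dst_addrs": "dst", "src_ports": "sport", "dst_ports": "dport"}
    for key, field in sides.items():
        if key in rule:
            matcher = address_in_list if key.endswith("addrs") else port_in_list
            if not matcher(rule[key], packet[field]):
                return None  # no match: evaluation continues with the next rule
    return rule["action"]
```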
Adding port types to port lists
Removing entries from port lists
Port list properties and ports
Property | Description |
---|---|
Name | Unique name used to identify the port list. |
Description | Optional description for the port list. |
Partition | Field pre-populated with Common (the default). This field is editable when creating or cloning port lists. |
Type | Select one of the following port types. |
Ports | Port, port range, or nested port list. Valid port numbers are 1-65535. |
Description | Optional text field used to describe the port, port range, or nested port list. |
About rule schedules
The Rule Schedules screen displays the defined rule schedules. By default, all rules, rule lists, and policies run continuously. Rule schedules are continuously active if created without any scheduling specifics (such as the hour that the rule schedule starts).
You apply a rule schedule to a rule to make that rule active only when needed.
Rule schedule properties
This table lists and describes the properties required when configuring firewall rule schedules.