Manual Chapter : Managing Firewall Contexts

Applies To: BIG-IQ Centralized Management 5.2.0

About managing firewall contexts

In BIG-IQ® Network Security, a firewall context is a BIG-IP® network object to which a firewall policy can be attached. In BIG-IQ Network Security, these network objects are called Global (global), Route Domain (rd), Virtual Server (vip), Self IP (sip), or Management (mgmt).

Firewall contexts provide policy-based access control to and from address and port pairs, inside and outside the network. Using a combination of contexts, a firewall can apply rules in a number of different ways, including at a global level, per virtual server, per route domain, and even for the management port or a self IP address.

Firewall properties include the firewall name, an (optional) description, its partition, its type, and its parent device on the partition in which it resides. Note that an administrative partition is a part of the BIG-IP configuration that is accessible only to a particular group of administrators. The default partition for all BIG-IP configurations, /Common, is accessible to all administrators. A sufficiently-privileged administrator can make additional partitions on the BIG-IP device. Each partition corresponds to a folder (with the same name) to hold its configuration objects.

You can use the Policy Editor to view and configure enforced policies or rules whose actions (accept, accept decisively, drop, reject) are in force. You are restricted to a single, enforced policy on any specific firewall. You can edit all other firewall shared objects only from within the object's screen.

Note: Firewall policies can be enforced in one firewall context and staged in another.

Considerations when restoring snapshots of BIG-IP devices containing firewall inline rules

If you restore a snapshot of a version 11.5.1 or earlier BIG-IP device that contains inline firewall rules onto a BIG-IP version 11.5.2 or later or BIG-IP version 11.6 or later device, the inline rules are improperly restored to the later version. The inline rules are improperly restored because these later BIG-IP device versions do not support the inline firewall rules that were part of the version 11.5.1 or earlier BIG-IP device snapshot.

When you upgrade a version 11.5.1 or earlier BIG-IP device, the BIG-IP device automatically moves any inline rules into a system-defined policy. The restoration of the version 11.5.1 or earlier snapshot incorrectly writes inline rules back to the configuration of the later version of the BIG-IP device.

To restore a snapshot of a version 11.5.1 or earlier BIG-IP device onto a later version BIG-IP device, you must reimport the upgraded devices again after restoring the snapshot. This updates the BIG-IQ system to contain the current policy-based firewall configurations and removes the inline rules that the restoration of the snapshot added to the configuration of those 11.5.2 or later or 11.6.0 or later devices.

About BIG-IP system firewall contexts

A firewall context is the category of object to which a rule applies. In this case, category refers to Global, Route Domain, Virtual Server, Self IP, or Management. Rules can be viewed and reorganized separately within each context.

It is possible to have multiple layers of firewalls on a single BIG-IP® device. These layers constitute the firewall hierarchy. Within the firewall hierarchy, rules progress from Global, to Route Domain, and then to either Virtual Server or Self IP.

If a packet matches a firewall rule within a given context, that rule's action is applied to the packet. If the packet is accepted, it travels on to the next context for further processing. If the packet is accepted decisively, it goes directly to its destination without being evaluated by the remaining contexts. If the packet is dropped or rejected, all processing stops for that packet; it travels no further.

On each firewall, you can have rules, rule lists, or policies that are enforced or staged. Rules, rule lists, or policies are processed in order within their context and within the context hierarchy.

Rules for the Management interface are processed separately and not as part of the context hierarchy.

About global firewalls

A global firewall is an IP packet filter that applies at the global level of a BIG-IP® device. Except for packets traveling to the management firewall, it is the first firewall that an IP packet encounters. Any packet reaching a BIG-IP device must pass through the global firewall first.

When you create firewall rules or policies, you can select one of several contexts. Global is one of the contexts you can select. Rules for each context form their own list, and are processed both in the context hierarchy and in the order within each context list.

About route domain firewalls

A route domain firewall is an IP packet filter that applies to a route domain on a BIG-IP® device.

A route domain is a BIG-IP system object that represents a particular network configuration. After creating a route domain, you can associate various BIG-IP system objects with the domain: unique VLANs, routing table entries such as a default gateway and static routes, self IP addresses, virtual servers, pool members, and firewalls.

When a route domain firewall is configured to apply to one route domain, it means that any IP packet that passes through the route domain is assessed and possibly filtered out by the configured firewall.

When you create firewall rules or policies, you can select one of several contexts. Route domain is one of the contexts you can select. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

Route domain rules are collected in the Route Domain context and apply to a specific route domain configured on the server. Route domain rules are checked after global rules. Even if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context.

About virtual server firewalls

A virtual server firewall is an IP packet filter configured on the virtual server and, therefore, designated for client-side traffic. Any IP packet that passes through the virtual server IP address is assessed and possibly filtered out by this firewall.

When you create firewall rules or policies, you can select one of several contexts, including virtual server. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

Virtual server rules apply to the selected virtual server only. Virtual server rules are checked after route domain rules.

About self IP firewalls

A self IP firewall is an IP packet filter configured on a self IP address and, therefore, designated for server-side traffic. Any IP packet that passes through the self IP is assessed and possibly filtered out by this firewall.

A self IP address is an IP address on a BIG-IP® system that is associated with a VLAN and used to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space; that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address.

A static self IP address is an IP address that is assigned to the system and does not migrate between BIG-IP systems. By default, the self IP addresses created with the Configuration utility are static self IP addresses. One self IP address must be defined for each VLAN.

When you create firewall rules or policies, you can select one of several contexts, including self IP. Rules for each context form their own list and are processed both in the context hierarchy and in the order within each context list.

The self IP context collects firewall rules that apply to the self IP address on the BIG-IP device. Self IP rules are checked after route domain rules.

About management IP firewalls

A management IP firewall is an IP packet filter configured on the management IP address and, therefore, designated to examine management traffic. Any IP packet that passes through the management IP address is assessed and possibly filtered out by this firewall.

The network software compares IP packets to the criteria specified in management firewall rules. If a packet matches the criteria, then the system takes the action specified by the rule. If a packet does not match a rule, then the software compares the packet against the next rule. If a packet does not match any rule, the packet is accepted.

Management IP firewalls collect firewall rules that apply to the management port on the BIG-IP® device. Management port firewalls are outside the firewall context hierarchy and management port rules are checked independently of other rules.

Note: Policies and rule lists are not permitted on management IP firewalls. In addition, the management IP firewall context does not support the use of iRules® or geolocation in rules.

About firewall policy types

In BIG-IQ® Network Security, you can add the following firewall policy types:

Enforced
An enforced firewall policy modifies network traffic based on a set of firewall rules.
Staged
A staged firewall policy allows you to evaluate the effect a policy has on traffic without actually modifying the traffic based on the firewall rules.
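As an added example (not F5 code and not part of this chapter), the following Python model walks a packet through the context hierarchy described in About BIG-IP system firewall contexts, checks management-ip rules on their own as described in About management IP firewalls, and evaluates a staged policy so that its decisions are recorded without changing the verdict. The Packet and Rule classes, the rule sets, the addresses, and the context names used as dictionary keys are all constructed for illustration; the matching is a minimal CIDR, port, and protocol comparison, not the BIG-IP rule engine.

```python
# Added example (not F5 code): a small model of how BIG-IP firewall contexts
# process a packet, as the chapter describes it. Rules are first-match within
# a context, enforced contexts run Global -> Route Domain -> Virtual Server
# or Self IP, a staged policy is evaluated and logged without affecting the
# verdict, and management-ip rules are evaluated outside the hierarchy.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ACCEPT = "accept"
ACCEPT_DECISIVELY = "accept-decisively"
DROP = "drop"
REJECT = "reject"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"          # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any destination port
    proto: Optional[str] = None     # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport)
                and self.proto in (None, pkt.proto))


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; a packet matching no rule is accepted."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "<no match>", ACCEPT


def evaluate_hierarchy(enforced: Dict[str, List[Rule]], pkt: Packet,
                       leaf: str = "virtual-server",
                       staged: Optional[Dict[str, List[Rule]]] = None):
    """Run a packet through the context hierarchy.

    enforced/staged map a context name ("global", "route-domain",
    "virtual-server", "self-ip") to its rule list. leaf is the context the
    packet ends in: virtual-server for client-side traffic, self-ip for
    server-side traffic. Returns (verdict, trace); trace records every rule
    consulted as (context, kind, rule_name, action).
    """
    staged = staged or {}
    trace = []
    for ctx in ("global", "route-domain", leaf):
        if ctx in staged:                     # staged: recorded, no effect
            name, action = first_match(staged[ctx], pkt)
            trace.append((ctx, "staged", name, action))
        name, action = first_match(enforced.get(ctx, []), pkt)
        trace.append((ctx, "enforced", name, action))
        if action == ACCEPT_DECISIVELY:       # straight to the destination
            return ACCEPT, trace
        if action in (DROP, REJECT):          # processing stops here
            return action, trace
    return ACCEPT, trace                      # accepted by every context


def evaluate_management(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Management-ip rules are checked on their own, not in the hierarchy."""
    return first_match(rules, pkt)


# Constructed rule sets and packets (RFC 5737 documentation addresses).
ENFORCED = {
    "global": [
        Rule("block-telnet", DROP, dport=23),
        Rule("trusted-admin-ssh", ACCEPT_DECISIVELY, src="10.0.0.0/8", dport=22),
    ],
    "route-domain": [Rule("rd-deny-ssh", DROP, dport=22)],
    "virtual-server": [Rule("web-only", ACCEPT, dport=443),
                       Rule("vs-reject-rest", REJECT)],
}
STAGED = {"route-domain": [Rule("stage-deny-https", DROP, dport=443)]}
MANAGEMENT = [Rule("mgmt-ssh-from-admin", ACCEPT, src="10.0.0.0/8", dport=22),
              Rule("mgmt-deny-ssh", DROP, dport=22)]

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "192.0.2.10", 22),
                Packet("198.51.100.7", "192.0.2.10", 22),
                Packet("198.51.100.7", "192.0.2.10", 443),
                Packet("198.51.100.7", "192.0.2.10", 80)):
        verdict, trace = evaluate_hierarchy(ENFORCED, pkt, staged=STAGED)
        print(pkt, "->", verdict)
        for step in trace:
            print("   ", step)
    print("management:",
          evaluate_management(MANAGEMENT, Packet("203.0.113.9", "192.0.2.1", 22)))
```

Running the file prints each packet's verdict and the rules consulted. The SSH packet from 10.1.2.3 is accepted decisively in the Global context, so the route domain rule that would otherwise drop it is never consulted; the same port from 198.51.100.7 is dropped in the Route Domain context; and the staged rule appears in the trace for the HTTPS packet while the verdict stays accept. The management packet on port 22 from outside 10.0.0.0/8 is dropped independently of the hierarchy, and a management packet matching no rule is accepted, as the management section states.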

Firewall properties

The properties of a firewall context are shown when you select a context type from the list on the left, such as Global or Virtual Server. Some fields are for information purposes only and cannot be edited. Not all columns are shown for each context.

Name
Name as shown in the system interface: global for the global firewall; management-ip for the management IP firewall; 0 for route domain; the IP address for self-ip; and the firewall name for a virtual server.
Partition
Usually, Common. An administrative partition is a part of the BIG-IP® configuration that is accessible only to a particular group of administrators. The default partition for all BIG-IP configurations, Common, is accessible to all administrators. A sufficiently-privileged administrator can make additional partitions on the BIG-IP device. Each partition corresponds to a folder (with the same name, for instance, /Common) to hold its configuration objects.
Firewall Type
One of the following: global (global); route-domain (rd); virtual server (vip); self-ip (self-ip); or management-ip (mgmt).
IP Address
For Virtual server (VIP), self IP, and Management firewall types only; this is an informational, read-only field displaying the IP address retrieved (if available) during DMA.
Description
Optional description for the firewall.
Route Domain ID
Used for Route Domain firewall types only; displays a number that identifies the route domain.
Device
Name of the BIG-IP® device where the firewall resides.
Enforced Policy
Name of the enforced policy assigned to the firewall context. An enforced firewall policy modifies network traffic based on a set of firewall rules. This property is not used for the Management firewall type.
Staged Policy
Name of the staged policy assigned to the firewall context. A staged firewall policy allows you to evaluate the effect a policy has on traffic without actually modifying the traffic based on the firewall rules. This property is not used for the Management firewall type.
Service Policy
Name of the service policy assigned to the firewall context. This property is not used for the Management firewall type.
NAT Policy
Name of the NAT policy assigned to the firewall context.

Adding an enforced firewall policy

You can view and configure firewall policies or rules to force or refine actions (accept, accept decisively, drop, reject) using the Enforced settings. You are restricted to a single, enforced firewall policy on any specific firewall context.
Note: Policies can be enforced in one firewall context and staged in another.
  1. Log in to BIG-IQ® Network Security.
  2. Click Policy Editor.
  3. Click Contexts in the list on the left to expand the contents and click one of the context types.
  4. Click the name of the context to edit. The context properties are displayed.
  5. Click Add Enforced Firewall Policy in the Enforced Firewall Policy row and, in the resulting popup, click the policy to use and click Add. Alternatively, drag and drop a policy from those listed in the Policy Editor toolbox at the bottom of the page to the Enforced Firewall Policy row.
    Adding an enforced policy results in the removal of all existing rules.
  6. Click the name of the enforced policy to display the policy properties.
  7. Click Create Rule to add a rule by editing the fields in the template.
    You can also add rules by right-clicking in the last rule in the table and selecting Add rule before or Add rule after. If you right-click after the bottom row in the Rules table, you can select the option Add rule. You can then reorder rules by dragging and dropping them until they are in the correct order for execution. You can also reorder rules by right-clicking in the row and selecting among the ordering options.
  8. Add a rule list by clicking Add Rule List.
  9. In the popup screen that opens, select the name of the rule list that you want to add and then click Add.
  10. Click Save to save changes.
    To clear a lock without saving changes, click the Unlock link.
  11. When finished, click Save & Close to save your edits, clear the lock, and exit.

Adding a staged firewall policy

You can stage firewall policies using the Staged settings. Actions (accept, accept decisively, drop, reject) have no effect on network traffic. Rather, they are logged. This gives you the ability to stage a firewall policy first and examine the logs to determine how the firewall policy has affected traffic. Then, you can determine the timing for turning the firewall policy from staged to enforced.

Rules and rule lists are not allowed on staged firewall policies.

Note: A firewall policy can be staged in one context and enforced in another.
  1. Log in to BIG-IQ® Network Security.
  2. Click Policy Editor.
  3. Click Contexts in the list on the left to expand the contents and click one of the context types.
  4. Click the name of the context to edit. The context properties are displayed.
  5. Click Add Staged Firewall Policy in the Staged Firewall Policy row and, in the resulting popup, click the policy to use and click Add. Alternatively, drag and drop a policy from those listed in the Policy Editor toolbox at the bottom of the page to the Staged Firewall Policy row.
    Adding an enforced policy results in the removal of all existing rules and rule lists.
  6. Click Save to save changes.
    To clear a lock without saving changes, click the Unlock link.
  7. When finished, click Save & Close to save your edits, clear the lock, and exit.