Applies To: BIG-IQ Centralized Management 5.4.0
About rules and rule lists
Network firewalls use rules and rule lists to specify traffic-handling actions. The network software compares IP packets to the criteria specified in rules; if a packet matches the criteria, the system takes the action specified by that rule. If a packet does not match any rule in the list, the software accepts the packet or passes it to the next rule or rule list. For example, the system compares the packet to self IP rules if the packet is destined for a network associated with a self IP address that has firewall rules defined.
Rule lists are containers for rules, which are run in the order they appear in their assigned rule list. A rule list can contain thousands of ordered rules, but cannot be nested inside another rule list. You can reorder rules in a given rule list at any time.
Enabling, disabling and scheduling rules and rule lists
Once a rule or a rule list is created, you can set the state of that rule or rule list to enable it, disable it, or schedule when it is enabled. By default, a rule or rule list is enabled. The state set on a rule list takes precedence over the state of the rules it contains. For example, if a rule has a state of enabled but is contained within a rule list that has a state of disabled, the rule is disabled wherever that rule list is used. The process differs for setting the state of a rule and setting the state of a rule list.
- To set the state for a rule, edit the rule and choose enabled, disabled or scheduled in the State column.
- To set the state for a rule list, edit the rule list, right-click the rule list name, and select Edit Rule List Reference. The state can then be set by choosing enabled, disabled or scheduled in the State column.
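The evaluation behaviour described in this section (ordered first-match evaluation, rule lists as flat containers, and a rule list's state overriding the state of the rules inside it), together with the ID numbering scheme given later in the Rule properties table, as an added example. This is not BIG-IQ code; the field names, the packet shape and the "scheduled" daily window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Optional, Tuple, Union

# Constructed model of ordered first-match evaluation with rule lists.
# Assumptions: a packet is a dict, and "scheduled" means a daily active window.

Packet = Dict[str, object]


@dataclass
class Rule:
    name: str
    matches: Callable[[Packet], bool]          # criteria the packet is compared against
    action: str                                # e.g. "accept", "drop", "reject"
    state: str = "enabled"                     # "enabled", "disabled" or "scheduled"
    window: Optional[Tuple[time, time]] = None # active window when state == "scheduled"


@dataclass
class RuleList:
    name: str
    rules: List[Rule]                          # rule lists cannot nest, so only Rules here
    state: str = "enabled"
    window: Optional[Tuple[time, time]] = None


def is_active(state: str, window: Optional[Tuple[time, time]], now: datetime) -> bool:
    """Whether a rule or rule list is in force at `now`, given its state."""
    if state == "enabled":
        return True
    if state == "scheduled" and window is not None:
        start, end = window
        return start <= now.time() < end       # assumption: simple daily window
    return False                               # "disabled", or scheduled with no window


def numbered(policy: List[Union[Rule, RuleList]]) -> List[Tuple[str, str]]:
    """(ID, name) pairs in evaluation order, numbered like the ID column:
    top-level items 1..n, rules inside rule list n as n.1, n.2, ..."""
    out = []
    for n, item in enumerate(policy, start=1):
        out.append((str(n), item.name))
        if isinstance(item, RuleList):
            for m, rule in enumerate(item.rules, start=1):
                out.append((f"{n}.{m}", rule.name))
    return out


def evaluate(policy: List[Union[Rule, RuleList]], packet: Packet, now: datetime):
    """First match wins. Returns (rule ID, action), or (None, None) when nothing
    matches, meaning the decision passes on to the next rule list or context."""
    for n, item in enumerate(policy, start=1):
        if isinstance(item, RuleList):
            if not is_active(item.state, item.window, now):
                continue   # list state wins: its rules are skipped even if enabled
            for m, rule in enumerate(item.rules, start=1):
                if is_active(rule.state, rule.window, now) and rule.matches(packet):
                    return f"{n}.{m}", rule.action
        elif is_active(item.state, item.window, now) and item.matches(packet):
            return str(n), item.action
    return None, None


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed clock for the example: a fixed date at the given time of day."""
    return datetime(2024, 1, 1, hour, minute)


def sample_policy() -> List[Union[Rule, RuleList]]:
    """Constructed sample: three rules, a disabled rule list with two rules, then a
    scheduled final rule, mirroring the 1, 2, 3, 4, 4.1, 4.2, 5 numbering example."""
    from_mgmt = lambda p: str(p["src"]).startswith("10.0.0.")
    return [
        Rule("allow-dns", lambda p: p["dport"] == 53, "accept"),
        Rule("drop-telnet", lambda p: p["dport"] == 23, "drop"),
        Rule("allow-https", lambda p: p["dport"] == 443, "accept"),
        RuleList("ssh-rules", [
            Rule("allow-ssh-from-mgmt", lambda p: p["dport"] == 22 and from_mgmt(p), "accept"),
            Rule("drop-ssh", lambda p: p["dport"] == 22, "drop"),
        ], state="disabled"),
        Rule("reject-rest", lambda p: True, "reject",
             state="scheduled", window=(time(9, 0), time(17, 0))),
    ]


if __name__ == "__main__":
    policy = sample_policy()
    print([i for i, _ in numbered(policy)])                     # ['1', '2', '3', '4', '4.1', '4.2', '5']
    print(evaluate(policy, {"src": "10.0.0.5", "dport": 22}, at(12)))  # ('5', 'reject'): list is disabled
```

Note what the disabled rule list does to the SSH packet from 10.0.0.5: the enabled allow rule at 4.1 never runs, so the packet falls through to the scheduled reject rule at 5, and outside that rule's window it matches nothing at all. Re-enabling the list restores the 4.1 decision without touching the rule itself.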
Creating rules
Reordering rules in rule lists
Removing rules
- You remove a rule based on the object that you remove it from:

Option | Description |
---|---|
From a rule list | In the left pane, expand Rule Lists and click the name of the rule list containing the rule that you want to delete. This opens the Rule List frame, which provides access to the Properties and Rules options. |
From a firewall context | In the left pane, expand Contexts and click the name of the context containing the rule that you want to delete. This opens the Properties frame, which contains the Enforced Policy row and the Staged Policy row; either may contain a policy. Click the name of the policy containing the rule to delete, and then click Rules & Rule Lists. |
From a policy | In the left pane, expand Policies and click the name of the policy containing the rule that you want to delete. The Policy frame opens and provides access to the Properties and Rules & Rule Lists options. Select Rules & Rule Lists. |

- Hover over the row containing the rule, and right-click.
- Select Delete rule and, if prompted, confirm the deletion.
- Click Save to save your changes.
Creating and adding rule lists
Editing rule lists
Clearing fields in rules
- Log in to BIG-IQ® Network Security.
- Click Policy Editor.
- Expand Rule Lists and click the name of a rule list that you want to edit.
- On the left, click Rules to ensure that it is selected.
- Click the name of the rule containing the fields whose contents you want to remove.
- Not all fields can be cleared, but you can remove the contents of these fields as follows:

Option | Description |
---|---|
Address (source or destination) | Click the X to the right of the field. |
Port (source or destination) | Click the X to the right of the field. |
VLAN | Click the X to the right of the field. |
iRule | Click the X to the right of the field. |
Description | Click the X to the right of the field. |

- Click Save to save your changes.
- When you are finished, click Save & Close to save your edits, clear the lock, and exit the panel.
Cloning rule lists
Removing rule lists
Rule properties
This table describes the properties required when you are configuring network firewall rules.
Property | Description |
---|---|
ID | The evaluation order identifier of the rule within the policy. Rules are evaluated from the lowest number to the highest. If a rule is contained within a rule list, it is numbered with the number of the rule list, followed by its own position after the decimal point. For example, a policy with 3 rules, followed by a rule list containing 2 rules, followed by another rule outside of the rule list, would be numbered as: 1, 2, 3, 4, 4.1, 4.2, 5. In the example, 4 represents the rule list, and 4.1 and 4.2 are the rules within that rule list. |
Name | In a rule list, the unique, user-provided name for the rule. Alternatively, in a firewall context or firewall policy, a rule list name preceded by Reference_To_, such as Reference_To_sys_self_allow_all. |
Address (Source or Destination) | An IPv4 or IPv6 source or destination IP address, address range, or address list to which the firewall rule applies. Note: You can specify subnets using forward slash (/) notation in either IPv4 or IPv6, such as 60.63.10.0/24 or 2001:db8:a::/64. You can also append a route domain to an address using the format %RouteDomainID/Mask, for example 12.2.0.0%44/16. You can add additional addresses, address ranges, address lists, or countries/regions (Add) and delete addresses, address ranges, address lists, or countries/regions (X). To recover an address that was marked for deletion using X, re-enter the address and click Add. |
Port (Source or Destination) | Specifies source or destination port entries (ports, port ranges, or port lists) to which the firewall rule applies. You can add additional ports, port ranges, or port lists (Add) and delete ports, port ranges, or port lists (X). To recover a port that was marked for deletion using X, re-enter the port and click Add. |
VLAN (Source) | Specifies the VLAN or tunnel from which the packet source originates, to which the rule applies. This VLAN is physically present on the device (Internal, External, or Any). If you specify a VLAN in a rule without also specifying the VLAN's partition, the deployment task will fail when you attempt to deploy that rule to a firewall. Use the format partition/VLAN or /partition/VLAN, for example Common/external or /Common/external. |
Action | Specifies the action taken when the firewall rule is matched, such as whether the packet is accepted or rejected. |
iRule | Specifies an iRule that is applied to the rule. Optionally, you can enter a number in the Sampling Rate field to indicate how often to take a sample. iRules® use syntax based on the industry-standard Tools Command Language (Tcl). For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com. Note that iRules must conform to standard Tcl grammar rules; for more information on Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html. Note that iRules are not supported on the management IP context. |
Protocol | Specifies the IP protocol to compare against the packet. If you select ICMP or IPv6-ICMP, additional fields open where you can specify Type and Code combinations. If you select Other, only a Type field is displayed. The default type is Any and the default code is Any. Note: The type and code combinations are too numerous to document here. For details, consult the F5 Networks DevCentral site, http://devcentral.f5.com, or the documentation for the specific BIG-IP® platform. |
State | Specifies the activity state of the rule, such as whether it is enabled or disabled. |
Send to Virtual | Specifies a virtual server to which packets matched by the firewall rule classifiers are routed. When a firewall rule is routed to a virtual server, the firewall rule action is not applied. This option is available only for rules on the global, route domain, or self IP context. |
Service Policy | Specifies a service policy to associate with a rule. A service policy allows you to associate network idle timers or timer policies with firewall contexts and rules. You can add a service policy to a rule by dragging the service policy from the Shared Objects area onto the Service Policy column for the rule. This field is available with BIG-IP devices version 12.0 or higher. |
Log | Specifies whether the firewall software should write a log entry for any packets that match this rule. From the list, select true (log an entry) or false (do not log an entry). |
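The Address and VLAN (Source) formats from the table above, as an added example that is not BIG-IQ code: it parses the documented address forms (a single address, a slash-notation subnet, and the %RouteDomainID/Mask suffix), matches a packet against them with the route domain taken into account, and normalises a VLAN entry to the /partition/VLAN form that a deployment needs. Address ranges, address lists and country entries are left out because the page does not give their syntax; treating a missing route domain as route domain 0 is an assumption of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Union

# Added example: parser and matcher for the Address field forms in the table above,
# plus VLAN partition validation. Not BIG-IQ code; route domain 0 as the default
# for an address without a %RouteDomainID suffix is an assumption.

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class FwAddress:
    network: IPNetwork
    route_domain: int = 0


# <ip>[%<route domain>][/<mask>]; the IP part may contain ':' (IPv6) but never '%' or '/'.
_ADDR_RE = re.compile(r"^(?P<ip>[^%/\s]+)(?:%(?P<rd>\d+))?(?:/(?P<mask>\d+))?$")


def parse_address(text: str) -> FwAddress:
    """Parse '60.63.10.0/24', '2001:db8:a::/64', '12.2.0.0%44/16' or a bare address."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised address entry: {text!r}")
    addr = ipaddress.ip_address(m.group("ip"))        # ValueError on a malformed IP
    mask = m.group("mask")
    prefix = int(mask) if mask is not None else addr.max_prefixlen
    # strict=True: '10.0.0.1/8' is rejected rather than silently widened to 10.0.0.0/8,
    # which would make the rule match far more traffic than its author intended.
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=True)
    rd = m.group("rd")
    return FwAddress(network, int(rd) if rd is not None else 0)


def address_matches(spec: FwAddress, packet_ip: str, packet_rd: int = 0) -> bool:
    """A packet matches only if it is in the rule's route domain and inside its network."""
    if packet_rd != spec.route_domain:
        return False
    ip = ipaddress.ip_address(packet_ip)
    return ip.version == spec.network.version and ip in spec.network


_VLAN_RE = re.compile(r"^/?(?P<partition>[A-Za-z0-9_.-]+)/(?P<vlan>[A-Za-z0-9_.-]+)$")


def normalize_vlan(text: str) -> str:
    """Accept 'Common/external' or '/Common/external' and return '/Common/external'.
    A bare VLAN name with no partition is rejected up front, because the table notes
    that deploying such a rule to a firewall fails."""
    m = _VLAN_RE.match(text.strip())
    if not m:
        raise ValueError(f"VLAN must be given as partition/VLAN, got {text!r}")
    return f"/{m.group('partition')}/{m.group('vlan')}"


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError; used to show the validation failures."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    spec = parse_address("12.2.0.0%44/16")
    print(spec)                                    # 12.2.0.0/16 in route domain 44
    print(address_matches(spec, "12.2.200.7", 44)) # True
    print(address_matches(spec, "12.2.200.7", 0))  # False: wrong route domain
    print(normalize_vlan("Common/external"))       # /Common/external
    print(rejects(normalize_vlan, "external"))     # True: partition missing
```

The two rejections are the ones worth keeping in any pre-deployment check: an address with host bits set under its mask, which would otherwise match a wider network than written, and a VLAN without its partition, which the page says only surfaces as a failed deployment task.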