F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IQ Security
  4. BIG-IQ Security: Administration
  5. Managing Shared Objects
Manual Chapter : Managing Shared Objects

Applies To:

Show Versions Show Versions

BIG-IQ Security

  • 4.2.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

About shared objects

In BIG-IQ Security, the shared objects that you can view and manage include:

Address lists
Collections of IPv4 or IPv6 addresses, address ranges, and subnets. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses or address ranges in a given address list to either the source or the destination IP address, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
Port lists
Collections of ports and port ranges. These collections are saved on a server and used by policies, rule lists, and rules to allow or deny access to specific IP addresses in IP packets. As with address lists, firewall rules compare all ports and port ranges in a given port list to either the source or the destination port, depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.
Schedules
Schedules are assigned to firewall rules, rule lists, and policies to control when rules, rule lists, and policies are active on the firewall. In the Shared Objects panel, you can hover over schedule names to see the name displayed in a tooltip. This feature is useful if the schedule name is longer than the panel.

Renaming shared objects

BIG-IQ Security does not support renaming a shared object that is in use (assigned to a firewall, policy, rule list, or rule). When a shared object is in use, its name field is unavailable and its properties cannot be edited.

As an alternative, you can create a new shared object and replace the original shared object where it is in use.

You can rename objects that are not in use.

  1. After creating the new object, use Search to locate where it is in use.
  2. Navigate to each instance where the original shared object is in use and replace it with a reference to the new shared object.
  3. Remove the original shared object.

Duplicating shared objects

  1. Navigate to the shared object you want to duplicate and hover over the name.
  2. When the gear icon appears, click it.
  3. From the expanded panel, click Clone. The system displays a copy of the shared object with blank Name and Description property fields.
  4. Enter a unique name, (optional) description, and any other edits.
  5. When finished, click Save. The cloned shared object is added to the existing list in the Shared Objects panel.

Removing shared objects

  1. Navigate to the shared object you want to remove and hover over the name.
  2. When the gear icon appears, click it.
  3. From the expanded panel, click Remove. If the shared object is being used by another shared object, policy, rule, or rule list, a popup appears informing you that you cannot remove shared objects that are in use. Click OK to acknowledge this message. If the shared object can be removed, a popup appears confirming the removal. Click OK to confirm.

About address lists

An address list is a collection of IPv4 or IPv6 addresses, adress ranges, or subnets saved on a server and available for use in firewall rules, rule lists, and policies.

Firewall rules refer to address lists to allow or deny access to specific IP addresses in IP packets. Firewall rules compare all addresses from the list to either the source or the destination IP address (in IP packets), depending on how the list is applied. If there is a match, the rule takes an action, such as accepting or dropping the packet.

Address lists are containers and must contain at least one address entry. You cannot create an empty address list.

Note: For address names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.

Managing address lists

From the BIG-IQ Security GUI Shared Objects panel, you can add, edit, duplicate, or remove address lists. You can also add addresses, address ranges, or address lists to existing address lists, as well as remove addresses or address ranges from existing address lists.

Furthermore, you can add an address list to a firewall by opening the firewall and dragging-and-dropping the address list onto the firewall from the Shared Objects panel.

You can define one or more reusable lists of addresses, and you can select one or more address lists to be included in a firewall rule.

  1. To add address lists, hover in the Address Lists banner and click the + icon. In the expanded panel, populate the property fields as required. All boxes outlined in gold are required. Click Tab to advance from field to field. When you are finished, click Add. Address lists are containers and must contain at least one address entry. You cannot create an empty address list.
  2. To edit address lists, hover over the address list name and then click the gear icon. Click Edit to lock the object. Edit the Address List Properties and the Addresses areas as required. Click Tab to advance from field to field. When finished, click Save.
  3. To duplicate address lists, hover over the address list that you want to duplicate. Click the gear icon. From the expanded Address Lists panel, click Clone. The system displays a copy of the address list with blank Name and Description property fields. Enter a unique name, (optional) description, and any other edits to the address list entries. When finished, click Save. The cloned address list is added to the existing list of address lists.
  4. To remove address lists, hover over the address list name that you want to remove and then click the gear icon. From the expanded Address Lists panel, click Remove. If the address list is being used by another address list, a policy, rule, or rule list, a popup screen appears informing you that you cannot remove shared objects that are in use. Click OK to acknowledge this message. If the shared object can be removed, a popup screen appears confirming the removal. Click OK to confirm.
  5. To add addresses or address ranges to an address list, hover over the address list name that you want to add to and then click the gear icon. Click Edit to lock the object. Then, click the + icon to the right of an address. A new row is added to the Addresses table. In this new row, you can select Address or Address Range from the drop-down list under the Type column.
  6. To add address lists to firewalls and rules (used in rule lists and policies), navigate to the firewall or rule and lock it for editing. If you are editing a firewall, be sure to select the Enforced tab so that Enforced Firewall Rules are visible. Then, expand the Address Lists panel, select the address list you want to add, and drag-and-drop it onto the firewall or rule.
  7. To remove addresses or address ranges, click the address list name that you want to remove from and then click the gear icon. Next, click the x icon to the right of the address, address range, or address list that you want to remove.

Address list properties

Property Description
Name Text field naming the address list.
Description Optional description of the address list.
Partition Informational, read-only field.
Type Address or address range.
Addresses IPv4 or IPv6 address. The format for an IPv4 address is a.b.c.d[/prefix].

For example: 60.63.10.10

The format for an IPv6 address is a:b:c:d:e:f:g:h[/prefix]. For example: 2001:db7:3f4a:9dd:ca90:ff00:42:8329

IPv6 abbreviated form is supported.

You can shorten IPv6 addresses by eliminating leading zeros from each field. For example, you can shorten 2001:0db7:3f4a:09dd:ca90:ff00:0042:8329 to 2001:db7:3f4a:9dd:ca90:ff00:42:8329.

You can also shorten IPv6 addresses by removing the longest contiguous field of zeros. For example, you can shorten 2001:0:0:0:c34a:0:23ff:678 to 2001::c34a:0:23ff:678. The Traffic Management Shell (tmsh) accepts any valid text representation of IPv6 addresses.

You can specify subnets using forward slash (/) notation; for example: 60.63.10.0/24. An example of an IPv6 subnet follows: 2001:db8:a::/64.

You can specify the route domain as well. For example: 255.255.255.0%/24

Description Optional text field used to describe the address or address range.

About port lists

Port lists are lists of ports or port ranges that can be referred to from firewall rules. Firewall rules refer to port lists to allow or deny access to specific ports in IP packets. They compare a packet's source port and/or destination port with the ports in a port list. If there is a match, the rule takes an action, such as accepting or dropping the packet.

Note: For port names that are longer than the display field, hover over the name to see the full name displayed in the tooltip.

Managing port lists

From the BIG-IQ Security GUI Shared Objects panel, you can add, edit, duplicate, or remove port lists. You can also as add ports, port ranges, or port lists to existing port lists, as well as remove ports, port ranges, or port lists from existing port lists.

Furthermore, you can add a port list to a firewall by opening the firewall and dragging-and-dropping the port list onto the firewall from the Shared Objects panel.

Note: You can define one or more reusable lists of ports, and you can select one or more port lists to be included in a firewall rule.
  1. To add port lists, hover in the Port Lists banner and click the + icon. In the expanded panel, populate Port List Properties and Ports as required. Click Tab to advance from field to field. When finished, click Add. Port lists are containers and must contain at least one port entry. You cannot create an empty port list.
  2. To edit port lists, hover over a port list name and click the gear icon. In the expanded panel, click Edit to lock the object. Edit Port List Properties and Ports as required. Click Tab to advance from field to field. When finished, click Save.
  3. To duplicate port lists, hover over the port list that you want to duplicate, and click the gear icon. In the expanded panel, click Clone. A copy of the port list appears with blank Name and Description fields. Enter a unique name, (optional) description, and any other edits. When finished, click Save. The cloned port list is added to the existing list of port lists in the Shared Objects panel.
  4. To remove port lists, hover over the port list name that you want to remove and then click the gear icon. From the expanded panel, click Remove. A popup screen appears asking you to confirm the removal. Click OK to confirm. If the port list is being used by another port list, a policy, rule, or rule list, an error message appears informing you that you cannot remove shared objects that are in use. Click Close to acknowledge this message and return to the confirmation popup screen. Click Cancel to close the popup screen.
  5. To add ports or port ranges to a port list, click the port list name that you want to add to and then click the gear icon. Click Edit to lock the object. Then, click the + icon to the right of a port. A new row is added to the Ports table. In this new row, you can select Port or Port Range from the drop-down list under the Type column.
  6. To remove ports or port ranges from a port list, click the port list name and then click the gear icon. Next, click the x icon to the right of the port or port range that you want to remove.
  7. To add port lists to firewalls and rules (used in rule lists and policies), navigate to the firewall or rule and lock it for editing. If you are editing a firewall, be sure to select the Enforced tab so that Enforced Firewall Rules are visible. Then, expand the Port Lists panel, select the port list you want to add, and drag-and-drop it onto the firewall or rule.

Port list properties

Property Description
Name Unique name used to identify the port list.
Description Optional description for the port list.
Partition Informational, read-only field.
Type Port or port range.
Ports Port or port range.
Description Optional description for the port list.

About schedules

Schedules are assigned to rules, rule lists, and policies to control when these shared objects are actively evaluated.

By default, all rules, rule lists, and policies are on a continuously active schedule. Schedules are continuously active if created without any scheduling specifics (such as the hour that the schedule starts). If you apply a schedule to a rule, rule list, or policy, you can reduce the time that the rule, rule list, or policy is active.

Managing schedules

From the BIG-IQ Security GUI Shared Objects panel, you can add, edit, duplicate, or remove schedules.

You can also add a schedule to a firewall, policy, or rule by opening the firewall (or policy or rule), locking it for edit, and dragging-and-dropping the schedule onto the rule's State column.

Note: You can define one or more reusable schedules, and you can select one or more schedules to be included in a firewall rule.
  1. To add schedules, hover in the Schedules banner and click the + icon. In the expanded panel, populate the property fields as required. Click Tab to advance from field to field. When you are finished, click Add.
  2. To edit schedules, hover over a schedule name and click the gear icon. From the expanded panel, click Edit to lock the object. Edit the Schedule Properties as required. Click Tab to advance from field to field. When finished, click Save.
  3. To duplicate schedules, hover over the schedule that you want to duplicate and when the gear icon appears, click it. From the expanded panel, click Clone. The system displays a copy of the schedule with a blank Name property field. Enter a unique name and any other edits to the fields. When finished, click Save. The cloned schedule is added to the existing list of schedules in the Shared Objects panel.
  4. To remove schedules, hover over the schedule name that you want to remove and when the gear icon appears, click it. From the expanded panel, click Remove. If the schedule is being used by a policy, rule, or rule list, a popup screen appears informing you that you cannot remove shared objects that are in use. Click OK to acknowledge this message. If the shared object can be removed, a popup screen appears confirming the removal. Click OK to confirm.
  5. To add schedules by drag-and-drop to firewalls, policies, and rules, navigate to the firewall (policy or rule) and lock it for editing. Be sure the Enforced Firewall Rules are visible. Then, expand the Schedules panel, select the schedule you want to add, and drag-and-drop it onto the State column in the rule. When finished, click Save.

Schedule properties

Property Description
Name Unique name used to identify the schedule.
Description Optional description for the schedule.
Partition Informational, read-only field displaying the name of the partition associated with the schedule.
Date Range
Note: Using the GUI to specify the start and end dates and times is the preferred method. However, if you do specify dates manually, use the format: YYYY-MM-DD HH:MM:SS.
 Click the first field to display a calendar popup screen and select a start date. Click the second field to display a calendar and select an end date. You can specify:
Start date and no end date
The equivalent on the BIG-IP system is After, which specifies that the schedule starts after the specified date and runs indefinitely. The schedule is activated starting on the selected date and runs until you change the start date or delete the schedule. Click in the field to choose a start date from a popup calendar. You can specified a start time in the same popup screen.
End date and no start date
The equivalent on the BIG-IP system is Until, which specifies that the schedule starts immediately and runs until a specified end date. The schedule is immediately activated and not disabled until the end date is reached. Click in the field to choose an end date from a popup calendar. You can specified an end time in the same popup screen.
Both a start date and an end date
The equivalent on the BIG-IP system is Between, which specifies that the schedule starts on the specified date and runs until the specified end date. Click in the fields to choose the start and end dates from a popup calendar. You can specified start and end times in the same popup screen.
Neither a start date nor an end date
The equivalent on the BIG-IP system is Indefinite, which specifies that the schedule starts immediately and runs indefinitely. The schedule remains active until you change the date range or delete the schedule.
Time Span Time is specified in military time format: HH:MM. You can specify time manually or click in the fields and use the Choose Time popup screen. Click the first time span field and use the sliders to specify a start time in the popup screen.

Click the second time span field and use the sliders to specify an end time in the popup screen.

If you leave these fields blank, the schedule runs all day, which is the default on the BIG-IQ Security system and on BIG-IP devices. (This option is explicitly called All Day on BIG-IP devices.)
Day Select check boxes for all days that apply. You must select at least one day per week.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information