Security::FirewallGlobalRuleList¶
Introduced : BIG-IP_v11.3.0
The FirewallGlobalRuleList interface enables you to add rules to the
global firewall rule list and modify the rules. You can use this
interface to configure network firewall rules that are applied to all
traffic except the management interface. IP and ICMP packets are
compared to the criteria specified in the rules. If a packet matches
the criteria then the system will take the action specified by the
rule. If a packet does not match a rule then the packet will be
compared against the next rule. If a packet does not match a global
rule, depending on the packet content, the packet will either be
accepted or passed to the next set of rules (example: the packet will
be compared to Networking self IP rules if the packet is destined for
a network associated with a self IP that has firewall rules defined).
Rules are evaluated in the order in which they are specified. You can
also set enforced and/or staged firewall policy with the
FirewallGlobalRuleList interface. The enforced policy&aposs rules are
enforced as if the same rules were defined as inline rules under
FirewallGlobalRuleList interface. The staged policy&aposs rules
provide the visibility only of what would happen if they were enforced
while they are actually not enforced. Note that the source and
destination addresses in the firewall methods (get_fw_rule and so on)
are type Common::NetAddress, a type which allows one to specify a
prefix length after the address, e.g., “10.1.1.0/24”.
Methods¶
Method | Description | Introduced |
add_fw_rule | Adds firewall rules to the global firewall rule list. Note that the abilities to add more than one rule or, especially, to add partial rules and to build them up introduce a need for best practices: (1) introduce the rule or rules initially disabled (using the states parameter) and enable them (or set them as scheduled) as a whole when you have them complete or (2) use transactions (see System::Session::start_transaction) to avoid accidentally putting partial rules or incomplete rule sets into place. | BIG-IP_v11.3.0 |
add_fw_rule_destination_address | This method has been deprecated. Please use add_fw_rule_destination_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Adds (inlined) destination addresses to the specified firewall rules. | BIG-IP_v11.3.0 |
add_fw_rule_destination_address_list | Adds destination address lists to the specified firewall rules. See the Security::FirewallAddressList interface for more information on address lists. | BIG-IP_v11.3.0 |
add_fw_rule_destination_address_range | Adds a list of (inlined) destination address ranges for the specified firewall rules. | BIG-IP_v11.5.0 |
add_fw_rule_destination_geo | Adds (inlined) destination geo locations to the specified firewall rules. | BIG-IP_v11.5.0 |
add_fw_rule_destination_port | Adds (inlined) destination ports to the specified firewall rules. | BIG-IP_v11.3.0 |
add_fw_rule_destination_port_list | Adds destination port lists to the specified firewall rules. See the Security::FirewallPortList interface for more information on port lists. | BIG-IP_v11.3.0 |
add_fw_rule_icmp_typecode | Adds (inlined) ICMP type/code values to the specified firewall rules. | BIG-IP_v11.3.0 |
add_fw_rule_source_address | This method has been deprecated. Please use add_fw_rule_source_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Adds (inlined) source addresses to the specified firewall rules. | BIG-IP_v11.3.0 |
add_fw_rule_source_address_list | Adds source address lists to the specified firewall rules. See the Security::FirewallAddressList interface for more information on address lists. | BIG-IP_v11.3.0 |
add_fw_rule_source_address_range | Adds a list of (inlined) source address ranges for the specified firewall rules. | BIG-IP_v11.5.0 |
add_fw_rule_source_geo | Adds (inlined) source geo locations to the specified firewall rules. | BIG-IP_v11.5.0 |
add_fw_rule_source_port | Adds (inlined) source ports to the specified firewall rules. | BIG-IP_v11.3.0 |
add_fw_rule_source_port_list | Adds source port lists to the specified firewall rules. See the Security::FirewallPortList interface for more information on port lists. | BIG-IP_v11.3.0 |
add_fw_rule_source_vlan | Adds source VLANs to the specified firewall rules. | BIG-IP_v11.3.0 |
add_fw_rule_with_rule_list | Adds firewall rules to the global firewall rule list, having each of those point to a rule list. This method is intended as a convenience to prevent you from having to add firewall rules as a transaction. See the Security::FirewallRuleList interface for more information on rule lists. | BIG-IP_v11.3.0 |
get_all_fw_rule_statistics | Gets the statistics for all firewall rules. | BIG-IP_v11.4.0 |
get_description | Gets the descriptions for the global firewall rule list. | BIG-IP_v11.3.0 |
get_enforced_firewall_policy | Gets the globally enforced firewall policy. | BIG-IP_v11.4.0 |
get_fw_rule | Gets the firewall rules for the global firewall rule list. | BIG-IP_v11.3.0 |
get_fw_rule_action | Gets the action for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_description | Gets the descriptions for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_destination_address | This method has been deprecated. Please use get_fw_rule_destination_address_range instead. Firewall addresses are now supplied and stored in the form of an address range. Single addresses are converted to a corresponding one-element range where begin is equal to end; for each range, this method returns the start of the address range. Gets (inlined) destination addresses for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_destination_address_description | This method has been deprecated. Please use get_fw_rule_destination_address_range_description instead. Gets the descriptions for the specified firewall rules&apos destination addresses. | BIG-IP_v11.3.0 |
get_fw_rule_destination_address_list | Gets destination address lists for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_destination_address_range | Gets (inlined) destination address ranges for the specified firewall rules. | BIG-IP_v11.5.0 |
get_fw_rule_destination_address_range_description | Gets the descriptions for the specified firewall rule destination address ranges. | BIG-IP_v11.5.0 |
get_fw_rule_destination_geo | Gets (inlined) destination geo locations for the specified firewall rules. The geo location is a combination of country code and state name. The country code is two characters long. The state name is the full name of a state that belongs to the country represented by country code. | BIG-IP_v11.5.0 |
get_fw_rule_destination_geo_description | Gets the descriptions for the specified firewall rules&apos destination geo locations. | BIG-IP_v11.5.0 |
get_fw_rule_destination_port | Gets (inlined) destination ports for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_destination_port_description | Gets the descriptions for the specified firewall rules&apos (inlined) destination ports. | BIG-IP_v11.3.0 |
get_fw_rule_destination_port_list | Gets destination port lists for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_icmp_typecode | Gets (inlined) ICMP type/code values for the specified firewall rules. A value of 255 for either ICMP type or code is a wildcard value. | BIG-IP_v11.3.0 |
get_fw_rule_icmp_typecode_description | Gets the descriptions for the specified firewall rules&apos (inlined) ICMP type/code values. | BIG-IP_v11.3.0 |
get_fw_rule_irule | Gets the iRules for the specified firewall rules. | BIG-IP_v11.5.0 |
get_fw_rule_log_state | Gets the logging property for the specified firewall rules. | BIG-IP_v11.4.0 |
get_fw_rule_order | Gets the order (numerically) for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_protocol | Gets the (IP) protocol for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_protocol_numeric | Gets the IP protocol (numerically) for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_rule_list | Gets the rule list for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_source_address | This method has been deprecated. Please use get_fw_rule_source_address_range instead. Firewall addresses are now supplied and stored in the form of an address range. Single addresses are converted to a corresponding one-element range where begin is equal to end; for each range, this method returns the start of the address range. Gets (inlined) source addresses for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_source_address_description | This method has been deprecated. Please use get_fw_rule_source_address_range_description instead. Gets the descriptions for the specified firewall rules&apos source addresses. | BIG-IP_v11.3.0 |
get_fw_rule_source_address_list | Gets source address lists for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_source_address_range | Gets (inlined) source address ranges for the specified firewall rules. | BIG-IP_v11.5.0 |
get_fw_rule_source_address_range_description | Gets the descriptions for the specified firewall rule source address ranges. | BIG-IP_v11.5.0 |
get_fw_rule_source_geo | Gets (inlined) source geo locations for the specified firewall rules. The geo location is a combination of country code and state name. The country code is two characters long. The state name is the full name of a state that belongs to the country represented by country code. | BIG-IP_v11.5.0 |
get_fw_rule_source_geo_description | Gets the descriptions for the specified firewall rules&apos source geo locations. | BIG-IP_v11.5.0 |
get_fw_rule_source_port | Gets (inlined) source ports for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_source_port_description | Gets the descriptions for the specified firewall rules&apos (inlined) source ports. | BIG-IP_v11.3.0 |
get_fw_rule_source_port_list | Gets source port lists for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_source_vlan | Gets source VLANs for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_state | Gets the state for the specified firewall rules. | BIG-IP_v11.3.0 |
get_fw_rule_statistics | Gets the statistics for the specified firewall rules. | BIG-IP_v11.4.0 |
get_fw_rule_weekly_schedule | Gets a weekly schedule for the specified firewall rules. | BIG-IP_v11.3.0 |
get_staged_firewall_policy | Gets the globally staged firewall policy. | BIG-IP_v11.4.0 |
get_version | Gets the version information for this interface. | BIG-IP_v11.3.0 |
remove_all_fw_rule_destination_address_lists | Removes all destination address lists from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_destination_address_ranges | Removes all (inlined) destination address ranges from the specified firewall rules. | BIG-IP_v11.5.0 |
remove_all_fw_rule_destination_addresses | This method has been deprecated. Please use remove_all_fw_rule_destination_address_ranges instead. Removes all (inlined) destination addresses from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_destination_geos | Removes all (inlined) destination geo locations from the specified firewall rules. | BIG-IP_v11.5.0 |
remove_all_fw_rule_destination_port_lists | Removes all destination port lists from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_destination_ports | Removes all (inlined) destination ports from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_icmp_typecodes | Removes all (inlined) ICMP type/code values from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_source_address_lists | Removes all source address lists from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_source_address_ranges | Removes all (inlined) source address ranges from the specified firewall rules. | BIG-IP_v11.5.0 |
remove_all_fw_rule_source_addresses | This method has been deprecated. Please use remove_all_fw_rule_source_address_ranges instead. Removes all (inlined) source addresses from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_source_geos | Removes all (inlined) source geo locations from the specified firewall rules. | BIG-IP_v11.5.0 |
remove_all_fw_rule_source_port_lists | Removes all source port lists from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_source_ports | Removes all (inlined) source ports from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rule_source_vlans | Removes all source VLANs from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_all_fw_rules | Removes all firewall rules from the global firewall rule list. | BIG-IP_v11.3.0 |
remove_fw_rule | Removes firewall rules from the global firewall rule list. | BIG-IP_v11.3.0 |
remove_fw_rule_destination_address | This method has been deprecated. Please use remove_fw_rule_destination_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Removes (inlined) destination addresses from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_destination_address_list | Removes destination address lists from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_destination_address_range | Removes a list of (inlined) destination address ranges from the specified firewall rules. | BIG-IP_v11.5.0 |
remove_fw_rule_destination_geo | Removes (inlined) destination geo locations from the specified firewall rules. | BIG-IP_v11.5.0 |
remove_fw_rule_destination_port | Removes (inlined) destination ports from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_destination_port_list | Removes destination port lists from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_icmp_typecode | Removes (inlined) ICMP type/code values from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_source_address | This method has been deprecated. Please use remove_fw_rule_source_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Removes (inlined) source addresses from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_source_address_list | Removes source address lists from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_source_address_range | Removes a list of (inlined) source address ranges from the specified firewall rules. | BIG-IP_v11.5.0 |
remove_fw_rule_source_geo | Removes (inlined) source geo locations from the specified firewall rules. | BIG-IP_v11.5.0 |
remove_fw_rule_source_port | Removes (inlined) source ports from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_source_port_list | Removes source port lists from the specified firewall rules. | BIG-IP_v11.3.0 |
remove_fw_rule_source_vlan | Removes source VLANs from the specified firewall rules. | BIG-IP_v11.3.0 |
reset_fw_rule_statistics | Resets the statistics for the specified firewall rules. | BIG-IP_v11.4.0 |
set_description | Sets the description for the global firewall rule list. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.3.0 |
set_enforced_firewall_policy | Sets the globally enforced firewall policy. The policy to be enforced globally. The enforced policy&aposs rules are enforced as if the same rules were defined as inline rules. The empty string means no enforced policy. The enforced firewall policy is mutually exclusive with inline rules. | BIG-IP_v11.4.0 |
set_fw_rule_action | Sets the action for the specified firewall rules. | BIG-IP_v11.3.0 |
set_fw_rule_description | Sets the description for the specified firewall rules. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.3.0 |
set_fw_rule_destination_address_description | This method has been deprecated. Please use set_fw_rule_destination_address_range_description instead. Sets the description for the specified firewall rules&apos destination addresses. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.3.0 |
set_fw_rule_destination_address_range_description | Sets the descriptions for the specified firewall rule destination address ranges. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.5.0 |
set_fw_rule_destination_geo_description | Sets the description for the specified firewall rules&apos destination geo locations. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.5.0 |
set_fw_rule_destination_port_description | Sets the description for the specified firewall rules&apos (inlined) destination ports. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.3.0 |
set_fw_rule_icmp_typecode_description | Sets the description for the specified firewall rules&apos (inlined) ICMP type/code values. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.3.0 |
set_fw_rule_irule | Sets the iRules for the specified firewall rules. Specify the iRule as an action when the traffic matches the filter criteria. | BIG-IP_v11.5.0 |
set_fw_rule_log_state | Sets the logging property for the specified firewall rules. Specifies whether the security software should write a log entry for all packets that match this rule. You must also enable network filter logging in the “security log profile” component for this option to have any effect. Note that the security software always increments the statistics counter when a packet matches a rule, no matter how you set this option. | BIG-IP_v11.4.0 |
set_fw_rule_order | Sets the order (numerically) for the specified firewall rules. Two rules can&apost have the same order, so one must manage order carefully if using numeric order to arrange firewall rules. See add_fw_rule for more information. | BIG-IP_v11.3.0 |
set_fw_rule_protocol | Sets the (IP) protocol for the specified firewall rules. Note: if the protocol is not one of the supported standard protocols, use set_fw_rule_protocol_numeric. | BIG-IP_v11.3.0 |
set_fw_rule_protocol_numeric | Sets the IP protocol (numerically) for the specified firewall rules. | BIG-IP_v11.3.0 |
set_fw_rule_rule_list | Sets the rule list for the specified firewall rules. If a list is specified then the system will validate that no other properties were specified in the current transaction, and will clear all other match criteria fields (src, dst, ip protocol, et cetera). The empty string means no rule list. | BIG-IP_v11.3.0 |
set_fw_rule_source_address_description | This method has been deprecated. Please use set_fw_rule_source_address_range_description instead. Sets the description for the specified firewall rules&apos source addresses. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.3.0 |
set_fw_rule_source_address_range_description | Sets the descriptions for the specified firewall rule source address ranges. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.5.0 |
set_fw_rule_source_geo_description | Sets the description for the specified firewall rules&apos source geo locations. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.5.0 |
set_fw_rule_source_port_description | Sets the description for the specified firewall rules&apos (inlined) source ports. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.3.0 |
set_fw_rule_state | Sets the state for the specified firewall rules. You can add a rule as enabled or disabled initially, build it up, then enable it. You can temporarily disable a rule with no other effect on it, so that it can be enabled easily later without having to rebuild it. You can use the state of FW_RULE_STATE_SCHEDULED to enable scheduling for the rule. See add_fw_rule for more information. | BIG-IP_v11.3.0 |
set_fw_rule_weekly_schedule | Sets a weekly schedule for the specified firewall rules. See Security::FirewallWeeklySchedule for how to create and manipulate weekly schedules. | BIG-IP_v11.3.0 |
set_staged_firewall_policy | Sets the globally staged firewall policy. The policy to be staged globally. The staged policy&aposs rules provide the visibility only (statistics, logging events and network reports) of what would happen if the rules were enforced. They are actually not enforced. The empty string means no enforced policy. | BIG-IP_v11.4.0 |
See Also¶
iControl ::
Warning
The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.
Sample Code¶
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.