Security::FirewallGlobalRuleList

Introduced : BIG-IP_v11.3.0
The FirewallGlobalRuleList interface enables you to add rules to the global firewall rule list and modify the rules. You can use this interface to configure network firewall rules that are applied to all traffic except the management interface. IP and ICMP packets are compared to the criteria specified in the rules. If a packet matches the criteria then the system will take the action specified by the rule. If a packet does not match a rule then the packet will be compared against the next rule. If a packet does not match a global rule, depending on the packet content, the packet will either be accepted or passed to the next set of rules (example: the packet will be compared to Networking self IP rules if the packet is destined for a network associated with a self IP that has firewall rules defined). Rules are evaluated in the order in which they are specified. You can also set enforced and/or staged firewall policy with the FirewallGlobalRuleList interface. The enforced policy&aposs rules are enforced as if the same rules were defined as inline rules under FirewallGlobalRuleList interface. The staged policy&aposs rules provide the visibility only of what would happen if they were enforced while they are actually not enforced. Note that the source and destination addresses in the firewall methods (get_fw_rule and so on) are type Common::NetAddress, a type which allows one to specify a prefix length after the address, e.g., “10.1.1.0/24”.

Methods

Method Description Introduced
add_fw_rule Adds firewall rules to the global firewall rule list. Note that the abilities to add more than one rule or, especially, to add partial rules and to build them up introduce a need for best practices: (1) introduce the rule or rules initially disabled (using the states parameter) and enable them (or set them as scheduled) as a whole when you have them complete or (2) use transactions (see System::Session::start_transaction) to avoid accidentally putting partial rules or incomplete rule sets into place. BIG-IP_v11.3.0
add_fw_rule_destination_address This method has been deprecated. Please use add_fw_rule_destination_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Adds (inlined) destination addresses to the specified firewall rules. BIG-IP_v11.3.0
add_fw_rule_destination_address_list Adds destination address lists to the specified firewall rules. See the Security::FirewallAddressList interface for more information on address lists. BIG-IP_v11.3.0
add_fw_rule_destination_address_range Adds a list of (inlined) destination address ranges for the specified firewall rules. BIG-IP_v11.5.0
add_fw_rule_destination_geo Adds (inlined) destination geo locations to the specified firewall rules. BIG-IP_v11.5.0
add_fw_rule_destination_port Adds (inlined) destination ports to the specified firewall rules. BIG-IP_v11.3.0
add_fw_rule_destination_port_list Adds destination port lists to the specified firewall rules. See the Security::FirewallPortList interface for more information on port lists. BIG-IP_v11.3.0
add_fw_rule_icmp_typecode Adds (inlined) ICMP type/code values to the specified firewall rules. BIG-IP_v11.3.0
add_fw_rule_source_address This method has been deprecated. Please use add_fw_rule_source_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Adds (inlined) source addresses to the specified firewall rules. BIG-IP_v11.3.0
add_fw_rule_source_address_list Adds source address lists to the specified firewall rules. See the Security::FirewallAddressList interface for more information on address lists. BIG-IP_v11.3.0
add_fw_rule_source_address_range Adds a list of (inlined) source address ranges for the specified firewall rules. BIG-IP_v11.5.0
add_fw_rule_source_geo Adds (inlined) source geo locations to the specified firewall rules. BIG-IP_v11.5.0
add_fw_rule_source_port Adds (inlined) source ports to the specified firewall rules. BIG-IP_v11.3.0
add_fw_rule_source_port_list Adds source port lists to the specified firewall rules. See the Security::FirewallPortList interface for more information on port lists. BIG-IP_v11.3.0
add_fw_rule_source_vlan Adds source VLANs to the specified firewall rules. BIG-IP_v11.3.0
add_fw_rule_with_rule_list Adds firewall rules to the global firewall rule list, having each of those point to a rule list. This method is intended as a convenience to prevent you from having to add firewall rules as a transaction. See the Security::FirewallRuleList interface for more information on rule lists. BIG-IP_v11.3.0
get_all_fw_rule_statistics Gets the statistics for all firewall rules. BIG-IP_v11.4.0
get_description Gets the descriptions for the global firewall rule list. BIG-IP_v11.3.0
get_enforced_firewall_policy Gets the globally enforced firewall policy. BIG-IP_v11.4.0
get_fw_rule Gets the firewall rules for the global firewall rule list. BIG-IP_v11.3.0
get_fw_rule_action Gets the action for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_description Gets the descriptions for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_destination_address This method has been deprecated. Please use get_fw_rule_destination_address_range instead. Firewall addresses are now supplied and stored in the form of an address range. Single addresses are converted to a corresponding one-element range where begin is equal to end; for each range, this method returns the start of the address range. Gets (inlined) destination addresses for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_destination_address_description This method has been deprecated. Please use get_fw_rule_destination_address_range_description instead. Gets the descriptions for the specified firewall rules&apos destination addresses. BIG-IP_v11.3.0
get_fw_rule_destination_address_list Gets destination address lists for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_destination_address_range Gets (inlined) destination address ranges for the specified firewall rules. BIG-IP_v11.5.0
get_fw_rule_destination_address_range_description Gets the descriptions for the specified firewall rule destination address ranges. BIG-IP_v11.5.0
get_fw_rule_destination_geo Gets (inlined) destination geo locations for the specified firewall rules. The geo location is a combination of country code and state name. The country code is two characters long. The state name is the full name of a state that belongs to the country represented by country code. BIG-IP_v11.5.0
get_fw_rule_destination_geo_description Gets the descriptions for the specified firewall rules&apos destination geo locations. BIG-IP_v11.5.0
get_fw_rule_destination_port Gets (inlined) destination ports for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_destination_port_description Gets the descriptions for the specified firewall rules&apos (inlined) destination ports. BIG-IP_v11.3.0
get_fw_rule_destination_port_list Gets destination port lists for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_icmp_typecode Gets (inlined) ICMP type/code values for the specified firewall rules. A value of 255 for either ICMP type or code is a wildcard value. BIG-IP_v11.3.0
get_fw_rule_icmp_typecode_description Gets the descriptions for the specified firewall rules&apos (inlined) ICMP type/code values. BIG-IP_v11.3.0
get_fw_rule_irule Gets the iRules for the specified firewall rules. BIG-IP_v11.5.0
get_fw_rule_log_state Gets the logging property for the specified firewall rules. BIG-IP_v11.4.0
get_fw_rule_order Gets the order (numerically) for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_protocol Gets the (IP) protocol for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_protocol_numeric Gets the IP protocol (numerically) for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_rule_list Gets the rule list for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_source_address This method has been deprecated. Please use get_fw_rule_source_address_range instead. Firewall addresses are now supplied and stored in the form of an address range. Single addresses are converted to a corresponding one-element range where begin is equal to end; for each range, this method returns the start of the address range. Gets (inlined) source addresses for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_source_address_description This method has been deprecated. Please use get_fw_rule_source_address_range_description instead. Gets the descriptions for the specified firewall rules&apos source addresses. BIG-IP_v11.3.0
get_fw_rule_source_address_list Gets source address lists for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_source_address_range Gets (inlined) source address ranges for the specified firewall rules. BIG-IP_v11.5.0
get_fw_rule_source_address_range_description Gets the descriptions for the specified firewall rule source address ranges. BIG-IP_v11.5.0
get_fw_rule_source_geo Gets (inlined) source geo locations for the specified firewall rules. The geo location is a combination of country code and state name. The country code is two characters long. The state name is the full name of a state that belongs to the country represented by country code. BIG-IP_v11.5.0
get_fw_rule_source_geo_description Gets the descriptions for the specified firewall rules&apos source geo locations. BIG-IP_v11.5.0
get_fw_rule_source_port Gets (inlined) source ports for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_source_port_description Gets the descriptions for the specified firewall rules&apos (inlined) source ports. BIG-IP_v11.3.0
get_fw_rule_source_port_list Gets source port lists for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_source_vlan Gets source VLANs for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_state Gets the state for the specified firewall rules. BIG-IP_v11.3.0
get_fw_rule_statistics Gets the statistics for the specified firewall rules. BIG-IP_v11.4.0
get_fw_rule_weekly_schedule Gets a weekly schedule for the specified firewall rules. BIG-IP_v11.3.0
get_staged_firewall_policy Gets the globally staged firewall policy. BIG-IP_v11.4.0
get_version Gets the version information for this interface. BIG-IP_v11.3.0
remove_all_fw_rule_destination_address_lists Removes all destination address lists from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_destination_address_ranges Removes all (inlined) destination address ranges from the specified firewall rules. BIG-IP_v11.5.0
remove_all_fw_rule_destination_addresses This method has been deprecated. Please use remove_all_fw_rule_destination_address_ranges instead. Removes all (inlined) destination addresses from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_destination_geos Removes all (inlined) destination geo locations from the specified firewall rules. BIG-IP_v11.5.0
remove_all_fw_rule_destination_port_lists Removes all destination port lists from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_destination_ports Removes all (inlined) destination ports from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_icmp_typecodes Removes all (inlined) ICMP type/code values from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_source_address_lists Removes all source address lists from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_source_address_ranges Removes all (inlined) source address ranges from the specified firewall rules. BIG-IP_v11.5.0
remove_all_fw_rule_source_addresses This method has been deprecated. Please use remove_all_fw_rule_source_address_ranges instead. Removes all (inlined) source addresses from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_source_geos Removes all (inlined) source geo locations from the specified firewall rules. BIG-IP_v11.5.0
remove_all_fw_rule_source_port_lists Removes all source port lists from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_source_ports Removes all (inlined) source ports from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rule_source_vlans Removes all source VLANs from the specified firewall rules. BIG-IP_v11.3.0
remove_all_fw_rules Removes all firewall rules from the global firewall rule list. BIG-IP_v11.3.0
remove_fw_rule Removes firewall rules from the global firewall rule list. BIG-IP_v11.3.0
remove_fw_rule_destination_address This method has been deprecated. Please use remove_fw_rule_destination_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Removes (inlined) destination addresses from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_destination_address_list Removes destination address lists from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_destination_address_range Removes a list of (inlined) destination address ranges from the specified firewall rules. BIG-IP_v11.5.0
remove_fw_rule_destination_geo Removes (inlined) destination geo locations from the specified firewall rules. BIG-IP_v11.5.0
remove_fw_rule_destination_port Removes (inlined) destination ports from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_destination_port_list Removes destination port lists from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_icmp_typecode Removes (inlined) ICMP type/code values from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_source_address This method has been deprecated. Please use remove_fw_rule_source_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Removes (inlined) source addresses from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_source_address_list Removes source address lists from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_source_address_range Removes a list of (inlined) source address ranges from the specified firewall rules. BIG-IP_v11.5.0
remove_fw_rule_source_geo Removes (inlined) source geo locations from the specified firewall rules. BIG-IP_v11.5.0
remove_fw_rule_source_port Removes (inlined) source ports from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_source_port_list Removes source port lists from the specified firewall rules. BIG-IP_v11.3.0
remove_fw_rule_source_vlan Removes source VLANs from the specified firewall rules. BIG-IP_v11.3.0
reset_fw_rule_statistics Resets the statistics for the specified firewall rules. BIG-IP_v11.4.0
set_description Sets the description for the global firewall rule list. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.3.0
set_enforced_firewall_policy Sets the globally enforced firewall policy. The policy to be enforced globally. The enforced policy&aposs rules are enforced as if the same rules were defined as inline rules. The empty string means no enforced policy. The enforced firewall policy is mutually exclusive with inline rules. BIG-IP_v11.4.0
set_fw_rule_action Sets the action for the specified firewall rules. BIG-IP_v11.3.0
set_fw_rule_description Sets the description for the specified firewall rules. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.3.0
set_fw_rule_destination_address_description This method has been deprecated. Please use set_fw_rule_destination_address_range_description instead. Sets the description for the specified firewall rules&apos destination addresses. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.3.0
set_fw_rule_destination_address_range_description Sets the descriptions for the specified firewall rule destination address ranges. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.5.0
set_fw_rule_destination_geo_description Sets the description for the specified firewall rules&apos destination geo locations. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.5.0
set_fw_rule_destination_port_description Sets the description for the specified firewall rules&apos (inlined) destination ports. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.3.0
set_fw_rule_icmp_typecode_description Sets the description for the specified firewall rules&apos (inlined) ICMP type/code values. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.3.0
set_fw_rule_irule Sets the iRules for the specified firewall rules. Specify the iRule as an action when the traffic matches the filter criteria. BIG-IP_v11.5.0
set_fw_rule_log_state Sets the logging property for the specified firewall rules. Specifies whether the security software should write a log entry for all packets that match this rule. You must also enable network filter logging in the “security log profile” component for this option to have any effect. Note that the security software always increments the statistics counter when a packet matches a rule, no matter how you set this option. BIG-IP_v11.4.0
set_fw_rule_order Sets the order (numerically) for the specified firewall rules. Two rules can&apost have the same order, so one must manage order carefully if using numeric order to arrange firewall rules. See add_fw_rule for more information. BIG-IP_v11.3.0
set_fw_rule_protocol Sets the (IP) protocol for the specified firewall rules. Note: if the protocol is not one of the supported standard protocols, use set_fw_rule_protocol_numeric. BIG-IP_v11.3.0
set_fw_rule_protocol_numeric Sets the IP protocol (numerically) for the specified firewall rules. BIG-IP_v11.3.0
set_fw_rule_rule_list Sets the rule list for the specified firewall rules. If a list is specified then the system will validate that no other properties were specified in the current transaction, and will clear all other match criteria fields (src, dst, ip protocol, et cetera). The empty string means no rule list. BIG-IP_v11.3.0
set_fw_rule_source_address_description This method has been deprecated. Please use set_fw_rule_source_address_range_description instead. Sets the description for the specified firewall rules&apos source addresses. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.3.0
set_fw_rule_source_address_range_description Sets the descriptions for the specified firewall rule source address ranges. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.5.0
set_fw_rule_source_geo_description Sets the description for the specified firewall rules&apos source geo locations. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.5.0
set_fw_rule_source_port_description Sets the description for the specified firewall rules&apos (inlined) source ports. This is an arbitrary field which can be used for any purpose. BIG-IP_v11.3.0
set_fw_rule_state Sets the state for the specified firewall rules. You can add a rule as enabled or disabled initially, build it up, then enable it. You can temporarily disable a rule with no other effect on it, so that it can be enabled easily later without having to rebuild it. You can use the state of FW_RULE_STATE_SCHEDULED to enable scheduling for the rule. See add_fw_rule for more information. BIG-IP_v11.3.0
set_fw_rule_weekly_schedule Sets a weekly schedule for the specified firewall rules. See Security::FirewallWeeklySchedule for how to create and manipulate weekly schedules. BIG-IP_v11.3.0
set_staged_firewall_policy Sets the globally staged firewall policy. The policy to be staged globally. The staged policy&aposs rules provide the visibility only (statistics, logging events and network reports) of what would happen if the rules were enforced. They are actually not enforced. The empty string means no enforced policy. BIG-IP_v11.4.0

Structures

Structure Description

Enumerations

Enumeration Description

Exceptions

Exception Description

Constants

Constant Type Value Description

Aliases

Alias Type Description

See Also

Warning

The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.

Sample Code


The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.