Security::FirewallPolicy¶
Introduced : BIG-IP_v11.4.0
The FirewallPolicy interface enables you to create and modify a
firewall policy which can be further assigned to firewalled objects.
You can use this interface to configure network firewall rules that
are applied to the traffic passing through corresponding network
objects to which this policy is applied. IP and ICMP packets are
compared to the criteria specified in the rules. If a packet matches
the criteria then the system will take the action specified by the
rule. If a packet does not match a rule then the packet will be
compared against the next rule. Rules are evaluated in the order in
which they are specified. A firewall policy can be assigned to a
firewalled object as enforced or staged. When the policy assigned as
enforced its rules behave the same way as if were added directly under
the firewalled object. When the policy assigned as staged, none of its
rules are enforced but the visibility aspects (statistics, logging
events and network reports) are updated as if the rules were enforced.
The latter are important for you to understand what would happen if
you started enforcing the currently staged policies. Note that the
source and destination addresses in the firewall methods (get_fw_rule
and so on) are type Common::NetAddress, a type which allows one to
specify a prefix length after the address, e.g., “10.1.1.0/24”.
Methods¶
| Method | Description | Introduced |
| add_fw_rule | Adds firewall rules to the specified firewall policies. Note that the abilities to add more than one rule or, especially, to add partial rules and to build them up introduce a need for best practices: (1) introduce the rule or rules initially disabled (using the states parameter) and enable them (or set them as scheduled) as a whole when you have them complete or (2) use transactions (see System::Session::start_transaction) to avoid accidentally putting partial rules or incomplete rule sets into place. | BIG-IP_v11.4.0 |
| add_fw_rule_destination_address | This method has been deprecated. Please use add_fw_rule_destination_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Adds (inlined) destination addresses to the specified firewall rules. | BIG-IP_v11.4.0 |
| add_fw_rule_destination_address_list | Adds destination address lists to the specified firewall rules. See the Security::FirewallAddressList interface for more information on address lists. | BIG-IP_v11.4.0 |
| add_fw_rule_destination_address_range | Adds a list of (inlined) destination address ranges for the specified firewall rules. | BIG-IP_v11.5.0 |
| add_fw_rule_destination_geo | Adds (inlined) destination geo locations to the specified firewall rules. | BIG-IP_v11.5.0 |
| add_fw_rule_destination_port | Adds (inlined) destination ports to the specified firewall rules. | BIG-IP_v11.4.0 |
| add_fw_rule_destination_port_list | Adds destination port lists to the specified firewall rules. See the Security::FirewallPortList interface for more information on port lists. | BIG-IP_v11.4.0 |
| add_fw_rule_icmp_typecode | Adds (inlined) ICMP type/code values to the specified firewall rules. | BIG-IP_v11.4.0 |
| add_fw_rule_source_address | This method has been deprecated. Please use add_fw_rule_source_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Adds (inlined) source addresses to the specified firewall rules. | BIG-IP_v11.4.0 |
| add_fw_rule_source_address_list | Adds source address lists to the specified firewall rules. See the Security::FirewallAddressList interface for more information on address lists. | BIG-IP_v11.4.0 |
| add_fw_rule_source_address_range | Adds a list of (inlined) source address ranges for the specified firewall rules. | BIG-IP_v11.5.0 |
| add_fw_rule_source_geo | Adds (inlined) source geo locations to the specified firewall rules. | BIG-IP_v11.5.0 |
| add_fw_rule_source_port | Adds (inlined) source ports to the specified firewall rules. | BIG-IP_v11.4.0 |
| add_fw_rule_source_port_list | Adds source port lists to the specified firewall rules. See the Security::FirewallPortList interface for more information on port lists. | BIG-IP_v11.4.0 |
| add_fw_rule_source_vlan | Adds source VLANs to the specified firewall rules. | BIG-IP_v11.4.0 |
| add_fw_rule_with_rule_list | Adds firewall rules to the specified firewall policies, having each of those rules point at a rule list. This method is intended as a convenience to prevent you from having to add firewall rules as a transaction. See the Security::FirewallRuleList interface for more information on rule lists. | BIG-IP_v11.4.0 |
| create | Creates the specified firewall policies. | BIG-IP_v11.4.0 |
| create_from_policy | Creates the specified firewall policies from the existing policies. The rules of the existing policies are replicated under the newly created policies. | BIG-IP_v11.4.0 |
| delete_all_firewall_policies | Deletes all firewall policies. | BIG-IP_v11.4.0 |
| delete_firewall_policy | Deletes the specified firewall policies. | BIG-IP_v11.4.0 |
| get_all_fw_rule_statistics | Gets the statistics for all firewall rules on the specified firewall policies. | BIG-IP_v11.4.0 |
| get_description | Gets the descriptions for a set of firewall policies. | BIG-IP_v11.4.0 |
| get_fw_rule | Gets the firewall rules for the specified firewall policies. | BIG-IP_v11.4.0 |
| get_fw_rule_action | Gets the action for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_description | Gets the descriptions for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_destination_address | This method has been deprecated. Please use get_fw_rule_destination_address_range instead. Firewall addresses are now supplied and stored in the form of an address range. Single addresses are converted to a corresponding one-element range where begin is equal to end; for each range, this method returns the start of the address range. Gets (inlined) destination addresses for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_destination_address_description | This method has been deprecated. Please use get_fw_rule_destination_address_range_description instead. Gets the descriptions for the specified firewall rules&apos destination addresses. | BIG-IP_v11.4.0 |
| get_fw_rule_destination_address_list | Gets destination address lists for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_destination_address_range | Gets (inlined) destination address ranges for the specified firewall rules. | BIG-IP_v11.5.0 |
| get_fw_rule_destination_address_range_description | Gets the descriptions for the specified firewall rule destination address ranges. | BIG-IP_v11.5.0 |
| get_fw_rule_destination_geo | Gets (inlined) destination geo locations for the specified firewall rules. The geo location is a combination of country code and state name. The country code is two characters long. The state name is the full name of a state that belongs to the country represented by country code. | BIG-IP_v11.5.0 |
| get_fw_rule_destination_geo_description | Gets the descriptions for the specified firewall rules&apos destination geo locations. | BIG-IP_v11.5.0 |
| get_fw_rule_destination_port | Gets (inlined) destination ports for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_destination_port_description | Gets the descriptions for the specified firewall rules&apos (inlined) destination ports. | BIG-IP_v11.4.0 |
| get_fw_rule_destination_port_list | Gets destination port lists for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_icmp_typecode | Gets (inlined) ICMP type/code values for the specified firewall rules. A value of 255 for either ICMP type or code is a wildcard value. | BIG-IP_v11.4.0 |
| get_fw_rule_icmp_typecode_description | Gets the descriptions for the specified firewall rules&apos (inlined) ICMP type/code values. | BIG-IP_v11.4.0 |
| get_fw_rule_irule | Gets the iRules for the specified firewall rules. | BIG-IP_v11.5.0 |
| get_fw_rule_log_state | Gets the logging property for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_order | Gets the order (numerically) for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_protocol | Gets the (IP) protocol for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_protocol_numeric | Gets the IP protocol (numerically) for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_rule_list | Gets the rule list for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_source_address | This method has been deprecated. Please use get_fw_rule_source_address_range instead. Firewall addresses are now supplied and stored in the form of an address range. Single addresses are converted to a corresponding one-element range where begin is equal to end; for each range, this method returns the start of the address range. Gets (inlined) source addresses for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_source_address_description | This method has been deprecated. Please use get_fw_rule_source_address_range_description instead. Gets the descriptions for the specified firewall rules&apos source addresses. | BIG-IP_v11.4.0 |
| get_fw_rule_source_address_list | Gets source address lists for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_source_address_range | Gets (inlined) source address ranges for the specified firewall rules. | BIG-IP_v11.5.0 |
| get_fw_rule_source_address_range_description | Gets the descriptions for the specified firewall rule source address ranges. | BIG-IP_v11.5.0 |
| get_fw_rule_source_geo | Gets (inlined) source geo locations for the specified firewall rules. The geo location is a combination of country code and state name. The country code is two characters long. The state name is the full name of a state that belongs to the country represented by country code. | BIG-IP_v11.5.0 |
| get_fw_rule_source_geo_description | Gets the descriptions for the specified firewall rules&apos source geo locations. | BIG-IP_v11.5.0 |
| get_fw_rule_source_port | Gets (inlined) source ports for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_source_port_description | Gets the descriptions for the specified firewall rules&apos (inlined) source ports. | BIG-IP_v11.4.0 |
| get_fw_rule_source_port_list | Gets source port lists for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_source_vlan | Gets source VLANs for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_state | Gets the state for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_statistics | Gets the statistics for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_fw_rule_weekly_schedule | Gets a weekly schedule for the specified firewall rules. | BIG-IP_v11.4.0 |
| get_list | Gets a list of all firewall policies configured in the system. | BIG-IP_v11.4.0 |
| get_version | Gets the version information for this interface. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_destination_address_lists | Removes all destination address lists from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_destination_address_ranges | Removes all (inlined) destination address ranges from the specified firewall rules. | BIG-IP_v11.5.0 |
| remove_all_fw_rule_destination_addresses | This method has been deprecated. Please use remove_all_fw_rule_destination_address_ranges instead. Removes all (inlined) destination addresses from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_destination_geos | Removes all (inlined) destination geo locations from the specified firewall rules. | BIG-IP_v11.5.0 |
| remove_all_fw_rule_destination_port_lists | Removes all destination port lists from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_destination_ports | Removes all (inlined) destination ports from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_icmp_typecodes | Removes all (inlined) ICMP type/code values from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_source_address_lists | Removes all source address lists from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_source_address_ranges | Removes all (inlined) source address ranges from the specified firewall rules. | BIG-IP_v11.5.0 |
| remove_all_fw_rule_source_addresses | This method has been deprecated. Please use remove_all_fw_rule_source_address_ranges instead. Removes all (inlined) source addresses from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_source_geos | Removes all (inlined) source geo locations from the specified firewall rules. | BIG-IP_v11.5.0 |
| remove_all_fw_rule_source_port_lists | Removes all source port lists from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_source_ports | Removes all (inlined) source ports from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rule_source_vlans | Removes all source VLANs from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_all_fw_rules | Removes all firewall rules from the specified firewall policies. | BIG-IP_v11.4.0 |
| remove_fw_rule | Removes firewall rules from the specified firewall policies. | BIG-IP_v11.4.0 |
| remove_fw_rule_destination_address | This method has been deprecated. Please use remove_fw_rule_destination_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Removes (inlined) destination addresses from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_destination_address_list | Removes destination address lists from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_destination_address_range | Removes a list of (inlined) destination address ranges from the specified firewall rules. | BIG-IP_v11.5.0 |
| remove_fw_rule_destination_geo | Removes (inlined) destination geo locations from the specified firewall rules. | BIG-IP_v11.5.0 |
| remove_fw_rule_destination_port | Removes (inlined) destination ports from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_destination_port_list | Removes destination port lists from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_icmp_typecode | Removes (inlined) ICMP type/code values from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_source_address | This method has been deprecated. Please use remove_fw_rule_source_address_range instead. When using this method, the system will create a corresponding one-element address range where begin is equal to end. Removes (inlined) source addresses from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_source_address_list | Removes source address lists from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_source_address_range | Removes a list of (inlined) source address ranges from the specified firewall rules. | BIG-IP_v11.5.0 |
| remove_fw_rule_source_geo | Removes (inlined) source geo locations from the specified firewall rules. | BIG-IP_v11.5.0 |
| remove_fw_rule_source_port | Removes (inlined) source ports from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_source_port_list | Removes source port lists from the specified firewall rules. | BIG-IP_v11.4.0 |
| remove_fw_rule_source_vlan | Removes source VLANs from the specified firewall rules. | BIG-IP_v11.4.0 |
| reset_fw_rule_statistics | Resets the statistics for the specified firewall rules. | BIG-IP_v11.4.0 |
| set_description | Sets the description for a set of firewall policies. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.4.0 |
| set_fw_rule_action | Sets the action for the specified firewall rules. | BIG-IP_v11.4.0 |
| set_fw_rule_description | Sets the description for the specified firewall rules. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.4.0 |
| set_fw_rule_destination_address_description | This method has been deprecated. Please use set_fw_rule_destination_address_range_description instead. Sets the description for the specified firewall rules&apos destination addresses. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.4.0 |
| set_fw_rule_destination_address_range_description | Sets the descriptions for the specified firewall rule destination address ranges. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.5.0 |
| set_fw_rule_destination_geo_description | Sets the description for the specified firewall rules&apos destination geo locations. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.5.0 |
| set_fw_rule_destination_port_description | Sets the description for the specified firewall rules&apos (inlined) destination ports. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.4.0 |
| set_fw_rule_icmp_typecode_description | Sets the description for the specified firewall rules&apos (inlined) ICMP type/code values. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.4.0 |
| set_fw_rule_irule | Sets the iRules for the specified firewall rules. Specify the iRule as an action when the traffic matches the filter criteria. | BIG-IP_v11.5.0 |
| set_fw_rule_log_state | Sets the logging property for the specified firewall rules. Specifies whether the security software should write a log entry for all packets that match this rule. You must also enable network filter logging in the “security log profile” component for this option to have any effect. Note that the security software always increments the statistics counter when a packet matches a rule, no matter how you set this option. | BIG-IP_v11.4.0 |
| set_fw_rule_order | Sets the order (numerically) for the specified firewall rules. Two rules can&apost have the same order, so one must manage order carefully if using numeric order to arrange firewall rules. See add_fw_rule for more information. | BIG-IP_v11.4.0 |
| set_fw_rule_protocol | Sets the (IP) protocol for the specified firewall rules. Note: if the protocol is not one of the supported standard protocols, use set_fw_rule_protocol_numeric. | BIG-IP_v11.4.0 |
| set_fw_rule_protocol_numeric | Sets the IP protocol (numerically) for the specified firewall rules. | BIG-IP_v11.4.0 |
| set_fw_rule_rule_list | Sets the rule list for the specified firewall rules. If a list is specified then the system will validate that no other properties were specified in the current transaction, and will clear all other match criteria fields (src, dst, ip protocol, et cetera). The empty string means no rule list. | BIG-IP_v11.4.0 |
| set_fw_rule_source_address_description | This method has been deprecated. Please use set_fw_rule_source_address_range_description instead. Sets the description for the specified firewall rules&apos source addresses. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.4.0 |
| set_fw_rule_source_address_range_description | Sets the descriptions for the specified firewall rule source address ranges. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.5.0 |
| set_fw_rule_source_geo_description | Sets the description for the specified firewall rules&apos source geo locations. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.5.0 |
| set_fw_rule_source_port_description | Sets the description for the specified firewall rules&apos (inlined) source ports. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.4.0 |
| set_fw_rule_state | Sets the state for the specified firewall rules. You can add a rule as enabled or disabled initially, build it up, then enable it. You can temporarily disable a rule with no other effect on it, so that it can be enabled easily later without having to rebuild it. You can use the state of FW_RULE_STATE_SCHEDULED to enable scheduling for the rule. See add_fw_rule for more information. | BIG-IP_v11.4.0 |
| set_fw_rule_weekly_schedule | Sets a weekly schedule for the specified firewall rules. See Security::FirewallWeeklySchedule for how to create and manipulate weekly schedules. | BIG-IP_v11.4.0 |
Structures¶
Structure
Description
FirewallPolicyRuleStatisticEntry
A struct that describes a firewall policy rule and its statistics.
A struct that describes firewall policy rule statistics and timestamp.
Aliases¶
| Alias | Type | Description |
| FirewallPolicyRuleStatisticEntrySequence | FirewallPolicyRuleStatisticEntry [] | A sequence of firewall policy rule statistics. |
| FirewallPolicyRuleStatisticEntrySequenceSequence | FirewallPolicyRuleStatisticEntry [] [] | A sequence of sequence of firewall policy rule statistics. |
| FirewallPolicyRuleStatisticsSequence | FirewallPolicyRuleStatistics [] | A sequence of firewall rule statistics and timestamp. |
See Also¶
iControl ::
Warning
The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.
Sample Code¶
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.