security firewall policy
security firewall policy(1) BIG-IP TMSH Manual security firewall policy(1)
NAME
policy - Configures firewall policy.
MODULE
security firewall
SYNTAX
Modify the policy component within the security firewall module using the syntax shown in the following sections.
CREATE/MODIFY
create policy [name]
options:
copy-from [string]
modify policy [name]
options:
description [string]
rules [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
action [accept | accept-decisively | drop | reject]
description [string]
destination {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | default | delete | replace-all-with] {
[ [ip address] | [ip address/prefixlen] ]
}
addresses none
fqdns [add | delete | replace-all-with] {
[ fully qualified domain names]
}
fqdns none
geo [add | default | delete | replace-all-with] {
[ [country_code [state state_name] ] ]
}
geo none
ipi-category [add | default | delete | replace-all-with] {
[ IP-Intelligence category names... ]
}
ipi-category none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | none | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
zones [add | delete | replace-all-with] {
[ zone names]
}
zones none
}
icmp [add | delete | modify | replace-all-with] {
[ [icmp_type] | icmp_type:icmp_code ] {
description [string]
}
}
icmp none
ip-protocol [protocol name]
irule [irule name]
irule-sample-rate [integer]
log [no | yes]
place-after [first | last | [rule name]]
place-before [first | last | [rule name]]
rule-list [rule list name]
schedule [schedule name]
uuid [ | none | auto-generate]
source {
address-lists [add | default | delete | replace-all-with] {
[address list names...]
}
address-lists none
addresses [add | default | delete | replace-all-with] {
[ [ip address] | [ip_address/prefixlen] ]
}
addresses none
fqdns [add | delete | replace-all-with] {
[ fully qualified domain names]
}
fqdns none
geo [add | default | delete | replace-all-with] {
[ [country_code [state state_name] ] ]
}
geo none
identity {
user-groups [add | delete | modify | none | replace-all-with] {
[user group names...]
}
user-lists [add | delete | modify | none | replace-all-with] {
[user list names...]
}
users [add | delete | modify | none | replace-all-with] {
[user names...]
}
}
ipi-category [add | default | delete | replace-all-with] {
[ IP-Intelligence category names... ]
}
ipi-category none
port-lists [add | default | delete | replace-all-with] {
[port list names...]
}
port-lists none
ports [add | default | delete | replace-all-with] {
[ [port] | [port1-port2] ]
}
ports none
vlans [add | default | delete | replace-all-with] {
[vlan names...]
}
vlans none
zones [add | delete | replace-all-with] {
[ zone names]
}
zones none
}
status [disabled | enabled | scheduled]
service-policy [service policy name]
virtual-server [virtual server name]
ips-profile [IPS profile name]
classification-policy [classification policy name]
}
}
rules none
edit policy
options:
all-properties
non-default-properties
DISPLAY
list policy
show running-config policy
options:
all-properties
non-default-properties
one-line
DESCRIPTION
The policy component configures a shareable, reusable set of network firewall rules. A policy can be attached, as either
enforced or staged, to configuration objects of the following types: net self, ltm virtual, security firewall
global-rules, and net route-domain.
EXAMPLES
modify policy [name] rules add {
reject-internal-net {
place-before first
action reject
source {
addresses replace-all-with { 172.27.0.0/16 }
}
}
}
Creates a rule named reject-internal-net at the beginning of the policy's rule list that rejects traffic whose source
address is in the 172.27.0.0/16 network.
modify policy [name] rules delete { reject-internal-net }
Removes the rule reject-internal-net from the policy's list of rules.
create security firewall policy p1 rules add { r1 { source { geo add { US } } action reject place-after first } }
Creates a policy named p1 with a single rule (named r1) that rejects all packets whose source address geolocates to the US.
create security firewall policy xyz rules add { r1 { destination { fqdns add { f5.com } } action accept place-after first } }
Creates a policy named xyz with a single rule (named r1) that accepts all packets whose destination IP address is one that
the domain f5.com resolves to.
list policy
Displays the configured firewall policies and their rules.
create policy "New Policy" copy-from "/Common/Existing Policy"
Creates a new policy named New Policy by copying the existing policy /Common/Existing Policy.
OPTIONS
description
User defined description.
copy-from
(CREATE) Specifies the name of an existing policy from which to copy all configuration options.
rules
Adds, deletes, modifies, or replaces the firewall rules in the policy.
action
Specifies the action that the system takes when a rule is matched.
accept
Specifies that the current packet should be accepted by this context. The packet may still be compared against
firewall rules in other contexts.
accept-decisively
Specifies that the current packet should be accepted and not compared against any other firewall rules in any
other context.
drop Specifies that the current packet should be silently dropped. Nothing is sent back to the packet source, and the
packet is not compared against any other firewall rules.
reject
Specifies that the current packet should be dropped. For TCP, a TCP reset (RST) is sent to the source; for other
protocols reject is equivalent to drop.
description
User defined description.
destination
address-lists
Specifies a list of address lists (see security firewall address-list) against which the packet will be
compared.
addresses
Specifies a list of addresses and networks against which the packet will be compared.
fqdns
Specifies a list of fully qualified domain names; the packet's destination IP address is compared against the
addresses those names resolve to.
geo Specifies a list of Geo Locations that the packet will be compared against.
ipi-category
Specifies a list of IP-Intelligence category names that the packet will be compared against.
port-lists
Specifies a list of port lists (see security firewall port-list) against which the packet will be compared.
ports
Specifies a list of ports and port ranges against which the packet will be compared.
zones
Specifies a list of zones, (see security firewall zone) against which the packet will be compared.
icmp Specifies a list of ICMP types and codes against which the packet will be compared, using the standard integer
identifiers: for example, 3 is destination unreachable, and 3:1 is destination unreachable with code 1 (host
unreachable). The list of ICMP types and codes is maintained at
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml.
ip-protocol
Specifies the IP protocol against which the packet will be compared.
irule
Specifies the name of the iRule that will be triggered when a packet matches this firewall rule. The firewall
rule match raises a FLOW_INIT iRule event.
irule-sample-rate
Specifies how often the iRule named by the irule option is triggered for packets that match this firewall rule. The
value is an integer in the range 0-65535 giving the number of matching packets per iRule trigger: the default of 1
triggers the iRule for every matching packet, and 0 disables iRule triggering.
log Specifies whether a packet that matches the rule is logged. Logging must also be enabled in the corresponding
logging configuration (for example, the global-network security log profile when the policy is assigned to
global-rules). The rule's statistics counter is incremented on every match regardless of this setting.
place-after
Specifies that a new rule should be placed after another rule, first or last. If individual rules are being added
(as opposed to specifying replace-all-with) then place-before or place-after must be specified.
place-before
Specifies that a new rule should be placed before another rule, first or last. If individual rules are being
added (as opposed to specifying replace-all-with) then place-before or place-after must be specified.
rule-list
Specifies a rule list to evaluate (see security firewall rule-list). When a rule references a rule list, only the
schedule and status properties of the rule take effect; the match criteria and actions come from the rules in the list.
schedule
Specifies a schedule for the rule. See security firewall schedule. If the rule refers to a rule-list the rule-
list will be enabled according to the schedule. When the rule list is enabled, the schedules defined within the
rule-list will be honored.
source
address-lists
Specifies a list of address lists (see security firewall address-list) against which the packet will be
compared.
addresses
Specifies a list of addresses and networks against which the packet will be compared.
fqdns
Specifies a list of fully qualified domain names; the packet's source IP address is compared against the addresses
those names resolve to.
geo Specifies a list of Geo Locations against which the packet will be compared.
ipi-category
Specifies a list of IP-Intelligence category names that the packet will be compared against.
port-lists
Specifies a list of port lists (see security firewall port-list) against which the packet will be compared.
ports
Specifies a list of ports and port ranges against which the packet will be compared.
vlans
Specifies a list of VLANs, VLAN groups, and tunnels against which the packet's ingress VLAN will be compared.
zones
Specifies a list of zones, (see security firewall zone) against which the packet will be compared.
status
Specifies whether the rule is enabled, disabled or scheduled. A rule that is enabled is always checked. A rule
that is disabled is never checked. A rule that is scheduled is checked according to the corresponding schedule
configuration. A rule that is scheduled must have an associated schedule configuration.
service-policy
Specifies the service policy to apply (see net service-policy). A service policy carries policy-specific settings
such as flow timers, which apply to the flows that match this rule.
uuid Specifies how the rule's UUID is assigned when the rule is created: an explicit UUID conforming to RFC 4122, no
UUID (none), or a UUID generated by the system (auto-generate), subject to the system-wide
uuid-default-autogenerate mode.
virtual-server
Specifies the virtual server to which matching traffic is handed for further processing. This option is valid only
in the global and route-domain contexts.
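The action, place-before/place-after and irule-sample-rate semantics described above, as an added worked model. This is
example code written for this page, not F5 or BIG-IP code. It assumes, from F5's documented context order rather than
from anything on this page, that contexts are evaluated global, then route-domain, then virtual server / self IP, and
that a packet no rule claims falls through to a configurable default action; the rule names, networks and packet
dictionaries are constructed for the example.

```python
# Added example, not F5/BIG-IP code: a first-match model of how AFM rule
# actions, rule placement and irule-sample-rate compose across contexts.
# Assumptions (not stated on this page): contexts are evaluated
# global -> route-domain -> virtual/self, and a packet that no rule claims
# falls through to a configurable default action.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                                         # accept | accept-decisively | drop | reject
    src_nets: List[str] = field(default_factory=list)   # CIDRs, like "172.27.0.0/16"
    dst_ports: List[str] = field(default_factory=list)  # "443" or "8000-8100"
    ip_protocol: Optional[str] = None                   # "tcp", "udp", ...; None matches any
    status: str = "enabled"                             # "disabled" rules are never checked
    irule_sample_rate: int = 1                          # 1 = every match, 0 = never
    hits: int = 0                                       # statistics counter, bumped on every match
    irule_fires: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.status == "disabled":
            return False
        if self.ip_protocol and self.ip_protocol != pkt["proto"]:
            return False
        src = ipaddress.ip_address(pkt["src"])
        if self.src_nets and not any(src in ipaddress.ip_network(n) for n in self.src_nets):
            return False
        if self.dst_ports and not any(_port_in(pkt["dport"], p) for p in self.dst_ports):
            return False
        return True


def _port_in(port: int, spec: str) -> bool:
    """A port spec is a single port or an inclusive 'lo-hi' range."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def place_rule(rules: List[Rule], rule: Rule, place_before: Optional[str] = None,
               place_after: Optional[str] = None) -> List[Rule]:
    """Insert a rule the way tmsh place-before / place-after position it.
    Exactly one of the two must be given (as the OPTIONS text requires);
    'first' and 'last' are read literally: before/after the current first
    or last rule."""
    if (place_before is None) == (place_after is None):
        raise ValueError("exactly one of place-before / place-after is required")
    names = [r.name for r in rules]
    if place_before is not None:
        idx = {"first": 0, "last": max(len(rules) - 1, 0)}.get(place_before)
        if idx is None:
            idx = names.index(place_before)
    else:
        idx = {"first": 1, "last": len(rules)}.get(place_after)
        if idx is None:
            idx = names.index(place_after) + 1
    rules.insert(idx, rule)
    return rules


def evaluate(contexts: List[Tuple[str, List[Rule]]], pkt: dict,
             default_action: str = "accept") -> Tuple[str, str, Optional[str], bool]:
    """First match inside a context decides that context. 'accept' only hands
    the packet on to the next context; accept-decisively, drop and reject end
    evaluation. Returns (action, context, rule name, tcp_reset_sent)."""
    for ctx, rules in contexts:
        for r in rules:
            if not r.matches(pkt):
                continue
            r.hits += 1                              # counted whether or not log is set
            if r.irule_sample_rate and r.hits % r.irule_sample_rate == 0:
                r.irule_fires += 1                   # FLOW_INIT iRule would run here
            if r.action == "accept":
                break                                # the next context still gets a say
            tcp_reset = r.action == "reject" and pkt["proto"] == "tcp"
            return r.action, ctx, r.name, tcp_reset
    return default_action, "default", None, False


def build_demo() -> List[Tuple[str, List[Rule]]]:
    """A global policy built like the EXAMPLES above, plus a virtual-server policy."""
    glob = [Rule("allow-https", "accept", dst_ports=["443"], ip_protocol="tcp")]
    place_rule(glob, Rule("reject-internal-net", "reject", src_nets=["172.27.0.0/16"]),
               place_before="first")
    place_rule(glob, Rule("trusted-monitor", "accept-decisively", src_nets=["10.9.9.9/32"]),
               place_after="first")
    virt = [Rule("block-mgmt-ports", "drop", dst_ports=["8000-8100"])]
    return [("global", glob), ("virtual", virt)]


if __name__ == "__main__":
    ctxs = build_demo()
    for pkt in ({"src": "172.27.1.5", "dport": 443, "proto": "tcp"},
                {"src": "10.0.0.1", "dport": 443, "proto": "tcp"},
                {"src": "10.9.9.9", "dport": 8080, "proto": "tcp"},
                {"src": "10.0.0.1", "dport": 8080, "proto": "tcp"}):
        print(pkt, "->", evaluate(ctxs, pkt))
```

Running the block prints the outcome for four constructed packets. The contrast to look for is the 10.9.9.9 packet,
which accept-decisively lets through without ever reaching the virtual-server context's drop rule, against the
10.0.0.1 packet to port 8080, which matches nothing in the global context and is dropped by the virtual-server policy.
A plain accept in the global context, as on the 10.0.0.1 packet to port 443, decides nothing final: later contexts
and the default action still apply.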
SEE ALSO
create, edit, list, modify, security firewall address-list, security firewall port-list, security firewall rule-list,
security log profile, security firewall schedule, net service-policy, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2016. All rights reserved.
BIG-IP 2018-09-17 security firewall policy(1)