security firewall port-misuse-policyΒΆ

security firewall port-misuse-policy(1) 		BIG-IP TMSH Manual		   security firewall port-misuse-policy(1)

NAME
       port-misuse-policy - Configures the port misuse policies.

MODULE
       security firewall

SYNTAX
       Configure the port misuse policy component within the security firewall module using the syntax shown in the following
       sections.

   CREATE/MODIFY
	create port-misuse-policy [name]
	modify port-misuse-policy [name]
	  options:
	    app-service [[string] | none]
	    description [string]
	    drop-on-l7-mismatch [no | yes]
	    log-on-l7-mismatch [no | yes]
	    rules [add | delete | modify | replace-all-with] {
	      [ [rule name] ] {
		options:
		  description [string]
		  drop-on-l7-mismatch [no | yes | use-policy-setting]
		  ip-protocol [sctp | tcp | udp]
		  l7-protocol [protocol name]
		  log-on-l7-mismatch [no | yes | use-policy-setting]
		  port [port]
	      }
	    }
	    rules none

	edit port-misuse-policy [[name] | all]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list port-misuse-policy
	show running-config port-misuse-policy
	  options:
	    all-properties
	    non-default-properties
	    one-line

   DELETE
	delete port-misuse-policy [[name] | all]

DESCRIPTION
       You can use the port-misuse-policy component to configure a shareable and reusable set of network port misuse policies
       which can be associated with a service policy objects. A port misuse policy has one or more rules that match connections by
       IP transport layer (L4) protocol and port number. Each rule must have a unique L4 protocol and port combination within the
       policy. When connection matches a policy rule (i.e. L4 protocol/port pair) the first data packet of the connection is
       tested to conform to application (L7) protocol specified in the rule. If data conforms to the L7 protocol (or test is
       inconclusive) the policy stops. The connection is allowed to proceed normally and data is processed as if no policy is in
       use. If data definitely does not conform to the specified L7 protocol the connection is treated according to configuration
       of the matched rule or the policy if rule uses policy defaults. In this case the rule or policy can drop the connection or
       allow it to proceed, and can also log an event about L7 protocol mismatch.

       Port misuse policy (via service policy) can be associated with objects of the following types: ltm virtual, net route-
       domain, global. Several port misuse policies can be associated with objects of each type. In addition to service policy
       specified in the object itself, service policies could be associated with ACL rules of the security firewall policy, if it
       is associated with the object. When more than one policy is associated with the object the most specific port misuse rule
       is used. For example, if connection matches an ACL rule which has a service policy with port misuse policy also having a
       rule matching the connection, that port misuse rule is applied. Otherwise the port misuse rule associated via virtual's
       service policy is applied, if such rule exists and matches the connection. See also net service-policy.

       Port misuse policies could be specified for both virtual server and route domain objects associated with the connection. In
       this case all policies are applied. If a policy has a matching rule that drops the connection, and connection fails to pass
       L7 protocol test, the connection is terminated and remaining policies are not applied.

EXAMPLES
       create security firewall port-misuse-policy web-ports-policy drop-on-l7-mismatch no log-on-l7-mismatch yes rules add { p80
       { ip-protocol tcp port 80 l7-protocol http drop-on-l7-mismatch yes } p8080 { ip-protocol tcp port 8080 l7-protocol http } }

	list security firewall port-misuse-policy web-ports-policy
	security firewall port-misuse-policy web-ports-policy {
	    drop-on-l7-mismatch no
	    log-on-l7-mismatch yes
	    rules {
		p80 {
		    drop-on-l7-mismatch yes
		    l7-protocol http
		    port http
		}
		p8080 {
		    l7-protocol http
		    port webcache
		}
	    }
	}

       Creates port misuse policy with rules for tcp ports 80 and 8080 that test if first data packet looks like HTTP. The rule
       p80 tests all connections that have destination port TCP 80 and drops them if the first data packet does not look like
       HTTP. The rule p8080 tests all connections that have destination port TCP 8080 and logs an event if the first data packet
       does not look like HTTP (because of policy defaults).

       modify security firewall port-misuse-policy web-ports-policy { rules add { p8888 { port 8888 drop-on-l7-mismatch yes }}}

       Adds a new rule p8888 to port misuse policy web-ports-policy that tests all connections to TCP port 8888 and drops them and
       logs an event when the first data packet does not look like HTTP.

       list security firewall port-misuse-policy

       Displays the current port misuse policy configuration list.

OPTIONS
       description
	    User defined description.

       drop-on-l7-mismatch
	    Indicates if the connection should be dropped when there is a matching rule in the policy that has drop-on-l7-mismatch
	    set to use-policy-setting and connection that matches that rule fails L7 protocol test. The default is yes.

       log-on-l7-mismatch
	    Indicates if a port misuse event should be logged when there is a matching rule in the policy that has
	    log-on-l7-mismatch set to use-policy-setting and connection that matches that rule fails L7 protocol test. The default
	    is no.

       rules
	    Adds, deletes, or replaces a named port misuse policy rule.

	    description
		 User defined description.

	    drop-on-l7-mismatch
		 Indicates if the connection should be dropped when it matches this rule but fails L7 protocol test. Allowed
		 values are yes, no, and use-policy-setting. The default is use-policy-setting.

	    ip-protocol
		 Specifies the transport layer (L4) IP protocol for matching the connection. The valid protocols are sctp, tcp,
		 and udp. A port and L4 protocol combination must be unique for the policy. The default is tcp.

	    l7-protocol
		 Specifies the application layer (L7) protocol for the rule. When the connection matches the rule the first data
		 packet is tested to conform to this protocol. If the test is negative the rule can drop the connection and/or log
		 a port misuse event depending on other options. If the test is positive or inconclusive (not enough data) the
		 connection is handled as if there was no port misuse policy associated with the given object (virtual server or
		 route domain), and policies at other objects are applied. Press the  key for a full list of valid protocols.
		 The default protocol is http.

	    log-on-l7-mismatch
		 Indicates if a port misuse event should be logged when the connection matches this rule but fails L7 protocol
		 test. Allowed values are yes, no, and use-policy-setting. The default is use-policy-setting.

	    port Specifies the destination port number for matching the connection. The valid values are 1-65535. A port and L4
		 protocol combination must be unique for the policy.

SEE ALSO
       create, edit, list, modify, security firewall rule-list, security firewall policy, net service-policy, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2013-2015. All rights reserved.

BIG-IP							    2015-07-14			   security firewall port-misuse-policy(1)