security firewall port-misuse-policy
security firewall port-misuse-policy(1) BIG-IP TMSH Manual security firewall port-misuse-policy(1)
NAME
port-misuse-policy - Configures the port misuse policies.
MODULE
security firewall
SYNTAX
Configure the port misuse policy component within the security firewall module using the syntax shown in the following
sections.
CREATE/MODIFY
create port-misuse-policy [name]
modify port-misuse-policy [name]
options:
app-service [[string] | none]
description [string]
drop-on-l7-mismatch [no | yes]
log-on-l7-mismatch [no | yes]
rules [add | delete | modify | replace-all-with] {
[ [rule name] ] {
options:
description [string]
drop-on-l7-mismatch [no | yes | use-policy-setting]
ip-protocol [sctp | tcp | udp]
l7-protocol [protocol name]
log-on-l7-mismatch [no | yes | use-policy-setting]
port [port]
}
}
rules none
edit port-misuse-policy [[name] | all]
options:
all-properties
non-default-properties
DISPLAY
list port-misuse-policy
show running-config port-misuse-policy
options:
all-properties
non-default-properties
one-line
DELETE
delete port-misuse-policy [[name] | all]
DESCRIPTION
You can use the port-misuse-policy component to configure a shareable and reusable set of network port misuse policies
which can be associated with a service policy objects. A port misuse policy has one or more rules that match connections by
IP transport layer (L4) protocol and port number. Each rule must have a unique L4 protocol and port combination within the
policy. When connection matches a policy rule (i.e. L4 protocol/port pair) the first data packet of the connection is
tested to conform to application (L7) protocol specified in the rule. If data conforms to the L7 protocol (or test is
inconclusive) the policy stops. The connection is allowed to proceed normally and data is processed as if no policy is in
use. If data definitely does not conform to the specified L7 protocol the connection is treated according to configuration
of the matched rule or the policy if rule uses policy defaults. In this case the rule or policy can drop the connection or
allow it to proceed, and can also log an event about L7 protocol mismatch.
Port misuse policy (via service policy) can be associated with objects of the following types: ltm virtual, net route-
domain, global. Several port misuse policies can be associated with objects of each type. In addition to service policy
specified in the object itself, service policies could be associated with ACL rules of the security firewall policy, if it
is associated with the object. When more than one policy is associated with the object the most specific port misuse rule
is used. For example, if connection matches an ACL rule which has a service policy with port misuse policy also having a
rule matching the connection, that port misuse rule is applied. Otherwise the port misuse rule associated via virtual's
service policy is applied, if such rule exists and matches the connection. See also net service-policy.
Port misuse policies could be specified for both virtual server and route domain objects associated with the connection. In
this case all policies are applied. If a policy has a matching rule that drops the connection, and connection fails to pass
L7 protocol test, the connection is terminated and remaining policies are not applied.
EXAMPLES
create security firewall port-misuse-policy web-ports-policy drop-on-l7-mismatch no log-on-l7-mismatch yes rules add { p80
{ ip-protocol tcp port 80 l7-protocol http drop-on-l7-mismatch yes } p8080 { ip-protocol tcp port 8080 l7-protocol http } }
list security firewall port-misuse-policy web-ports-policy
security firewall port-misuse-policy web-ports-policy {
drop-on-l7-mismatch no
log-on-l7-mismatch yes
rules {
p80 {
drop-on-l7-mismatch yes
l7-protocol http
port http
}
p8080 {
l7-protocol http
port webcache
}
}
}
Creates port misuse policy with rules for tcp ports 80 and 8080 that test if first data packet looks like HTTP. The rule
p80 tests all connections that have destination port TCP 80 and drops them if the first data packet does not look like
HTTP. The rule p8080 tests all connections that have destination port TCP 8080 and logs an event if the first data packet
does not look like HTTP (because of policy defaults).
modify security firewall port-misuse-policy web-ports-policy { rules add { p8888 { port 8888 drop-on-l7-mismatch yes }}}
Adds a new rule p8888 to port misuse policy web-ports-policy that tests all connections to TCP port 8888 and drops them and
logs an event when the first data packet does not look like HTTP.
list security firewall port-misuse-policy
Displays the current port misuse policy configuration list.
OPTIONS
description
User defined description.
drop-on-l7-mismatch
Indicates if the connection should be dropped when there is a matching rule in the policy that has drop-on-l7-mismatch
set to use-policy-setting and connection that matches that rule fails L7 protocol test. The default is yes.
log-on-l7-mismatch
Indicates if a port misuse event should be logged when there is a matching rule in the policy that has
log-on-l7-mismatch set to use-policy-setting and connection that matches that rule fails L7 protocol test. The default
is no.
rules
Adds, deletes, or replaces a named port misuse policy rule.
description
User defined description.
drop-on-l7-mismatch
Indicates if the connection should be dropped when it matches this rule but fails L7 protocol test. Allowed
values are yes, no, and use-policy-setting. The default is use-policy-setting.
ip-protocol
Specifies the transport layer (L4) IP protocol for matching the connection. The valid protocols are sctp, tcp,
and udp. A port and L4 protocol combination must be unique for the policy. The default is tcp.
l7-protocol
Specifies the application layer (L7) protocol for the rule. When the connection matches the rule the first data
packet is tested to conform to this protocol. If the test is negative the rule can drop the connection and/or log
a port misuse event depending on other options. If the test is positive or inconclusive (not enough data) the
connection is handled as if there was no port misuse policy associated with the given object (virtual server or
route domain), and policies at other objects are applied. Press the key for a full list of valid protocols.
The default protocol is http.
log-on-l7-mismatch
Indicates if a port misuse event should be logged when the connection matches this rule but fails L7 protocol
test. Allowed values are yes, no, and use-policy-setting. The default is use-policy-setting.
port Specifies the destination port number for matching the connection. The valid values are 1-65535. A port and L4
protocol combination must be unique for the policy.
SEE ALSO
create, edit, list, modify, security firewall rule-list, security firewall policy, net service-policy, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2013-2015. All rights reserved.
BIG-IP 2015-07-14 security firewall port-misuse-policy(1)