security firewall policy
security firewall policy(1) BIG-IP TMSH Manual security firewall policy(1)
NAME
policy - Configures firewall policy.
MODULE
security firewall
SYNTAX
Modify the policy component within the security firewall module using
the syntax shown in the following sections.
CREATE/MODIFY
    create policy [name]
        options:
            copy-from [string]

    modify policy [name]
        options:
            description [string]
            rules [add | delete | modify | replace-all-with] {
                [ [name] ] {
                    options:
                        action [accept | accept-decisively | drop | reject]
                        description [string]
                        destination {
                            address-lists [add | default | delete | replace-all-with] {
                                [address list names...]
                            }
                            address-lists none
                            addresses [add | default | delete | replace-all-with] {
                                [ [ip address] | [ip address/prefixlen] ]
                            }
                            addresses none
                            fqdns [add | delete | replace-all-with] {
                                [fully qualified domain names...]
                            }
                            fqdns none
                            geo [add | default | delete | replace-all-with] {
                                [ [country_code [state state_name] ] ]
                            }
                            geo none
                            port-lists [add | default | delete | replace-all-with] {
                                [port list names...]
                            }
                            port-lists none
                            ports [add | default | delete | none | replace-all-with] {
                                [ [port] | [port1-port2] ]
                            }
                            ports none
                        }
                        icmp [add | delete | modify | replace-all-with] {
                            [ [icmp_type] | icmp_type:icmp_code ] {
                                description [string]
                            }
                        }
                        icmp none
                        ip-protocol [protocol name]
                        irule [irule name]
                        irule-sample-rate [integer]
                        log [no | yes]
                        place-after [first | last | [rule name]]
                        place-before [first | last | [rule name]]
                        rule-list [rule list name]
                        schedule [schedule name]
                        source {
                            address-lists [add | default | delete | replace-all-with] {
                                [address list names...]
                            }
                            address-lists none
                            addresses [add | default | delete | replace-all-with] {
                                [ [ip address] | [ip address/prefixlen] ]
                            }
                            addresses none
                            fqdns [add | delete | replace-all-with] {
                                [fully qualified domain names...]
                            }
                            fqdns none
                            geo [add | default | delete | replace-all-with] {
                                [ [country_code [state state_name] ] ]
                            }
                            geo none
                            identity {
                                user-groups [add | delete | modify | none | replace-all-with] {
                                    [user group names...]
                                }
                                user-lists [add | delete | modify | none | replace-all-with] {
                                    [user list names...]
                                }
                                users [add | delete | modify | none | replace-all-with] {
                                    [user names...]
                                }
                            }
                            port-lists [add | default | delete | replace-all-with] {
                                [port list names...]
                            }
                            port-lists none
                            ports [add | default | delete | replace-all-with] {
                                [ [port] | [port1-port2] ]
                            }
                            ports none
                            vlans [add | default | delete | replace-all-with] {
                                [vlan names...]
                            }
                            vlans none
                        }
                        status [disabled | enabled | scheduled]
                        service-policy [service policy name]
                        virtual-server [virtual server name]
                }
            }
            rules none

    edit policy
        options:
            all-properties
            non-default-properties
DISPLAY
    list policy
    show running-config policy
        options:
            all-properties
            non-default-properties
            one-line
DESCRIPTION
You can use the policy component to configure a shareable and reusable
set of network firewall rules that can be associated, as enforced or
staged, with any number of configuration objects of the following
types: net self, ltm virtual, security firewall global-rules, and net
route-domain.
EXAMPLES
    modify policy rules add {
        reject-internal-net {
            place-before first
            action reject
            source {
                addresses replace-all-with { 172.27.0.0/16 }
            }
        }
    }
        Creates a rule entry at the beginning of the list that rejects
        traffic from the 172.27.0.0 network.

    modify policy rules delete reject-internal-net
        Removes the rule reject-internal-net from the list of rules.

    create security firewall policy p1 rules add { r1 { source { geo add { US } } action reject place-after first } }
        Creates a policy with a single rule that rejects all packets from
        the US.

    create security firewall policy xyz rules add { r1 { destination { fqdns add { f5.com } } action accept place-after first } }
        Creates a policy named 'xyz' with a single rule (named 'r1') that
        accepts all packets whose destination IP address is in the domain
        'f5.com'.

    list policy
        Displays the current list of policy rules.

    create policy "New Policy" copy-from "/Common/Existing Policy"
        Creates a new policy New Policy by copying the existing policy
        /Common/Existing Policy.
OPTIONS
    description
        User defined description.

    copy-from
        (CREATE) Specifies the name of an existing policy from which to
        copy all configuration options.

    rules
        Adds, deletes, or replaces a firewall rule.

        action
            Specifies the action that the system takes when a rule is
            matched.

            accept
                Specifies that the current packet should be accepted.

            accept-decisively
                Specifies that the current packet should be accepted and
                that the packet will not be compared to any other firewall
                rules in any other context.

            drop
                Specifies that the current packet should be silently
                dropped. Nothing is sent back to the packet source. The
                packet is not compared to any other firewall rules.

            reject
                Specifies that the current packet should be dropped. For
                TCP-based protocols a TCP reset is sent to the source.
                For other protocols reject is equivalent to drop.

        description
            User defined description.

        destination
            address-lists
                Specifies a list of address lists (see security firewall
                address-list) against which the packet will be compared.

            addresses
                Specifies a list of addresses and networks against which
                the packet will be compared.

            fqdns
                Specifies a list of fully qualified domain names to
                compare against the domain of the packet's destination IP
                address.

            geo
                Specifies a list of geo locations against which the
                packet will be compared.

            port-lists
                Specifies a list of port lists (see security firewall
                port-list) against which the packet will be compared.

            ports
                Specifies a list of ports and port ranges against which
                the packet will be compared.

        icmp
            Specifies a list of ICMP types and codes against which the
            packet will be compared. The standard integer identifiers are
            used to specify an ICMP type. Example: 3 is destination
            unreachable and 3:1 is destination unreachable with a code of
            host unreachable. The list of ICMP types and codes can be
            found at
            http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml.

        ip-protocol
            Specifies the IP protocol against which the packet will be
            compared.

        irule
            Specifies the name of the iRule that will be triggered when a
            packet matches this firewall rule. The firewall rule match
            raises a FLOW_INIT iRule event.

        irule-sample-rate
            Specifies the rate at which the iRule specified by the irule
            option will be triggered when a packet matches this firewall
            rule. The rate is an integer value in the range 0-65535 and
            specifies how many packets must match this firewall rule
            before the iRule is triggered. The default value is 1 and
            causes the iRule to be triggered for every packet that
            matches this firewall rule. A value of 0 disables iRule
            triggering.

        log
            Specifies whether the packet will be logged if it matches the
            rule. Logging must also be enabled in the corresponding
            logging configuration (e.g. security log profile
            global-network when the policy is assigned to global-rules).
            Note that the statistics counter is always incremented when a
            packet matches a rule.

        place-after
            Specifies that a new rule should be placed after another
            rule, or first or last. If individual rules are being added
            (as opposed to specifying replace-all-with) then place-before
            or place-after must be specified.

        place-before
            Specifies that a new rule should be placed before another
            rule, or first or last. If individual rules are being added
            (as opposed to specifying replace-all-with) then place-before
            or place-after must be specified.

        rule-list
            Specifies a list of rules to evaluate. See security firewall
            rule-list. If a rule-list is specified then only the schedule
            and status properties affect the rule.

        schedule
            Specifies a schedule for the rule. See security firewall
            schedule. If the rule refers to a rule-list, the rule-list
            will be enabled according to the schedule. When the rule list
            is enabled, the schedules defined within the rule-list will
            be honored.

        source
            address-lists
                Specifies a list of address lists (see security firewall
                address-list) against which the packet will be compared.

            addresses
                Specifies a list of addresses and networks against which
                the packet will be compared.

            fqdns
                Specifies a list of fully qualified domain names to
                compare against the domain of the packet's source IP
                address.

            geo
                Specifies a list of geo locations against which the
                packet will be compared.

            port-lists
                Specifies a list of port lists (see security firewall
                port-list) against which the packet will be compared.

            ports
                Specifies a list of ports and port ranges against which
                the packet will be compared.

            vlans
                Specifies a list of VLANs, VLAN groups and tunnels
                against which the packet will be compared.

        status
            Specifies whether the rule is enabled, disabled or scheduled.
            A rule that is enabled is always checked. A rule that is
            disabled is never checked. A rule that is scheduled is
            checked according to the corresponding schedule
            configuration. A rule that is scheduled must have an
            associated schedule configuration.

        service-policy
            Specifies the service policy configuration to use (see net
            service-policy). The service policy can be used to set
            policy-specific configuration such as flow timers, which
            applies to the flows that match the rule.

        virtual-server
            Specifies the virtual server name that will be used for
            further traffic processing. This option is valid only in the
            global and route domain contexts.
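The following Python model, added here and not part of the man page or of BIG-IP, illustrates the action and log semantics described above: each context holds an ordered rule list, the first matching rule decides, drop and reject end evaluation in every context, accept-decisively skips all remaining contexts, and a plain accept hands the packet on to the next context. The context order (global-rules, route domain, then virtual server or self IP) and the implicit accept when no rule matches anywhere are assumptions of the model; the sample rules are constructed, the first of them taken from the EXAMPLES section.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed enforcement order for this model: global-rules, then route domain, then
# virtual server / self IP. The man page lists these contexts but not their order.
CONTEXTS = ("global", "route-domain", "virtual")

@dataclass
class Rule:
    name: str
    action: str                                 # accept | accept-decisively | drop | reject
    src: list = field(default_factory=list)     # source CIDRs; empty matches any source
    dports: list = field(default_factory=list)  # destination ports or (lo, hi) ranges; empty = any
    log: bool = False                           # the rule's log [yes | no] option
    hits: int = 0                               # statistics counter, bumped on every match
    def matches(self, src_ip, dport):
        ip = ipaddress.ip_address(src_ip)
        if self.src and not any(ip in ipaddress.ip_network(n) for n in self.src):
            return False
        return not self.dports or any(
            p == dport if isinstance(p, int) else p[0] <= dport <= p[1] for p in self.dports)
def evaluate(policies, src_ip, dport):
    """policies maps context -> ordered rule list. Returns (verdict, matched rule names)."""
    trail = []
    for ctx in CONTEXTS:
        for rule in policies.get(ctx, []):
            if not rule.matches(src_ip, dport):
                continue
            rule.hits += 1                      # incremented whether or not log is yes
            trail.append(f"{ctx}:{rule.name}" + (" [logged]" if rule.log else ""))
            if rule.action in ("drop", "reject"):
                return rule.action, trail       # no further rules in any context
            if rule.action == "accept-decisively":
                return "accept", trail          # every remaining context is skipped
            break                               # plain accept: done here, on to the next context
    return "accept", trail                      # assumption: no match anywhere means accept
def demo_policies():
    """Constructed sample policies (not from the man page); the first rule is its example."""
    return {
        "global": [
            Rule("reject-internal-net", "reject", src=["172.27.0.0/16"]),
            Rule("allow-mgmt-ssh", "accept-decisively", src=["10.0.0.0/8"], dports=[22], log=True),
            Rule("permit-web", "accept", dports=[80, 443]),
        ],
        "virtual": [
            Rule("drop-ssh", "drop", dports=[22]),
            Rule("block-partner-tls", "drop", src=["203.0.113.0/24"], dports=[(443, 443)]),
        ],
    }
```

Compare evaluate(demo_policies(), "10.1.2.3", 22), where accept-decisively in the global context prevents the virtual-server drop-ssh rule from ever being consulted, with evaluate(demo_policies(), "203.0.113.9", 443), where a plain accept in the global context still lets the virtual-server context drop the flow.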
SEE ALSO
create, edit, list, modify, security firewall address-list, security
firewall port-list, security firewall rule-list, security log profile,
security firewall schedule, net service-policy, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2016. All rights
reserved.
BIG-IP 2016-04-18 security firewall policy(1)