security firewall port-misuse-policy

security firewall port-misuse-policy(1)    BIG-IP(TM)    security firewall port-misuse-policy(1)



NAME
       port-misuse-policy - Configures the port misuse policies.

MODULE
       security firewall

SYNTAX
       Configure the port misuse policy component within the security firewall
       module using the syntax shown in the following sections.

   CREATE/MODIFY
	create port-misuse-policy [name]
	modify port-misuse-policy [name]
	  options:
	    app-service [[string] | none]
	    description [string]
	    drop-on-l7-mismatch [no | yes]
	    log-on-l7-mismatch [no | yes]
	    rules [add | delete | modify | replace-all-with] {
	      [ [rule name] ] {
		options:
		  description [string]
		  drop-on-l7-mismatch [no | yes | use-policy-setting]
		  ip-protocol [sctp | tcp | udp]
		  l7-protocol [protocol name]
		  log-on-l7-mismatch [no | yes | use-policy-setting]
		  port [port]
	      }
	    }
	    rules none

	edit port-misuse-policy [[name] | all]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list port-misuse-policy
	show running-config port-misuse-policy
	  options:
	    all-properties
	    non-default-properties
	    one-line

   DELETE
	delete port-misuse-policy [[name] | all]

DESCRIPTION
       You can use the port-misuse-policy component to configure a shareable
       and reusable set of network port misuse policies that can be
       associated with service policy objects. A port misuse policy has one
       or more rules that match connections by transport layer (L4) IP
       protocol and port number. Each rule must have a unique L4 protocol and
       port combination within the policy. When a connection matches a policy
       rule (i.e. an L4 protocol/port pair), the first data packet of the
       connection is tested for conformance to the application layer (L7)
       protocol specified in the rule. If the data conforms to the L7
       protocol (or the test is inconclusive), the policy stops: the
       connection is allowed to proceed normally and its data is processed as
       if no policy were in use. If the data definitely does not conform to
       the specified L7 protocol, the connection is treated according to the
       configuration of the matched rule, or of the policy if the rule uses
       the policy defaults. In this case the rule or policy can drop the
       connection or allow it to proceed, and can also log an event about the
       L7 protocol mismatch.

       A port misuse policy (via a service policy) can be associated with
       objects of the following types: ltm virtual, net route-domain, and
       global. Several port misuse policies can be associated with objects of
       each type. In addition to the service policy specified in the object
       itself, service policies can be associated with the ACL rules of the
       security firewall policy, if one is associated with the object. When
       more than one policy is associated with an object, the most specific
       port misuse rule is used. For example, if a connection matches an ACL
       rule whose service policy has a port misuse policy with a rule
       matching the connection, that port misuse rule is applied. Otherwise
       the port misuse rule associated via the virtual server's service
       policy is applied, if such a rule exists and matches the connection.
       See also net service-policy.

       Port misuse policies can be specified for both the virtual server and
       the route domain objects associated with a connection. In this case
       all policies are applied. If a policy has a matching rule that drops
       the connection and the connection fails the L7 protocol test, the
       connection is terminated and the remaining policies are not applied.

EXAMPLES
	create security firewall port-misuse-policy web-ports-policy
	    drop-on-l7-mismatch no log-on-l7-mismatch yes
	    rules add {
	        p80 { ip-protocol tcp port 80 l7-protocol http drop-on-l7-mismatch yes }
	        p8080 { ip-protocol tcp port 8080 l7-protocol http }
	    }

	list security firewall port-misuse-policy web-ports-policy
	security firewall port-misuse-policy web-ports-policy {
	    drop-on-l7-mismatch no
	    log-on-l7-mismatch yes
	    rules {
		p80 {
		    drop-on-l7-mismatch yes
		    l7-protocol http
		    port http
		}
		p8080 {
		    l7-protocol http
		    port webcache
		}
	    }
	}

       Creates a port misuse policy with rules for TCP ports 80 and 8080 that
       test whether the first data packet looks like HTTP. The rule p80 tests
       all connections with destination port TCP 80 and drops them if the
       first data packet does not look like HTTP. The rule p8080 tests all
       connections with destination port TCP 8080 and logs an event if the
       first data packet does not look like HTTP (because the rule uses the
       policy defaults).

	modify security firewall port-misuse-policy web-ports-policy { rules add { p8888 { port 8888 drop-on-l7-mismatch yes } } }

       Adds a new rule p8888 to the port misuse policy web-ports-policy that
       tests all connections to TCP port 8888, and drops them and logs an
       event when the first data packet does not look like HTTP.

       list security firewall port-misuse-policy

       Displays the current port misuse policy configuration list.

OPTIONS
       description
	    User defined description.

       drop-on-l7-mismatch
	    Indicates whether the connection should be dropped when the
	    matching rule in the policy has drop-on-l7-mismatch set to
	    use-policy-setting and the connection that matches that rule fails
	    the L7 protocol test. The default is yes.

       log-on-l7-mismatch
	    Indicates whether a port misuse event should be logged when the
	    matching rule in the policy has log-on-l7-mismatch set to
	    use-policy-setting and the connection that matches that rule fails
	    the L7 protocol test. The default is no.

       rules
	    Adds, deletes, or replaces a named port misuse policy rule.

	    description
		 User defined description.

	    drop-on-l7-mismatch
		 Indicates whether the connection should be dropped when it
		 matches this rule but fails the L7 protocol test. Allowed
		 values are yes, no, and use-policy-setting. The default is
		 use-policy-setting.

	    ip-protocol
		 Specifies the transport layer (L4) IP protocol for matching
		 the connection. The valid protocols are sctp, tcp, and udp. A
		 port and L4 protocol combination must be unique within the
		 policy. The default is tcp.

	    l7-protocol
		 Specifies the application layer (L7) protocol for the rule.
		 When the connection matches the rule, the first data packet is
		 tested for conformance to this protocol. If the test is
		 negative, the rule can drop the connection and/or log a port
		 misuse event, depending on the other options. If the test is
		 positive or inconclusive (not enough data), the connection is
		 handled as if there were no port misuse policy associated with
		 the given object (virtual server or route domain), and the
		 policies at other objects are applied. Press the  key for a
		 full list of valid protocols. The default protocol is http.

	    log-on-l7-mismatch
		 Indicates whether a port misuse event should be logged when
		 the connection matches this rule but fails the L7 protocol
		 test. Allowed values are yes, no, and use-policy-setting. The
		 default is use-policy-setting.

	    port
		 Specifies the destination port number for matching the
		 connection. The valid values are 1-65535. A port and L4
		 protocol combination must be unique within the policy.
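       The decision logic described in DESCRIPTION and the option defaults
       listed above, modelled in Python as an added example (this is not F5
       code and not how TMOS is implemented). It reproduces the man page's
       web-ports-policy after both the create and modify examples, resolves
       use-policy-setting against the policy-level defaults, enforces the
       unique (ip-protocol, port) constraint, applies several policies in
       order with a drop ending evaluation, and picks the most specific
       policy (ACL rule's service policy before the object's own). The
       "looks like HTTP" first-packet test is a toy stand-in for the BIG-IP
       detector, only http is modelled (other l7-protocol values are treated
       as inconclusive, an assumption), and the sample packets are
       constructed.

```python
# Added illustration, not F5 code. Defaults are those stated in the man
# page's OPTIONS section; the HTTP first-packet test is a toy stand-in.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    port: int
    ip_protocol: str = "tcp"      # default per OPTIONS
    l7_protocol: str = "http"     # default per OPTIONS
    drop_on_l7_mismatch: str = "use-policy-setting"
    log_on_l7_mismatch: str = "use-policy-setting"


@dataclass
class PortMisusePolicy:
    name: str
    drop_on_l7_mismatch: bool = True    # policy default: yes
    log_on_l7_mismatch: bool = False    # policy default: no
    rules: Dict[str, Rule] = field(default_factory=dict)

    def add_rule(self, rule: Rule) -> None:
        # Each (L4 protocol, port) pair must be unique within the policy.
        for existing in self.rules.values():
            if (existing.ip_protocol, existing.port) == (rule.ip_protocol, rule.port):
                raise ValueError(f"{rule.ip_protocol}/{rule.port} already used by {existing.name}")
        self.rules[rule.name] = rule

    def match(self, ip_protocol: str, port: int) -> Optional[Rule]:
        for rule in self.rules.values():
            if rule.ip_protocol == ip_protocol and rule.port == port:
                return rule
        return None


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def http_first_packet_test(data: bytes) -> str:
    """Toy L7 test: 'positive', 'negative', or 'inconclusive' (not enough data)."""
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "positive"
    if any(m.startswith(data) for m in HTTP_METHODS):
        return "inconclusive"      # e.g. b"GE" or an empty first packet
    return "negative"


# Assumption: only http is modelled; any other l7-protocol counts as inconclusive.
L7_TESTS = {"http": http_first_packet_test}


def evaluate_policy(policy: PortMisusePolicy, ip_protocol: str, port: int,
                    first_packet: bytes) -> Tuple[str, bool, Optional[str]]:
    """Return (action, logged, matched rule name); action is 'allow' or 'drop'."""
    rule = policy.match(ip_protocol, port)
    if rule is None:
        return "allow", False, None
    verdict = L7_TESTS.get(rule.l7_protocol, lambda _d: "inconclusive")(first_packet)
    if verdict != "negative":
        return "allow", False, rule.name    # conforming or inconclusive: policy stops
    # Resolve use-policy-setting against the policy-level defaults.
    drop = (policy.drop_on_l7_mismatch if rule.drop_on_l7_mismatch == "use-policy-setting"
            else rule.drop_on_l7_mismatch == "yes")
    log = (policy.log_on_l7_mismatch if rule.log_on_l7_mismatch == "use-policy-setting"
           else rule.log_on_l7_mismatch == "yes")
    return ("drop" if drop else "allow"), log, rule.name


def evaluate_policies(policies: List[PortMisusePolicy], ip_protocol: str, port: int,
                      first_packet: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply every policy attached to the connection (e.g. virtual server, then
    route domain); a drop terminates the connection and skips the rest."""
    events: List[Tuple[str, str]] = []
    for policy in policies:
        action, logged, rule_name = evaluate_policy(policy, ip_protocol, port, first_packet)
        if logged:
            events.append((policy.name, rule_name))
        if action == "drop":
            return "drop", events
    return "allow", events


def select_policy(acl_policy: Optional[PortMisusePolicy], object_policy: Optional[PortMisusePolicy],
                  ip_protocol: str, port: int) -> Optional[PortMisusePolicy]:
    """Most-specific selection: the ACL rule's service policy wins over the
    object's own service policy when it has a rule matching the connection."""
    for candidate in (acl_policy, object_policy):
        if candidate is not None and candidate.match(ip_protocol, port) is not None:
            return candidate
    return None


def web_ports_policy() -> PortMisusePolicy:
    """The man page's web-ports-policy after both the create and modify examples."""
    policy = PortMisusePolicy("web-ports-policy", drop_on_l7_mismatch=False, log_on_l7_mismatch=True)
    policy.add_rule(Rule("p80", 80, drop_on_l7_mismatch="yes"))
    policy.add_rule(Rule("p8080", 8080))
    policy.add_rule(Rule("p8888", 8888, drop_on_l7_mismatch="yes"))
    return policy


if __name__ == "__main__":
    # Constructed sample first packets: a TLS ClientHello prefix, and an HTTP request.
    NOT_HTTP = b"\x16\x03\x01\x00\xc4"
    HTTP = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    web = web_ports_policy()
    print(evaluate_policy(web, "tcp", 80, NOT_HTTP))     # p80 drops and logs
    print(evaluate_policy(web, "tcp", 8080, NOT_HTTP))   # p8080 only logs (policy defaults)
    print(evaluate_policy(web, "tcp", 80, HTTP))         # conforming: allowed, nothing logged
```

       Running the model against the page's own policy shows why p80 both
       drops and logs while p8080 only logs: p80 overrides drop-on-l7-mismatch
       but inherits log-on-l7-mismatch yes from the policy, and p8080 inherits
       both settings. Ordering two policies on the same connection shows the
       DESCRIPTION's rule that a drop stops further policies, so which object
       drops first determines whether the other policy's log event is ever
       produced.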

SEE ALSO
       create, edit, list, modify, security firewall rule-list, security
       firewall policy, net service-policy, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2013-2015. All rights reserved.



BIG-IP				  2015-security firewall port-misuse-policy(1)