security firewall policy
security firewall policy(1) BIG-IP TMSH Manual security firewall policy(1)
NAME
policy - Configures firewall policy.
MODULE
security firewall
SYNTAX
Modify the policy component within the security firewall module using the syntax shown in the following
sections.
CREATE/MODIFY
create policy [name]
    options:
        copy-from [string]

modify policy [name]
    options:
        description [string]
        rules [add | delete | modify | replace-all-with] {
            [ [name] ] {
                options:
                    action [accept | accept-decisively | drop | reject]
                    description [string]
                    destination {
                        address-lists [add | default | delete | replace-all-with] {
                            [address list names...]
                        }
                        address-lists none
                        addresses [add | default | delete | replace-all-with] {
                            [ [ip address] | [ip address/prefixlen] ]
                        }
                        addresses none
                        fqdns [add | delete | replace-all-with] {
                            [ fully qualified domain names]
                        }
                        fqdns none
                        geo [add | default | delete | replace-all-with] {
                            [ [country_code [state state_name] ] ]
                        }
                        geo none
                        ipi-category [add | default | delete | replace-all-with] {
                            [ IP-Intelligence category names... ]
                        }
                        ipi-category none
                        port-lists [add | default | delete | replace-all-with] {
                            [port list names...]
                        }
                        port-lists none
                        ports [add | default | delete | none | replace-all-with] {
                            [ [port] | [port1-port2] ]
                        }
                        ports none
                        zones [add | delete | replace-all-with] {
                            [ zone names]
                        }
                        zones none
                    }
                    icmp [add | delete | modify | replace-all-with] {
                        [ [icmp_type] | icmp_type:icmp_code ] {
                            description [string]
                        }
                    }
                    icmp none
                    ip-protocol [protocol name]
                    irule [irule name]
                    irule-sample-rate [integer]
                    log [no | yes]
                    place-after [first | last | [rule name]]
                    place-before [first | last | [rule name]]
                    rule-list [rule list name]
                    schedule [schedule name]
                    uuid [ | none | auto-generate]
                    source {
                        address-lists [add | default | delete | replace-all-with] {
                            [address list names...]
                        }
                        address-lists none
                        addresses [add | default | delete | replace-all-with] {
                            [ [ip address] | [ip_address/prefixlen] ]
                        }
                        addresses none
                        fqdns [add | delete | replace-all-with] {
                            [ fully qualified domain names]
                        }
                        fqdns none
                        geo [add | default | delete | replace-all-with] {
                            [ [country_code [state state_name] ] ]
                        }
                        geo none
                        identity {
                            user-groups [add | delete | modify | none | replace-all-with] {
                                [user group names...]
                            }
                            user-lists [add | delete | modify | none | replace-all-with] {
                                [user list names...]
                            }
                            users [add | delete | modify | none | replace-all-with] {
                                [user names...]
                            }
                        }
                        ipi-category [add | default | delete | replace-all-with] {
                            [ IP-Intelligence category names... ]
                        }
                        ipi-category none
                        port-lists [add | default | delete | replace-all-with] {
                            [port list names...]
                        }
                        port-lists none
                        ports [add | default | delete | replace-all-with] {
                            [ [port] | [port1-port2] ]
                        }
                        ports none
                        vlans [add | default | delete | replace-all-with] {
                            [vlan names...]
                        }
                        vlans none
                        zones [add | delete | replace-all-with] {
                            [ zone names]
                        }
                        zones none
                    }
                    status [disabled | enabled | scheduled]
                    service-policy [service policy name]
                    virtual-server [virtual server name]
                    ips-profile [IPS profile name]
                    classification-policy [classification policy name]
            }
        }
        rules none

edit policy
    options:
        all-properties
        non-default-properties
DISPLAY
list policy
show running-config policy
    options:
        all-properties
        non-default-properties
        one-line
DESCRIPTION
You can use the policy component to configure a shareable and reusable set of network firewall rules that
can be attached, as either enforced or staged, to configuration objects of the following types: net self,
ltm virtual, security firewall global-rules, net route-domain.
EXAMPLES
modify policy rules add {
    reject-internal-net {
        place-before first
        action reject
        source {
            addresses replace-all-with { 172.27.0.0/16 }
        }
    }
}
Creates a rule entry at the beginning of the list that rejects traffic from the 172.27.0.0/16 network.

modify policy rules delete { reject-internal-net }
Removes the rule reject-internal-net from the list of rules.

create security firewall policy p1 rules add { r1 { source { geo add { US } } action reject place-after first } }
Creates a policy with a single rule that rejects all packets from the US.

create security firewall policy xyz rules add { r1 { destination { fqdns add { f5.com } } action accept place-after first } }
Creates a policy named 'xyz' with a single rule (named 'r1') that accepts all packets whose destination IP
address resolves within the domain 'f5.com'.

list policy
Displays the current list of policy rules.

create policy "New Policy" copy-from "/Common/Existing Policy"
Creates a new policy New Policy by copying existing policy /Common/Existing Policy.
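A fuller policy build-out, added here as an illustration and not one of the manual's own examples. The policy, rule and object names are assumptions; the referenced address-list, port-list, schedule and rule-list objects must already exist (see SEE ALSO); and the final attachment uses global-rules properties that this page does not document and that are assumed from the global-rules component.

```tmsh
# Build a reusable policy in one step. With replace-all-with the rules are placed in the
# order written, so place-before / place-after are not required (see OPTIONS).
create security firewall policy corp-edge description "Inbound edge policy" rules replace-all-with {
    allow-mgmt {
        action accept
        ip-protocol tcp
        source { address-lists add { mgmt-hosts } }
        destination { ports add { 22 443 } }
        log yes
    }
    allow-ping {
        action accept
        ip-protocol icmp
        icmp add { 8 }
    }
    allow-web-business-hours {
        action accept
        ip-protocol tcp
        destination { port-lists add { web-ports } }
        schedule business-hours
        status scheduled
    }
    legacy {
        rule-list legacy-rules
    }
    default-deny {
        action reject
        log yes
    }
}

# Later change: an individual rule is added, so its placement must be stated.
# 198.51.100.0/24 is a constructed documentation-range example, not a real source.
modify security firewall policy corp-edge rules add {
    block-scanner-net {
        action drop
        source { addresses add { 198.51.100.0/24 } }
        log yes
        place-before default-deny
    }
}

# Enable logging on an existing rule, then verify the resulting rule order.
modify security firewall policy corp-edge rules modify { allow-web-business-hours { log yes } }
list security firewall policy corp-edge all-properties

# Stage before enforcing (assumed global-rules property names): a staged policy logs
# matches without acting on them, so the rule order can be validated before cutover.
modify security firewall global-rules staged-policy corp-edge
modify security firewall global-rules enforced-policy corp-edge
```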
OPTIONS
description
User defined description.
copy-from
(CREATE) Specifies the name of an existing policy from which to copy all configuration options.
rules
Adds, deletes, or replaces a firewall rule.
action
Specifies the action that the system takes when a rule is matched.
accept
Specifies that the current packet should be accepted.
accept-decisively
Specifies that the current packet should be accepted and that packet will not be compared to
any other firewall rules in any other context.
drop
Specifies that the current packet should be silently dropped. Nothing is sent back to the
packet source. The packet is not compared to any other firewall rules.
reject
Specifies that the current packet should be dropped. For TCP based protocols a TCP reset is
sent to the source. For other protocols reject is equivalent to drop.
description
User defined description.
destination
address-lists
Specifies a list of address lists (see security firewall address-list) against which the packet
will be compared.
addresses
Specifies a list of addresses and networks against which the packet will be compared.
fqdns
Specifies a list of fully qualified domain names to compare against packet's destination IP
address domain.
geo
Specifies a list of Geo Locations against which the packet will be compared.
ipi-category
Specifies a list of IP-Intelligence category names that the packet will be compared against.
port-lists
Specifies a list of port lists (see security firewall port-list) against which the packet will
be compared.
ports
Specifies a list of ports and port ranges against which the packet will be compared.
zones
Specifies a list of zones (see security firewall zone) against which the packet will be compared.
icmp
Specifies a list of ICMP types and codes against which the packet will be compared. The standard
integer identifiers are used to specify an ICMP type. For example, 3 is destination unreachable and 3:1
is destination unreachable with a code of host unreachable. The list of ICMP types and codes can be
found at http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml.
ip-protocol
Specifies the IP protocol against which the packet will be compared.
irule
Specifies the name of the iRule that will be triggered when a packet matches this firewall rule. The
firewall rule match raises a FLOW_INIT iRule event.
irule-sample-rate
Specifies the rate at which an iRule specified by irule option will be triggered when a packet
matches this firewall rule. The rate is an integer value in the range 0-65535 and specifies how many
packets must match this firewall rule before the iRule is triggered. The default value is 1 and
causes the iRule to be triggered for every packet that matches this firewall rule. A value of 0
disables iRule triggering.
log
Specifies whether the packet will be logged if it matches the rule. Logging must also be enabled in
the corresponding logging configuration (e.g., security log profile global-network when the policy is
assigned to global-rules). Note that the statistics counter is always incremented when a packet
matches a rule.
place-after
Specifies that a new rule should be placed after another rule, first or last. If individual rules
are being added (as opposed to specifying replace-all-with) then place-before or place-after must be
specified.
place-before
Specifies that a new rule should be placed before another rule, first or last. If individual rules
are being added (as opposed to specifying replace-all-with) then place-before or place-after must be
specified.
rule-list
Specifies a list of rules to evaluate. See security firewall rule-list. If a rule-list is specified,
then only the schedule and status properties affect the rule.
schedule
Specifies a schedule for the rule. See security firewall schedule. If the rule refers to a rule-list,
the rule-list will be enabled according to the schedule. When the rule list is enabled, the
schedules defined within the rule-list will be honored.
source
address-lists
Specifies a list of address lists (see security firewall address-list) against which the packet
will be compared.
addresses
Specifies a list of addresses and networks against which the packet will be compared.
fqdns
Specifies a list of fully qualified domain names to compare against packet's source IP address
domain.
geo
Specifies a list of Geo Locations against which the packet will be compared.
ipi-category
Specifies a list of IP-Intelligence category names that the packet will be compared against.
port-lists
Specifies a list of port lists (see security firewall port-list) against which the packet will
be compared.
ports
Specifies a list of ports and port ranges against which the packet will be compared.
vlans
Specifies a list of vlans, vlan groups and tunnels against which the packet will be compared.
zones
Specifies a list of zones (see security firewall zone) against which the packet will be compared.
status
Specifies whether the rule is enabled, disabled or scheduled. A rule that is enabled is always
checked. A rule that is disabled is never checked. A rule that is scheduled is checked according to
the corresponding schedule configuration. A rule that is scheduled must have an associated schedule
configuration.
service-policy
Specifies the service policy configuration to use (see net service-policy). The service policy
can be used to set policy-specific settings, such as flow timers, that apply to the flows
that match the rule.
uuid
Specifies how the UUID of this rule is assigned: an explicit UUID based on RFC 4122, an empty UUID
(the none value), or a system-generated UUID (the auto-generate value) based on the system-wide
uuid-default-autogenerate mode in effect when the rule is created.
virtual-server
Specifies the virtual server that will be used for further traffic processing. This option is valid
only in the global and route-domain contexts.
SEE ALSO
create, edit, list, modify, security firewall address-list, security firewall port-list, security firewall
rule-list, security log profile, security firewall schedule, net service-policy, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2016. All rights reserved.
BIG-IP 2018-09-17 security firewall policy(1)