security firewall port-misuse-policy
security firewall port-misuse-policy(1) BIG-IP TMSH Manual security firewall port-misuse-policy(1)
NAME
port-misuse-policy - Configures the port misuse policies.
MODULE
security firewall
SYNTAX
Configure the port misuse policy component within the security firewall module using the syntax shown in the
following sections.
CREATE/MODIFY
create port-misuse-policy [name]
modify port-misuse-policy [name]
options:
app-service [[string] | none]
description [string]
drop-on-l7-mismatch [no | yes]
log-on-l7-mismatch [no | yes]
rules [add | delete | modify | replace-all-with] {
    [ [rule name] ] {
        options:
        description [string]
        drop-on-l7-mismatch [no | yes | use-policy-setting]
        ip-protocol [sctp | tcp | udp]
        l7-protocol [protocol name]
        log-on-l7-mismatch [no | yes | use-policy-setting]
        port [port]
    }
}
rules none
edit port-misuse-policy [[name] | all]
options:
all-properties
non-default-properties
DISPLAY
list port-misuse-policy
show running-config port-misuse-policy
options:
all-properties
non-default-properties
one-line
DELETE
delete port-misuse-policy [[name] | all]
DESCRIPTION
You can use the port-misuse-policy component to configure a shareable and reusable set of network port misuse
policies that can be associated with service policy objects. A port misuse policy has one or more rules that
match connections by IP transport layer (L4) protocol and port number. Each rule must have a unique L4 protocol
and port combination within the policy. When a connection matches a policy rule (that is, an L4 protocol/port
pair), the first data packet of the connection is tested for conformance to the application layer (L7) protocol
specified in the rule. If the data conforms to the L7 protocol (or the test is inconclusive), the policy stops:
the connection is allowed to proceed normally and data is processed as if no policy were in use. If the data
definitely does not conform to the specified L7 protocol, the connection is treated according to the
configuration of the matched rule, or of the policy if the rule uses the policy defaults. In this case the rule
or policy can drop the connection or allow it to proceed, and can also log an event about the L7 protocol
mismatch.
A port misuse policy (via a service policy) can be associated with objects of the following types: ltm virtual,
net route-domain, and global. Several port misuse policies can be associated with objects of each type. In
addition to the service policy specified in the object itself, service policies can be associated with ACL rules
of the security firewall policy, if one is associated with the object. When more than one policy is associated
with the object, the most specific port misuse rule is used. For example, if a connection matches an ACL rule
whose service policy has a port misuse policy that also has a rule matching the connection, that port misuse
rule is applied. Otherwise the port misuse rule associated via the virtual's service policy is applied, if such
a rule exists and matches the connection. See also net service-policy.
Port misuse policies can be specified for both the virtual server and the route domain objects associated with
the connection. In this case all policies are applied. If a policy has a matching rule that drops the
connection, and the connection fails the L7 protocol test, the connection is terminated and the remaining
policies are not applied.
EXAMPLES
create security firewall port-misuse-policy web-ports-policy drop-on-l7-mismatch no log-on-l7-mismatch yes rules add { p80 { ip-protocol tcp port 80 l7-protocol http drop-on-l7-mismatch yes } p8080 { ip-protocol tcp port 8080 l7-protocol http } }
list security firewall port-misuse-policy web-ports-policy
security firewall port-misuse-policy web-ports-policy {
    drop-on-l7-mismatch no
    log-on-l7-mismatch yes
    rules {
        p80 {
            drop-on-l7-mismatch yes
            l7-protocol http
            port http
        }
        p8080 {
            l7-protocol http
            port webcache
        }
    }
}
Creates a port misuse policy with rules for TCP ports 80 and 8080 that test whether the first data packet looks
like HTTP. The rule p80 tests all connections that have destination port TCP 80 and drops them if the first
data packet does not look like HTTP. The rule p8080 tests all connections that have destination port TCP 8080
and logs an event if the first data packet does not look like HTTP (because of the policy defaults: the rule
inherits drop-on-l7-mismatch no and log-on-l7-mismatch yes from the policy).
modify security firewall port-misuse-policy web-ports-policy { rules add { p8888 { port 8888 drop-on-l7-mismatch yes } } }
Adds a new rule p8888 to the port misuse policy web-ports-policy that tests all connections to TCP port 8888
(ip-protocol and l7-protocol take their defaults, tcp and http) and drops them, logging an event, when the first
data packet does not look like HTTP.
list security firewall port-misuse-policy
Displays the current port misuse policy configuration list.
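The following Python model is an added example; it is not part of the TMSH manual and not F5 code. It parses a
constructed copy of the `list` output shown above into a policy, resolves each rule's use-policy-setting values
against the policy-level defaults documented in OPTIONS, applies the rule precedence described in DESCRIPTION
(ACL-rule service policy before the virtual's own, then route domain policies, stopping at the first drop), and
reproduces the modify example by adding rule p8888. Two things are assumptions: the `classify_l7` function is a
simple stand-in for the device's L7 conformance test (the real classifier is not documented here), and the
`SERVICE_PORTS` table maps only the two service names tmsh prints on this page.

```python
import re

# Constructed copy of the `list` output shown in the EXAMPLES section (not captured from a device).
LISTING = """\
security firewall port-misuse-policy web-ports-policy {
    drop-on-l7-mismatch no
    log-on-l7-mismatch yes
    rules {
        p80 {
            drop-on-l7-mismatch yes
            l7-protocol http
            port http
        }
        p8080 {
            l7-protocol http
            port webcache
        }
    }
}
"""

# tmsh prints well-known ports by service name; assumption: only the two names used on this page.
SERVICE_PORTS = {"http": 80, "webcache": 8080}

# Defaults as documented in the OPTIONS section.
RULE_DEFAULTS = {"ip-protocol": "tcp", "l7-protocol": "http",
                 "drop-on-l7-mismatch": "use-policy-setting",
                 "log-on-l7-mismatch": "use-policy-setting"}
POLICY_DEFAULTS = {"drop-on-l7-mismatch": "yes", "log-on-l7-mismatch": "no"}

# Stand-in for the L7 test (assumption): recognise an HTTP request line prefix only.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def _parse_block(tokens, i):
    """Parse a brace block starting at tokens[i] == '{'; return (dict, index after the closing '}')."""
    i, block = i + 1, {}
    while tokens[i] != "}":
        key, i = tokens[i], i + 1
        if tokens[i] == "{":
            block[key], i = _parse_block(tokens, i)
        else:
            block[key], i = tokens[i], i + 1
    return block, i + 1


def add_rule(policy, name, **settings):
    """Add one rule (as `modify ... rules add { ... }` would), filling in the rule defaults."""
    rule = dict(RULE_DEFAULTS, **settings)
    port = str(rule["port"])
    rule["port"] = int(port) if port.isdigit() else SERVICE_PORTS[port]
    policy["rules"][name] = rule
    return rule


def make_policy(name, rules=None, **settings):
    """Build a policy dict with the documented policy-level defaults, then its rules."""
    policy = dict(POLICY_DEFAULTS, name=name, rules={})
    policy.update(settings)
    for rname, rbody in (rules or {}).items():
        add_rule(policy, rname, **rbody)
    return policy


def parse_listing(text):
    """Parse one `list security firewall port-misuse-policy <name>` block."""
    tokens = re.findall(r"[{}]|[^\s{}]+", text)
    name = tokens[3]                       # tokens[:3] are the component path
    body, _ = _parse_block(tokens, 4)
    rules = body.pop("rules", {})
    return make_policy(name, {} if rules == "none" else rules, **body)


def classify_l7(l7_protocol, first_packet):
    """Assumed stand-in for the device's L7 test: 'match', 'mismatch' or 'inconclusive'."""
    if l7_protocol != "http" or len(first_packet) < 4:
        return "inconclusive"             # not enough data, or a protocol this model cannot judge
    return "match" if first_packet.startswith(HTTP_METHODS) else "mismatch"


def effective(rule, policy, key):
    """Resolve a rule's use-policy-setting to the policy-level value."""
    return policy[key] if rule[key] == "use-policy-setting" else rule[key]


def find_rule(policy, conn):
    """Return (name, rule) whose L4 protocol and destination port match the connection, or None."""
    for name, rule in policy["rules"].items():
        if rule["ip-protocol"] == conn["ip-protocol"] and rule["port"] == conn["port"]:
            return name, rule
    return None


def evaluate(conn, objects):
    """objects: [(object_name, candidate_policies)] for the virtual server, then the route domain.
    Candidates are ordered most specific first (ACL-rule service policy before the object's own);
    only the first candidate with a matching rule is applied. Returns (verdict, log_events)."""
    events = []
    for obj_name, candidates in objects:
        for policy in candidates:
            hit = find_rule(policy, conn)
            if hit is None:
                continue
            rname, rule = hit
            if classify_l7(rule["l7-protocol"], conn["first_packet"]) == "mismatch":
                if effective(rule, policy, "log-on-l7-mismatch") == "yes":
                    events.append(f"{obj_name}/{policy['name']}/{rname}: L7 mismatch")
                if effective(rule, policy, "drop-on-l7-mismatch") == "yes":
                    return "drop", events      # remaining policies are not applied
            break                              # most specific matching rule decides for this object
    return "allow", events


if __name__ == "__main__":
    policy = parse_listing(LISTING)
    add_rule(policy, "p8888", port=8888, **{"drop-on-l7-mismatch": "yes"})   # the modify example
    not_http = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"                # constructed TLS-like bytes
    for port, pkt in [(80, b"GET / HTTP/1.1\r\n"), (80, not_http), (8080, not_http), (8080, b"GE"), (8888, not_http)]:
        print(port, evaluate({"ip-protocol": "tcp", "port": port, "first_packet": pkt}, [("vs", [policy])]))
```

The model makes the inheritance visible: p8080 carries use-policy-setting for both options, so a mismatch on 8080 is logged but allowed, while p80 overrides drop to yes and still inherits logging from the policy. Passing an ACL-derived policy ahead of the virtual's policy shows that only the more specific rule is consulted for that object, and a drop on the virtual stops the route domain's policies from running.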
OPTIONS
description
User defined description.
drop-on-l7-mismatch
Indicates whether the connection should be dropped when it matches a rule in the policy that has
drop-on-l7-mismatch set to use-policy-setting and fails the L7 protocol test. The default is yes.
log-on-l7-mismatch
Indicates whether a port misuse event should be logged when the connection matches a rule in the policy that
has log-on-l7-mismatch set to use-policy-setting and fails the L7 protocol test. The default is no.
rules
Adds, deletes, or replaces a named port misuse policy rule.
description
User defined description.
drop-on-l7-mismatch
Indicates whether the connection should be dropped when it matches this rule but fails the L7 protocol
test. Allowed values are yes, no, and use-policy-setting. The default is use-policy-setting.
ip-protocol
Specifies the transport layer (L4) IP protocol for matching the connection. The valid protocols are
sctp, tcp, and udp. A port and L4 protocol combination must be unique within the policy. The default is
tcp.
l7-protocol
Specifies the application layer (L7) protocol for the rule. When the connection matches the rule, the
first data packet is tested for conformance to this protocol. If the test is negative, the rule can drop
the connection and/or log a port misuse event depending on the other options. If the test is positive or
inconclusive (not enough data), the connection is handled as if there were no port misuse policy
associated with the given object (virtual server or route domain), and policies at other objects are
applied. Press the key for a full list of valid protocols. The default protocol is http.
log-on-l7-mismatch
Indicates whether a port misuse event should be logged when the connection matches this rule but fails the
L7 protocol test. Allowed values are yes, no, and use-policy-setting. The default is use-policy-setting.
port
Specifies the destination port number for matching the connection. The valid values are 1-65535. A
port and L4 protocol combination must be unique within the policy.
SEE ALSO
create, edit, list, modify, security firewall rule-list, security firewall policy, net service-policy, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2013-2015. All rights reserved.
BIG-IP 2015-07-14 security firewall port-misuse-policy(1)