Create Network Firewall

Published April 5, 2023 | Last modified September 9, 2025

Objective

This guide provides instructions on how to create a Network Firewall using the guided wizards in F5® Distributed Cloud Services. For more information on sites, see Site.

A Network Firewall consists of three elements:

  1. A Forward Proxy Policy: L7 Policies applied when the F5 gateway is used in transit.

  2. A Network Policy: L3-4 Policies applied to traffic ingress, egress, or originated on the F5 Gateway.

  3. Fast access control list (ACL): A set of rules to protect your F5 Gateway.

Using the instructions provided in this guide, you can create a network firewall with all its elements, and apply it to your site or fleet of sites.

Prerequisites

Configuration

Configuration Sequence

Configuring an application firewall requires performing the following sequence of actions:

PhaseDescription
Create a Network FirewallCreate a network firewall with policies and fast ACLs that define the network rules.
Apply Network Firewall on FleetApply the network firewall to the fleet to protect the sites that are part of the fleet.

Important: The creation of a network policy, a forward proxy policy, or a fast ACL is optional. However, it is recommended to protect your network by creating at least one.

Create Network Firewall

Perform the following to create a network firewall:

Step 1: Start network firewall object creation.
  • Open the F5® Distributed Cloud Console homepage and select the Multi-Cloud Network Connect service.
Figure: Homepage

Figure: Homepage

  • Select Manage > Firewall > Network Firewalls in left menu.

  • Select Add Network Firewall.

Figure: Add Network Firewall

Figure: Add Network Firewall

  • Enter Name, and add Labels and Description as needed.
Figure: Add Network Firewall

Figure: Add Network Firewall

Step 2: Configure forward proxy policy.

  • From the Select Forward Policy Configuration menu, select an option:

    • Disable Forward Proxy Policy: Default option.

    • Active Forward Proxy Policies: Select an existing policy from the Forward Proxy Policies menu.

Figure: Forward Policy Configuration

Figure: Forward Policy Configuration

Step 2.1: Configure new forward proxy policy.

For more information, see the Network Firewall guide.

  • From the Forward Proxy Policies menu, click Add Item.

  • Enter Name, and add Labels and Description as needed.

  • From the Select Forward Proxy menu, select an option:

    • All Forward Proxies on Site: All the proxies configured.

    • Network Connector: Specific Network Connector.

    • Network Connector Label Selector: Label that selects network connector.

Figure: Proxies on Site Selection

Figure: Proxies on Site Selection

  • From the Select Policy Rules menu, select an option:

    • Allow all connections: Allows all traffic.

    • Allowed connections: Select Add Item under TLS Domains or HTTP URLs (or both), input information, and then select Apply for connections to allow while everything else is denied. Select option from Default Action drop-down menu.

    • Denied connections: Select Add Item under TLS Domains, HTTP URLs, or L4 Destination List or all, input information, and then select Apply for connections to deny. Everything else will be allowed. Select option from Default Action drop-down menu.

    • Custom Rule List: Select Configure, input information, and then select Apply to add a list of custom rules.

  • Select Continue to add a new forward proxy policy.

  • To add more forward proxy policies, select Add Item.

Step 3: Enable firewall policy.

  • In the Firewall Policy section, perform the following:

    • From the Select Firewall Policy Configuration menu, select an option to activate or disable network policies for your network firewall. You can activate a firewall policy or enable an enhanced firewall policy. For more information, see the Firewall Policies guide.

    • From the Firewall Policy menu, select the firewall policy previously created.

Figure: Firewall Policy Configuration

Figure: Firewall Policy Configuration

  • To create a new firewall policy:

    • From the Firewall Policy menu, select Add Item.

    • Enter Name, and add Labels and Description as needed.

    • From the Endpoint(s) menu, select an option:

      • IPv4i/IPv6 Prefix List: Click Add Item to add the prefix in the box that appears below.

      • Any Endpoint

      • Endpoints Reachable via all Outside Interfaces

      • Endpoints Reachable via all Inside Interfaces

      • Label Selector: Click Add Label to define a label that identifies an endpoint.

Figure: Endpoint Selection

Figure: Endpoint Selection

Step 4: Configure ingress and egress rules.

Configure ingress and egress rules for a network firewall.

Step 4.1: Configure ingress rules.

  • Select Configure in Connections To Policy Endpoints section.

  • Select Add Item.

  • Enter Name.

  • From the Action menu, choose to deny or allow for a rule match.

  • Toggle Show Advanced Fields to show Logging Action drop-down menu to select a logging option.

  • From the Select Other Endpoint drop-down menu, select an option for the ingress source endpoint.

  • From the Select Type of Traffic to Match drop-down menu, select the type of traffic to match. Default option matches all types of traffic. If you match for application traffic, select the Application Protocols to use. If you match for protocol and port ranges, select the Protocols to use.

  • Optionally, choose to match using label keys with Add Item in Keys box. To add additional keys, select Add Item.

  • Select Apply to add the configuration rules.

  • Select Apply to add the ingress rules.

Step 4.2: Configure egress rules.

  • Select Configure in Connections From Policy Endpoints section.

  • Select Add Item.

  • Enter Name.

  • From the Action menu, choose to deny or allow for a rule match.

  • Toggle Show Advanced Fields to show Logging Action drop-down menu to select a logging option.

  • From the Select Other Endpoint drop-down menu, select an option for the egress source endpoint.

  • From the Select Type of Traffic to Match drop-down menu, select the type of traffic to match. Default option matches all types of traffic. If you match for application traffic, select the Application Protocols to use. If you match for protocol and port ranges, select the Protocols to use.

  • Optionally, choose to match using label keys with Add Item in Keys box. To add additional keys, select Add Item.

  • Select Apply to add the configuration rules.

  • Select Apply to add the egress rules.

  • Select Continue.

Step 5: Configure Fast ACL.

  • From the Select Fast ACL Configuration drop-down menu, select an option from the following:

    • Disable Fast ACL: Fast ACL is disabled for this network firewall.

    • Active Fast ACL(s): Fast ACL is active for this network firewall. Select Fast ACL drop-down menu to select corresponding Fast ACL. For more information, see Fast ACLs.

  • Select Save and Exit to complete configuration.

Apply Network Firewall to Fleet

After your network firewall is configured, you will need to apply it to your fleet so that the sites on that fleet are configured with the network firewall defined.

Step 1: Edit fleet configuration.

  • In the Multi-Cloud Network Connect service, click Manage > Site Management > Fleets.

  • Find your Fleet and select ... > Manage Configuration to open pop-up window to edit.

  • Select Edit Configuration in upper-right corner of the pop-up window.

Step 2: Select network firewall object.

In the Network Firewall section, from the Network Firewall menu, select the firewall previously created.

Step 3: Complete configuration.

Select Save and Exit.

Concepts

API References

On this page: