Create Firewall Policy


This guide provides instructions on how to create a firewall policy and enhanced firewall policy using the guided wizards in F5® Distributed Cloud Console. The firewall policies are applied to traffic ingressing, egressing, or originated on the F5 Gateway.

An enhanced firewall policy provides advanced features when compared to a standard firewall policy. For example, an enhanced firewall policy enables you to create network level policies based on VPC tags, VPC IDs, IP, and IP prefix set object. The label selector option can also be used for selecting traffic coming from VPC-level tags, a global network, or interfaces. You can also configure the enhanced firewall policy to allow, deny, or forward traffic to an NFV service (like BIG-IP virtual edition, Palo Alto Networks Firewall, etc.).

To learn more about a network policy, see Network Policies.

Using the instructions provided in this document, you can create network policies with policy rules that control the traffic to secure your network.


Create Firewall Policy

Step 1: Navigate to firewall policies creation form.
  • Open F5® Distributed Cloud Console homepage, select Multi-Cloud Network Connect box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills > Advanced box > check Work Domain boxes > Save changes.

Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select Manage > select Firewall.

  • Select Firewall Policies.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

  • Select Add Firewall Policy.
Figure: Open Firewall Policies
  • Enter Name, enter Labels and Description as needed.
Figure: Configure Firewall Policies
Step 2: Configure endpoint.
  • Select Endpoint(s) option from drop-down menu in Policy for Endpoints section.

    • IPV4 Prefix List > enter Prefixes in box that appears below.

    • Any Endpoint.

    • Endpoints reachable via all Outside Interfaces.

    • Endpoints reachable via all Inside Interfaces.

    • Label Selector > Select Expression label in drop-down menu that appears.

    Note: A Label that identifies an Endpoint.

Figure: Endpoint selection - IPv4 Prefix List and the prefix
Step 3: Configure rules.
  • Configure Ingress Rules or Egress Rules (or both) to define the direction in which you want to apply your policies in Connections to Policy Endpoints boxes.

Note: The ingress and egress rules are with respect to the endpoint configured.

Figure: Ingress and Egress Rules

Ingress Rules:

  • Select Configure link in Ingress section.

  • Select Add item in ingress rule configuration new window.

    • Enter Name, and Description as needed.

    • Select Action option in drop-down menu: Deny or Allow.

    • Select Other Endpoint from drop-down menu options, enter endpoint configuration accordingly. All endpoints are set by default.

    • Select Type of Traffic to Match drop-down menu option. Selectively apply the rule for traffic type such as TCP traffic. All traffic is matched by default.

    • Select Keys in Label Matcher box > Add item > select keys from drop-down menu.

    • Toggle Show Advanced Fields to show Logging Action drop-down menu option.

    • Select Add Item to return to Ingress Rules.

    • Select Apply to finish configuring Ingress Rules.

This example shows an ingress rule that denies all ingress traffic.

Figure: Ingress Rule Configuration

Egress Rules:

  • Select Configure link in Egress section.

  • Select Add item in egress rule configuration new window.

  • Configure Egress Rules following steps from Ingress Rules above.

Note: You can add more rules using the Add item option.

Step 4: Add and verify firewall policy creation.
  • Select Save and Exit.

  • Verify policy is displayed in Manage > Firewall > Firewall Policies.

Note: When you create an active firewall policy, an implicit DENY ALL rule is inserted at the end. If you are selecting traffic to DENY, and you want everything else to be allowed, ensure to create at the end of your policies one last policy which allows ALL traffic.

Step 5: Attach policy to network firewall.

After creating the network policy, you can attach it to the network firewall.

  • Select Manage > Firewall > Network Firewalls.

  • Select ... > Manage Configuration on your firewall from the displayed list.

  • Select Edit Configuration in top-right corner.

  • In Firewall Policy section > Select Firewall Policy Configuration drop-down menu > select Active Firewall Policies.

Figure: Edit Network Firewall
  • Select the created firewall policy from the drop-down list in List of Firewall policy box.

  • Ensure that you insert a policy that allows all traffic at the end.

  • Select Save and Exit.

Note: You can add multiple policies using the Add item option.

Step 6: Verify firewall policy operation.
  • Select Manage > Firewall > Firewall Policies.

  • Check the Hits field for the displayed list of firewall policies. This indicates how many times firewall policy is applied to the traffic.

  • Select on the number of Hits column to display Network firewall hits for allow-all pop-up window to see which rules are applied and how many times they are applied.

Note: You can obtain the policy or rule hits over a specific time interval using the time interval selector option.

Create Enhanced Firewall Policy

The following steps provide instructions on creating an enhanced firewall policy:

Step 1: Navigate to Enhanced Firewall Policies.
  • In Multi-Cloud Network Connect, select Manage > Firewall > Enhanced Firewall Policies.

  • Click Add Enhanced Firewall Policy.

  • In the Name field, enter a name for the new enhanced firewall policy.

  • From the Select Enhanced Firewall Policy Rule Type menu, select Custom Enhanced Firewall Policy Rule Selection.

  • Click Configure.

  • Click Add Item.

Step 2: Create custom rule.
  • In the Name field, enter a name for this new rule.

  • From the Source Traffic Filter menu, select an option to filter on source traffic.

  • From the Destination Traffic Filter menu, select an option to filter on destination traffic.

  • From the Select Type of Traffic to Match menu, select the type of traffic to match to this new rule.

  • From the Action menu, select the action to take if traffic matches to this new rule. For the NFV service, select Insert an External Service.

  • From the Select External Service menu, select the NFV services object previously created for the firewall.

  • Click Apply.

  • Click Apply.

Step 3: Configure segments.
  • In the Segment Selector section, use the Source Segments drop-down menu to choose which segment(s) traffic is matched against:

    • Any - Traffic is not matched against any segment.
    • Segments - Traffic is matched against listed source segments. Select a segment from the drop-down list to start the list of source segments. Click the Add Item button to add additional segments.
  • Use the Destination Segments to choose the segment(s) where the rule (Step 2) is applied:

    • Any - Traffic is not matched against any segment.
    • Intra Segment - Traffic is matched for source and destination on the same segment.
    • Segments - Traffic is matched against listed destination segments. Select a segment from the drop-down list to start the list of destination segments. Click the Add Item button to add additional segments.
Step 4: Save configuration.

Click Save and Exit.

Note: To add the enhanced firewall policy to your site, see Add Enhanced Firewall Policy to Site.


API References