Firewall Policies

Objective

This guide provides instructions on how to create a firewall policy using the guided wizards in F5® Distributed Cloud Services. Firewall policies are applied to traffic ingressing, egressing, or originating on the F5 Gateway.

For more information about network policies, see Network Policy.

Using the instructions provided in this document, you can create firewall policies whose rules control traffic to secure your network.


Prerequisites

Note: If you do not have an account, see Create an Account.

  • One or more cloud or edge locations with F5 Sites.

Note: Install the node or cluster image in your Cloud or Edge location.


Configuration


Create Network Policy

Features can be viewed and managed in multiple services.

This example shows Firewall Policies setup in Cloud and Edge Sites.

Step 1: Open F5® Distributed Cloud Console > select Firewall Policies.
  • Open the F5® Distributed Cloud Console homepage and select the Cloud and Edge Sites box.

Note: The homepage is role based, so yours may look different depending on your role customization. Select the All Services drop-down menu to discover all options. To customize settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check the Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm that the Namespace feature is set to the correct namespace using the drop-down selector in the upper-left corner. Not available in all services.

  • Select Manage > Firewall > Firewall Policies in the left menu.

Note: If options are not showing, select the Show link in Advanced nav options, visible in the bottom-left corner. If needed, select Hide to collapse the Advanced nav options.

  • Select the Add Firewall Policy button.

Figure: Open Firewall Policies

  • Enter a Name, and enter Labels and a Description as needed.

Figure: Configure Firewall Policies

Step 2: Configure Endpoint.
  • Select an Endpoint(s) option from the drop-down menu in the Policy for Endpoints section:

    • IPV4 Prefix List > enter Prefixes in the box that appears below.

    • Any Endpoint.

    • Endpoints reachable via all Outside Interfaces.

    • Endpoints reachable via all Inside Interfaces.

    • Label Selector > select an Expression label in the drop-down menu that appears.

    Note: A label that identifies an endpoint.

Figure: Endpoint selection - IPv4 Prefix List and the prefix

Step 3: Configure Rules.
  • Configure Ingress Rules, Egress Rules, or both in the Connections to Policy Endpoints boxes to define the direction in which you want to apply your policies.

Note: The ingress and egress rules are with respect to the endpoint configured.

Figure: Ingress and Egress Rules

Ingress Rules:

  • Select the Configure link in the Ingress section.

  • Select the + Add item button in the ingress rule configuration window that opens.

    • Enter a Name and a Description as needed.

    • Select an Action option in the drop-down menu: Deny or Allow.

    • Select Other Endpoint from the drop-down menu options and enter the endpoint configuration accordingly. All endpoints are set by default.

    • Select a Type of Traffic to Match drop-down menu option to apply the rule only to a traffic type such as TCP. All traffic is matched by default.

    • Select Keys in the Label Matcher box > + Add item button > select keys from the drop-down menu.

    • Toggle Show Advanced Fields to show the Logging Action drop-down menu option.

    • Select the + Add Item button to return to Ingress Rules.

    • Select the Apply button to finish configuring Ingress Rules.

This example shows an ingress rule that denies all ingress traffic.

Figure: Ingress Rule Configuration

Egress Rules:

  • Select the Configure link in the Egress section.

  • Select the + Add item button in the egress rule configuration window that opens.

  • Configure Egress Rules following the steps from Ingress Rules above.

Note: You can add more rules using the Add item option.

Step 4: Add and Verify Firewall Policy creation.
  • Select the Save and Exit button.

  • Verify that the policy is displayed in Manage > Firewall > Firewall Policies.

Note: When you create an active firewall policy, an implicit DENY ALL rule is inserted at the end. If you are selecting traffic to DENY and want everything else to be allowed, ensure that you create, at the end of your policies, one last policy that allows ALL traffic.

Step 5: Attach Policy to Network Firewall.

After creating the network policy, you can attach it to the network firewall.

  • Select Manage > Firewall > Network Firewalls.

  • Select ... > Manage Configuration on your firewall in the displayed list.

Figure: Edit Network Firewall

  • Select Edit Configuration in the top-right corner.

  • In the Firewall Policy section, select the Firewall Policy Configuration drop-down menu > select Active Firewall Policies.

Figure: Edit Network Firewall

  • Select the created firewall policy from the drop-down list in the List of Firewall policy box.

  • Ensure that you insert a policy that allows all traffic at the end.

  • Select the Save and Exit button.

Note: You can add multiple policies using the + Add item option.
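The ordering caveat in Step 4 and Step 5 (first matching rule decides, and anything left unmatched hits the implicit DENY ALL) can be seen in this small added model. It is illustration code written for this guide, not F5 code, and the policy, rule and address values are constructed; the evaluation semantics are an assumption taken from the notes above.

```python
# Added model of ordered firewall-policy evaluation; not F5 code. Assumed
# semantics, as described in this guide: rules are checked in order, the first
# match decides, and anything unmatched hits the implicit DENY ALL at the end.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                         # "Allow" or "Deny"
    other_endpoint: str = "0.0.0.0/0"   # IPv4 prefix of the remote side; any by default
    traffic: str = "Any"                # "TCP", "UDP" or "Any"

@dataclass
class Policy:
    name: str
    endpoint: str                       # IPv4 prefix of the policy endpoints
    ingress: list = field(default_factory=list)  # rules for traffic towards the endpoint
    egress: list = field(default_factory=list)   # rules for traffic leaving the endpoint

def evaluate(policies, src, dst, proto):
    """Return (action, "policy/rule") for one flow; first matching rule wins."""
    for pol in policies:
        ep = ip_network(pol.endpoint)
        if ip_address(dst) in ep:       # ingress, relative to the endpoint
            rules, other = pol.ingress, src
        elif ip_address(src) in ep:     # egress, relative to the endpoint
            rules, other = pol.egress, dst
        else:
            continue                    # this policy does not cover the flow
        for r in rules:
            if ip_address(other) in ip_network(r.other_endpoint) and r.traffic in ("Any", proto):
                return r.action, f"{pol.name}/{r.name}"
    return "Deny", "implicit-deny-all"  # nothing matched: traffic is dropped

# Constructed sample policies and flows (RFC 1918 and RFC 5737 addresses).
DENY_POLICY = Policy("block-inbound-tcp", "10.0.0.0/24",
                     ingress=[Rule("deny-tcp-from-blocked-range", "Deny", "203.0.113.0/24", "TCP")])
ALLOW_ALL = Policy("allow-all", "0.0.0.0/0",
                   ingress=[Rule("allow-any", "Allow")], egress=[Rule("allow-any", "Allow")])
FLOWS = [("203.0.113.5", "10.0.0.10", "TCP"),   # should be denied
         ("198.51.100.7", "10.0.0.10", "UDP"),  # should reach the endpoint
         ("10.0.0.10", "198.51.100.7", "TCP")]  # egress from the endpoint, should pass

if __name__ == "__main__":
    for label, chain in [("deny policy only", [DENY_POLICY]),
                         ("deny, then allow-all", [DENY_POLICY, ALLOW_ALL]),
                         ("allow-all first (wrong order)", [ALLOW_ALL, DENY_POLICY])]:
        print(label, [evaluate(chain, *f) for f in FLOWS])
```

With only the deny policy attached, the second and third flows are dropped by the implicit deny; with allow-all placed first, the deny rule is shadowed and the blocked TCP flow is allowed.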

Step 6: Verify Firewall Policy operation.
  • Select Manage > Firewall > Firewall Policies.

  • Check the Hits field in the displayed list of firewall policies. It indicates how many times the firewall policy has been applied to traffic.

  • Select the value in the # of Hits column to open the Network firewall hits pop-up window (for example, Network firewall hits for allow-all) and see which rules were applied and how many times.

Note: You can obtain the policy or rule hits over a specific time interval using the time interval selector option.
