Firewall Policies
Objective
This guide provides instructions on how to create a firewall policy using the guided wizards in F5® Distributed Cloud Services. The firewall policies are applied to traffic ingressing, egressing, or originating on the F5 Gateway.
To learn more about network policies, see Network Policies.
Using the instructions provided in this document, you can create network policies with policy rules that control traffic to secure your network.
Prerequisites
- A valid Account is required.
Note: If you do not have an account, see Create an Account.
- One or more cloud or edge locations with F5 Sites.
Note: Install the node or cluster image in your Cloud or Edge location.
Create Network Policy
Step 1: Open F5 Distributed Cloud Console, select Firewall Policies.
- Open F5® Distributed Cloud Console homepage, select Multi-Cloud Network Connect box.
Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.
- Select Manage > select Firewall.
- Select Firewall Policies.
Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.
- Select + Add Firewall Policy button.

- Enter Name, enter Labels and Description as needed.

Step 2: Configure Endpoint.
- Select Endpoint(s) option from drop-down menu in Policy for Endpoints section.
  - IPV4 Prefix List > enter Prefixes in box that appears below.
  - Any Endpoint.
  - Endpoints reachable via all Outside Interfaces.
  - Endpoints reachable via all Inside Interfaces.
  - Label Selector > Select Expression label in drop-down menu that appears.
  Note: A Label that identifies an Endpoint.

Step 3: Configure Rules.
- Configure Ingress Rules or Egress Rules (or both) to define the direction in which you want to apply your policies in Connections to Policy Endpoints boxes.
Note: The ingress and egress rules are with respect to the endpoint configured.

Ingress Rules:
- Select Configure link in Ingress section.
- Select + Add item button in ingress rule configuration new window.
  - Enter Name, and Description as needed.
  - Select Action option in drop-down menu: Deny or Allow.
  - Select Other Endpoint from drop-down menu options, enter endpoint configuration accordingly. All endpoints are set by default.
  - Select Type of Traffic to Match drop-down menu option. Selectively apply the rule for traffic type such as TCP traffic. All traffic is matched by default.
  - Select Keys in Label Matcher box > + Add item button > select keys from drop-down menu.
  - Toggle Show Advanced Fields to show Logging Action drop-down menu option.
  - Select + Add Item button to return to Ingress Rules.
- Select Apply button to finish configuring Ingress Rules.
- This example shows an ingress rule that denies all ingress traffic.

Egress Rules:
- Select Configure link in Egress section.
- Select + Add item button in egress rule configuration new window.
- Configure Egress Rules following steps from Ingress Rules above.
Note: You can add more rules using the Add item option.
Step 4: Add and Verify Firewall Policy creation.
- Select Save and Exit button.
- Verify policy is displaying in Manage > Firewall > Firewall Policies.
Note: When you create an active firewall policy, an implicit DENY ALL rule is inserted at the end. If you are selecting traffic to DENY and you want everything else to be allowed, make sure to create one last policy at the end of your policies that allows ALL traffic.
Step 5: Attach Policy to Network Firewall.
After creating the network policy, you can attach it to the network firewall.
- Select Manage > Firewall > Network Firewalls.
- Select ... > Manage Configuration on your firewall from the displayed list.
- Select Edit Configuration in top-right corner.
- In Firewall Policy section > Select Firewall Policy Configuration drop-down menu > select Active Firewall Policies.

- Select the created firewall policy from the drop-down list in List of Firewall policy box.
- Ensure that you insert a policy that allows all traffic at the end.
- Select Save and Exit button.
Note: You can add multiple policies using the + Add item option.
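The implicit DENY ALL noted in Step 4 and the trailing allow-all policy that Step 5 asks for can be checked on paper before a policy list is attached. The following is an added example, a simplified Python model and not F5 code; first-match evaluation in list order, the names Rule, evaluate and lint, and the sample prefixes are assumptions made for illustration.

```python
# Simplified model, not F5 code. Assumption: rules are checked in list order
# and the first match decides; only the implicit DENY ALL comes from the page.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "ALLOW" or "DENY"
    prefix: str = "0.0.0.0/0"   # other endpoint; all endpoints by default
    protocol: str = "ALL"       # traffic type; all traffic by default

    def matches(self, src, protocol):
        return (ip_address(src) in ip_network(self.prefix)
                and self.protocol in ("ALL", protocol))

    def is_allow_all(self):
        return (self.action, self.prefix, self.protocol) == ("ALLOW", "0.0.0.0/0", "ALL")

def evaluate(policies, src, protocol):
    """Return (action, rule name) for one ingress connection from src."""
    for policy in policies:            # policies in attachment order
        for rule in policy:            # rules in configured order
            if rule.matches(src, protocol):
                return rule.action, rule.name
    return "DENY", "implicit-deny-all"  # nothing matched: implicit DENY ALL

def lint(policies):
    """Report ordering mistakes in a policy list before it is attached."""
    rules = [r for p in policies for r in p]
    findings = []
    if rules and all(r.action == "DENY" for r in rules):
        findings.append("deny-only list: implicit DENY ALL drops all other traffic")
    for r in rules[:-1]:
        if r.is_allow_all():
            findings.append(f"{r.name}: allow-all is not last, later rules never match")
    return findings

# Constructed sample policies; names and prefixes are illustrative only.
deny_scanner = [Rule("deny-scanner", "DENY", "203.0.113.0/24", "TCP")]
allow_all = [Rule("allow-all", "ALLOW")]

if __name__ == "__main__":
    for chain in ([deny_scanner], [deny_scanner, allow_all], [allow_all, deny_scanner]):
        print([r.name for p in chain for r in p],
              evaluate(chain, "198.51.100.7", "TCP"), lint(chain))
```

With only the deny policy attached, traffic from an unrelated address is still dropped by the implicit rule; adding the allow-all policy last lets it through while the deny rule keeps matching its own prefix.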
Step 6: Verify Firewall Policy operation.
- Select Manage > Firewall > Firewall Policies.
- Check the Hits field for the displayed list of firewall policies. This indicates how many times the firewall policy is applied to the traffic.
- Select the number in the Hits column to display the Network firewall hits for allow-all pop-up window to see which rules are applied and how many times they are applied.
Note: You can obtain the policy or rule hits over a specific time interval using the time interval selector option.