Forum Discussion

JWhitesPro_1928
Jul 05, 2016

AFM Rule Evaluation

It seems in the back of my mind I am forgetting why this happens but I have an ACL similar to this, in this order:


1 - Allow tcp/443 from particular sources (some address lists, geo-ip etc) (action accept)
2 - DENY ALL Protocols from any source going anywhere (action drop)
3 - (Default)


Somehow I have things hitting the default rule...it seems to me like there was a reason I would see this but I can't think of why now...How is anything getting down to the (Default) if the DENY ALL rule is blocking every protocol, every port, every address, etc?


The default mode of this AFM is ADC so the default rule is allow...if we change to AFM mode is whatever is somehow getting past these denies going to be blocked?


4 Replies

  • The short answer is that it depends. I am assuming that you are applying these as global rules. Have you enabled logging to see what is being logged? Try taking a capture on the AFM and make sure that you have the rule configured for the actual traffic the box is seeing. If you are hitting default, I would expect it to start being blocked if you switch to firewall mode.
  • This is for a rule on a virtual server. I have logging enabled and the traffic the log says is hitting this rule should be hitting the DENY first...the deny rule should match anything but somehow certain items (they usually always match the first rule) are skipping it and hitting the last rule (default)
  • Additionally I ran this command in the CLI against all the IP addresses that have shown as hitting the (default) rule, and they all return that they match the first ACL in the list...but reporting on the BIG-IP seems to think otherwise:
    show /security firewall matching-rule source-addr "clientip" source-port any dest-addr "my vs ip" dest-port 443 vlan /Common/MY_VLAN protocol tcp
  • Tikka_Nagi_1315
    Historic F5 Account

    The precedence order of the firewall rules first depends on the firewall contexts. Context in AFM literature is the category of the object to which firewall rules apply: Global, Route Domain (RTDOM), Virtual Server (VS) / Self IP (SIP). Later, within each context, precedence is determined by the order of rules (each context is assigned a policy which has firewall rules in a certain order).
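The following is an added walk-through of the precedence the last reply describes, applied to the original post's policy; it is illustration code written for this thread, not F5 code and not from any of the posters. It assumes a drop ends evaluation, an accept or an unmatched context passes the packet to the next context, and only a packet no rule matched anywhere gets the mode default (ADC accept, Firewall drop, as the thread states); the context names, rule names and RFC 5737 addresses are constructed.

```python
# Added illustration of the AFM-style precedence described in this thread; not F5 code.
# Contexts are walked in precedence order (Global, Route Domain, Virtual Server / Self IP);
# inside a context rules go top-down and the first match decides that context.
# Assumptions the thread does not state: a drop ends evaluation at once; an accept, or a
# context with no matching rule, moves on to the next context; a packet that matched no
# rule anywhere gets the mode default (ADC: accept, Firewall: drop, as the thread says).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "accept" or "drop"
    protocol: str = "any"         # "any", "tcp", "udp", "icmp"
    sources: tuple = ("any",)     # CIDR strings, or "any"
    dest_ports: tuple = ("any",)  # ints, or "any"

    def matches(self, proto, src, dport):
        proto_ok = self.protocol in ("any", proto)
        src_ok = "any" in self.sources or any(
            ip_address(src) in ip_network(n) for n in self.sources)
        port_ok = "any" in self.dest_ports or dport in self.dest_ports
        return proto_ok and src_ok and port_ok

MODE_DEFAULT = {"adc": "accept", "firewall": "drop"}

def evaluate(contexts, mode, proto, src, dport):
    """Return (final_action, trace). trace lists (context, rule-or-Default) hits,
    like the matching-rule check quoted above. contexts: [(name, [Rule, ...]), ...]."""
    trace, last_explicit = [], None
    for ctx, rules in contexts:
        hit = next((r for r in rules if r.matches(proto, src, dport)), None)
        if hit is None:
            trace.append((ctx, "(Default)"))
            continue
        trace.append((ctx, hit.name))
        last_explicit = hit.action
        if hit.action == "drop":          # a drop is final; an accept keeps going
            return "drop", trace
    return (last_explicit or MODE_DEFAULT[mode]), trace

# Constructed policy modelled on the original post's virtual-server rules (RFC 5737 addresses).
ALLOWED_SOURCES = ("203.0.113.0/24",)   # stands in for the address lists / geo-ip entries
VS_POLICY = [Rule("allow_443", "accept", "tcp", ALLOWED_SOURCES, (443,)),
             Rule("deny_all", "drop")]  # any protocol, any source, any port
CONTEXTS = [("Global", []), ("RouteDomain", []), ("VirtualServer", VS_POLICY)]

if __name__ == "__main__":
    for pkt in [("tcp", "203.0.113.7", 443), ("tcp", "198.51.100.9", 443)]:
        print(pkt, "->", evaluate(CONTEXTS, "adc", *pkt))
```

With a deny rule that really is any/any/any, the trace never shows "(Default)" for the virtual-server context; a packet can only fall to the mode default when no rule in that context matches it, which is the condition worth checking against the logged flows.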