Manual Chapter : Default Traffic Processing

Applies To: BIG-IP AFM 14.1.0

Default Traffic Processing

Overview: Default traffic processing

BIG-IP AFM is an add-on module that integrates with BIG-IP Local Traffic Manager (LTM). When the AFM and LTM modules are provisioned, it is important to understand how the baseline or default configuration affects traffic processing.
LTM is considered to be default deny. This means that when no traffic processing objects are configured, for example a virtual server and a pool, the BIG-IP system will not process any network traffic. You need to configure at least one traffic processing object on the BIG-IP system to begin processing traffic.
AFM Network Firewall is considered to be default allow, also known as Application Delivery Controller (ADC) mode. This mode allows access to all traffic processing objects and requires one or more firewall rules to block access.
AFM can be configured to run in one of the following modes:
  • ADC (Accept): Allow all traffic. Firewall rules must be applied to restrict access.
  • Firewall (Reject / Drop): Allow no traffic. Firewall rules must be applied to allow access.
It is important to understand the differences between the Accept, Reject and Drop actions:
  • Accept: Allow packets that do not match a restrictive firewall rule. This is the default mode.
  • Reject: Reject packets that do not match an acceptance firewall rule. This mode sends an ICMP destination unreachable packet to the remote client.
  • Drop: Drop packets that do not match an acceptance firewall rule. This mode will cause the remote client to continue the connection attempt until the retry period has expired.
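The following is an added illustration of the default-action semantics above; it is not F5 code and does not reproduce the real AFM rule schema or context ordering. It models a rule list evaluated first-match, with the context's default action (accept, reject or drop) applied when nothing matches, and runs the same constructed packets through ADC mode (default accept with restrictive rules) and firewall mode (default drop or reject with acceptance rules). The rule fields (source network, destination port, protocol), the rule sets and the packets are all constructed for the example.

```python
"""Toy model of AFM default-action semantics (added example, not F5 code).

Rules are evaluated first-match; when no rule matches, the context's
default action decides. The rule fields and evaluation order below are
a simplification of a real AFM policy, and all data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str          # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str                 # CIDR; "0.0.0.0/0" matches any source
    dst_port: Optional[int]      # None matches any destination port
    proto: Optional[str]         # None matches any protocol
    action: str                  # "accept", "reject" or "drop"

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default_action: str) -> Tuple[str, str]:
    """First matching rule wins; otherwise the context's default action applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default_action, "<default>"


# What the remote client observes for each action, per the chapter text.
CLIENT_EFFECT = {
    "accept": "connection proceeds",
    "reject": "ICMP destination unreachable returned, client fails immediately",
    "drop": "no response, client retries until its retry period expires",
}


def client_attempts(action: str, retry_threshold: int) -> int:
    """Connection attempts a client makes before it succeeds or gives up."""
    return retry_threshold if action == "drop" else 1


# ADC (Accept) mode: default accept, so the rules must be restrictive.
ADC_RULES = [
    Rule("block-telnet", "0.0.0.0/0", 23, "tcp", "drop"),
    Rule("block-untrusted-net", "203.0.113.0/24", None, None, "reject"),
]

# Firewall mode: default drop or reject, so the rules must be acceptance rules.
FIREWALL_RULES = [
    Rule("allow-https", "0.0.0.0/0", 443, "tcp", "accept"),
    Rule("allow-dns-from-lan", "10.0.0.0/8", 53, "udp", "accept"),
]


def demo():
    """Run the same constructed packets through both modes and return the verdicts."""
    packets = [
        Packet("10.0.0.5", 443, "tcp"),      # HTTPS from the LAN
        Packet("10.0.0.5", 23, "tcp"),       # telnet from the LAN
        Packet("203.0.113.9", 443, "tcp"),   # HTTPS from the untrusted network
        Packet("198.51.100.7", 8080, "tcp"), # unlisted port from an unlisted source
    ]
    results = {}
    for pkt in packets:
        results[pkt] = {
            "adc": evaluate(ADC_RULES, pkt, "accept"),
            "firewall-drop": evaluate(FIREWALL_RULES, pkt, "drop"),
            "firewall-reject": evaluate(FIREWALL_RULES, pkt, "reject"),
        }
    return results


if __name__ == "__main__":
    for pkt, outcome in demo().items():
        print(f"{pkt.proto}/{pkt.dst_port} from {pkt.src}")
        for mode, (action, rule) in outcome.items():
            print(f"  {mode:16} -> {action:6} ({rule}): {CLIENT_EFFECT[action]}")
```

The telnet and port-8080 packets show the practical difference between the modes: in ADC mode anything a restrictive rule does not name is accepted, while in firewall mode anything an acceptance rule does not name is dropped or rejected, so the rule set you need to write is the inverse of the other mode's.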

Configure AFM to use ADC mode

This task describes how to configure AFM to use ADC mode. In this mode, all network traffic is allowed.
ADC mode is the default mode.
  1. On the Main tab, click Security > Options > Network Firewall.
  2. From the Virtual Server & Self IP Contexts list, select the default action Accept for the self IP and virtual server contexts.
  3. From the Global Context list, select the default action for the global rule context.
    • Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  4. Click Update.

Configure AFM to use firewall mode

This task describes how to configure AFM to use firewall mode. In this mode, all network traffic is either dropped or rejected.
ADC mode is the default mode.
  1. On the Main tab, click Security > Options > Network Firewall.
  2. From the Virtual Server & Self IP Contexts list, select the default action for the self IP and virtual server contexts.
    • Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  3. From the Global Context list, select the default action for the global rule context.
    • Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  4. Click Update.