F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP AFM: Network Firewall Policies and Implementations
  3. Testing Packets with Firewall, IP Intelligence, and DoS Rules
Manual Chapter : Testing Packets with Firewall, IP Intelligence, and DoS Rules

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Testing Packets with Firewall, IP Intelligence, and DoS Rules

About packet tracing with the AFM Packet Tester

The Packet Tester is a troubleshooting tool that allows a user to inject a packet into the traffic processing of BIG-IP®AFM and track the resulting processing by the Network Firewall, DoS prevention settings, and IP Intelligence. If the packet hits an Network Firewall, DoS Protection, or IP Intelligence rule, the rule and rule context is displayed. This allows you to troubleshoot packet issues with certain types of packets, and to check that rules for certain packets are correctly configured.

Task list

Tracing a TCP packet

Before you can trace a TCP packet, you must have BIG-IP Advanced Firewall Manager (AFM) licensed on your system.
You can test a TCP packet to find if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you should test a packet that either represents a type of packet that is currently being dropped (for troubleshooting), or a type of packet you would like to detect with the Network Firewall, DoS rules, or IP Intelligence rules.
  1. On the Main tab, click
    Network
    Network Security
    Packet Tester
    .
    The Packet Tester screen opens.
  2. From the
    Protocol
     list, select
    TCP
    .
  3. Select any TCP flags to set in the TCP packet.
    You can select
    SYN
    ,
    ACK
    ,
    RST
    ,
    URG
    ,
    PUSH
    ,
    FIN
    , or a combination.
  4. For the
    Source
     setting, specify the source
    IP Address
     from which the test packet should appear to originate.
  5. Specify the source
    Port
     from which the test packet should appear to originate.
  6. From the list select the source
    VLAN
     from which the test packet should appear to originate.
  7. In the
    TTL
     field, specify the time to live for the test packet in seconds.
    The default setting is
    255
     seconds.
  8. For the
    Destination
     setting, specify the destination
    IP Address
     to which the test packet should appear to be sent.
  9. In the
    Destination
     setting, specify the destination
    Port
     to which the test packet should appear to be sent.
  10. In the
    Trace Options
     setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  11. In the
    Trace Options
     setting, specify whether to trigger logging for the packet, based on the packet test results.
  12. Click
    Run Trace
     to run the packet test.
The packet trace displays the steps in the packet trace process, and the result of the packet trace.

Tracing a UDP packet

Before you can trace a UDP packet, you must have BIG-IP Advanced Firewall Manager (AFM) licensed on your system.
You can test a UDP packet to find if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you should test a packet that either represents a type of packet that is currently being dropped (for troubleshooting), or a type of packet you would like to detect with the Network Firewall, DoS rules, or IP Intelligence rules.
  1. On the Main tab, click
    Network
    Network Security
    Packet Tester
    .
    The Packet Tester screen opens.
  2. From the
    Protocol
     list, select
    UDP
    .
  3. For the
    Source
     setting, specify the source
    IP Address
     from which the test packet should appear to originate.
  4. Specify the source
    Port
     from which the test packet should appear to originate.
  5. From the list select the source
    VLAN
     from which the test packet should appear to originate.
  6. In the
    TTL
     field, specify the time to live for the test packet in seconds.
    The default setting is
    255
     seconds.
  7. For the
    Destination
     setting, specify the destination
    IP Address
     to which the test packet should appear to be sent.
  8. In the
    Destination
     setting, specify the destination
    Port
     to which the test packet should appear to be sent.
  9. In the
    Trace Options
     setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  10. In the
    Trace Options
     setting, specify whether to trigger logging for the packet, based on the packet test results.
  11. Click
    Run Trace
     to run the packet test.
The packet trace displays the steps in the packet trace process, and the result of the packet trace.

Tracing an SCTP packet

Before you can trace a UDP packet, you must have BIG-IP Advanced Firewall Manager (AFM) licensed on your system.
You can test an SCTP packet to find if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you should test a packet that either represents a type of packet that is currently being dropped (for troubleshooting), or a type of packet you would like to detect with the Network Firewall, DoS rules, or IP Intelligence rules.
  1. On the Main tab, click
    Network
    Network Security
    Packet Tester
    .
    The Packet Tester screen opens.
  2. From the
    Protocol
     list, select
    SCTP
    .
  3. For the
    Source
     setting, specify the source
    IP Address
     from which the test packet should appear to originate.
  4. Specify the source
    Port
     from which the test packet should appear to originate.
  5. From the list select the source
    VLAN
     from which the test packet should appear to originate.
  6. In the
    TTL
     field, specify the time to live for the test packet in seconds.
    The default setting is
    255
     seconds.
  7. For the
    Destination
     setting, specify the destination
    IP Address
     to which the test packet should appear to be sent.
  8. In the
    Destination
     setting, specify the destination
    Port
     to which the test packet should appear to be sent.
  9. In the
    Trace Options
     setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  10. In the
    Trace Options
     setting, specify whether to trigger logging for the packet, based on the packet test results.
  11. Click
    Run Trace
     to run the packet test.
The packet trace displays the steps in the packet trace process, and the result of the packet trace.

Tracing an ICMP packet

Before you can trace a UDP packet, you must have BIG-IP Advanced Firewall Manager (AFM) licensed on your system.
You can test an ICMP packet to find if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you should test a packet that either represents a type of packet that is currently being dropped (for troubleshooting), or a type of packet you would like to detect with the Network Firewall, DoS rules, or IP Intelligence rules.
  1. On the Main tab, click
    Network
    Network Security
    Packet Tester
    .
    The Packet Tester screen opens.
  2. From the
    Protocol
     list, select
    ICMP
    .
  3. From the
    Protocol
     list, select
    SCTP
    .
  4. For the
    Source
     setting, specify the source
    IP Address
     from which the test packet should appear to originate.
  5. From the list select the source
    VLAN
     from which the test packet should appear to originate.
  6. In the
    TTL
     field, specify the time to live for the test packet in seconds.
    The default setting is
    255
     seconds.
  7. For the
    Destination
     setting, specify the destination
    IP Address
     to which the test packet should appear to be sent.
  8. In the
    Destination
     setting, specify the destination
    Port
     to which the test packet should appear to be sent.
  9. In the
    Trace Options
     setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  10. In the
    Trace Options
     setting, specify whether to trigger logging for the packet, based on the packet test results.
  11. Click
    Run Trace
     to run the packet test.
The packet trace displays the steps in the packet trace process, and the result of the packet trace.

Packet trace results

These tables show possible results of an AFM packet trace.

Device DoS results

Device DoS result
Description
Nominal (Green)
The packet matches a vector, but is not categorized as an attack.
Whitelist (Green)
The packet matches the DoS whitelist and is allowed.
Anomaly (Yellow)
The packet matches an anomaly condition.
Attack (Red)
The packet matches a configured attack condition.

Device IP Intelligence results

Device IP Intelligence result
Description
No match (Green)
The packet does not match an IP Intelligence rule.
Match (Green or Red)
The packet matches an IP Intelligence rule and is either allowed or denied.
Whitelist (Green)
The packet matches the IP Intelligence whitelist and is allowed..
No Policy (Gray)
There is no configured IP intelligence policy for the packet

Device Rules

Device Rules result
Description
Match Allow (Green)
The packet matches a global firewall rule and is allowed.
Match Reject (Red)
The packet matches a global firewall rule and is rejected.
Match Drop (Red)
The packet matches a global firewall rule and is dropped.
Match Decisive (Green)
The packet matches a global firewall rule and is allowed decisively.
No Policy (Gray)
The packet does not match a global firewall rule.

Route Domain IP Intelligence results

Route Domain IP Intelligence result
Description
No match (Green)
The packet does not match a route domain Intelligence rule.
Match (Green or Red)
The packet matches a route domain Intelligence rule and is either allowed or denied.
Whitelist (Green)
The packet matches the route domain Intelligence whitelist and is allowed.
No Policy (Gray)
There is no configured IP intelligence policy for the packet

Route Domain Rules results

Route Domain Rules result
Description
Match Allow (Green)
The packet matches a route domain firewall rule and is allowed.
Match Reject (Red)
The packet matches a route domain firewall rule and is rejected.
Match Drop (Red)
The packet matches a route domain firewall rule and is dropped.
Match Decisive (Green)
The packet matches a route domain firewall rule and is allowed decisively.
No Policy (Gray)
The packet does not match a route domain firewall rule.

Virtual Server DoS results

Virtual Server DoS result
Description
Nominal (Green)
The packet matches a virtual server DoS vector, but is not categorized as an attack.
Whitelist (Green)
The packet matches the virtual server DoS whitelist and is allowed.
Anomaly (Yellow)
The packet matches a virtual server DoS anomaly condition.
Attack (Red)
The packet matches a configured virtual server DoS attack condition.
Prior Whitelist (Gray)
The packet matches a prior whitelist and is allowed.
No Policy (Gray)
No virtual server DoS rule is configured that applies to this packet.

Virtual Server IP Intelligence results

Virtual Server IP Intelligence result
Description
No match (Green)
The packet does not match a virtual server IP Intelligence rule.
Match (Green or Red)
The packet matches a virtual server IP Intelligence rule and is either allowed or denied.
Whitelist (Green)
The packet matches the virtual server IP Intelligence whitelist and is allowed.
No Policy (Gray)
No virtual server IP intelligence policy is configured that applies to this packet.

Virtual Server Rules results

Virtual Server Rules result
Description
Match Allow (Green)
The packet matches a virtual server firewall rule and is allowed.
Match Reject (Red)
The packet matches a virtual server firewall rule and is rejected.
Match Drop (Red)
The packet matches a virtual server firewall rule and is dropped.
Match Decisive (Green)
The packet matches a virtual server firewall rule and is allowed decisively.
No Policy (Gray)
The packet does not match a virtual server firewall rule.

Default Rule results

Default Rule result
Description
Allow (Green)
The packet does not match any prior rules, and the default rule is allow, so the packet is allowed.
Reject (Red)
The packet does not match any prior rules, and the default rule is reject, so the packet is rejected.
Drop (Red)
The packet does not match any prior rules, and the default rule is drop, so the packet is dropped.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information