Manual Chapter : Default Traffic Processing

Applies To:


BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Default Traffic Processing

Overview: Default traffic processing

BIG-IP AFM is an add-on module that integrates with BIG-IP Local Traffic Manager (LTM). When both modules are provisioned, it is important to understand how the baseline (default) configuration affects traffic processing.
LTM is default deny: when no traffic processing objects (for example a virtual server and a pool) are configured, the BIG-IP system does not process any network traffic. You need to configure at least one traffic processing object before the system begins processing traffic.
AFM Network Firewall is default allow, also known as Application Delivery Controller (ADC) mode. In this mode every configured traffic processing object is reachable, and one or more firewall rules are required to block access.
AFM can be configured to run in one of two modes:

ADC (Accept): Allow all traffic. Firewall rules must be applied to restrict access.
Firewall (Reject / Drop): Allow no traffic. Firewall rules must be applied to allow access.
You should know the differences between the Accept, Reject, and Drop actions:

Accept: Allow packets that do not match any restrictive firewall rule. This is the default action.
Reject: Reject packets that do not match any accepting firewall rule. The system sends an ICMP destination unreachable message to the remote client, so the client fails quickly but also learns that a firewall answered.
Drop: Silently drop packets that do not match any accepting firewall rule. Nothing is sent back, so the remote client keeps retransmitting the connection attempt until its own retry period expires.
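The three actions look different from the client side, which is how you verify which default action a context actually applies after a change. The following probe is an added example, not part of the F5 manual or of BIG-IP: it makes one TCP connect and maps the outcome to the AFM action that would produce it. The host and port it is pointed at are assumptions for whatever listener you are testing; the errno values are the ones Linux and BSD sockets report when a SYN is answered with a TCP RST or an ICMP unreachable.

```python
import errno
import socket

# What a TCP client sees for each AFM default action (assumed mapping,
# based on standard socket semantics, not on any BIG-IP API):
#   Accept -> the three-way handshake completes
#   Reject -> ICMP destination unreachable or TCP RST comes back, so
#             connect() fails immediately with ECONNREFUSED/EHOSTUNREACH
#   Drop   -> nothing comes back, so connect() retransmits until our
#             own timeout fires
REJECT_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ECONNRESET}


def classify(result):
    """Map the outcome of a connect() call to an AFM action name.

    result is None when the connection succeeded, otherwise the OSError
    that connect() raised. socket.timeout is checked first because it is
    itself an OSError subclass and carries no errno.
    """
    if result is None:
        return "accept"
    if isinstance(result, socket.timeout):
        return "drop"
    if isinstance(result, OSError) and result.errno in REJECT_ERRNOS:
        return "reject"
    return "unknown"


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and report which action it resembles.

    A short timeout is what distinguishes Drop from a slow network; pick
    one longer than the round-trip time to the BIG-IP but short enough
    that a silent drop is obvious.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "accept"
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # Constructed local demonstration: a loopback listener behaves like
    # Accept, and the same port after the listener closes behaves like
    # Reject (the kernel answers the SYN with RST). A silently dropped
    # probe needs a real firewall or a blackholed address; the address
    # below is an assumption and is only useful where nothing answers.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    print("open listener  :", probe("127.0.0.1", port))
    listener.close()
    print("closed port    :", probe("127.0.0.1", port))
    print("blackhole guess:", probe("192.0.2.1", 443, timeout=1.0))
```

Run it against the virtual server or self IP whose context you changed; "reject" on a port you expected to be open means the accepting rule did not match, while "drop" with a comfortably long timeout means the context is silently discarding the traffic rather than failing the client fast.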

Configure AFM to use ADC mode

This task describes how to configure AFM to use ADC mode. In this mode, all network traffic to configured virtual servers and self IPs is allowed unless a firewall rule blocks it.
ADC mode is the default mode.
  1. On the Main tab, click Security > Options > Network Firewall.
  2. From the Virtual Server & Self IP Contexts list, select Accept as the default action for the self IP and virtual server contexts.
  3. From the Global Context list, select the default action for the global rule context.
    • Select Drop to silently drop all traffic. Dropping causes the client to retry the connection until its retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  4. Click Update.

Configure AFM to use firewall mode

This task describes how to configure AFM to use firewall mode. In this mode, all network traffic is dropped or rejected unless a firewall rule explicitly allows it, so create the rules that permit required traffic (including any administrative access that arrives through a self IP) before you change the default action.
ADC mode is the default mode; this task changes it.
  1. On the Main tab, click Security > Options > Network Firewall.
  2. From the Virtual Server & Self IP Contexts list, select the default action for the self IP and virtual server contexts.
    • Select Drop to silently drop all traffic. Dropping causes the client to retry the connection until its retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  3. From the Global Context list, select the default action for the global rule context.
    • Select Drop to silently drop all traffic. Dropping causes the client to retry the connection until its retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  4. Click Update.