Manual Chapter :
Default Traffic Processing
Applies To:
Show VersionsBIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Default Traffic Processing
Overview: Default traffic processing
BIG-IP AFM is an add-on module that integrates with
BIG-IP Local Traffic Manager (LTM). When the AFM and LTM modules are provisioned, it is important to understand how the baseline or default configuration affects traffic processing.
LTM is considered to be default deny. This means that when no traffic processing objects are configured (for example a virtual server and a pool), the BIG-IP system does not process any network traffic. You need to configure at least one traffic processing object on the BIG-IP system to begin processing traffic.
AFM Network Firewall is considered to be default allow, also known as Application Delivery Controller (ADC) mode. This mode allows access to all traffic processing objects and requires one or more firewall rules to block access.
AFM can be configured to run in one of two modes:
Firewall mode | Description |
---|---|
ADC (Accept) | Allow all traffic. Firewall rules must be applied to restrict access. |
Firewall (Reject / Drop) | Allow no traffic. Firewall rules must be applied to allow access. |
You should know the differences between the Accept, Reject, and Drop actions:
Firewall action | Description |
---|---|
Accept | Allow packets that do not match restrictive firewall rules. This is the default mode.
|
Reject | Reject packets that do not match acceptance firewall rules. This mode sends an ICMP destination unreachable packet to the remote client.
|
Drop | Drop packets that do not match acceptance firewall rules. This causes the remote client to continue the connection attempt until the retry period has expired. |
Configure AFM to use ADC mode
This task describes how to configure AFM to use ADC mode. In this mode, all network traffic is allowed.
ADC mode is the default mode.
- On the Main tab, click.
- From theVirtual Server & Self IP Contextslist, select the default actionAcceptfor the self IP and virtual server contexts.
- From theGlobal Contextlist, select the default action for the global rule context.
- SelectDropto silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
- SelectRejectto reject all traffic. Rejecting sends a destination unreachable message to the sender.
- ClickUpdate.
Configure AFM to use firewall mode
This task describes how to configure AFM to use firewall mode. In this mode, all network traffic is either dropped or rejected.
ADC mode is the default mode.
- On the Main tab, click.
- From theVirtual Server & Self IP Contextslist, select the default action for the self IP and virtual server contexts.
- SelectDropto silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
- SelectRejectto reject all traffic. Rejecting sends a destination unreachable message to the sender.
- From theGlobal Contextlist, select the default action for the global rule context.
- SelectDropto silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
- SelectRejectto reject all traffic. Rejecting sends a destination unreachable message to the sender.
- ClickUpdate.