Manual Chapter : About packet filter policies and rules

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

About packet filter policies and rules

The AFM Packet Filter feature uses packet filter rules to inspect IPv6 packets for a variety of Extension Header (EH) types. When a specific EH match occurs, the IPv6 packet can either be accepted or dropped. Packet filter policies contain one or more packet filter rules and are applied to the BIG-IP system route domain or global contexts.
The AFM IPv6 Packet Filter feature is very similar to the AFM IPv4 Network Firewall feature. Both features control access to resources by applying policies to BIG-IP system access points, or contexts. However, there are a number of important differences that you should be aware of prior to implementing IPv6 Packet Filters:
  • Policies do not have a rule order, the most stringent match is chosen. For example, any packet matching a drop rule, will be dropped.
  • Policies match per packet, rather than per flow, or the initiation of a new connection.
  • Policies can only be applied to the route domain or global contexts.
  • Policies can contain only one Extension Header option type. For example, the Destinations Option EH and option type value 6.