Manual Chapter :
Testing Packets with Firewall, IP
Intelligence, and DoS Rules
Applies To:
Show VersionsBIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Testing Packets with Firewall, IP
Intelligence, and DoS Rules
About packet tracing with the AFM Packet
Tester
The Packet Tester is a troubleshooting tool that allows a user to inject a packet into the
traffic processing of BIG-IP
AFM™ and track the resulting processing by the Network Firewall, DoS
prevention settings, and IP Intelligence. If the packet hits an Network Firewall, DoS Protection,
or IP Intelligence rule, the rule and rule context is displayed. This allows you to troubleshoot
packet issues with certain types of packets, and to check that rules for certain packets are
correctly configured.
Task list
Trace a TCP packet
Before you can trace a TCP packet,
you must have BIG-IP
Advanced Firewall Manager (AFM) licensed on your system.
You can test a TCP packet to find if
it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you
should test a packet that either represents a type of packet that is currently being
dropped (for troubleshooting), or a type of packet you would like to detect with the
Network Firewall, DoS rules, or IP Intelligence rules.
- On the Main tab, click.The Packet Tester screen opens.
- From theProtocollist, selectTCP.
- Select any TCP flags to set in the TCP packet.You can selectSYN,ACK,RST,URG,PUSH,FIN, or a combination.
- For theSourcesetting, specify the sourceIP Addressfrom which the test packet should appear to originate.
- Specify the sourcePortfrom which the test packet should appear to originate.
- From the list select the sourceVLANfrom which the test packet should appear to originate.
- In theTTLfield, specify the time to live for the test packet in seconds.The default setting is255seconds.
- For theDestinationsetting, specify the destinationIP Addressto which the test packet should appear to be sent.
- In theDestinationsetting, specify the destinationPortto which the test packet should appear to be sent.
- In theTrace Optionssetting, specify whether to use the staged network firewall policy for the packet, if one exists.
- In theTrace Optionssetting, specify whether to trigger logging for the packet, based on the packet test results.
- ClickRun Traceto run the packet test.
The packet trace displays the steps
in the packet trace process, and the result of the packet trace.
Trace a UDP packet
Before you can trace a UDP packet,
you must have BIG-IP
Advanced Firewall Manager (AFM) licensed on your system.
You can test a UDP packet to find if
it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you
should test a packet that either represents a type of packet that is currently being
dropped (for troubleshooting), or a type of packet you would like to detect with the
Network Firewall, DoS rules, or IP Intelligence rules.
- On the Main tab, click.The Packet Tester screen opens.
- From theProtocollist, selectUDP.
- For theSourcesetting, specify the sourceIP Addressfrom which the test packet should appear to originate.
- Specify the sourcePortfrom which the test packet should appear to originate.
- From the list select the sourceVLANfrom which the test packet should appear to originate.
- In theTTLfield, specify the time to live for the test packet in seconds.The default setting is255seconds.
- For theDestinationsetting, specify the destinationIP Addressto which the test packet should appear to be sent.
- In theDestinationsetting, specify the destinationPortto which the test packet should appear to be sent.
- In theTrace Optionssetting, specify whether to use the staged network firewall policy for the packet, if one exists.
- In theTrace Optionssetting, specify whether to trigger logging for the packet, based on the packet test results.
- ClickRun Traceto run the packet test.
The packet trace displays the steps
in the packet trace process, and the result of the packet trace.
Trace an SCTP packet
Before you can trace a UDP packet,
you must have BIG-IP
Advanced Firewall Manager (AFM) licensed on your system.
You can test an SCTP packet to find
if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test,
you should test a packet that either represents a type of packet that is currently being
dropped (for troubleshooting), or a type of packet you would like to detect with the
Network Firewall, DoS rules, or IP Intelligence rules.
- On the Main tab, click.The Packet Tester screen opens.
- From theProtocollist, selectSCTP.
- For theSourcesetting, specify the sourceIP Addressfrom which the test packet should appear to originate.
- Specify the sourcePortfrom which the test packet should appear to originate.
- From the list select the sourceVLANfrom which the test packet should appear to originate.
- In theTTLfield, specify the time to live for the test packet in seconds.The default setting is255seconds.
- For theDestinationsetting, specify the destinationIP Addressto which the test packet should appear to be sent.
- In theDestinationsetting, specify the destinationPortto which the test packet should appear to be sent.
- In theTrace Optionssetting, specify whether to use the staged network firewall policy for the packet, if one exists.
- In theTrace Optionssetting, specify whether to trigger logging for the packet, based on the packet test results.
- ClickRun Traceto run the packet test.
The packet trace displays the steps
in the packet trace process, and the result of the packet trace.
Trace an ICMP packet
Before you can trace a UDP packet,
you must have BIG-IP
Advanced Firewall Manager (AFM) licensed on your system.
You can test an ICMP packet to find
if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test,
you should test a packet that either represents a type of packet that is currently being
dropped (for troubleshooting), or a type of packet you would like to detect with the
Network Firewall, DoS rules, or IP Intelligence rules.
- On the Main tab, click.The Packet Tester screen opens.
- From theProtocollist, selectICMP.
- From theProtocollist, selectSCTP.
- For theSourcesetting, specify the sourceIP Addressfrom which the test packet should appear to originate.
- From the list select the sourceVLANfrom which the test packet should appear to originate.
- In theTTLfield, specify the time to live for the test packet in seconds.The default setting is255seconds.
- For theDestinationsetting, specify the destinationIP Addressto which the test packet should appear to be sent.
- In theDestinationsetting, specify the destinationPortto which the test packet should appear to be sent.
- In theTrace Optionssetting, specify whether to use the staged network firewall policy for the packet, if one exists.
- In theTrace Optionssetting, specify whether to trigger logging for the packet, based on the packet test results.
- ClickRun Traceto run the packet test.
The packet trace displays the steps
in the packet trace process, and the result of the packet trace.
Packet trace results
These tables show possible results of an AFM packet trace.
Device DoS results
Device DoS result |
Description |
---|---|
Nominal (Green) |
The packet matches a vector, but is not categorized as an attack. |
Whitelist (Green) |
The packet matches the DoS whitelist and is allowed. |
Anomaly (Yellow) |
The packet matches an anomaly condition. |
Attack (Red) |
The packet matches a configured attack condition. |
Device IP Intelligence results
Device IP Intelligence result |
Description |
---|---|
No match (Green) |
The packet does not match an IP Intelligence rule. |
Match (Green or Red) |
The packet matches an IP Intelligence rule and is either allowed or
denied. |
Whitelist (Green) |
The packet matches the IP Intelligence whitelist and is allowed.. |
No Policy (Gray) |
There is no configured IP intelligence policy for the packet |
Device Rules
Device Rules result |
Description |
---|---|
Match Allow (Green) |
The packet matches a global firewall rule and is allowed. |
Match Reject (Red) |
The packet matches a global firewall rule and is rejected. |
Match Drop (Red) |
The packet matches a global firewall rule and is dropped. |
Match Decisive (Green) |
The packet matches a global firewall rule and is allowed decisively. |
No Policy (Gray) |
The packet does not match a global firewall rule. |
Route Domain IP Intelligence results
Route Domain IP Intelligence result |
Description |
---|---|
No match (Green) |
The packet does not match a route domain Intelligence rule. |
Match (Green or Red) |
The packet matches a route domain Intelligence rule and is either allowed or
denied. |
Whitelist (Green) |
The packet matches the route domain Intelligence whitelist and is
allowed. |
No Policy (Gray) |
There is no configured IP intelligence policy for the packet |
Route Domain Rules results
Route Domain Rules result |
Description |
---|---|
Match Allow (Green) |
The packet matches a route domain firewall rule and is allowed. |
Match Reject (Red) |
The packet matches a route domain firewall rule and is rejected. |
Match Drop (Red) |
The packet matches a route domain firewall rule and is dropped. |
Match Decisive (Green) |
The packet matches a route domain firewall rule and is allowed
decisively. |
No Policy (Gray) |
The packet does not match a route domain firewall rule. |
Virtual Server DoS results
Virtual Server DoS result |
Description |
---|---|
Nominal (Green) |
The packet matches a virtual server DoS vector, but is not categorized as an
attack. |
Whitelist (Green) |
The packet matches the virtual server DoS whitelist and is allowed. |
Anomaly (Yellow) |
The packet matches a virtual server DoS anomaly condition. |
Attack (Red) |
The packet matches a configured virtual server DoS attack condition. |
Prior Whitelist (Gray) |
The packet matches a prior whitelist and is allowed. |
No Policy (Gray) |
No virtual server DoS rule is configured that applies to this packet. |
Virtual Server IP Intelligence results
Virtual Server IP Intelligence result |
Description |
---|---|
No match (Green) |
The packet does not match a virtual server IP Intelligence rule. |
Match (Green or Red) |
The packet matches a virtual server IP Intelligence rule and is either allowed
or denied. |
Whitelist (Green) |
The packet matches the virtual server IP Intelligence whitelist and is
allowed. |
No Policy (Gray) |
No virtual server IP intelligence policy is configured that applies to this
packet. |
Virtual Server Rules results
Virtual Server Rules result |
Description |
---|---|
Match Allow (Green) |
The packet matches a virtual server firewall rule and is allowed. |
Match Reject (Red) |
The packet matches a virtual server firewall rule and is rejected. |
Match Drop (Red) |
The packet matches a virtual server firewall rule and is dropped. |
Match Decisive (Green) |
The packet matches a virtual server firewall rule and is allowed
decisively. |
No Policy (Gray) |
The packet does not match a virtual server firewall rule. |
Default Rule results
Default Rule result |
Description |
---|---|
Allow (Green) |
The packet does not match any prior rules, and the default rule is allow, so
the packet is allowed. |
Reject (Red) |
The packet does not match any prior rules, and the default rule is reject, so
the packet is rejected. |
Drop (Red) |
The packet does not match any prior rules, and the default rule is drop, so the
packet is dropped. |