Manual Chapter : Default Traffic Processing

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 14.1.0
Manual Chapter

Default Traffic Processing

Overview: Default traffic processing

BIG-IP AFM is an add-on module that integrates with BIG-IP Local Traffic Manager (LTM). When the AFM and LTM modules are provisioned, it is important to understand how the baseline or default configuration affects traffic processing.

LTM is considered to be default deny. This means that when no traffic processing objects are configured, for example a virtual server and a pool, the BIG-IP system will not process any network traffic. You need to configure at least one traffic processing object on the BIG-IP system to begin processing traffic.

AFM Network Firewall is considered to be default allow, also known as Application Delivery Controller (ADC) mode. This mode allows access to all traffic processing objects and requires one or more firewall rules to block access.

AFM can be configured to run in one of the following modes:
ADC (Accept)
Allow all traffic. Firewall rules must be applied to restrict access.
Firewall (Reject / Drop)
Allow no traffic. Firewall rules must be applied to allow access.
It is important to understand the differences between the Accept, Reject and Drop actions:
Accept
Allow packets that do not match a restrictive firewall rule. This is the default mode.
Reject
Reject packets that do not match an acceptance firewall rule. This mode sends an ICMP destination unreachable packet to the remote client.
Drop
Drop packets that do not match an acceptance firewall rule. This mode will cause the remote client to continue the connection attempt until the retry period has expired.

Configure AFM to use ADC mode

This task describes how to configure AFM to use ADC mode. In this mode, all network traffic is allowed.
Note: ADC mode is the default mode.
  1. On the Main tab, click Security > Options > Network Firewall .
  2. From the Virtual Server & Self IP Contexts list, select the default action Accept for the self IP and virtual server contexts.
  3. From the Global Context list, select the default action for the global rule context.
    • Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  4. Click Update.

Configure AFM to use firewall mode

This task describes how to configure AFM to use firewall mode. In this mode, all network traffic is either dropped or rejected.
Note: ADC mode is the default mode.
  1. On the Main tab, click Security > Options > Network Firewall .
  2. From the Virtual Server & Self IP Contexts list, select the default action for the self IP and virtual server contexts.
    • Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  3. From the Global Context list, select the default action for the global rule context.
    • Select Drop to silently drop all traffic. Dropping causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject all traffic. Rejecting sends a destination unreachable message to the sender.
  4. Click Update.