Applies To:
BIG-IP AFM 14.1.2, 14.1.0
About AFM Network Firewall Active Rules
About Active AFM Network Firewall Rules
You can use the AFM Network Firewall Active Rules page to view statistics for deployed network firewall rules or rule lists. Before viewing the Active Rules page, you should be familiar with the following Context Filters:
- Policy Type
- Select Enforced to view enforced rules that apply to traffic traversing the AFM system. Select Staged to view staged rules; staged rules record match statistics without acting on traffic, so you can evaluate a rule's effect before enforcing it.
- Context
- Specifies which rule context appears in the active rules list. Select a context to apply it. The default is Global. Global lists the rules that apply to all traffic traversing the firewall. Route Domain lists the rules that apply to a selected route domain only. Virtual Server lists the rules that apply to the selected virtual server only. Self IP lists the rules that apply to the selected self IP address of the BIG-IP device. Management Port lists the rules that apply to the BIG-IP device management port.
Once you choose a Context Filter, you can view the following rule statistics:
- ID
- The position of the rule in the rule list; rules are evaluated in this order.
- Name
- The name of the network firewall rule.
- State
- The state of the network firewall rule: Enabled, Disabled, Scheduled, Enabled (Redundant) or Enabled (Conflict)
- Protocol
- The protocol to which the rule applies.
- Source
- The packet source to which the rule applies.
- Destination
- The packet destination to which the rule applies.
- Action
- The action the rule takes on matching packets: Accept, Accept Decisively, Drop, or Reject.
- Logging
- Specifies whether logging is enabled or disabled.
- Count
- The total number of times the rule has matched a packet.
- Latest Match
- The time of the most recent packet match for the rule. Together with Count, this shows how actively a rule is being used.
Viewing AFM Network Firewall Active Rules
About redundant, conflicting and stale rules
When you create rules on the network firewall, it is possible that a rule can either overlap or conflict with an existing rule.
- Redundant rule
- A firewall rule that completely overlaps with another rule, including the same firewall action. A redundant rule can be removed with no net change in packet processing. Because rules are evaluated in ID order, confirm which of the two overlapping rules is reached first before deciding which one to remove.
- Conflicting rule
- A firewall rule that completely overlaps with another rule, but with a different firewall action. A rule might be called conflicting even if the outcome of each rule is the same. For example, a rule that applies to a specific IP address is considered in conflict with another rule that applies to the same IP address if one has an action of Accept and the other has an action of Accept Decisively, even though both rules accept packets.
- Stale rule
- A firewall rule that is infrequently or never used, that is, one with an extremely low or zero hit count. A low count alone does not prove a rule is unnecessary: a rule that blocks rare but dangerous traffic may legitimately match seldom, so review the rule's purpose before removing it.
On the Active Rules page, redundant or conflicting rules are flagged in the State column, for example Enabled (Redundant) or Enabled (Conflict).
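To make the three definitions concrete, here is an added example that is not F5 code and not the logic BIG-IP AFM itself uses. It models a rule as protocol, source network, destination network, destination port range, action and hit count, and assumes a simplified first-match evaluation within a single context: a later rule whose entire match space is covered by an earlier enabled rule is never reached, so it is redundant if the actions agree and conflicting if they differ, while a stale rule is one whose count is at or below a threshold. The Rule class, the covers() and analyze() functions and the sample rule list are all hypothetical and constructed for this illustration.

```python
"""Classify firewall rules as redundant, conflicting or stale.

Added example, not F5 code. Assumes first-match evaluation within one
context; real AFM semantics (context precedence, schedules, Accept
Decisively short-circuiting) are richer than this model.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass
class Rule:
    rule_id: int              # position in the list; lower IDs are evaluated first
    name: str
    protocol: str             # "tcp", "udp", "icmp" or "any"
    source: str               # CIDR, or "any"
    destination: str          # CIDR, or "any"
    ports: Tuple[int, int]    # inclusive destination-port range; (0, 65535) = any
    action: str               # "accept", "accept-decisively", "drop", "reject"
    count: int = 0            # packets matched so far (the Count column)
    enabled: bool = True


def _contains(outer: str, inner: str) -> bool:
    """Address containment; "any" matches every address of either IP version."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    o, i = ip_network(outer, strict=False), ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    if outer.protocol not in ("any", inner.protocol):
        return False
    if not (_contains(outer.source, inner.source)
            and _contains(outer.destination, inner.destination)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyze(rules: List[Rule], stale_threshold: int = 0) -> Dict[str, List[str]]:
    """Flag rules per the definitions on the page.

    redundant:   fully covered by an earlier enabled rule with the same action
    conflicting: fully covered by an earlier enabled rule with a different action
    stale:       enabled rule whose match count is at or below stale_threshold
    """
    ordered = sorted(rules, key=lambda r: r.rule_id)
    findings: Dict[str, List[str]] = {"redundant": [], "conflicting": [], "stale": []}
    for idx, rule in enumerate(ordered):
        if not rule.enabled:
            continue
        for earlier in ordered[:idx]:
            if not earlier.enabled or not covers(earlier, rule):
                continue
            kind = "redundant" if earlier.action == rule.action else "conflicting"
            findings[kind].append(f"{rule.name} shadowed by {earlier.name}")
            break  # the first covering rule already takes all of this rule's traffic
        if rule.count <= stale_threshold:
            findings["stale"].append(rule.name)
    return findings


# Constructed sample data, not exported from a real BIG-IP.
SAMPLE_RULES = [
    Rule(1, "allow-web", "tcp", "any", "10.0.1.0/24", (80, 443), "accept", count=18234),
    Rule(2, "allow-web-host", "tcp", "any", "10.0.1.10/32", (443, 443), "accept", count=0),
    Rule(3, "admin-ssh", "tcp", "192.0.2.5/32", "10.0.1.0/24", (22, 22), "accept-decisively", count=57),
    Rule(4, "admin-ssh-dup", "tcp", "192.0.2.5/32", "10.0.1.20/32", (22, 22), "accept", count=0),
    Rule(5, "block-telnet", "tcp", "any", "any", (23, 23), "drop", count=0),
    Rule(6, "legacy-ntp", "udp", "198.51.100.0/24", "10.0.1.50/32", (123, 123), "accept", count=2),
    Rule(7, "default-deny", "any", "any", "any", (0, 65535), "drop", count=9120),
]


if __name__ == "__main__":
    for kind, names in analyze(SAMPLE_RULES).items():
        print(f"{kind}: {names}")
```

Run against the sample list, allow-web-host is reported as redundant (covered by allow-web with the same action) and admin-ssh-dup as conflicting (covered by admin-ssh, Accept versus Accept Decisively, exactly the case the page describes). Both shadowed rules also appear as stale because they never match, as does block-telnet, which is the kind of rule a zero count should not get removed on its own: it matches nothing only because nobody has tried Telnet yet.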