Applies To:
Show VersionsBIG-IP AFM
- 14.1.2, 14.1.0
Testing Packets with Firewall, IP Intelligence, and DoS Rules
About packet tracing with the AFM Packet Tester
The Packet Tester is a troubleshooting tool that allows a user to inject a packet into the traffic processing of BIG-IP® AFM™ and track the resulting processing by the Network Firewall, DoS prevention settings, and IP Intelligence. If the packet hits an Network Firewall, DoS Protection, or IP Intelligence rule, the rule and rule context is displayed. This allows you to troubleshoot packet issues with certain types of packets, and to check that rules for certain packets are correctly configured.
Task list
Tracing a TCP packet
Tracing a UDP packet
Tracing an SCTP packet
Tracing an ICMP packet
Packet trace results
These tables show possible results of an AFM packet trace.
Device DoS results
Device DoS result | Description |
---|---|
Nominal (Green) | The packet matches a vector, but is not categorized as an attack. |
Whitelist (Green) | The packet matches the DoS whitelist and is allowed. |
Anomaly (Yellow) | The packet matches an anomaly condition. |
Attack (Red) | The packet matches a configured attack condition. |
Device IP Intelligence results
Device IP Intelligence result | Description |
---|---|
No match (Green) | The packet does not match an IP Intelligence rule. |
Match (Green or Red) | The packet matches an IP Intelligence rule and is either allowed or denied. |
Whitelist (Green) | The packet matches the IP Intelligence whitelist and is allowed.. |
No Policy (Gray) | There is no configured IP intelligence policy for the packet |
Device Rules
Device Rules result | Description |
---|---|
Match Allow (Green) | The packet matches a global firewall rule and is allowed. |
Match Reject (Red) | The packet matches a global firewall rule and is rejected. |
Match Drop (Red) | The packet matches a global firewall rule and is dropped. |
Match Decisive (Green) | The packet matches a global firewall rule and is allowed decisively. |
No Policy (Gray) | The packet does not match a global firewall rule. |
Route Domain IP Intelligence results
Route Domain IP Intelligence result | Description |
---|---|
No match (Green) | The packet does not match a route domain Intelligence rule. |
Match (Green or Red) | The packet matches a route domain Intelligence rule and is either allowed or denied. |
Whitelist (Green) | The packet matches the route domain Intelligence whitelist and is allowed. |
No Policy (Gray) | There is no configured IP intelligence policy for the packet |
Route Domain Rules results
Route Domain Rules result | Description |
---|---|
Match Allow (Green) | The packet matches a route domain firewall rule and is allowed. |
Match Reject (Red) | The packet matches a route domain firewall rule and is rejected. |
Match Drop (Red) | The packet matches a route domain firewall rule and is dropped. |
Match Decisive (Green) | The packet matches a route domain firewall rule and is allowed decisively. |
No Policy (Gray) | The packet does not match a route domain firewall rule. |
Virtual Server DoS results
Virtual Server DoS result | Description |
---|---|
Nominal (Green) | The packet matches a virtual server DoS vector, but is not categorized as an attack. |
Whitelist (Green) | The packet matches the virtual server DoS whitelist and is allowed. |
Anomaly (Yellow) | The packet matches a virtual server DoS anomaly condition. |
Attack (Red) | The packet matches a configured virtual server DoS attack condition. |
Prior Whitelist (Gray) | The packet matches a prior whitelist and is allowed. |
No Policy (Gray) | No virtual server DoS rule is configured that applies to this packet. |
Virtual Server IP Intelligence results
Virtual Server IP Intelligence result | Description |
---|---|
No match (Green) | The packet does not match a virtual server IP Intelligence rule. |
Match (Green or Red) | The packet matches a virtual server IP Intelligence rule and is either allowed or denied. |
Whitelist (Green) | The packet matches the virtual server IP Intelligence whitelist and is allowed. |
No Policy (Gray) | No virtual server IP intelligence policy is configured that applies to this packet. |
Virtual Server Rules results
Virtual Server Rules result | Description |
---|---|
Match Allow (Green) | The packet matches a virtual server firewall rule and is allowed. |
Match Reject (Red) | The packet matches a virtual server firewall rule and is rejected. |
Match Drop (Red) | The packet matches a virtual server firewall rule and is dropped. |
Match Decisive (Green) | The packet matches a virtual server firewall rule and is allowed decisively. |
No Policy (Gray) | The packet does not match a virtual server firewall rule. |
Default Rule results
Default Rule result | Description |
---|---|
Allow (Green) | The packet does not match any prior rules, and the default rule is allow, so the packet is allowed. |
Reject (Red) | The packet does not match any prior rules, and the default rule is reject, so the packet is rejected. |
Drop (Red) | The packet does not match any prior rules, and the default rule is drop, so the packet is dropped. |