
Forum Discussion

TayF5un
Oct 27, 2016

AFM context self-ip

Hi, I want to drop traffic from the self-IP to the outside. However, although I have added a rule which is:

source IP: my_external_IP, dest IP: any, action: drop

I was able to ping any IP and telnet to any IP.

What is the problem?

3 Replies

  • nathe

    In regards to ICMP, there is the following in the AFM Implementations guide, Configuring BIG-IP Network Firewall Policies:

    Important: ICMP is handled by BIG-IP at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create an inline rule for ICMP or ICMPv6 on a Self IP context. You can apply a rule list to a Self IP that includes a rule for ICMP or ICMPv6; however, such a rule will be ignored. To apply firewall actions to the ICMP protocol, create a rule with the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP itself.

    Not sure about Telnet, but it may be the same issue. Try adding a rule at the global context. If not, then you may want to enable logging to give you visibility on what's happening.

    Hope this helps,

    N

  • Thanks Tikka, I solved the problem. AFM doesn't affect traffic generated from BIG-IP.