For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mahiraljubouri_'s avatar
Mahiraljubouri_
Icon for Nimbostratus rankNimbostratus
Jan 03, 2017

AFM context

Hi i have a question about the AFM context, when i create a rule in the global or the virtual server context with the action accept the VIP will not be reachable, i have to change the action to acce...
AFM
security
nathe's avatar
nathe
Icon for Cirrocumulus rankCirrocumulus
Jan 03, 2017

What mode is the AFM configured in, ADC or Firewall mode? ADC mode has implicit rules for existing VSs but in Firewall mode you need to explictly create firewall rules. Normally i'd recommend ADC to start with and then move over to Firewall mode once all rules in place. It sounds like the Global Drop context is dropping your traffic if you have to use Accept Decisively, although i can' t be sure. You may need to enable logging for the Global context by enabling a DB key - 

tmsh modify sys db tm fw.globaldefaultrule log value enable

This might give you more information on why the traffic is being dropped.

As for reasons to use context, then it helps when understanding the firewall requirements on a per application (i.e. per VS) instance. If everything was in the global context you don't have this visbility necessarily.

Hope this helps,

N