Jan 31, 2023

AFM Default drop counter

I would like to know the purpose of the default drop/reject rule under global context, i.e. what circumstance is this incremented?

Creating policies within the global, virtual server, or self IP context does not seem to affect the counter (any accept/deny counters are all incremented within those policies).

Reset stats does not affect the counter value (in the example below, 423 remains the same).

Thank you in advance.

  • The manual says: If a packet does not match any rule in any context on the firewall, the Global Reject or Global Drop rule drops the packet (Global Drop) or drops the packet and sends the appropriate reject message (Global Reject) even when the system is in a default allow configuration.

    If the counter for the Default rule is not incrementing but the counters are incrementing for the Virtual Server or the Self IP, that means there are more specific matches and the packets are not hitting the default rule in the Global context. Packets dropped in the Virtual Server or the Self IP context will not have an effect on the Global counter.
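To make the answer above concrete, here is a small toy model of per-context rule counters. It is an added example, not F5 code and not taken from the original thread: the contexts, rule names, addresses and packets are all constructed, and the evaluation order (explicit global rules first, then the virtual server or self IP context that owns the destination, then the global default rule) is an assumption made for the illustration. The point it shows is the one the answer makes: a packet that is dropped or accepted by a rule in a virtual server or self IP context increments that rule's counter, and only a packet that matches no rule in any context increments the global default drop counter.

```python
"""Toy model of firewall contexts and their rule counters (added example, not F5 code)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    proto: Optional[str] = None      # None matches any protocol
    port: Optional[int] = None       # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.port is not None and pkt.get("port") != self.port:
            return False
        return True


@dataclass
class Context:
    name: str
    listener: Optional[str]          # CIDR this context owns; None for the global context
    rules: list[Rule]

    def owns(self, pkt: dict) -> bool:
        """The global context sees every packet; other contexts only their own destination."""
        if self.listener is None:
            return True
        return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.listener)


@dataclass
class Firewall:
    # Assumed evaluation order: explicit global rules, then the owning
    # virtual server / self IP context, then the global default rule.
    contexts: list[Context]
    default_action: str = "drop"
    counters: Counter = field(default_factory=Counter)

    def process(self, pkt: dict) -> str:
        for ctx in self.contexts:
            if not ctx.owns(pkt):
                continue
            for rule in ctx.rules:
                if rule.matches(pkt):
                    # First match wins; the hit is counted in *this* context only.
                    self.counters[(ctx.name, rule.name)] += 1
                    return rule.action
        # Nothing matched anywhere: this is the only path that touches the global default counter.
        self.counters[("global", f"default_{self.default_action}")] += 1
        return self.default_action


def build_firewall() -> Firewall:
    """Constructed contexts: one explicit global rule, one virtual server, one self IP."""
    return Firewall(contexts=[
        Context("global", None, [Rule("drop_icmp", "drop", proto="icmp")]),
        Context("vs_web", "10.0.0.10/32", [
            Rule("allow_https", "accept", proto="tcp", port=443),
            Rule("deny_ssh", "drop", proto="tcp", port=22),
        ]),
        Context("self_mgmt", "10.0.0.1/32", [Rule("allow_ssh", "accept", proto="tcp", port=22)]),
    ])


def simulate() -> Counter:
    """Run constructed sample packets and return the resulting per-rule counters."""
    fw = build_firewall()
    packets = [
        {"dst": "10.0.0.10", "proto": "tcp", "port": 443},   # matches vs_web/allow_https
        {"dst": "10.0.0.10", "proto": "tcp", "port": 22},    # matches vs_web/deny_ssh (dropped there)
        {"dst": "10.0.0.10", "proto": "udp", "port": 53},    # no rule in any context -> global default
        {"dst": "192.0.2.77", "proto": "tcp", "port": 80},   # no context owns it -> global default
        {"dst": "10.0.0.1", "proto": "tcp", "port": 22},     # matches self_mgmt/allow_ssh
        {"dst": "10.0.0.10", "proto": "icmp"},               # matches the explicit global rule
    ]
    for pkt in packets:
        fw.process(pkt)
    return fw.counters


if __name__ == "__main__":
    for (ctx, rule), hits in sorted(simulate().items()):
        print(f"{ctx:10s} {rule:14s} {hits}")
```

Running the block prints one line per rule with its hit count; the `vs_web/deny_ssh` drop shows up under the virtual server, while only the two packets that matched nothing at all land on `global/default_drop`. The same separation is why a drop counted in a virtual server or self IP policy does not move the global default counter in the AFM GUI.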