AFM: Is the Network Firewall Policy a higher precedence than the IP Intelligence Policy?

Question

Hi. I'm trying to figure out whether the Network Firewall policy has a higher precedence than IP Intelligence Policy. &nbsp;
My goal is to put a general IP Intelligence policy on a virtual server, but then establish a whitelist of a few IPs using a regular Network Firewall policy that explicitly allows those IPs. But whether that strategy works or not depends on what the precedence of these two policy types are.&nbsp;

stephan_mierau · Answer

I would say it depends where the items are located. The AFM goes through the policy from Global -> Route Domain -> Virtual Server. If you put your IP whitelist on the Route Domain with accept decisively and the IPI policy to the virtual server, it should work

stanislas_piro2 · Answer

Hi,&nbsp;
you should look at this drawing:&nbsp;
https://devcentral.f5.com/Portals/0/Users/011/11/11/AFM_Rules_Processing_Logic_2013.03.05.pdf&nbsp;

Forum Discussion

AFM: Is the Network Firewall Policy a higher precedence than the IP Intelligence Policy?

2 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Checking for X-Forwarded-For against an Address Data-Group

SSL Bridging and FQDN rewrite Policy

Cisco TACACS+ Config on ISE LTM Pair

iRule causing requests to be duplicated (sometimes)

How can I get started with iCall

Related Content

F5 AFM/Edge Firewall and the difference between Edge Firewalls and Next-generation Firewalls (NGFW)

Introduction to F5 BIG-IP Advanced Firewall Manager (AFM)

The Power of IP Intelligence (IPI)

Intelligent Proxy Steering - Office365

Enriching AFM with public domain Threat Intelligence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS