Forum Discussion
AFM Rule Evaluation
It seems in the back of my mind I am forgetting why this happens but I have an ACL similar to this, in this order:
1 - Allow tcp/443 from particular sources (some address lists, geo-IP, etc.) (action accept)
2 - DENY ALL protocols from any source going anywhere (action drop)
3 - (Default)
Somehow I have things hitting the default rule... it seems to me like there was a reason I would see this, but I can't think of why now... How is anything getting down to the (Default) if the DENY ALL rule is blocking every protocol, every port, every address, etc.?
The default mode of this AFM is ADC, so the default rule is allow... if we change to AFM mode, is whatever is somehow getting past these denies going to be blocked?
4 Replies
- Chris_Grant
Employee
The short answer is that it depends. I am assuming that you are applying these as global rules. Have you enabled logging to see what is being logged? Try taking a capture on the AFM and make sure that you have the rule configured for the actual traffic the box is seeing. If you are hitting default, I would expect it to start being blocked if you switch to firewall mode.
- JWhitesPro_1928
Cirrostratus
This is for a rule on a virtual server. I have logging enabled, and the traffic the log says is hitting this rule should be hitting the DENY first... the deny rule should match anything, but somehow certain items (they usually always match the first rule) are skipping it and hitting the last rule (default).
- JWhitesPro_1928
Cirrostratus
Additionally, I ran this command in the CLI against all the IP addresses that have shown as hitting the (default) rule, and they all return that they match the first ACL in the list... but reporting on the BIG-IP seems to think otherwise:
show /security firewall matching-rule source-addr "clientip" source-port any dest-addr "my vs ip" dest-port 443 vlan /Common/MY_VLAN protocol tcp
- Tikka_Nagi_1315
Historic F5 Account
The precedence order of the firewall rules first depends on the firewall contexts. Context in AFM literature is the category of the object to which firewall rules apply: Global, Route Domain (RTDOM), Virtual Server (VS) / Self IP (SIP). Then, within each context, precedence is determined by the order of the rules (each context is assigned a policy which has firewall rules in a certain order).
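The precedence described in that reply, as a small simulation added here for illustration; it is not F5 code and not code posted by anyone in the thread. It assumes the contexts run in the order Global, Route Domain, Virtual Server (a Self IP is treated like a Virtual Server and left out), that within an attached policy the first matching rule wins, that "accept" lets the packet continue to the next context while "accept-decisively" ends evaluation, that "drop" and "reject" end evaluation, and that an unmatched packet hits the context's "(Default)" rule whose action follows the AFM mode (ADC accepts, Firewall drops). Real rule predicates (address lists, geo-IP, schedules) are reduced to CIDR, port and VLAN checks. The addresses, VLAN names, rule names and the "deny rule narrowed to one VLAN" scenario are constructed for the example; that scenario only shows how a first-match list can let traffic fall past a rule that looks like "deny all", not what was happening on the poster's box.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Context precedence as described in the reply (assumption: Self IP omitted).
CONTEXT_ORDER = ("global", "route-domain", "virtual-server")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp", ...
    dport: int
    vlan: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # accept | accept-decisively | drop | reject
    proto: str = "any"
    src: tuple = ("0.0.0.0/0",)
    dst: tuple = ("0.0.0.0/0",)
    dports: Optional[frozenset] = None   # None matches any destination port
    vlans: Optional[frozenset] = None    # None matches any VLAN

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == p.proto)
            and any(ip_address(p.src) in ip_network(n) for n in self.src)
            and any(ip_address(p.dst) in ip_network(n) for n in self.dst)
            and (self.dports is None or p.dport in self.dports)
            and (self.vlans is None or p.vlan in self.vlans)
        )


def evaluate(policies: dict, p: Packet, mode: str = "adc"):
    """Walk attached policies in context order. Within a policy the first
    matching rule wins; an unmatched packet hits that context's (Default) rule,
    whose action follows the AFM mode (assumption: ADC accepts, Firewall drops).
    Returns (verdict, trace) with trace = [(context, rule name, action), ...]."""
    default_action = "accept" if mode == "adc" else "drop"
    trace = []
    for ctx in CONTEXT_ORDER:
        if ctx not in policies:          # no policy attached at this context
            continue
        hit = next((r for r in policies[ctx] if r.matches(p)), None)
        name, action = (hit.name, hit.action) if hit else ("(Default)", default_action)
        trace.append((ctx, name, action))
        if action == "accept":           # allowed here; the next context still runs
            continue
        if action == "accept-decisively":
            return "accept", trace       # allowed, and no further contexts are consulted
        return action, trace             # drop / reject ends evaluation
    return "accept", trace


def question_policies(deny_vlans: Optional[frozenset] = None) -> dict:
    """The VS policy from the question: allow tcp/443 from a few sources, then
    deny everything, then (Default). Source lists and the VS address are
    constructed placeholders. deny_vlans is a hypothetical narrowing of the
    deny rule, used only to show how traffic can fall past a 'deny all'."""
    return {
        "virtual-server": [
            Rule("1_allow_tcp443_from_lists", "accept", proto="tcp",
                 src=("203.0.113.0/24", "198.51.100.0/24"),
                 dst=("192.0.2.10/32",), dports=frozenset({443})),
            Rule("2_deny_all", "drop", vlans=deny_vlans),
        ]
    }


def with_global_bypass(policies: dict) -> dict:
    """Add a hypothetical global rule that accepts decisively from 10.0.0.0/8,
    so the VS policy is never consulted for that source."""
    return {"global": [Rule("mgmt_accept_decisively", "accept-decisively",
                            src=("10.0.0.0/8",))], **policies}


if __name__ == "__main__":
    vs = "192.0.2.10"
    narrowed = question_policies(frozenset({"/Common/MY_VLAN"}))
    cases = [
        ("listed source", question_policies(),
         Packet("203.0.113.5", vs, "tcp", 443, "/Common/MY_VLAN"), "adc"),
        ("unlisted source", question_policies(),
         Packet("192.0.2.77", vs, "tcp", 443, "/Common/MY_VLAN"), "adc"),
        ("deny narrowed to one VLAN, packet on another, ADC mode", narrowed,
         Packet("192.0.2.77", vs, "tcp", 443, "/Common/OTHER"), "adc"),
        ("same packet, Firewall mode", narrowed,
         Packet("192.0.2.77", vs, "tcp", 443, "/Common/OTHER"), "firewall"),
        ("global accept-decisively", with_global_bypass(question_policies()),
         Packet("10.1.2.3", vs, "tcp", 443, "/Common/MY_VLAN"), "adc"),
    ]
    for label, pol, pkt, mode in cases:
        verdict, trace = evaluate(pol, pkt, mode)
        print(f"{label}: {verdict} via {trace}")
```

The trace returned by evaluate() is the part worth reading: it shows which context answered, so a "(Default)" hit in the log can be compared against the rule the matching-rule command reports for the same five-tuple and VLAN. Switching the mode argument from "adc" to "firewall" only changes what an unmatched packet gets, which is the behaviour the first reply predicts for traffic that is currently landing on the default rule.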