F5 AFM (13.1.1) Using FQDN in rules - troubleshooting
I've configured an AFM rule to use an FQDN in the destination address field. This works well in my lab environment but fails on the customer site. Both F5s are configured with the same settings to allow this feature to work, e.g. Network ›› DNS Resolvers : DNS Resolver List and Security ›› Options : Network Firewall - FQDN Resolver.
All DNS resolution on the BIG-IP CLI works. Can anyone tell me how I can test or troubleshoot the DNS resolver feature for AFM?
Thanks for the information, I actually got a fix from F5 support. As follows:
1- Navigate to 'Network ›› DNS Resolvers : DNS Resolver List' and click on your DNS resolver 'dns-resolver'.
2- Under Forward zones, click 'Add' and for the 'Name' enter the dot sign (.); for the address, add one of your above DNS server addresses.
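The same fix can be applied and checked from the BIG-IP command line. The commands below are an added example and are not part of the thread or of F5's own instructions; they assume the resolver object is named 'dns-resolver' as in the thread, and use 192.0.2.53 as a stand-in for the customer's DNS server address. The point worth noting for troubleshooting is that AFM's FQDN resolution goes through this DNS resolver object, not through the system resolver the CLI uses, so DNS working from the shell does not prove the firewall rule can resolve its FQDN.

```tmsh
# Add a catch-all forward zone "." to the resolver so every name is forwarded
# to the given server (192.0.2.53 is a constructed placeholder, not a real server).
modify net dns-resolver dns-resolver forward-zones add { . { nameservers add { 192.0.2.53:53 { } } } }

# Confirm the forward zone is now present on the resolver object.
list net dns-resolver dns-resolver

# Check what AFM has actually resolved for the rule's FQDN (replace the placeholder).
show security firewall fqdn-info <fqdn-used-in-rule>

# Persist the change.
save sys config
```

Run these inside a tmsh session (or prefix each with `tmsh ` from bash). If `show security firewall fqdn-info` returns no addresses after the forward zone is added, the firewall's resolver still cannot reach the nameserver, which points at a routing or route-domain issue between the BIG-IP and that DNS server rather than at the rule itself.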
Have you tried checking the AFM DNS cache to see if the FQDN being resolved matches what you are expecting?
tmsh show security firewall fqdn-info fqdn
Does the FQDN in question resolve to a single IP or multiple IPs?
You can also try enabling FQDN debugging temporarily:
tmsh modify sys db log.fw_fqdn.level value debug
To turn off FQDN debugging:
tmsh modify sys db log.fw_fqdn.level reset-to-default