Forum Discussion

Cirrus

Jun 11, 2021

Solved

Packet Processing Order

Hi All, I have F5 VM hosted in Azure which is having modules like LTM, DNS, Adv WAF and AFM. Need to know how packet will be processed in this case multiple modules are enabled. Note: In DNS m...

Nikoolayy1
Jun 13, 2021
1. Packet Filter
2. AFM
3. FLOW_INIT (An iRule Event i.e. when FLOW_INIT)
4. LTM
5. APM
6. ASM / Adv WAF

The ASM can block things and inform the AFM so that next time the attack is blocked at the AFM level.

The DNS/GTM module is seperate thing and only if you use the AFM DNS protection (DNS firewall and IPS) then the AFM will be infront of the DNS module (Protocol Security > Security Profiles) or the AFM IPS that may have signatures for DNS attacks.

https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-system-dos-protection-and-protocol-firewall-implementations-14-1-0/11.html

https://support.f5.com/csp/article/K44080215

How come only DNS caching is configured? If you have not enabled "GSLB" under the DNS profile for the used listener then the Wide IP will not be used.

https://support.f5.com/csp/article/K21520582

https://support.f5.com/csp/article/K14510

Also the DNS Cache if it of transperant type a pool of DNS servers needs to be attached under the DNS Listener/VIP and also "Unhandled Query Actions" needs to be set to Allow (Also check the Wide IP load balancing is not having a load balancing method that stops the sending of data to the other DNS objects if there is no Wide IP match).

https://techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0/7.html

Don't ask so many questions at once under a single post, so for the other " refernce for LTM" better open another qustion but first I suggest try to find the answer on your own as F5 has really good documentation.

Nikoolayy1

MVP

Jun 13, 2021

1. Packet Filter

2. AFM

3. FLOW_INIT (An iRule Event i.e. when FLOW_INIT)

4. LTM

5. APM

6. ASM / Adv WAF

The ASM can block things and inform the AFM so that next time the attack is blocked at the AFM level.

The DNS/GTM module is seperate thing and only if you use the AFM DNS protection (DNS firewall and IPS) then the AFM will be infront of the DNS module (Protocol Security > Security Profiles) or the AFM IPS that may have signatures for DNS attacks.

https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-system-dos-protection-and-protocol-firewall-implementations-14-1-0/11.html

https://support.f5.com/csp/article/K44080215

How come only DNS caching is configured? If you have not enabled "GSLB" under the DNS profile for the used listener then the Wide IP will not be used.

https://support.f5.com/csp/article/K21520582

https://support.f5.com/csp/article/K14510

Also the DNS Cache if it of transperant type a pool of DNS servers needs to be attached under the DNS Listener/VIP and also "Unhandled Query Actions" needs to be set to Allow (Also check the Wide IP load balancing is not having a load balancing method that stops the sending of data to the other DNS objects if there is no Wide IP match).

https://techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0/7.html

Don't ask so many questions at once under a single post, so for the other " refernce for LTM" better open another qustion but first I suggest try to find the answer on your own as F5 has really good documentation.

Sushant
Altostratus
Jun 14, 2021
Hi Nikoolayy1 " The ASM can block things and inform the AFM so that next time the attack is blocked at the AFM level."

Is there any document about what are the things that it can block ? It must probably be for signature based ? If you have any links regarding it please share

Thanks !
- Nikoolayy1
  MVP
  Jun 14, 2021
  Sorry I added something that a little more related to the ip inteligence as this is even before the AFM (but not before the packet filters as the packet filters are always first) in the order of packet processing and it is for DDOS at layer 7 (asm) or layer 3/4(afm). It means that when the ASM/AFM detect ddos they tell the Ip inteligence to block the source IP. It is called shun list for the ASM and Bad Actor Detection for the AFM.
  
  https://support.f5.com/csp/article/K49869231
  
  https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/4.html
  
  https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-13-0-0/7.html
  
  The ASM bad actor is another feature for auto signature to be generated for bad traffic as the DDOS protection at layer 7 is before the ASM policy evaluation (for the AFM it is the same the DDOS layer 3 and 4 protection is before the layer 3 and 4 security rules).
  
  https://clouddocs.f5.com/training/community/ddos/html/class7/bados/module5.html
  
  Read the guides for the modules to get the idea also check learnf5 the getting started clips:
  
  https://support.f5.com/csp/article/K73819494
  
  https://www.f5.com/services/training/free-training-courses/getting-started-start-here
- Sushant
  Altostratus
  Jun 14, 2021
  Ok thanks got your point ..Cheers !
- Nikoolayy1
  MVP
  Jun 28, 2021
  Also when working with AFM don't forget the context order and if the firewall is default deny or default allow.
  
  https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-5-1/2.html
  
  https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations/afm-firewall-default-traffic-processing.html
  
  AFM also has nice tools too see if your traffic s getting blocked by the AFM:
  
  https://clouddocs.f5.com/training/community/firewall/html/class1/module2/module2.html