Extending AFM with iRules

The Advanced Firewall Manager (AFM) is a powerful network security solution in its own right. The policy flexibility in AFM enables the majority of functionality necessary to protect your application...
Published Apr 14, 2016
Version 1.0
AFM
iRules
security
Peter_Baumann's avatar
Peter_Baumann
Icon for Cirrostratus rankCirrostratus
Apr 25, 2018

Now I had the time to test this again.

We have a vCMP with v12.1.3.

AFM Policy attached to VS:

security firewall policy /Common/afm_block_example {
    description "afm block http example"
    rules {
        rule_block_all {
            action drop
            irule /Common/AFM_block_example
        }
    }
}

irule /Common/AFM_block_example:

when FLOW_INIT {

log local0. "FLOW_INIT / ACL_action: [ACL::action]"

    if { [ACL::action] equals "drop" } {
        ACL::action allow
        log local0. "L3/4 FW Policy Disabled"
    }
}
when HTTP_REQUEST {
    HTTP::respond 401 content {BLOCKED: This content is blocked due to export restrictions

    }
    log local0. "401 Block ACL iRule was hit"
    drop
}

What I see in the log:

Apr 25 12:51:59 slot1/f5 info tmm[28247]: Rule /Common/AFM_block_example : FLOW_INIT / ACL_action: 0

HTTP Request is blocked then.

What is wrong here?