Extending AFM with iRules
The Advanced Firewall Manager (AFM) is a powerful network security solution in its own right. The policy flexibility in AFM enables the majority of functionality necessary to protect your application...
Published Apr 14, 2016
Version 1.0
JRahm
Admin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
Peter_Baumann
Cirrostratus
Apr 25, 2018
Now I had the time to test this again.
We have a vCMP with v12.1.3. AFM Policy attached to VS:

    security firewall policy /Common/afm_block_example {
        description "afm block http example"
        rules {
            rule_block_all {
                action drop
                irule /Common/AFM_block_example
            }
        }
    }
irule /Common/AFM_block_example:

    when FLOW_INIT {
        # Log the action the AFM policy chose for this flow
        log local0. "FLOW_INIT / ACL_action: [ACL::action]"
        # If the policy would drop, override it so the flow reaches HTTP_REQUEST
        if { [ACL::action] equals "drop" } {
            ACL::action allow
            log local0. "L3/4 FW Policy Disabled"
        }
    }
    when HTTP_REQUEST {
        # Answer with a 401 page, then drop the connection
        HTTP::respond 401 content {BLOCKED: This content is blocked due to export restrictions}
        log local0. "401 Block ACL iRule was hit"
        drop
    }
What I see in the log:
Apr 25 12:51:59 slot1/f5 info tmm[28247]: Rule /Common/AFM_block_example : FLOW_INIT / ACL_action: 0
HTTP Request is blocked then.
What is wrong here?
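The FLOW_INIT branch of the iRule above turns an AFM drop into an allow, so every "L3/4 FW Policy Disabled" line in the log is a firewall decision being overridden by the iRule. The following Python is an added example (not from the post, the article, or F5) that parses tmm log lines of the form shown above and counts, per iRule, the ACL::action values seen in FLOW_INIT, the drop-to-allow overrides, and the HTTP 401 blocks; the sample lines are constructed from the log statements in the iRule.

```python
import re
from collections import Counter

# Matches the tmm log line format quoted in the post:
#   "<timestamp> <host> info tmm[<pid>]: Rule <rule> : <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ tmm\[\d+\]: "
    r"Rule (?P<rule>\S+) : (?P<msg>.*)$"
)
ACTION_RE = re.compile(r"FLOW_INIT / ACL_action: (?P<action>\S+)")

# Constructed sample log, using the messages the iRule logs.
SAMPLE_LOG = """\
Apr 25 12:51:59 slot1/f5 info tmm[28247]: Rule /Common/AFM_block_example : FLOW_INIT / ACL_action: 0
Apr 25 12:51:59 slot1/f5 info tmm[28247]: Rule /Common/AFM_block_example : FLOW_INIT / ACL_action: drop
Apr 25 12:51:59 slot1/f5 info tmm[28247]: Rule /Common/AFM_block_example : L3/4 FW Policy Disabled
Apr 25 12:52:00 slot1/f5 info tmm[28247]: Rule /Common/AFM_block_example : 401 Block ACL iRule was hit
Apr 25 12:52:03 slot1/f5 info tmm[28247]: Rule /Common/other_rule : FLOW_INIT / ACL_action: allow
"""

def parse_line(line):
    """Return (rule, message) for an iRule log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("rule"), m.group("msg")

def summarize(text):
    """Count FLOW_INIT actions per rule and how often the iRule overrode a drop."""
    actions = Counter()      # (rule, ACL::action value) -> count
    overrides = Counter()    # rule -> drop turned into allow
    http_blocks = Counter()  # rule -> HTTP_REQUEST 401 block fired
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rule, msg = parsed
        am = ACTION_RE.search(msg)
        if am:
            actions[(rule, am.group("action"))] += 1
        elif msg == "L3/4 FW Policy Disabled":
            overrides[rule] += 1
        elif msg == "401 Block ACL iRule was hit":
            http_blocks[rule] += 1
    return {"actions": actions, "overrides": overrides, "http_blocks": http_blocks}

if __name__ == "__main__":
    for key, counter in summarize(SAMPLE_LOG).items():
        print(key, dict(counter))
```

A non-zero override count for a rule means the L3/4 policy is being bypassed by that iRule, which is worth alerting on; the numeric ACL_action value from the post is also recorded as its own key, so the two forms of the same decision stay distinguishable.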