The BIG-IP AFM Operations Guide

The BIG-IP Advanced Firewall Manager (AFM) is an ICSA-certified firewall that provides critical protection for all of your web applications. It is built on TMOS (the foundational operating system used by all F5 BIG-IP products), and it can run on any of the F5 Application Delivery Platforms.

The AFM delivers the most effective network-level security for enterprises and service providers. Whether on-premises or in a software-defined data center, the AFM tracks the state of network sessions, maintains application awareness, and mitigates threats based on more attack details than traditional network firewalls. It also protects your organization from aggressive distributed denial-of-service (DDoS) attacks before they can reach your data center.

This operations guide was written by the engineers who design, build, and support the AFM, as well as other F5 professionals who have firsthand experience with this technology. In this guide you'll find recommendations, practices, and troubleshooting tips to keep your AFM running at peak efficiency.

This guide provides details on configuration items such as packet flow, firewall rules, Network Address Translation, DDoS mitigations, logging, and troubleshooting. The goal of this guide is to help customers keep their BIG-IP system healthy, optimized, and performing as designed. It describes common information technology procedures as well as some that are exclusive to BIG-IP systems. If you have specific questions about how to configure and operate your BIG-IP AFM, take some time to look at this guide and I'm sure you will find some great guidance here. Enjoy!


BIG-IP Advanced Firewall Manager Operations Guide (v12.0)

Published Jun 16, 2016
Version 1.0
  • I was just looking at the August 2017 version of this document, and on page 8 in the section 'Flow Lookup', the document states the following:

    The packet process flows in the following sequence:

    1. If the BIG-IP platform uses ePVA hardware acceleration and the flow matches the hardware flow table, then the packet is processed and sent directly to egress.
    2. If there is a match on the hardware flow table, the packet is passed on to flow input for post L4 processing, in the direction of egress.

    Should the second reference to the 'hardware flow table' be changed to 'software flow table' or is 2 merely duplicating the content of 1?

  • @rob_carr, great catch on this, and thanks for the question. I admit that the flow sequence wording on page 8 is a bit confusing. Fortunately, the diagram on page 7 is correct and follows the proper flow patterns and logic, so it's best to just reference the diagram for now. I'm working with the author to update the verbiage in the document, and I'll post an updated version here as soon as it's available. Thanks again for the catch!

  • Can I also suggest that all arrows pointing at the flow table be changed to the dashed variety, since the flow table isn't actually in the packet flow path?

  • Thanks rob_carr! I'll make sure the Ops Guide authors get this feedback.

  • @rob_carr, the Ops Guide authors got your feedback and updated the flow lookup sequence verbiage. The links in this article have been updated to reflect the current version of the Ops Guide.