
Packet Processing Order

Hi All,

I have an F5 VM hosted in Azure which has modules like LTM, DNS, Adv WAF and AFM. I need to know how a packet will be processed in this case, when multiple modules are enabled.

Note: In the DNS module only the DNS Caching feature is in use; there are in Wide IPs configured.

Also, please help me with where to find the bash commands reference for LTM.

Thanks,

Ashish Solanki

1 ACCEPTED SOLUTION

1. Packet Filter

2. AFM

3. FLOW_INIT (an iRule event, i.e. when FLOW_INIT)

4. LTM

5. APM

6. ASM / Adv WAF

The ASM can block things and inform the AFM so that next time the attack is blocked at the AFM level.

The DNS/GTM module is a separate thing, and only if you use the AFM DNS protection (DNS firewall and IPS) will the AFM be in front of the DNS module (Protocol Security > Security Profiles), or the AFM IPS that may have signatures for DNS attacks.

https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-system-dos-protection-an...

https://support.f5.com/csp/article/K44080215

How come only DNS caching is configured? If you have not enabled "GSLB" under the DNS profile for the used listener then the Wide IP will not be used.

https://support.f5.com/csp/article/K21520582

https://support.f5.com/csp/article/K14510

Also, if the DNS Cache is of the transparent type, a pool of DNS servers needs to be attached under the DNS Listener/VIP and "Unhandled Query Actions" needs to be set to Allow (also check that the Wide IP load balancing does not have a load balancing method that stops the sending of data to the other DNS objects if there is no Wide IP match).

https://techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementati...

Don't ask so many questions at once under a single post, so for the other "reference for LTM" better open another question, but first I suggest you try to find the answer on your own as F5 has really good documentation.
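The order in the accepted answer can be observed on a lab BIG-IP with a handful of objects and the log lines they write. The bigip.conf-style fragment below is an added example written for this thread, not configuration from the original post or from F5; every object name, address and pool member is a placeholder, and it assumes AFM and LTM are provisioned and that the built-in global-network logging profile is present. It covers stages 2 to 4 of the list: an AFM policy enforced in the virtual-server context (ending in an explicit, logged drop so the outcome does not depend on the firewall's global default action), a FLOW_INIT iRule, and the LTM virtual server that ties them together.

```tmsh
# Constructed example (not from the thread): objects to watch the order
# AFM -> FLOW_INIT -> LTM in the logs of a single flow. Placeholders only.

# Stage 2 (AFM): policy enforced on the virtual server. The last rule is an
# explicit logged drop, so the policy behaves the same whether the global
# firewall default is accept or drop.
security firewall policy vs_order_demo_policy {
    rules {
        allow_web_from_lan {
            action accept
            ip-protocol tcp
            log yes
            source {
                addresses {
                    10.10.0.0/16 { }
                }
            }
            destination {
                ports {
                    443 { }
                }
            }
        }
        explicit_default_deny {
            action drop
            log yes
        }
    }
}

# Stage 3: FLOW_INIT runs on the first packet of a flow that AFM has
# already accepted, before LTM virtual-server processing. Only addresses
# and the IP protocol are used here, since no connection exists yet.
ltm rule flow_order_log {
when FLOW_INIT {
    # Written to /var/log/ltm; this line precedes CLIENT_ACCEPTED for the same client.
    log local0. "FLOW_INIT [IP::client_addr] -> [IP::local_addr] proto [IP::protocol]"
}
when CLIENT_ACCEPTED {
    # Stage 4 (LTM): the connection exists and the virtual server is known.
    log local0. "CLIENT_ACCEPTED [IP::client_addr]:[TCP::client_port] on [virtual name]"
}
}

# Backend pool for the virtual server (placeholder member).
ltm pool web_pool {
    members {
        10.10.2.10:443 {
            address 10.10.2.10
        }
    }
    monitor tcp
}

# Stage 4 (LTM): the virtual server carries the enforced AFM policy, the
# network-firewall log profile that records rule hits, and the iRule.
ltm virtual vs_order_demo {
    destination 10.10.1.10:443
    ip-protocol tcp
    fw-enforced-policy vs_order_demo_policy
    security-log-profiles {
        global-network
    }
    pool web_pool
    profiles {
        tcp { }
    }
    rules {
        flow_order_log
    }
    source-address-translation {
        type automap
    }
}
```

Save the fragment to a file and load it with `tmsh load sys config merge file /var/tmp/order_demo.conf`. A connection from an address inside 10.10.0.0/16 to 10.10.1.10:443 produces the FLOW_INIT line before the CLIENT_ACCEPTED line in /var/log/ltm; a connection from any other source hits the final drop rule in the AFM stage and produces neither iRule line, which is the ordering the list above describes. Packet filters (stage 1) are separate net packet-filter objects and are not shown.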



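For the DNS part of the accepted answer (GSLB enabled on the DNS profile so Wide IPs are consulted, a transparent cache, a pool of DNS servers on the listener, and Unhandled Query Actions set to Allow), here is an added bigip.conf-style fragment; it is not from the original post or from F5 documentation. Names, addresses and cache sizes are placeholders, and it assumes the DNS module is provisioned and the built-in udp_gtm_dns profile exists.

```tmsh
# Constructed example (not from the thread): transparent DNS cache in front
# of a pool of resolvers, with GSLB on so Wide IPs are checked first and
# queries that match no Wide IP are passed on instead of dropped.

# The transparent cache: responses are cached, but the BIG-IP does not
# resolve on its own, so a pool of DNS servers is required on the listener.
ltm dns cache transparent dns_transparent_cache {
    msg-cache-size 1048576
    rrset-cache-size 10485760
}

# DNS profile: GSLB (enable-gtm) makes Wide IPs answer first; unhandled
# queries are allowed through to the pool rather than dropped.
ltm profile dns dns_cache_gslb {
    defaults-from dns
    enable-gtm yes
    enable-cache yes
    cache dns_transparent_cache
    unhandled-query-action allow
    use-local-bind no
}

# Upstream resolvers that receive whatever the cache and Wide IPs do not answer.
ltm pool upstream_resolvers {
    members {
        10.10.3.10:53 {
            address 10.10.3.10
        }
        10.10.3.11:53 {
            address 10.10.3.11
        }
    }
    monitor gateway_icmp
}

# The DNS listener (VIP) with the profile and the resolver pool attached.
gtm listener dns_listener_udp {
    address 10.10.1.53
    port 53
    ip-protocol udp
    pool upstream_resolvers
    profiles {
        dns_cache_gslb { }
        udp_gtm_dns { }
    }
}
```

With unhandled-query-action set to anything other than allow, a query for a name that is not a Wide IP and not yet cached never reaches upstream_resolvers, which is the failure the answer warns about; keep the Wide IP load balancing method in mind for the same reason.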
Hi Nikoolayy1, "The ASM can block things and inform the AFM so that next time the attack is blocked at the AFM level."

Is there any document about what are the things that it can block? It must probably be signature based? If you have any links regarding it please share.

Thanks!

Sorry, I added something that is a little more related to IP intelligence, as this is even before the AFM (but not before the packet filters, as the packet filters are always first) in the order of packet processing, and it is for DDoS at layer 7 (ASM) or layer 3/4 (AFM). It means that when the ASM/AFM detect DDoS they tell IP intelligence to block the source IP. It is called shun list for the ASM and Bad Actor Detection for the AFM.

https://support.f5.com/csp/article/K49869231

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/4.ht...

https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-imple...

The ASM bad actor is another feature, for auto signatures to be generated for bad traffic, as the DDoS protection at layer 7 is before the ASM policy evaluation (for the AFM it is the same: the DDoS layer 3 and 4 protection is before the layer 3 and 4 security rules).

https://clouddocs.f5.com/training/community/ddos/html/class7/bados/module5.html

Read the guides for the modules to get the idea; also check LearnF5 for the getting started clips:

https://support.f5.com/csp/article/K73819494

https://www.f5.com/services/training/free-training-courses/getting-started-start-here

Ok, thanks, got your point. Cheers!

Also, when working with AFM don't forget the context order and whether the firewall is default deny or default allow.

https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-5-1/2.html

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations/afm-firewall-default-traffic-processing.html

AFM also has nice tools to see if your traffic is getting blocked by the AFM:

https://clouddocs.f5.com/training/community/firewall/html/class1/module2/module2.html