One of the most important considerations when you create Policies and/or Rules (including IPI Policy, DDoS Protection, Firewall Policy, IPS Policy, and NAT Policy) on the F5 BIG-IP AFM module is the correct precedence order of TMOS objects. Knowing this order also helps when you are troubleshooting issues on different traffic flows.
Here, I clarify the correct precedence order of the most important objects in the AFM module, as below:
- IP Intelligence Policy:
* Global IPI (HW-Accelerated)
* Per-VS IPI (HW-Accelerated)
* Route-domain IPI (SW-based)
- DDoS Protection:
* Per-VS DoS Profile (HW-Accelerated)
* Device (Global) DoS Protection (HW-Accelerated)
- Firewall Policy:
* Per-VS Rules (SW-based)
* Route-domain Context (SW-based)
* Global Context (SW-based)
- IPS Policy (Protocol Inspection Profile):
* Per-VS Firewall Policy with IPS Rule (SW-based)
* Per-VS IPS Policy (SW-based)
* Per-RD IPS Policy (SW-based)
* Global IPS Policy (SW-based)
- NAT Policy:
* Per-VS NAT Policy (SW-based)
* Per-RD NAT Policy (SW-based)
* Global NAT Policy (SW-based)