Monday, 7 March 2022

**F5 BIG-IP AFM (Advanced Firewall Manager)**

When you create policies and rules on the F5 BIG-IP AFM module (including IPI Policy, DDoS Protection, Firewall Policy, IPS Policy, and NAT Policy), one of the most important things to consider is the correct precedence order of the TMOS objects. Knowing this order also helps when you are troubleshooting issues on different traffic flows.

Below is the correct precedence order of the most important objects in the AFM module:

- IP Intelligence Policy:
  * Global IPI (HW-Accelerated)
  * Per-VS IPI (HW-Accelerated)
  * Route-domain IPI (SW-based)

- DDoS Protection:
  * Per-VS DoS Profile (HW-Accelerated)
  * Device (Global) DoS Protection (HW-Accelerated)

- Firewall Policy:
  * Per-VS Rules (SW-based)
  * Route-domain Context (SW-based)
  * Global Context (SW-based)

- IPS Policy (Protocol Inspection Profile):
  * Per-VS Firewall Policy with IPS Rule (SW-based)
  * Per-VS IPS Policy (SW-based)
  * Per-RD IPS Policy (SW-based)
  * Global IPS Policy (SW-based)

- NAT Policy:
  * Per-VS NAT Policy (SW-based)
  * Per-RD NAT Policy (SW-based)
  * Global NAT Policy (SW-based)
