Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP LTM Technology

Packet Filters

Here’s a textual graph for Packet Filters in BIG-IP, showing how incoming traffic is processed and the precedence order for different components:

-----------------------------------------------------------
|                    [Incoming Traffic]                 |
-----------------------------------------------------------
                             |
                             v
-----------------------------------------------------------
|                    [Packet Filter]                    |
|   - Applies only to incoming traffic.                  |
|   - Filters based on custom expressions using          |
|     tcpdump syntax.                                   |
-----------------------------------------------------------
                             |
                             v
-----------------------------------------------------------
|              [iRule Event "FLOW_INIT"]                |
|   - Defines actions to take when traffic is detected.  |
|   - Executes after Packet Filter.                      |
-----------------------------------------------------------
                             |
                             v
-----------------------------------------------------------
|                   [TMM / AFM]                          |
|   - Traffic Management (TMM) or Advanced Firewall (AFM).|
|   - Further processes the traffic after iRule.         |
-----------------------------------------------------------

                             |
                             v
-----------------------------------------------------------
|                  [Packet Filter Logs]                 |
|   - Logs of filtered traffic are stored in:           |
|     "/var/log/pktfilter"                               |
-----------------------------------------------------------

Explanation of the Graph:

  1. Incoming Traffic: The process starts with incoming traffic that is subject to filtering rules applied at various stages.

  2. Packet Filter: A custom packet filter can be applied using a syntax similar to the tcpdump utility, allowing detailed and flexible control over incoming packets.

  3. iRule Event "FLOW_INIT": After the packet filter, an iRule event called FLOW_INIT can be triggered. This event allows you to define specific actions to handle the traffic, providing greater flexibility in how the traffic is processed.

  4. TMM / AFM: Finally, the traffic is handled by TMM (Traffic Management Microkernel) or AFM (Advanced Firewall Manager), which may perform additional processing, such as applying firewall rules or load balancing decisions.

  5. Packet Filter Logs: Any traffic filtered by the Packet Filter is logged in the /var/log/pktfilter directory, allowing you to review which packets were accepted or dropped.

Precedence Order (Highest to Lowest):

  • Packet Filter Rules: These rules are applied first and have the highest precedence.

  • iRule Event "FLOW_INIT": This event is triggered next, after the packet filter.

  • TMM / AFM: After iRules are processed, the traffic is handled by the TMM/AFM for further management.

PreviousSource IP Address and PORT Translation in BIG-IPNextTraffic / Service Profiles in BIG-IP

Last updated 3 months ago