By default, the AFM firewall is configured in ADC mode, which is a default-allow configuration. In ADC mode, all traffic is allowed through the firewall, and any traffic you want to block must be explicitly specified in a rule.
To understand this firewall scenario, imagine that your prerequisite system load-balances all traffic from the Internet to several internal servers. The internal servers are:
| Virtual servers | IP address |
|---|---|
| Network virtual server | 220.127.116.11/24 |
| Application virtual server | 192.168.15.101 |
In order for traffic from the internal application virtual server to reach the external network virtual server, you must create a VLAN and enable both internal and external virtual servers on it. In this scenario, these VLANs are specified:
| VLAN | Configuration |
|---|---|
| net_ext | Enabled on 18.104.22.168/24, 192.168.15.101 |
| net_int | Includes pool members 10.10.1.10, 10.10.1.11 |
In this firewall configuration, there are three external networks that require firewall policies:
| External network | Firewall policy |
|---|---|
| 22.214.171.124/24 | Allow all access |
| 126.96.36.199/24 | Allow all access |
| 188.8.131.52/24 | Deny all access |
ADC mode configuration scenario
Such a rule allows ICMPv6 pools to function, when a rule that denies all traffic is added at the end of the rule list in an ADC mode configuration.
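The following is an added illustration, not F5 code or configuration from this page: a small first-match rule evaluator that models the ADC-mode behaviour described above. It uses the three external networks from the table, adds the ICMPv6 allow rule and the trailing deny-all rule the scenario refers to, and shows why rule order matters: with no deny-all rule the firewall falls through to the ADC-mode default (accept), with deny-all at the end unknown sources are dropped while ICMPv6 still passes, and if deny-all is placed ahead of the ICMPv6 rule, ICMPv6 is dropped as well. Rule names, the sample source addresses and the "any" wildcard syntax are constructed for this example and are not AFM's own syntax.

```python
from ipaddress import ip_address, ip_network

# Constructed rule list modelling the scenario: (name, source network, protocol, action).
# "any" is a wildcard used only by this example. Rules are evaluated top to bottom,
# first match wins, which is how a rule list with a trailing deny-all is read.
RULES = [
    ("allow_ext_a", "22.214.171.124/24", "any", "accept"),
    ("allow_ext_b", "126.96.36.199/24", "any", "accept"),
    ("deny_ext_c", "188.8.131.52/24", "any", "drop"),
    ("allow_icmpv6", "any", "icmpv6", "accept"),  # must sit before deny_all
    ("deny_all", "any", "any", "drop"),
]


def evaluate(rules, src, proto, default="accept"):
    """Return (rule_name, action) for the first matching rule.

    `default` models the mode: "accept" is ADC mode (default allow). It only
    applies when no rule matches, which a trailing deny-all rule prevents.
    """
    addr = ip_address(src)
    for name, net, rule_proto, action in rules:
        if net != "any":
            # strict=False accepts host bits in the network, e.g. 22.214.171.124/24
            network = ip_network(net, strict=False)
            if addr.version != network.version or addr not in network:
                continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        return name, action
    return "default", default


def without_deny_all(rules):
    """Pure ADC mode: the same list with the trailing deny-all removed."""
    return [r for r in rules if r[0] != "deny_all"]


def misordered(rules):
    """The mistake the text warns about: deny-all placed before the ICMPv6 rule."""
    deny = [r for r in rules if r[0] == "deny_all"]
    rest = [r for r in rules if r[0] not in ("deny_all", "allow_icmpv6")]
    icmp = [r for r in rules if r[0] == "allow_icmpv6"]
    return rest + deny + icmp


if __name__ == "__main__":
    # Constructed sample traffic; none of these addresses appear on the page.
    samples = [
        ("22.214.171.50", "tcp"),   # allowed external network
        ("188.8.131.9", "tcp"),     # denied external network
        ("203.0.113.7", "tcp"),     # unknown source
        ("fe80::1", "icmpv6"),      # ICMPv6 neighbour traffic needed by pools
    ]
    for label, rules in (("ADC default allow", without_deny_all(RULES)),
                         ("with trailing deny-all", RULES),
                         ("deny-all misordered", misordered(RULES))):
        print(f"--- {label} ---")
        for src, proto in samples:
            print(f"{src:>16} {proto:<7} -> {evaluate(rules, src, proto)}")
```

Run as a script to print the verdict for each sample under the three orderings; the third ordering shows that appending deny-all without first placing the ICMPv6 allow rule above it silently breaks the pools' ICMPv6 traffic.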
When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first: