Manual Chapter : Testing Packets with Firewall IP Intelligence and DoS Rules

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

About packet tracing with the AFM Packet Tester

The Packet Tester is a troubleshooting tool that allows a user to inject a packet into the traffic processing of BIG-IP® AFM™ and track the resulting processing by the Network Firewall, DoS prevention settings, and IP Intelligence. If the packet hits an Network Firewall, DoS Protection, or IP Intelligence rule, the rule and rule context is displayed. This allows you to troubleshoot packet issues with certain types of packets, and to check that rules for certain packets are correctly configured.

Task list

Tracing a TCP packet

Before you can trace a TCP packet, you must have BIG-IP® Advanced Firewall Manager™ (AFM) licensed on your system.
You can test a TCP packet to find if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you should test a packet that either represents a type of packet that is currently being dropped (for troubleshooting), or a type of packet you would like to detect with the Network Firewall, DoS rules, or IP Intelligence rules.
  1. On the Main tab, click Network > Network Security > Packet Tester .
    The Packet Tester screen opens.
  2. From the Protocol list, select TCP.
  3. Select any TCP flags to set in the TCP packet.
    You can select SYN, ACK, RST, URG, PUSH, FIN, or a combination.
  4. For the Source setting, specify the source IP Address from which the test packet should appear to originate.
  5. Specify the source Port from which the test packet should appear to originate.
  6. From the list select the source VLAN from which the test packet should appear to originate.
  7. In the TTL field, specify the time to live for the test packet in seconds.
    The default setting is 255 seconds.
  8. For the Destination setting, specify the destination IP Address to which the test packet should appear to be sent.
  9. In the Destination setting, specify the destination Port to which the test packet should appear to be sent.
  10. In the Trace Options setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  11. In the Trace Options setting, specify whether to trigger logging for the packet, based on the packet test results.
  12. Click Run Trace to run the packet test.
The packet trace displays the steps in the packet trace process, and the result of the packet trace.

Tracing a UDP packet

Before you can trace a UDP packet, you must have BIG-IP® Advanced Firewall Manager™ (AFM) licensed on your system.
You can test a UDP packet to find if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you should test a packet that either represents a type of packet that is currently being dropped (for troubleshooting), or a type of packet you would like to detect with the Network Firewall, DoS rules, or IP Intelligence rules.
  1. On the Main tab, click Network > Network Security > Packet Tester .
    The Packet Tester screen opens.
  2. From the Protocol list, select UDP.
  3. For the Source setting, specify the source IP Address from which the test packet should appear to originate.
  4. Specify the source Port from which the test packet should appear to originate.
  5. From the list select the source VLAN from which the test packet should appear to originate.
  6. In the TTL field, specify the time to live for the test packet in seconds.
    The default setting is 255 seconds.
  7. For the Destination setting, specify the destination IP Address to which the test packet should appear to be sent.
  8. In the Destination setting, specify the destination Port to which the test packet should appear to be sent.
  9. In the Trace Options setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  10. In the Trace Options setting, specify whether to trigger logging for the packet, based on the packet test results.
  11. Click Run Trace to run the packet test.
The packet trace displays the steps in the packet trace process, and the result of the packet trace.

Tracing an SCTP packet

Before you can trace a UDP packet, you must have BIG-IP® Advanced Firewall Manager™ (AFM) licensed on your system.
You can test an SCTP packet to find if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you should test a packet that either represents a type of packet that is currently being dropped (for troubleshooting), or a type of packet you would like to detect with the Network Firewall, DoS rules, or IP Intelligence rules.
  1. On the Main tab, click Network > Network Security > Packet Tester .
    The Packet Tester screen opens.
  2. From the Protocol list, select SCTP.
  3. For the Source setting, specify the source IP Address from which the test packet should appear to originate.
  4. Specify the source Port from which the test packet should appear to originate.
  5. From the list select the source VLAN from which the test packet should appear to originate.
  6. In the TTL field, specify the time to live for the test packet in seconds.
    The default setting is 255 seconds.
  7. For the Destination setting, specify the destination IP Address to which the test packet should appear to be sent.
  8. In the Destination setting, specify the destination Port to which the test packet should appear to be sent.
  9. In the Trace Options setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  10. In the Trace Options setting, specify whether to trigger logging for the packet, based on the packet test results.
  11. Click Run Trace to run the packet test.
The packet trace displays the steps in the packet trace process, and the result of the packet trace.

Tracing an ICMP packet

Before you can trace a UDP packet, you must have BIG-IP® Advanced Firewall Manager™ (AFM) licensed on your system.
You can test an ICMP packet to find if it hits a Network Firewall, DoS, or IP Intelligence rule. For purposes of this test, you should test a packet that either represents a type of packet that is currently being dropped (for troubleshooting), or a type of packet you would like to detect with the Network Firewall, DoS rules, or IP Intelligence rules.
  1. On the Main tab, click Network > Network Security > Packet Tester .
    The Packet Tester screen opens.
  2. From the Protocol list, select ICMP.
  3. From the Protocol list, select SCTP.
  4. For the Source setting, specify the source IP Address from which the test packet should appear to originate.
  5. From the list select the source VLAN from which the test packet should appear to originate.
  6. In the TTL field, specify the time to live for the test packet in seconds.
    The default setting is 255 seconds.
  7. For the Destination setting, specify the destination IP Address to which the test packet should appear to be sent.
  8. In the Destination setting, specify the destination Port to which the test packet should appear to be sent.
  9. In the Trace Options setting, specify whether to use the staged network firewall policy for the packet, if one exists.
  10. In the Trace Options setting, specify whether to trigger logging for the packet, based on the packet test results.
  11. Click Run Trace to run the packet test.
The packet trace displays the steps in the packet trace process, and the result of the packet trace.

Packet trace results

These tables show possible results of an AFM packet trace.

Device DoS results

Device DoS result Description
Nominal (Green) The packet matches a vector, but is not categorized as an attack.
Whitelist (Green) The packet matches the DoS whitelist and is allowed.
Anomaly (Yellow) The packet matches an anomaly condition.
Attack (Red) The packet matches a configured attack condition.

Device IP Intelligence results

Device IP Intelligence result Description
No match (Green) The packet does not match an IP Intelligence rule.
Match (Green or Red) The packet matches an IP Intelligence rule and is either allowed or denied.
Whitelist (Green) The packet matches the IP Intelligence whitelist and is allowed..
No Policy (Gray) There is no configured IP intelligence policy for the packet

Device Rules

Device Rules result Description
Match Allow (Green) The packet matches a global firewall rule and is allowed.
Match Reject (Red) The packet matches a global firewall rule and is rejected.
Match Drop (Red) The packet matches a global firewall rule and is dropped.
Match Decisive (Green) The packet matches a global firewall rule and is allowed decisively.
No Policy (Gray) The packet does not match a global firewall rule.

Route Domain IP Intelligence results

Route Domain IP Intelligence result Description
No match (Green) The packet does not match a route domain Intelligence rule.
Match (Green or Red) The packet matches a route domain Intelligence rule and is either allowed or denied.
Whitelist (Green) The packet matches the route domain Intelligence whitelist and is allowed.
No Policy (Gray) There is no configured IP intelligence policy for the packet

Route Domain Rules results

Route Domain Rules result Description
Match Allow (Green) The packet matches a route domain firewall rule and is allowed.
Match Reject (Red) The packet matches a route domain firewall rule and is rejected.
Match Drop (Red) The packet matches a route domain firewall rule and is dropped.
Match Decisive (Green) The packet matches a route domain firewall rule and is allowed decisively.
No Policy (Gray) The packet does not match a route domain firewall rule.

Virtual Server DoS results

Virtual Server DoS result Description
Nominal (Green) The packet matches a virtual server DoS vector, but is not categorized as an attack.
Whitelist (Green) The packet matches the virtual server DoS whitelist and is allowed.
Anomaly (Yellow) The packet matches a virtual server DoS anomaly condition.
Attack (Red) The packet matches a configured virtual server DoS attack condition.
Prior Whitelist (Gray) The packet matches a prior whitelist and is allowed.
No Policy (Gray) No virtual server DoS rule is configured that applies to this packet.

Virtual Server IP Intelligence results

Virtual Server IP Intelligence result Description
No match (Green) The packet does not match a virtual server IP Intelligence rule.
Match (Green or Red) The packet matches a virtual server IP Intelligence rule and is either allowed or denied.
Whitelist (Green) The packet matches the virtual server IP Intelligence whitelist and is allowed.
No Policy (Gray) No virtual server IP intelligence policy is configured that applies to this packet.

Virtual Server Rules results

Virtual Server Rules result Description
Match Allow (Green) The packet matches a virtual server firewall rule and is allowed.
Match Reject (Red) The packet matches a virtual server firewall rule and is rejected.
Match Drop (Red) The packet matches a virtual server firewall rule and is dropped.
Match Decisive (Green) The packet matches a virtual server firewall rule and is allowed decisively.
No Policy (Gray) The packet does not match a virtual server firewall rule.

Default Rule results

Default Rule result Description
Allow (Green) The packet does not match any prior rules, and the default rule is allow, so the packet is allowed.
Reject (Red) The packet does not match any prior rules, and the default rule is reject, so the packet is rejected.
Drop (Red) The packet does not match any prior rules, and the default rule is drop, so the packet is dropped.